Open ISMS platform for GDPR and NIS-2 The open-isms platform, a self-hostable Information Security Management System for EU NIS 2 Directive compliance, has been released as free and open-source software under AGPL-3.0. Built with Next.js, TypeScript, and Postgres, it aims to halve Europe's NIS 2 compliance costs by providing an operational evidence trail with owners, deadlines, and sign-offs. The platform behind nisd2.eu https://www.nisd2.eu : a self-hostable Information Security Management System built for the EU NIS 2 Directive, with GDPR, the EU AI Act, and the CRA alongside it. Most compliance tooling treats evidence as a folder of PDFs you assemble the week before an audit. open-isms inverts that. Every requirement carries an owner, a deadline, and a sign-off, so assignments, approvals, and an append-only audit trail become your evidence as you operate, not something you reconstruct after the fact. Free and open source. AGPL-3.0. Mission: halve Europe's NIS 2 compliance bill. apps/ reference/ minimal docker-compose demo Postgres + Next.js boot stack, gates routes behind email magic links packages/ grc-data-model/ framework data + entity model NIS 2, GDPR, EU AI Act, CRA incident-notification-schema/ NIS 2 §23 4 incident notification format isms-schema/ operational ISMS schema audit-log, sign-off, evidence, policies, training isms-ui/ shadcn-based UI primitives isms-pages/ pre-translated page components isms-lib/ compliance helpers deadlines, format isms-trpc/ tRPC setup + audit middleware isms-messages/ i18n catalogs app/ the production SaaS — marketing + portal + supplier + training components/ lib/ schema/ server/ drizzle/ messages/ i18n/ SaaS app code courses/ NIS 2 CEO course content + tabletop exercises + CRA SBOM data/ docs/ public reference data + deployment docs public/ static assets scripts/ operational + release tooling .github/workflows/ CI + release pipeline grc-data-model and incident-notification-schema are published to npm. The other packages are workspace-only consumed via bun workspaces; not on npm yet . git clone https://github.com/NISD2/open-isms.git cd open-isms bun install bun run dev http://localhost:3026 For the minimal docker-composed reference app: cd apps/reference cp .env.example .env set AUTH SECRET via openssl rand -base64 32 docker compose up --build http://localhost:3000 bun add @nisd2/grc-data-model @nisd2/incident-notification-schema js import { nis2Categories, getNis2RequirementsForCategory } from "@nisd2/grc-data-model/frameworks"; import { complianceFramework, requirement } from "@nisd2/grc-data-model/schema"; 49 NIS 2 articles, 7 GDPR articles, NIS 2 ↔ GDPR mappings, Drizzle-compatible Postgres schema. EU Directive : 2022/2555 NIS 2 German transposition : NIS2UmsuCG → revised BSIG 2025 Implementing Regulation : Commission Implementing Regulation EU 2024/2690 Effective : 6 December 2025 Registration deadline : 6 March 2026 | Layer | Tech | |---|---| | Framework | Next.js 16 + React 19 App Router, SSR-first | | Language | TypeScript 5.7 strict mode | | Styling | Tailwind CSS 4 + shadcn | | Validation | Zod 4 | | ORM | Drizzle 0.45 Postgres | | API | tRPC 11 | | Auth | Auth.js v5 email magic links + Google OAuth | | i18n | next-intl DE/EN/NL | | AI | Vercel AI SDK + xAI Grok for form prefill | | Runtime | Bun 1.3+ | | Hosting | Coolify self-hosted | See CONTRIBUTING.md /NISD2/open-isms/blob/main/.github/CONTRIBUTING.md . External PRs welcome — particularly: - New framework articles / mappings packages/grc-data-model/src/frameworks/ - Translation work messages/ , packages/isms-messages/ - Schema improvements packages/isms-schema/src/tables/ - Documentation and examples For security disclosures, see SECURITY.md /NISD2/open-isms/blob/main/.github/SECURITY.md . AGPL-3.0-or-later /NISD2/open-isms/blob/main/LICENSE for the app, scripts, and workspace-only packages. Published npm packages have their own licenses: | Package | License | |---|---| @nisd2/grc-data-model | MIT | @nisd2/incident-notification-schema | Dual: AGPL-3.0 + commercial | @nisd2/isms- workspace-only | AGPL-3.0-or-later |