Open-source · AGPL-3.0 · self-hosted by design

NIS2 governance, technical validation, and incident response — under one roof.

The open-source platform for the EU NIS2 Directive (2022/2555). Bridge the gap between Art. 21 policy and what your network actually does — without sending a single byte of scan data to a third party.

Need a guided tour? Read the Guide

  • 30+ automated checks
  • 5 EU languages
  • NIS2 coverage: Art. 18 / 21 / 23
  • 0 SaaS dependencies

Six modules, one workspace

Everything Art. 21 asks for, in one auditable platform.

Most NIS2 work is human work. The platform automates the parts that should be automated, and tracks the parts that legally require a person to sign their name to.

  • Governance Framework (Art. 21)

    30-item checklist mapped to NIS2 Art. 21 (a)–(j), with owner, evidence, and review-cadence tracking. Cross-referenced to the Italian D.Lgs 138/2024 transposition and the ACN determinations.

  • Technical Validation (Scanner)

    30+ async checks on TLS, DNS, certificates, HTTP headers, port exposure, secrets, and resilience. The probe that verifies whether the policy your governance framework documents is actually enforced on the wire.

  • Incident Response (Art. 23)

    Art. 23 lifecycle with the 24h / 72h / 1-month deadlines tracked as live countdowns. The Red Button generates a CSIRT-ready Early Warning JSON from three fields plus the latest asset inventory.

  • Supply Chain Risk (Art. 18)

    Vendor inventory with 4-level criticality, security scoring, contract tracking (SLA, audit rights, security clauses), and ACN Art. 18 fields for the Italian transposition.

  • Business Impact Analysis (BIA)

    Process inventory with RTO / RPO / MTPD, five-dimension impact scoring, asset and vendor dependency mapping, and automatic BCP / DRP gap detection.

  • AI Copilot + MCP

    Optional remediation copilot via Ollama (air-gapped) or OpenAI. A native Model Context Protocol server lets Claude, Cursor, and other AI agents query your compliance posture directly.

Posture you can read in 30 seconds.

One dashboard for total scans, average compliance score, open findings, and monitored assets — with the recent-scan trend on the same screen.

[Screenshot: NIS2 Platform dashboard at localhost:8077/dashboard]

How it works

From clone to first executive report in an afternoon.

  1. Clone and run locally

    make dev — the platform comes up on http://localhost:8077 with Postgres, Redis, and the API in one compose file.

    $ git clone … && make dev

  2. Map your governance

    Walk the 30-item Art. 21 checklist with owners and evidence. Add assets, vendors, and processes. Generate the executive PDF for the board.

  3. Run the technical probe

    Schedule scans against your domains and IP ranges. Findings flow into the same workspace as the governance posture. Cross-reference each finding to the Art. 21 sub-paragraph it weakens.

Built with the people who actually use it.

One platform that speaks fluently to the boardroom and to the SOC.

For CISOs

Bridge the gap between the policy you signed off and what the network actually does. Boardroom-ready evidence on a deadline.

For DPOs

GDPR / ePrivacy posture surfaced separately from NIS2 — never aggregated into the wrong score. Vendor risk and incident workflows aligned to your obligations.

For NIS2 consultants

Multi-tenant by design. Manage every client in one self-hosted instance. White-label PDF reports per organisation; switch tenants without logging out.

For IT / SecOps

30+ async checks shipped, MCP-ready for AI agents, Prometheus-friendly metrics, scheduled scans via cron. No third-party SaaS in your tenant blast radius.

Designed for on-premise

Your scan data never leaves your infrastructure.

A CISO of an essential entity will not upload their vulnerability data to a third-party SaaS. So we built the platform around the assumption that it won't.

  • Your PostgreSQL, your data — no telemetry, no external calls, no cloud dependencies.
  • Air-gapped support: Ollama AI copilot runs entirely local. OpenAI is opt-in.
  • Postgres FORCE ROW LEVEL SECURITY enforces tenant isolation in the database, not just the app.
  • AGPL-3.0 — own your fork forever. Commercial dual-licensing available.
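The FORCE ROW LEVEL SECURITY bullet above names the isolation mechanism; what follows is an added example (not the project's own schema or migrations) of how such a tenant policy is set up and checked in PostgreSQL. The table, column, role and setting names (findings, tenant_id, nis2_app, app.tenant_id) and the UUIDs are assumptions constructed for the example.

```sql
-- Added example, not the project's schema: names and UUIDs are constructed.
-- Run as a superuser / schema owner; the application role is created below.
CREATE TABLE findings (
    id         bigserial PRIMARY KEY,
    tenant_id  uuid NOT NULL,
    title      text NOT NULL
);

-- The application connects as a plain role that does not own the table.
CREATE ROLE nis2_app NOINHERIT LOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON findings TO nis2_app;
GRANT USAGE ON SEQUENCE findings_id_seq TO nis2_app;

-- ENABLE turns RLS on; FORCE makes the table owner subject to it as well
-- (owners bypass RLS by default; superusers and BYPASSRLS roles always do).
ALTER TABLE findings ENABLE ROW LEVEL SECURITY;
ALTER TABLE findings FORCE ROW LEVEL SECURITY;

-- Rows are readable (USING) and writable (WITH CHECK) only when tenant_id
-- matches the tenant bound to the session. If app.tenant_id is unset or
-- empty, the expression is NULL, so no rows match: fail closed, not open.
CREATE POLICY tenant_isolation ON findings
    USING (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid)
    WITH CHECK (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid);

-- Exercise the policy as the application role.
SET ROLE nis2_app;

-- Per request the app binds the tenant with SET LOCAL, scoped to the
-- transaction, so a pooled connection cannot carry the previous tenant over.
BEGIN;
SET LOCAL app.tenant_id = '11111111-1111-1111-1111-111111111111';
INSERT INTO findings (tenant_id, title)
    VALUES ('11111111-1111-1111-1111-111111111111', 'TLS 1.0 still enabled on edge');
SELECT id, title FROM findings;   -- returns only this tenant's rows
COMMIT;

-- Check: writing a row for a different tenant fails the WITH CHECK clause
-- and the statement is rejected by the database, regardless of app logic.
BEGIN;
SET LOCAL app.tenant_id = '11111111-1111-1111-1111-111111111111';
INSERT INTO findings (tenant_id, title)
    VALUES ('22222222-2222-2222-2222-222222222222', 'cross-tenant write');
ROLLBACK;

-- Check: with no tenant bound, the policy expression is NULL and nothing
-- is visible, even though the role holds SELECT on the table.
SELECT count(*) FROM findings;
RESET ROLE;
```

The thing to verify in a deployment is that the role the API actually connects with is neither a superuser nor marked BYPASSRLS, since either would silently disable the policy.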

Tech stack

  • Next.js 15
  • React 19
  • FastAPI
  • PostgreSQL 16
  • Celery
  • Tailwind v4
  • MCP

Run it

# 60 seconds, one compose file
$ git clone https://github.com/fabriziosalmi/nis2-public.git
$ cd nis2-public
$ cp .env.example .env
$ make dev

Production: make prod — Caddy auto-HTTPS, with every service gated on its health check.

Stop talking about NIS2. Start showing the matrix.

Self-host the platform in 60 seconds. AGPL-3.0 — yours, forever. Need a hand? Reach out.