Open Source
We publish the data structures we work with on nisd2.eu — so other consultants, GRC tools, and auditors can use them without paying anyone.
NIS2 affects roughly 29,500 German companies and tens of thousands more across the EU. Most have no compliance budget. Closed-source compliance tooling charges €7,000 to €12,000 per year for a checklist over a public legal text.
The legal text belongs to everyone, the checklist that decomposes it should belong to everyone, and the only legitimate value capture is in the implementation work that follows. A single well-maintained, publicly auditable database is more valuable than ten proprietary forks.
What we publish
NIS2 Gap Assessment — 116 questions, 15 domains
A structured self-assessment as a typed Zod schema. Every question is anchored to a specific legal source (NIS2 Directive, BSIG, CIR 2024/2690, BSI IT-Grundschutz). Includes reference scoring logic and a Drizzle storage example for responses.
NIS2 Supplier Questionnaire — 56 fields, 6 sections
The questions a NIS2-regulated entity needs to ask its suppliers. Anchored to NIS2 Art. 21(2), CIR 2024/2690, ENISA TIG, BSI IT-Grundschutz, and GDPR Art. 28. A visibleWhen mechanism gates optional sections by service type, so a supplier only sees (and is only scored on) the sections that apply to what they deliver.
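To make the structure concrete, here is an added illustration of how a question set with legal anchors, a visibleWhen gate by service type, and reference scoring can fit together. It is not the nisd2.eu schema: the field names, the shape of visibleWhen, the service-type values, the sample questions and the scoring rule are all assumptions made for this example. The published repositories are Zod-typed; plain TypeScript types are used here so the block runs without any dependency.

```typescript
// Added illustration, NOT the nisd2.eu schema. Field names, the visibleWhen
// shape, service-type values, sample questions and the scoring rule are
// assumptions. Plain TypeScript types stand in for the repositories' Zod schemas.

export type Answer = "yes" | "partial" | "no";

export interface Question {
  id: string;
  text: string;
  source: string;               // legal anchor, e.g. "NIS2 Art. 21(2)(b)" (assumed format)
  kind: "yesno" | "choice";
  options?: readonly string[];  // allowed values for kind === "choice"
  weight: number;               // scoring weight; 0 for unscored questions
}

export interface Section {
  id: string;
  title: string;
  // Declarative gate (assumed shape): the section applies only when the answer
  // to `field` is one of `oneOf`. Absent means the section is always visible.
  visibleWhen?: { field: string; oneOf: readonly string[] };
  questions: Question[];
}

export type Responses = Record<string, string>; // question id -> raw answer

// Constructed sample questionnaire: one always-visible section and two
// service-type-specific sections.
export const sampleQuestionnaire: Section[] = [
  {
    id: "general",
    title: "Supplier profile",
    questions: [
      { id: "svc", text: "Which service do you provide?", source: "NIS2 Art. 21(2)(d)",
        kind: "choice", options: ["hosting", "software", "consulting"], weight: 0 },
      { id: "ir", text: "Do you operate a documented incident-handling process?",
        source: "NIS2 Art. 21(2)(b)", kind: "yesno", weight: 3 },
    ],
  },
  {
    id: "hosting",
    title: "Hosting-specific controls",
    visibleWhen: { field: "svc", oneOf: ["hosting"] },
    questions: [
      { id: "bcp", text: "Do you test backup restoration at least annually?",
        source: "NIS2 Art. 21(2)(c)", kind: "yesno", weight: 2 },
    ],
  },
  {
    id: "sdlc",
    title: "Secure development",
    visibleWhen: { field: "svc", oneOf: ["software"] },
    questions: [
      { id: "sbom", text: "Do you provide an SBOM for delivered releases?",
        source: "NIS2 Art. 21(2)(e)", kind: "yesno", weight: 2 },
    ],
  },
];

// Sections whose gate is absent or satisfied by the current responses.
export function visibleSections(sections: Section[], responses: Responses): Section[] {
  return sections.filter(s => {
    if (!s.visibleWhen) return true;
    const value = responses[s.visibleWhen.field];
    return value !== undefined && s.visibleWhen.oneOf.includes(value);
  });
}

function allowedValues(q: Question): readonly string[] {
  return q.kind === "yesno" ? ["yes", "partial", "no"] : (q.options ?? []);
}

// Visible questions must be answered with an allowed value. Answers to hidden
// or unknown questions are reported as `ignored` rather than dropped silently,
// so an auditor can see that a supplier answered outside their declared scope.
export function validateResponses(sections: Section[], responses: Responses) {
  const visible = visibleSections(sections, responses).flatMap(s => s.questions);
  const visibleIds = new Set(visible.map(q => q.id));
  const missing = visible.filter(q => responses[q.id] === undefined).map(q => q.id);
  const invalid = visible
    .filter(q => responses[q.id] !== undefined && !allowedValues(q).includes(responses[q.id]))
    .map(q => q.id);
  const ignored = Object.keys(responses).filter(id => !visibleIds.has(id));
  return { missing, invalid, ignored, ok: missing.length === 0 && invalid.length === 0 };
}

const credit: Record<Answer, number> = { yes: 1, partial: 0.5, no: 0 };

// Reference scoring (assumed rule): weighted credit over the yes/no questions of
// the visible sections only, as a percentage with one decimal. Hidden sections
// neither count nor penalise. Refuses to score responses that do not validate.
export function score(sections: Section[], responses: Responses): number {
  const v = validateResponses(sections, responses);
  if (!v.ok) throw new Error(`invalid responses: missing=${v.missing} invalid=${v.invalid}`);
  const scored = visibleSections(sections, responses)
    .flatMap(s => s.questions)
    .filter(q => q.kind === "yesno" && q.weight > 0);
  const total = scored.reduce((acc, q) => acc + q.weight, 0);
  if (total === 0) return 0;
  const earned = scored.reduce((acc, q) => acc + q.weight * credit[responses[q.id] as Answer], 0);
  return Math.round((earned / total) * 1000) / 10;
}
```

The gate is kept declarative (a field name and a set of values) rather than a predicate function so the questionnaire remains plain data that can be serialised, diffed and reviewed in a pull request. Scoring runs only after validation, so a supplier cannot raise their score by answering a section their declared service type excludes, and cannot lower it by skipping one that applies.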
Both repositories are dual-licensed: MIT for code (Zod schemas, helpers, examples), Creative Commons Attribution 4.0 (CC BY 4.0) for content (questions, descriptions, legal citations).
You may share, adapt, and use the content commercially as long as you credit nisd2.eu. Suggested attribution wording is in the LICENSE file in each repository.
Pull requests welcome — particularly corrections to legal citations (with a primary-source reference), additional language translations, sector-specific extensions (KRITIS, energy, healthcare), and national transposition deltas. For substantial changes please open an issue first.