A curated index of resources for organisations subject to EU compliance regimes — NIS2, GDPR, ePrivacy, the Cyber Resilience Act, DORA, and the AI Act. Regulations, official guidance, national authorities, open-source toolkits, schemas, and community.
Maintained by NISD2.eu. PRs and issues welcome — see Contributing.
- Regulations & Directives
- Guidance & Methodology
- National Authorities
- Open-Source Schemas
- Open-Source Toolkits & Platforms
- Community
- Contributing
- License
## Regulations & Directives

The EU-level legal instruments. National transpositions vary; see National Authorities for per-country implementations.

| Instrument | Reference | Description |
|---|---|---|
| NIS2 Directive | EU 2022/2555 | Cybersecurity risk-management for essential and important entities. Transposition deadline for Member States: 17 October 2024. |
| GDPR | Regulation EU 2016/679 · annotated text on gdpr-info.eu | General Data Protection Regulation. In force since 25 May 2018. |
| CIR 2024/2690 | Commission Implementing Regulation | Detailed implementation rules for NIS2 cybersecurity measures. Applies directly across all 27 member states. |
| ePrivacy Directive | 2002/58/EC, amended by 2009/136/EC | Cookie consent, electronic communications privacy. National transpositions: TDDDG (DE), PECR (UK), etc. |
| Cyber Resilience Act | Regulation EU 2024/2847 | Cybersecurity requirements for products with digital elements. Applies from December 2027. |
| DORA | Regulation EU 2022/2554 | Digital Operational Resilience Act for the financial sector. Applies from 17 January 2025. |
| AI Act | Regulation EU 2024/1689 | Risk-tiered governance of AI systems. Phased application from August 2024. |

## Guidance & Methodology

Published guidance from EU bodies and national authorities. EU-level first, then national.

| Resource | Source | Description |
|---|---|---|
| ENISA NIS2 Technical Implementation Guidance v1.0 | enisa.europa.eu | Operational guidance on Article 21(2) measures, with mapping table to national frameworks. |
| EDPB Guidelines | edpb.europa.eu | European Data Protection Board guidance on GDPR application: breach notification, DPIA, controller/processor relationships, etc. |
| BSI IT-Grundschutz | bsi.bund.de | German baseline cybersecurity methodology. Recognised for NIS2 implementation in Germany under §44(2) BSIG. |
| BSI Stand-der-Technik-Bibliothek | github.com/BSI-Bund/Stand-der-Technik-Bibliothek | Machine-readable Grundschutz successor (Grundschutz++). OSCAL format, CC BY-SA 4.0. |
| BSI Standards 200-1 / 200-2 / 200-3 | bsi.bund.de | ISMS, IT-Grundschutz methodology, risk analysis. |
| DSK Standard Data Protection Model (SDM) v3.1 | datenschutzzentrum.de | Methodology used by German DPAs for GDPR Art. 32 evaluation. Seven assurance goals. |
| ANSSI NIS2 Guidance | cyber.gouv.fr | French national guidance, including MonAideCyber assessment tool. |
| NCSC-NL NIS2 Resources | ncsc.nl | Dutch national cybersecurity centre guidance. |
| CCB NIS2 Resources (Belgium) | ccb.belgium.be | Centre for Cybersecurity Belgium guidance. |

## National Authorities

Per-country supervisory authorities and registration portals. For a live, machine-readable list across all 27 member states, see nisd2.eu/nis2-registration-portals.

Cybersecurity (NIS2) — selection:

| Country | Authority | Portal |
|---|---|---|
| 🇩🇪 Germany | BSI | mip2.bsi.bund.de |
| 🇫🇷 France | ANSSI | monaidecyber.cyber.gouv.fr |
| 🇳🇱 Netherlands | NCSC-NL | ncsc.nl |
| 🇧🇪 Belgium | CCB | ccb.belgium.be |
| 🇮🇹 Italy | ACN | acn.gov.it |
| 🇦🇹 Austria | NIS-Stelle (BMI) | nis.gv.at |

Data Protection (GDPR):

| Country | Authority |
|---|---|
| 🇩🇪 Germany | BfDI (federal) + 16 state LfDIs |
| 🇫🇷 France | CNIL |
| 🇳🇱 Netherlands | Autoriteit Persoonsgegevens |
| 🇧🇪 Belgium | Gegevensbeschermingsautoriteit |
| 🇮🇹 Italy | Garante per la Protezione dei Dati Personali |
| 🇦🇹 Austria | Datenschutzbehörde |
| 🇪🇺 EU | European Data Protection Board (EDPB) |

## Open-Source Schemas

Machine-readable data formats — install once, use anywhere.

| Repository | License | Description |
|---|---|---|
| @nisd2/nis2-gap-assessment-schema | MIT + CC BY 4.0 | 116-question NIS2 self-assessment with scoring logic. Zod schema, JSON Schema, Drizzle storage example. |
| @nisd2/nis2-supply-chain-questionnaire-schema | MIT + CC BY 4.0 | 56-field NIS2 supplier questionnaire across 6 sections. Zod schema, JSON Schema. |
| @nisd2/grc-data-model (planned) | MIT + CC BY 4.0 | Relational core: RoPA, DPA checklist, TOMs catalog, supplier-core, asset-core, risk, incident schemas, plus NIS2↔GDPR mappings. |

## Open-Source Toolkits & Platforms

Working software you can run, fork, or learn from.

| Project | License | Description |
|---|---|---|
| ISMS Builder | AGPL-3.0 | Self-hosted ISMS covering ISO 27001, NIS2, GDPR, BSI Grundschutz, EU AI Act, ISO 9001, CRA, EUCS. SQLite or MariaDB backend. By Claude Hecker. |
| Paolo Carner — NIS2 SMB Toolkit | CC BY 4.0 | RTF + Excel templates: gap assessment with GDPR + ISO 27001 crosswalks, executive briefing, incident response playbook. Belgium and Netherlands focus. By BARE Consulting. |
| NISD2 platform | Hosted SaaS | NIS2 + GDPR compliance platform with 49 BSIG-aligned requirements, 47-lesson management training, supplier portal, gap assessment. EU-baseline structure with national-supplement lookups. |

## Community

| Resource | Description |
|---|---|
| BARE Alliance | Network of independent European cybersecurity consultants sharing knowledge and resources. |
| OpenKRITIS | German community for critical-infrastructure operators. |
| gdpr-info.eu | Annotated GDPR text with article-level navigation, cross-references, and recital lookup. |
| eur-lex.europa.eu | The official EU legal database. Authoritative source for all directive and regulation text. |

## Contributing

Open an issue or PR with:

- The link
- The license (or "hosted SaaS" / "proprietary" / etc.)
- A one-line description that doesn't oversell

Three rules for inclusion:

- License must be visible. Readers need to know what they can do with it.
- One-line description max. This is an index, not a review.
- No promotional puff. Even our own NISD2 entry is flat — "hosted compliance platform", not "the world's leading...".

## License

This index is licensed under CC0 1.0 Universal — public domain, no attribution required. Take it, fork it, redistribute it. Linked resources retain their own licenses.