ISMS Governance - NIS 2, DORA, GDPR.

All your security steering in one platform.

EBIOS RM and 30+ frameworks pre-loaded. Modules can be activated one by one. Hosted in France · on-prem or cloud AI of your choice.

Upcoming deadlines

3 major regulations. One platform to handle them all.

NIS 2
In force
EU Directive 2022/2555 · cybersecurity for essential and important operators
  • Fines up to €10M or 2% of global turnover
  • Incident notification 24h / 72h / 30d
  • Personal liability of executives
How CYBERACT addresses it

3-tier notification workflow + Risk register + Technical measures + Treatment plan + Signed acceptance of residual risks (art. 21.3).

DORA
In force
EU Regulation 2022/2554 · finance, banking, insurance · applicable since 17 January 2025
  • Mandatory ICT critical providers register
  • Operational resilience testing (TLPT)
  • Major incident notification within 4h
How CYBERACT addresses it

5-phase TPRM module + Dependency mapping + Business continuity (BIA / BCP / DRP) + Resilience test roadmap.

EU AI Act
D-…
EU Regulation 2024/1689 · GPAI obligations applicable 2 August 2026
  • Mandatory AI systems inventory
  • AI risk assessment + dedicated DPIA
  • Transparency + decision traceability
How CYBERACT addresses it

Polymorphic risk analysis module with AI_SYSTEM type + OWASP LLM Top 10 and ISO 42001 frameworks pre-loaded.

Modules · risk-driven · 4 business hubs

A central risk register. 4 business hubs around it.

Platform core

Central risk register

A unified register consolidates risks from every module. G×V heatmap updated in real time.

ISP · EBIOS RM scenarios → inherent risks
Audit · identified non-conformities → residual risks
TPRM · vendor gaps → residual risks
Roadmap · closed treatment plans → residual recalculation
Activate modules to match your needs.
Start with 1 or 2 modules based on your current priority - NIS 2 compliance, audit, tender, GDPR rollout - then activate the others as you go. Each module configures independently and feeds the central risk register. Activation per tenant, at your own pace.
Modules delivered · activate one by one
4 business hubs, one risk register
Governance Hub
Policies, steering, awareness
CISO strategic cycle: consolidated roadmap, formal policies, procedures, board KPIs, program animation, awareness
Polymorphic roadmap
Consolidated roadmap Gantt / Kanban / List, 8 entity types, auto-fed by modules - you validate every risk recalculation
Security Policy & Charter
Formal ISMS policy, user/admin charter, executive approval, versioning, time-stamped signature
Procedures & best practices
Security documentation library: runbooks, guides, 10 pre-loaded templates (incidents, BCP/DRP, remote work...)
Board KPIs / Executive
Executive dashboard, 30+ monthly/quarterly indicators, trends, configurable alert thresholds
Cyber program animation
Group → subsidiaries steering: decisions, communications, workshops, regular reviews, inherited targets
Cyber awareness
Campaigns, training, phishing simulations, board reporting (NIS 2 art. 21.2.g)
Risk Hub
Registers, analyses, mappings, incidents
Everything that feeds the central register: EBIOS RM project assessment, polymorphic analyses, IT inventories, external surface, exceptions, NIS 2 incidents, continuity
Project security integration
Project Security Integration: 8-step wizard S0-S8 (scoping, EBIOS workshops, requirements, treatment plan, CISO GO/GOC/NO-GO decision)
Risk register
Cross-project consolidation, G×V heatmap, 3 states (inherent/adjusted/residual), residual KPI per framework
Risk analyses
Polymorphic EBIOS RM / ISO 27005 engine: project, asset, AI system, vendor, process, standalone
Asset inventory
IT inventory, classification, owners, criticality, 4 input modes
Exceptions register
Formal risk acceptance, periodic reviews, 30-day expiry alerts
External surface radar
Passive discovery of exposed subdomains, 0-100 scoring (A-F), HTTPS / DNS / TLS exposure
NIS 2 incidents
NIS 2 art. 23 notification (24h / 72h / 30d), full workflow, ISO 27035 classification
BIA / BCP / DRP
Business impact analysis, RTO/RPO/MTPD, continuity plans (ISO 22301 + NIS 2 art. 21.2.c)
Risk acceptance
Formal multi-level workflow, electronic signature, audit, expiry (NIS 2 art. 21.3)
Threat Intelligence
CVE/KEV/ATT&CK watch from 6 sources (CISA, ENISA, CERT-FR, EPSS, MITRE, OSV), crossed with your assets
Financial risk quantification
FAIR method: annual loss expectancy (ALE) in euros, COMEX/CFO and cyber insurance argument
Compliance Hub
Frameworks, GDPR, regulatory audits
Regulatory verification cycle: multi-subsidiary compliance center, AI-assisted ISO 19011 audits, normative frameworks, full GDPR (processing register, DPIA, data subject requests), regulatory watch
Compliance Center
3 tabs (Frameworks / Policies / Procedures), 10 ready-to-use policy templates, multi-subsidiary mode with consolidated annexes
Security audit
4 phases (scoping, AI-assisted interviews, CMMI 0-5 evaluation, report) with signed verdict Favorable / Reserved / Unfavorable
Frameworks & requirements
ISO 27001/27002/27005/27036/27701/22301/42001, NIS 2, GDPR, DORA, HDS, PCI, SOC 2 - risk coverage + residual KPIs + cross-framework mapping
Regulatory watch
NIS 2, DORA, GDPR, EU AI Act, alerts & case law, cross-text comparator
Processing register
GDPR art. 30 register: purposes, legal basis, retention, EU transfers, DPO workflow
DPIA (CNIL PIA-3)
GDPR impact analyses, CNIL-referenced measures §X (S1 pseudonymisation, S2 strong authentication, S4 AES-256 encryption...), DPO workflow
Data subject requests
Access, rectification, erasure, portability, objection, complaints - 30/90-day SLA, audit trail
Data mapping
GDPR/HDS data mapping, PII flows, non-EU transfers, automatic link with processing register
Annual audit plan
Multi-auditor planning, cycles, scopes, resources, yearly archiving
Self-assessment
Fast self-assessment for subsidiaries / teams (light vs full audit), aggregated CMMI score
Compliance assessments
Dated sessions on a framework, versioning, over-time comparison, forensic PDF/CSV export
Third Party Risk Hub
Trust Center, due diligence, DPA contracts
Full vendor relationship cycle: vendor qualification (TPRM), tenders (RFP), public trust page, due diligence, DPA contracts
TPRM (vendor qualification)
Third Party Risk Management: 5 phases (Identification / Evaluation across 12 domains / GO-GOC-NO-GO decision / Contract & SAP / Monitoring), auto-link from ISP S0
RFP (tender campaign)
Multi-vendor on a single project-contextualised questionnaire, colour-coded comparison matrix, weighted scoring, adjustable CISO decision
Trust Center
Trust page shared with clients/prospects, public certifications, security.txt link
Inbound due diligence
Security questionnaires sent by clients, centralised answers, comparison matrix
Contracts & DPA
Security contracts register, GDPR DPA, signed clauses, deadlines with 30-day alerts
Unique capability on the GRC market

6 NIS 2-recognised intelligence sources. Live. Included.

Most competing GRC tools ask you to fill in vulnerabilities manually. CYBERACT natively connects 6 official feeds and cross-references them with your asset perimeter. NIS 2 Art. 21.2.e argument: traceability of intelligence sources.

CISA · 1.6k exploited KEVs
NVD · 23k NIST-indexed CVEs
ENISA · 22k EUVD mirror
CERT-FR · 478 ANSSI bulletins
MITRE · 697 ATT&CK techniques
OSV · 15k Google advisories
Continuous monitoring
6 sources connected 24/7, daily refresh. No manual entry, no third-party subscription to manage - everything included in the platform.
Asset perimeter crossing
Your declared assets are automatically cross-referenced with CISA KEVs. If one of your technologies is targeted, a CRITICAL task opens in the Roadmap (14-day SLA).
NIS 2 Art. 21.2.e argument
Source traceability preserved for every indexed CVE. Demonstrates to ANSSI that you follow authorised sources - without spending an extra euro.
Who for

A workspace per role. One source of truth.

CISO · Security analyst · DPO · Internal auditor · Project manager · IT executive / Board
Compliance

Regulations, standards and audit grids

Switch between frameworks - or apply several at once to a single project. Automatic context-aware filtering (GDPR for personal data, HDS for healthcare, OWASP LLM Top 10 for AI...). Internal framework upload supported.

EU & FR regulation

RGPD · NIS 2 · LPM / OIV · EU AI Act · DORA · ACPR Cyber · PSD2 · HDS · PGSSI-S · SecNumCloud · TSA (Transports)

International regulation

HIPAA (US health) · DPDPA (India) · FedRAMP (US federal)

International standards

ISO 27001:2022 · ISO 27002:2022 · ISO 27005:2022 · ISO 27701:2025 · ISO 27036 · ISO 22301 · ISO 42001 · NIST CSF 2.0 · CIS Controls v8 · SOC 2

Technical standards & red teaming

PCI-DSS v4.0.1 · OWASP Top 10 · OWASP ASVS · OWASP LLM Top 10 · CSA CCM · MITRE ATT&CK · TIBER-EU

Audit grids (Audit module)

ReCyF NIS 2 (ANSSI) · ISO 27001:2022 · ISO 27002:2022 CMMI grid · your internal grids

CyberAct measures (own weighting)

24 weighted requirements · cross-framework deduplication · configurable
Pricing

Activate per module. Quote tailored to your scope.

Pricing set together based on the activated modules, your users and your context. No long-term commitment.

Starter
“I am starting my program”
On quote
Quote tailored to your scope
  • Up to 25 users
  • 6 modules of your choice
  • 1 primary framework
  • Email support, D+1
  • Hosted in France
Ideal for SMEs 50-250 employees starting their GRC program.
Request a quote
Enterprise
“I steer a group”
On quote
Tailored contract
  • Unlimited users
  • All modules available
  • CRQ FAIR (financial quantification)
  • Unlimited subsidiaries
  • Dedicated on-prem AI
  • 99.9% SLA + 24/7 support
  • Dedicated Customer Success
For large accounts, critical operators, holdings, NIS 2 essential entities.
Contact our team

All tiers include: France hosting, daily backups, updates included, 30+ pre-loaded frameworks, guided onboarding and free 30-day trial.

Frequently asked questions

What CISOs and DPOs ask us most often

How long until I am operational?
2 weeks for a single module with a pre-loaded framework. 6 to 8 weeks for a multi-module / multi-subsidiary rollout. Guided onboarding is included in every tier.
Do my data leave France?
No. OVH Roubaix hosting by default. On-premise hosting available for Enterprise tier. AES-256-GCM encryption at rest and in transit, tenant-scoped keys.
Does the AI see our sensitive documents?
You choose. Local AI mode (on-prem Ollama): no document leaves your tenant. Cloud mode (OpenRouter, OpenAI, Anthropic): documents are sent with your explicit consent, PII-masked.
Does a demo or trial cost anything?
No. 30-minute free demo. 30-day free trial on your own dedicated tenant, with one framework and one module of your choice. No credit card required.
Are you ISO 27001 certified yourselves?
ISO 27001:2022 certification targeted Q4 2026. Successful blank audit in Q1 2026. Security by design from inception: 18 principles applied, OWASP LLM Top 10 integrated, AES-256-GCM, MFA TOTP + Passkeys WebAuthn/FIDO2.
What if I want to switch platform later?
No vendor lock-in. Full ZIP export of your tenant (GDPR art. 20 portability). Data in open formats: CSV, JSON, PDF. Your custom frameworks and risk analyses are fully recoverable.

Ready to structure your security program?

Let us schedule a demo tailored to your context. 30 minutes to see the platform in action and answer your questions.

Or write directly to grc@cyberact.fr