Fabrizio Salmi edited this page May 15, 2026 · 2 revisions

NIS2 Continuous Posture Management Platform

Open-source platform for NIS2 Directive (EU 2022/2555) continuous posture management. It combines a governance framework, a technical validation engine, automated incident deadline tracking, and supply chain risk management into a single self-hosted system.

License: AGPL-3.0 | Current version: v2.5.11 | Language: Python (API + Scanner), TypeScript (Web)


What this platform is and is not

This is a GRC layer with an integrated technical validation engine. It is not a scanner that calls itself a compliance platform, and it does not replace a CISO, an internal audit programme, or a legal review of your D.Lgs 138/2024 obligations.

| Layer | Function |
|---|---|
| Governance Framework | 30-item checklist cross-referenced to NIS2 Art. 21, document tracking, owner assignment |
| Technical Validation Engine | 30+ automated checks — TLS, DNS, ports, certificates, HTTP headers, secrets detection |
| Incident Lifecycle | Art. 23 deadlines, automated alerts at the 24 h / 72 h / 1-month thresholds |
| Supply Chain Risk | Art. 18 vendor scoring with a documented 100-point formula |
| Business Impact Analysis | RTO/RPO/MTPD per process, dependency mapping, gap detection |

The scanner probes the observable technical surface. The governance framework is where most NIS2 compliance work lives, and most of that work is human.


Documentation — English

| Page | Contents |
|---|---|
| Getting Started | Prerequisites, quick start, first steps, Make commands |
| Deployment | Production stack, Caddy reverse proxy, database backup, scaling |
| Configuration | All environment variables with defaults and descriptions |
| Usage | Assets, scans, findings, reports, schedules, team management, API keys |
| Architecture | Component diagram, data flow, database schema, multi-tenancy model |
| Scanner Checks | Port scanning, TLS, HTTP headers, DNS security, secrets detection, WHOIS |
| API Reference | All REST endpoints, authentication, request and response shapes |
| Governance Checklist | 30-item NIS2 Art. 21 checklist — how to use it and what each item covers |
| Secrets Rotation | Rotation procedures for JWT, session, and database secrets |
| NIS2 Compliance Matrix | Art. 21 coverage — what is automated, what is partial, what is manual |

Documentation — Italian

| Page | Contents |
|---|---|
| Guida-Rapida | Prerequisites, quick start, first steps, Make commands |
| Distribuzione | Production stack, Caddy reverse proxy, backup, scaling |
| Configurazione | All environment variables with default values and descriptions |
| Utilizzo | Assets, scans, findings, reports, schedules, team management, API keys |
| Architettura | Component diagram, data flow, database schema, multi-tenancy |
| Controlli-Scanner | Port scanning, TLS, HTTP headers, DNS, secrets detection, WHOIS |
| Riferimento-API | All REST endpoints, authentication, request and response format |
| Checklist-Governance | NIS2 Art. 21 checklist — how to use it and what each item covers |
| Rotazione-Segreti | Rotation procedures for JWT, sessions and database credentials |
| Matrice-Conformita-NIS2 | Art. 21 coverage — what is automated, partial or manual |

Quick reference

# Development
git clone https://github.com/fabriziosalmi/nis2-public.git
cd nis2-public
cp .env.example .env   # edit JWT_SECRET and NEXTAUTH_SECRET
make dev               # starts all services

# Production
make prod              # starts with Caddy auto-HTTPS (requires DOMAIN in .env)

Default ports:

  • Frontend: http://localhost:8077
  • API + Swagger UI: http://localhost:8000/docs
