OneComply brings together ICT vendor risk, incident management, controls, evidence, policy governance, and internal reporting for EU financial entities, with explicit cross-framework coverage boundaries.
DORA and CSSF are treated as launch workflow anchors. ISO 27001, NIS2, GDPR, and CRA remain visible as evidence reuse and readiness layers so customers understand exactly what OneComply supports.
DORA (end-to-end workflow coverage): primary launch workflow for EU financial entities, covering ICT risk, vendors, incidents, evidence, audit trail, posture, and board/regulator readiness.
CSSF 22/806 (end-to-end workflow coverage): Luxembourg-focused overlay for ICT governance, outsourcing readiness, circular tracking, and DORA/CSSF operational alignment.
ISO 27001 (mapped evidence coverage): mapped ISMS control library, Statement of Applicability support, policy/evidence linkage, and certification-preparation reporting.
NIS2 (mapped evidence coverage): entity classification, security-measure evidence mapping, incident-readiness tracking, and supply-chain alignment.
GDPR (mapped evidence coverage): privacy-security evidence linkage across ROPA, DPIA, DSR, consent, breach evidence, processors, and audit trail.
CRA (readiness coverage): future-readiness mapping for product-security controls, SBOM, vulnerability handling, technical documentation, and reporting timelines.
Most tools help you prepare for audits. OneComply keeps DORA operational-resilience evidence current with monitoring, drift detection, and explainable scoring.
6 automated checks continuously scan your compliance posture for issues that could become audit findings.
8 event types automatically generate compliance tasks on your Kanban board — no manual ticket creation needed.
Weighted A-F grading across 6 modules. See exactly why your score changed — no black boxes.
Daily snapshots track changes. Each score update includes reasons: “2 controls moved to IMPLEMENTED”, “1 evidence expired”.
Import vendors, classify criticality, send questionnaires, track risk posture, and maintain the evidence needed for DORA ICT third-party oversight, with mapped reuse for NIS2, ISO 27001, CSSF, and CRA where applicable.
Criticality Classification
Critical, Important, Standard, Low — with weighted scoring across 6 factors (data access, operational importance, cloud dependency, concentration risk, substitutability, dependency risk)
Vendor Health Dashboard
Real-time overview of all vendor risk postures with status indicators and expiry alerts
Contract Compliance Checker
Optional AI-assisted clause review across frameworks — audit rights, exit strategy, SLA, sub-outsourcing, data location (DORA Art. 30, GDPR Art. 28)
11 Assessment Templates
5 DORA + 3 ISO 27001 + 3 NIS2 pre-built questionnaires covering data protection, cloud security, incident response, access control, and supply chain
Secure Vendor Portal
External vendors respond to questionnaires via unique secure links without needing an account
Soft Delete with Full Audit Trail
Vendor records are never hard-deleted. Status moves to TERMINATED with full before/after logging
Sample vendor risk cards: CloudStore AG (Critical, risk score 87%), DataPipe SaaS (Important, risk score 72%), SecureAuth Ltd (Standard, risk score 94%), NetOps GmbH (Low, risk score 65%).
Log ICT incidents, track multi-framework regulatory deadlines (DORA Art. 19, NIS2 Art. 23, CRA Art. 14, GDPR Art. 33), visualize timelines, manage post-incident remediation, and capture lessons learned — with full audit trail.
DORA Deadline Auto-Calculation
Major incidents auto-calculate initial (4h), intermediate (72h), and final (1 month) notification deadlines per Art. 19
Interactive Timeline View
Chronological event visualization with status dots (completed, overdue, upcoming) for each incident milestone
Post-Incident Actions
CRUD for remediation tasks with priority, assignment, due dates, and completion tracking
Major Incident Classification
Flag major incidents for enhanced tracking with 3-phase CSSF reporting workflow
Lessons Learned Capture
Editable field for post-incident analysis. Link incidents to affected controls for cross-entity visibility
5 Incident Categories
Cybersecurity, System Failure, Data Breach, Service Disruption, Third-Party — translated across 5 languages
Initialize DORA-first controls, track implementation status, assign owners, link evidence, and reuse evidence across ISO 27001, NIS2, GDPR, CSSF 22/806, and CRA where mappings are defensible.
One-Click Framework Initialization
Initialize 118 DORA + 93 ISO 27001 + 45 NIS2 + 43 GDPR + 35 CSSF 22/806 + 44 CRA controls individually or all 378 at once
Cross-Entity Linking
Link controls to evidence, incidents, and policies via bridge tables for complete traceability
Self-Attestation System
Attest controls without external dependencies. DB-backed with review schedules and expiry tracking
AI Policy Generation
Generate policies from templates with AI assistance. 15 templates covering ICT risk, incident response, business continuity, and more
Version Control & Approval Workflow
Draft > In Review > Approved > Archived lifecycle with full audit trail of who approved what and when
20 Guided Checklists
DORA (8), ISO 27001 (8), NIS2 (4) checklists with article references and progress tracking
Sample control status summary: 209 Implemented, 31 In Progress, 14 Not Started, 4 Needs Review.
Pre-built security assessment templates across DORA, ISO 27001, and NIS2. Send vendor questionnaires via secure links or generate custom assessments with AI based on vendor profile.
5 DORA Templates
Data protection, cloud security, incident reporting, regulatory compliance, ICT due diligence
3 ISO 27001 Templates
Supplier security (A.5.19-A.5.23), access control (A.5.15-A.5.18), incident management (A.5.24-A.5.28)
3 NIS2 Templates
Supply chain security (Art. 21), cybersecurity measures (Art. 21(2)(a-j)), incident reporting readiness (Art. 23)
AI Questionnaire Generator
Generate vendor-specific questions based on vendor name, service type, and category using AI
Secure Response Links
Vendors respond without needing an account. Copy secure link and share via email
Weighted Scoring
Each question has configurable weight for risk-proportionate scoring of vendor responses
Generate internal readiness reports, track submission deadlines, and monitor your compliance calendar. DORA RoI now generates an official-format EBA ZIP; other authority exports remain gated until their exact official schema is implemented.
Register of Information (ROI)
ROI source-data preparation, official table validation, and EBA plain XBRL-CSV ZIP package generation for CSSF/eDesk upload
Submission Deadline Dashboard
Track ROI submission windows (Feb-Mar), incident notification deadlines, board report dates, and audit schedules
Compliance Calendar
Auto-generated calendar events from database data plus fixed recurring compliance dates
Penalty Risk Calculator
Multi-framework fine estimation: DORA up to 10% turnover, NIS2 up to 2%/1.4%, GDPR up to 4%. Per-violation scenarios
NIS2 Entity Classification
Automated wizard: Essential, Important, or Out of Scope based on sector, size, and special criteria per Art. 2-3
TLPT Management
3-year Threat-Led Penetration Testing cycles. Tester qualification verification against DORA Art. 27. TIBER-EU support
Production-grade security infrastructure designed to meet DORA, ISO 27001, and NIS2 requirements out of the box.
Nine roles (Owner, Admin, Compliance Officer, Risk Manager, Control Owner, Member, Viewer, Auditor, External Vendor) with granular permissions across 14 entity types and 9 actions.
Every create, update, delete, and approval logged with before/after diffs. Sensitive fields (password, token, apiKey) auto-redacted. Append-only by design.
Compliance data is never hard-deleted. Deletions set deletedAt/deletedBy and mark status as TERMINATED. Full traceability for regulators.
Content-Security-Policy, HSTS with preload (2yr), CORS whitelist, X-Frame-Options DENY, COOP, CORP, Permissions-Policy. Zero-trust defaults.
8-hour inactivity timeout via httpOnly secure cookie. Auto-signout with session expiry redirect. Activity tracking per request.
JSON logs with request timing, compliance events, and error context. Compatible with CloudWatch, Datadog, ELK, Grafana Loki. Global exception handlers.
/api/health endpoint with 3 checks: database connectivity, table accessibility, memory usage. Returns 503 on critical failures for load balancer integration.
Sentry-compatible error reporting with standalone fallback. API route wrapper with timing, auto-catching, and generic 500 responses. Internal details never exposed.
Error messages (401, 403, 404, 429, 500), session expiry notifications, and incident categories translated across 5 EU languages.
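As an added example (not OneComply's own code) of the append-only audit trail with before/after diffs, sensitive-field redaction and soft delete described above: only changed fields are recorded, the three sensitive field names the page lists are masked on both sides, and a soft delete is just another logged update. The entry shape, actor ids and the sample vendor record are assumptions.

```typescript
// Added example, not OneComply code. Entry shape, actor ids and sample data are assumed.
const SENSITIVE_FIELDS = new Set(["password", "token", "apiKey"]);
const REDACTED = "[REDACTED]";

type Rec = Record<string, unknown>;
type Action = "create" | "update" | "delete" | "approve";
interface Change { field: string; before: unknown; after: unknown }
interface AuditEntry { seq: number; at: string; actor: string; action: Action; entity: string; changes: Change[] }

// Mask secrets on both sides of a change so neither the old nor the new value lands in the log.
function redact(field: string, value: unknown): unknown {
  if (value === undefined) return undefined;
  return SENSITIVE_FIELDS.has(field) ? REDACTED : value;
}

// Field-level diff: only keys whose value actually changed are recorded.
function diffRecords(before: Rec, after: Rec): Change[] {
  const keys = Array.from(new Set([...Object.keys(before), ...Object.keys(after)])).sort();
  const changes: Change[] = [];
  for (const k of keys) {
    if (JSON.stringify(before[k]) === JSON.stringify(after[k])) continue;
    changes.push({ field: k, before: redact(k, before[k]), after: redact(k, after[k]) });
  }
  return changes;
}

class AuditTrail {
  private readonly entries: AuditEntry[] = [];
  // The only write path: entries are appended and frozen, never edited or removed.
  append(actor: string, action: Action, entity: string, before: Rec, after: Rec, at = new Date()): AuditEntry {
    const entry: AuditEntry = {
      seq: this.entries.length + 1, at: at.toISOString(), actor, action, entity,
      changes: diffRecords(before, after),
    };
    this.entries.push(Object.freeze(entry));
    return entry;
  }
  list(): readonly AuditEntry[] { return [...this.entries]; }
}

// Soft delete as the page describes it: the row stays, status becomes TERMINATED,
// deletedAt/deletedBy are set, and the change is logged with full before/after.
function softDelete(trail: AuditTrail, entity: string, record: Rec, actor: string, at = new Date()): Rec {
  const after: Rec = { ...record, status: "TERMINATED", deletedAt: at.toISOString(), deletedBy: actor };
  trail.append(actor, "delete", entity, record, after, at);
  return after;
}
```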
Purpose-built for Luxembourg financial institutions with CSSF workflows, circular tracking, DORA RoI package generation, and reporting preparation.
Prepare vendor, contract, and service data for the Register of Information, then generate the pre-validated EBA ZIP package for CSSF/eDesk upload.
26 requirements mapped from CSSF Circulars 25/882, 25/881, and 25/883. Track implementation status and evidence per requirement.
Automated deadline tracking across DORA (4h/72h/1mo), NIS2 (24h/72h), CRA (24h/72h/14d), GDPR (72h). Deadlines auto-calculated with visual tracking.
Track ROI submission windows (Feb-Mar), incident notification deadlines, board report dates, and recurring compliance events.
Track cloud officer designation, competency requirements, and CSSF notification deadlines for Luxembourg-regulated entities.
Full lifecycle for Threat-Led Penetration Testing: 3-year test cycles, tester qualification verification (DORA Art. 27), TIBER-EU methodology. CRA vulnerability testing support.
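As an added illustration (example code, not OneComply's own) of the deadline auto-calculation described for DORA Art. 19 major incidents and of the multi-framework deadline tracking above: every milestone is computed from one incident timestamp using exactly the offsets the page lists, and the one-month DORA final deadline handles the end-of-month edge case that naive month arithmetic gets wrong. The reference time (detection/classification), milestone labels and status logic are assumptions; statutory nuances such as the trigger event are not modelled.

```typescript
// Added example, not OneComply code. Reference time, labels and status logic are assumed.
type Framework = "DORA" | "NIS2" | "CRA" | "GDPR";
interface Milestone { label: string; hours?: number; days?: number; months?: number }

// Offsets exactly as the page lists them per framework.
const MILESTONES: Record<Framework, Milestone[]> = {
  DORA: [{ label: "initial", hours: 4 }, { label: "intermediate", hours: 72 }, { label: "final", months: 1 }],
  NIS2: [{ label: "early warning", hours: 24 }, { label: "notification", hours: 72 }],
  CRA: [{ label: "early warning", hours: 24 }, { label: "notification", hours: 72 }, { label: "final report", days: 14 }],
  GDPR: [{ label: "notification", hours: 72 }],
};

// Calendar-month arithmetic in UTC that does not spill into the following month:
// 31 Jan + 1 month is 28 (or 29) Feb, not 3 Mar as a bare setUTCMonth would give.
function addMonthsUtc(d: Date, months: number): Date {
  const r = new Date(d.getTime());
  const day = r.getUTCDate();
  r.setUTCDate(1);
  r.setUTCMonth(r.getUTCMonth() + months);
  const lastDay = new Date(Date.UTC(r.getUTCFullYear(), r.getUTCMonth() + 1, 0)).getUTCDate();
  r.setUTCDate(Math.min(day, lastDay));
  return r;
}

interface Deadline { framework: Framework; label: string; dueAt: string }

// Every milestone is measured from the same reference time (not chained) and the
// result is sorted so a timeline view can render it top to bottom.
function calcDeadlines(detectedAt: Date, frameworks: Framework[]): Deadline[] {
  const out: Deadline[] = [];
  for (const fw of frameworks) {
    for (const m of MILESTONES[fw]) {
      const ms = detectedAt.getTime() + (m.hours ?? 0) * 3_600_000 + (m.days ?? 0) * 86_400_000;
      const due = m.months ? addMonthsUtc(new Date(ms), m.months) : new Date(ms);
      out.push({ framework: fw, label: m.label, dueAt: due.toISOString() });
    }
  }
  return out.sort((a, b) => a.dueAt.localeCompare(b.dueAt));
}

// Status dot for the timeline: completed beats overdue beats upcoming.
function milestoneStatus(d: Deadline, now: Date, completedAt?: Date): "completed" | "overdue" | "upcoming" {
  if (completedAt) return "completed";
  return new Date(d.dueAt).getTime() < now.getTime() ? "overdue" : "upcoming";
}
```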
Built on modern infrastructure for reliability, speed, and compliance.
English, French, German, Italian, Luxembourgish across all pages
3-step guided setup: frameworks, entity profile, compliance mode
6-phase guided journey from setup to audit-readiness with progress tracking
Auto-generated events from database plus fixed recurring regulatory dates
Upload, track expiry, link to controls. Expiry alerts via drift detection
Invite external auditors with three access tiers — read-only, comment, or full — scoped per framework. Time-boxed grants, signed-link invites, every action logged to the audit trail.
Drift detection alerts, expiry notifications, and compliance degradation warnings
Cookie consent, privacy policy, data processing terms, EU data residency
Start your 14-day free trial and see how OneComply helps EU financial institutions run DORA operations and reuse evidence across mapped frameworks.
No credit card required. Cancel anytime.