
Build your evidence library

Last updated on Jun 02, 2026

💡 🔧 Setup — Upload policies, certificates, SBOMs and incident reports to NexCyber's evidence library — the foundation of audit-ready compliance.

Self-assessed scores are a starting point. Evidence-backed scores are what turn a NexCyber report into an audit-ready artefact. The Evidence Library is where you upload, tag, and link the documents that prove each compliance claim.

Evidence is available from the Launch plan onwards (with light mode on Starter).

What counts as evidence

Anything that proves you do what you say you do, in writing:

  • Policies — information security, data retention, vulnerability disclosure, incident response.
  • Certificates — ISO 27001, SOC 2, ISO 9001, sector-specific (EN 18031 for RED).
  • Technical artefacts — SBOMs, penetration test reports, threat models, architecture diagrams.
  • Process records — change management logs, training records, supplier due diligence.
  • External attestations — letters from auditors, customer reference documents.

How to upload

  1. Go to /evidence.
  2. Click "+ Upload" or drag-and-drop directly onto the page.
  3. For each file you upload, NexCyber asks you to tag:
    • Type (Policy · Certificate · Report · Process record · Other)
    • Regulation(s) it supports (CRA · NIS2 · AI Act · DORA · RED, multi-select)
    • Validity start and validity end dates
    • Owner (the teammate accountable for keeping it current)
  4. Click "Save".

Uploads run on EU-hosted storage and are encrypted at rest.

Linking evidence to obligations

This is where the magic happens. After uploading, link each evidence item to one or more obligations in your assessments:

  1. Open an assessment.
  2. Click an obligation marked "Partial" or "Gap".
  3. Click "Attach evidence" and pick from your library.
  4. NexCyber re-scores the obligation. If your evidence covers the obligation in full, it moves to "Covered" automatically.

One evidence document often covers several obligations across multiple regulations — a single vulnerability disclosure policy can satisfy CRA Art. 13, NIS2 Art. 21(2)(j), and DORA Art. 17 simultaneously. Linking it once propagates the coverage everywhere.

Recommended naming convention

Consistent naming makes auditor review dramatically faster. We recommend:

[year]-[type]-[product]-[short-description]-v[version].[ext]

Examples:

  • 2026-policy-acme-iot-vulnerability-disclosure-v2.pdf
  • 2026-sbom-acme-saas-v4.2-spdx.json
  • 2026-cert-acme-corp-iso27001-2025-renewal.pdf

NexCyber doesn't enforce a naming scheme — pick what works for your team and stay consistent.
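A lint script for the convention above, added here as an example (it is not NexCyber's code; NexCyber does not enforce a scheme). It reads the template literally, so the version must sit immediately before the extension: the first of the page's three examples conforms, while the SBOM example (version mid-name) and the certificate example (no version) are reported as non-conforming, which is the kind of drift the check is meant to surface before an auditor does. The type slugs beyond `policy`, `cert` and `sbom`, and the product slugs, are assumptions; relax `NAME_RE` if your team adopts those variants.

```python
import re
from dataclasses import dataclass

# Evidence-type slugs used in file names. "policy", "sbom" and "cert" appear in the page's
# examples; the rest are our assumption, derived from the Type tags on the upload form.
EVIDENCE_TYPES = {"policy", "cert", "sbom", "report", "process", "other"}

# Product slugs are constructed for this example; a real check would load the team's product list.
KNOWN_PRODUCTS = ("acme-iot", "acme-saas", "acme-corp")

# [year]-[type]-[product]-[short-description]-v[version].[ext], read literally:
# the -v[version] must come right before the extension.
NAME_RE = re.compile(
    r"^(?P<year>\d{4})-(?P<type>[a-z]+)-(?P<body>[a-z0-9-]+)"
    r"-v(?P<version>\d+(?:\.\d+)*)\.(?P<ext>[a-z0-9]+)$"
)


@dataclass(frozen=True)
class EvidenceName:
    year: int
    type: str
    product: str
    description: str
    version: str
    ext: str


def parse_evidence_name(filename: str, products=KNOWN_PRODUCTS) -> EvidenceName:
    """Split a file name into the convention's fields; raise ValueError with the reason if it does not conform."""
    m = NAME_RE.match(filename)
    if m is None:
        raise ValueError("does not match [year]-[type]-[product]-[description]-v[version].[ext] "
                         "(the -v[version] must come right before the extension)")
    if m["type"] not in EVIDENCE_TYPES:
        raise ValueError(f"unknown type slug {m['type']!r}")
    body = m["body"]
    # Product and description may both contain hyphens, so the split is only unambiguous
    # against a list of known product slugs; take the longest matching prefix.
    product = max((p for p in products if body.startswith(p + "-")), key=len, default=None)
    if product is None:
        raise ValueError(f"no known product slug at the start of {body!r}")
    description = body[len(product) + 1:]
    if not description:
        raise ValueError("missing short description")
    return EvidenceName(int(m["year"]), m["type"], product, description, m["version"], m["ext"])


def lint_library(filenames) -> dict:
    """Map each file name to None (conforms) or the reason it does not."""
    report = {}
    for name in filenames:
        try:
            parse_evidence_name(name)
            report[name] = None
        except ValueError as exc:
            report[name] = str(exc)
    return report


if __name__ == "__main__":
    # The three names from the help page plus one constructed name with a typo in the type slug.
    sample = [
        "2026-policy-acme-iot-vulnerability-disclosure-v2.pdf",
        "2026-sbom-acme-saas-v4.2-spdx.json",
        "2026-cert-acme-corp-iso27001-2025-renewal.pdf",
        "2026-polcy-acme-iot-incident-response-v1.docx",
    ]
    for name, problem in lint_library(sample).items():
        print(("OK  " if problem is None else "BAD ") + name + (f": {problem}" if problem else ""))
```

Run it over a directory listing of the library export (the ZIP from the bulk download works) to get a per-file conformance report.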

Validity tracking

Every evidence item has a validity window. NexCyber warns you when:

  • An item is within 60 days of expiry (banner on the Evidence page).
  • An item is expired but still attached to obligations (the affected obligations are flagged Partial or Gap).
  • An item's referenced regulation has been updated since the document was issued.

This means your compliance posture automatically decays as policies age — which is exactly what you want, because real compliance does the same.
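The three warning rules above, and the propagation described under "Linking evidence to obligations", as an added worked example in Python (this is not NexCyber's implementation). The evidence library, the obligation ids and the per-regulation "last updated" dates are constructed for the example; the Covered/Partial/Gap rule (every attached item valid gives Covered, a mix of valid and expired gives Partial, nothing valid gives Gap) is an assumption about how an obligation is re-scored, and an item's validity start is treated as its issue date.

```python
from dataclasses import dataclass
from datetime import date, timedelta

EXPIRY_WARNING_DAYS = 60  # the page's banner threshold


@dataclass(frozen=True)
class Evidence:
    name: str
    regulations: frozenset            # regulations the item is tagged as supporting
    valid_from: date                  # validity start (treated here as the issue date)
    valid_to: date                    # validity end
    obligations: frozenset = frozenset()  # obligation ids the item is attached to


# Constructed "last amended" dates per regulation: an assumption for the example, not real dates.
REGULATION_UPDATED = {
    "CRA": date(2026, 3, 1),
    "NIS2": date(2025, 1, 15),
    "DORA": date(2025, 1, 17),
}


def evidence_warnings(item: Evidence, today: date, regulation_updated=REGULATION_UPDATED) -> list:
    """Return the page's three warnings for one item as short codes."""
    warnings = []
    if item.valid_to < today:
        # Expired; the stronger warning applies when it is still attached to obligations.
        warnings.append("expired-attached" if item.obligations else "expired")
    elif item.valid_to - today <= timedelta(days=EXPIRY_WARNING_DAYS):
        warnings.append("expiring")
    for reg in sorted(item.regulations):
        updated = regulation_updated.get(reg)
        if updated is not None and updated > item.valid_from:
            warnings.append(f"regulation-updated:{reg}")
    return warnings


def obligation_status(obligation_id: str, library, today: date) -> str:
    """Re-score one obligation from the evidence attached to it (assumed rule, see lead-in)."""
    attached = [e for e in library if obligation_id in e.obligations]
    valid = [e for e in attached if e.valid_from <= today <= e.valid_to]
    if not valid:
        return "Gap"
    if len(valid) < len(attached):
        return "Partial"  # some attached evidence has expired
    return "Covered"


def posture(library, today: date) -> dict:
    """Status of every obligation that has any evidence attached."""
    ids = sorted({o for e in library for o in e.obligations})
    return {o: obligation_status(o, library, today) for o in ids}


# Constructed library: one vulnerability disclosure policy linked once to obligations in three
# regulations (the propagation case from the page), an expired pentest report, and a long-lived cert.
LIBRARY = [
    Evidence("2026-policy-acme-iot-vulnerability-disclosure-v2.pdf",
             frozenset({"CRA", "NIS2", "DORA"}), date(2025, 6, 1), date(2026, 7, 15),
             frozenset({"CRA-Art13", "NIS2-Art21-2-j", "DORA-Art17"})),
    Evidence("2025-report-acme-iot-pentest-v1.pdf",
             frozenset({"CRA"}), date(2025, 3, 1), date(2026, 3, 1),
             frozenset({"CRA-Art13"})),
    Evidence("2026-cert-acme-corp-iso27001-v1.pdf",
             frozenset({"NIS2"}), date(2026, 1, 10), date(2029, 1, 9),
             frozenset({"NIS2-Art21-2-j"})),
]
TODAY = date(2026, 6, 2)

if __name__ == "__main__":
    for item in LIBRARY:
        print(item.name, evidence_warnings(item, TODAY))
    print(posture(LIBRARY, TODAY))
```

On the constructed data the policy is flagged as expiring (43 days left) and as issued before the assumed CRA amendment, the pentest report is expired but still attached, and CRA Art. 13 drops to Partial while the two obligations covered only by still-valid evidence stay Covered.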

Bulk operations

Select multiple evidence items to:

  • Re-tag in bulk.
  • Reassign owners.
  • Archive when superseded.
  • Download a ZIP of the selection for offline review.

Storage limits

Storage is generous on all paid plans. Free has 5 evidence items visible. Starter has 20. From Launch onwards, the practical limit is the file count per product — usually no constraint for typical compliance libraries.

If you have unusually large files (large penetration test reports, video walkthroughs, etc.), contact us via the chat and we'll help.

→ See "Map existing compliance work to NexCyber obligations"


💬 Need help?

  • Reach out via our live chat (bottom-right) — Captain AI replies instantly, human experts within business hours.
  • Email support@nexcyber.eu with [P1] for Command/Strategic priority issues.

â„šī¸ Disclaimer — RICE provides a readiness analysis, not legal advice. Final compliance may require legal review or notified body certification.

Last reviewed: 2026-06-02 · NexCyber Help Center