Assessments: Your assessment produces a score, a status per obligation, a penalty exposure, and priority actions. Here's how to read each section.
Reading your assessment results
Once you finish a NexCyber assessment, you land on the results page. It's information-dense by design: every section is built to answer a question an auditor, board member, or customer will ask you. This article walks through each section so you can read your results confidently.
The headline score
A single percentage from 0 to 100. It represents the share of applicable obligations you cover today, weighted by criticality.
- 0–40%: substantial gaps, prioritise immediate remediation.
- 40–70%: partial readiness, gaps are addressable but require effort.
- 70–85%: solid baseline, address remaining gaps before audit.
- 85–100%: strong posture, ready for audit-like conversations.
The score is not a marketing badge; it's a deliberate, honest indicator. We never round up.
Applicability summary
A clear "yes / no" for each regulation: does it apply to your company, scoped to this assessment? Each conclusion cites the relevant article and the threshold that triggered it.
If the conclusion is "yes", you'll see the regulation family (essential vs important for NIS2, high-risk vs limited for AI Act, etc.).
The obligation list
The body of the results page. Each obligation appears as a row with:
- Status: Covered · Partial · Gap · Not applicable
- Article anchor: exact regulatory citation (CRA Art. 13(2), NIS2 Art. 21(2)(j), etc.)
- Your answer: what you said during the assessment
- Evidence linked: what you uploaded to back it up
- Suggested action: if Partial / Gap, what would close it
Click any obligation to drill in: full regulatory text excerpt, related obligations, and NexCyber's published crosswalk to ISO 27001 / SOC 2 / NIST CSF / EN 18031.
Priority actions
The Workspace section surfaces the top 3 actions that close the most obligations across regulations. These are typically cross-cutting policies (vulnerability disclosure, incident response, supply-chain due diligence) that satisfy multiple regulations at once. Tackle them first.
Penalty exposure
Your maximum legal exposure if nothing is done, expressed in your local currency. The number comes from the regulation's penalty regime (e.g. NIS2 Art. 32: up to €10M or 2% global turnover, whichever is higher) applied to your declared turnover.
This is a worst-case ceiling, not a guaranteed outcome. It's there to help you size compliance investment proportionate to risk.
Trust Passport preview
A condensed view of your Trust Passport: exactly what a customer or auditor will see when you share the public URL. Verify it reflects your company correctly before sharing.
What to do next
- Address gaps from the priority list, one per week.
- Upload evidence for any obligation marked Partial that you do have proof for.
- Re-run the assessment after each major change to see the score move.
- Share the Trust Passport with the people who asked for it.
- See "Re-running assessments: what changes"
- See "Understand your Trust Passport"
Need help?
- Reach out via our live chat (bottom-right): Captain AI replies instantly, human experts within business hours.
- Email support@nexcyber.eu with [P1] for Command/Strategic priority issues.
Disclaimer: RICE provides a readiness analysis, not legal advice. Final compliance may require legal review or notified body certification.
Last reviewed: 2026-06-02 · NexCyber Help Center