
Understand your Trust Passport

Last updated on Jun 02, 2026

💡 What the Trust Passport is, how to share it with customers and auditors, and how third parties verify its authenticity.



The Trust Passport is one of NexCyber's signature artefacts and, for most customers, the reason they signed up in the first place: a portable, verifiable proof of your compliance posture you can send to anyone in 30 seconds.

It's the lighter, instant counterpart to the MR2C Certificate (expert-signed, see "What is an MR2C Certificate?"). Most companies use both: the Passport every day for partners and customers, the MR2C once or twice a year for regulators and high-stakes audits.

This article explains what's on the Passport, how to share it, and how verification works.

What is the Trust Passport?

After every completed assessment, NexCyber issues a Trust Passport, a digitally signed document that summarises:

  • Who you are: company legal name and country of registration.
  • What was assessed: which regulation, which products or scopes, on which date.
  • Your status: readiness score and high-level applicability decision.
  • Validity: issue date and recommended re-assessment date (typically 6 to 12 months out).
  • A verifiable URL: a public link a third party can open to confirm the Passport is authentic.

Think of it as a compliance credential, analogous to an SSL certificate badge, but for regulatory readiness.

Where to find your Passport

Go to /trust (or click "Trust Passport" in your dashboard). You'll see:

  • The latest Passport for each regulation you've assessed.
  • The full history of past Passports (versioned: each new assessment generates a new Passport; the old one is archived but still verifiable).
  • A "Share" button for each Passport.

You can also download a PDF copy from the same page.

Three ways to share it

1. Public verification URL

The simplest option. Click "Share" on any Passport and copy the public URL. It looks like:

https://nexcyber-eu.vercel.app/verify-passport/<your-passport-id>

Anyone with the link can open it and see:

  • A clean one-page summary of your compliance status.
  • A green ✓ "Verified by NexCyber" badge.
  • The issue date, validity window, and assessment scope.
  • A "Download PDF" button.

The URL is public: anyone with the link can view it. There's no listing or search; only people you give the link to can find it.

2. PDF attachment

Download the PDF from /trust → "Download" and attach it to an email, RFP response, or due diligence questionnaire. The PDF includes:

  • All the information from the public URL.
  • A QR code in the corner that points back to the verification URL.
  • The Passport's cryptographic fingerprint, so an auditor can confirm authenticity offline.

3. Embedded badge (coming soon)

A small HTML snippet you'll be able to paste into your website's footer or your security page. The badge will update automatically when your Passport is renewed and link back to the verification URL. Embedded badges are rolling out for Portfolio, Command and Strategic customers; contact us via the chat if you'd like early access.

How third parties verify it

When someone opens your verification URL, they see:

  1. A green confirmation banner with your company name and the regulation.
  2. The Passport's metadata: issuance, scope, score range.
  3. A "Verified" stamp with a cryptographic timestamp.

NexCyber signs every Passport with a key managed in the EU. The verification page checks the signature server-side; the visitor doesn't need to do anything.

For deeper verification (an auditor checking authenticity in a court setting, for example), each Passport has a unique signed digest. Our public signing key and verification procedure are published on the Trust & Security page so any third party can validate a Passport offline.

How long is it valid?

Passports are issued with a recommended validity window that depends on the regulation:

  • CRA, NIS2, DORA: 6 months (regulatory updates and threat landscape evolve quickly)
  • AI Act, RED: 12 months

After the validity window, the Passport still verifies as authentic but the verification page shows an amber "Re-assessment due" banner. To extend validity, simply re-run the assessment.

Revoking a Passport

If your company name changes, you spin off an entity, or you decommission a product, you can revoke a Passport from /trust → "Revoke". Revoked Passports show a red "Revoked" banner on the verification URL.

Can someone fake a Passport?

No. Every Passport is cryptographically signed by NexCyber's EU-hosted signing service. A fake URL would either fail to verify or point at a different domain. We recommend recipients always check that the verification URL starts with https://nexcyber-eu.vercel.app/verify-passport/.
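The prefix check recommended above can be done on the parsed URL rather than by eye, which also catches look-alike hosts that a quick glance misses. This is an added example, not NexCyber's own code; the single-segment passport id rule and the sample links are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Scheme, host and path prefix come from the article; the rest is an added illustration.
EXPECTED_HOST = "nexcyber-eu.vercel.app"
EXPECTED_PATH_PREFIX = "/verify-passport/"


def check_passport_url(url: str) -> tuple[bool, str]:
    """Return (ok, reason) for a verification link received by e-mail, PDF or QR code."""
    # Parsers silently drop some whitespace/control characters, so reject them up front.
    if any(ch.isspace() or ord(ch) < 0x20 or ch == "\\" for ch in url):
        return False, "whitespace, control character or backslash in URL"
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError as exc:
        return False, f"unparseable URL: {exc}"
    if parts.scheme != "https":
        return False, "scheme is not https"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo before the host (text@host) hides the real host"
    if port not in (None, 443):
        return False, "unexpected port"
    # Exact comparison: rejects look-alike suffixes and non-ASCII homoglyph hosts.
    if parts.hostname != EXPECTED_HOST:
        return False, f"host is {parts.hostname!r}, not {EXPECTED_HOST!r}"
    if not parts.path.startswith(EXPECTED_PATH_PREFIX):
        return False, "path does not start with /verify-passport/"
    passport_id = parts.path[len(EXPECTED_PATH_PREFIX):]
    # Assumption: the passport id is a single path segment.
    if not passport_id or "/" in passport_id or passport_id in (".", ".."):
        return False, "missing or multi-segment passport id"
    return True, "ok"


# Constructed sample links (the id and the example.invalid hosts are made up).
SAMPLES = [
    "https://nexcyber-eu.vercel.app/verify-passport/EXAMPLE-ID-0001",
    "https://nexcyber-eu.vercel.app@example.invalid/verify-passport/EXAMPLE-ID-0001",
    "https://nexcyber-eu.vercel.app.example.invalid/verify-passport/EXAMPLE-ID-0001",
    "https://nexcyber-eu.vercel.\u0430pp/verify-passport/EXAMPLE-ID-0001",  # Cyrillic 'a'
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(check_passport_url(link), link)
```

A link that passes this check still has to be opened to see the banner (verified, re-assessment due, or revoked); the check only confirms the link points at the expected verification endpoint.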

→ See "Run your first compliance assessment": every assessment automatically issues a Passport.



ℹ️ Disclaimer: RICE provides a readiness analysis, not legal advice. Final compliance may require legal review or notified body certification.

Last reviewed: 2026-06-02 · NexCyber Help Center