🛡️ Assessments

Understand your assessment results, Trust Passports, MRCC certificates, and remediation roadmap.

By NexCyber Support and 1 other • 7 articles

How NexCyber decides which regulations apply to you

💡 📊 Assessments — Applicability is the foundation of every assessment. Here's how NexCyber determines which EU cybersecurity regulations are in scope for your company.

EU regulations don't apply uniformly. Some target product manufacturers (CRA, RED). Others target essential and important entities (NIS2). Others target the financial sector (DORA). Others target AI providers and deployers (AI Act). Before you spend time on an assessment, you need to know which ones actually concern you. This article explains how NexCyber decides — transparently, with the legal anchor for every conclusion.

The applicability inputs

NexCyber reads three pieces of your profile to determine applicability:

1. Country of registration — anchors you to EU member state law. NIS2 is a directive, so the national transposition is what binds you, and it can differ in detail between Member States.
2. Sector — drives NIS2 essential / important / out-of-scope classification.
3. Company size (headcount + turnover) — drives the thresholds in NIS2, DORA, and the AI Act.

Plus, for each regulation, a series of regulation-specific questions during the assessment (do you place products on the EU market? do you operate an AI system? do you handle financial data? etc.).

How each regulation's applicability is decided

CRA — Cyber Resilience Act
Applies if you place a product with digital elements on the EU market. Digital elements = software, hardware with connected components, IoT devices, AI systems embedded in products. Full application from 11 December 2027.
Decision anchor: Regulation (EU) 2024/2847, Art. 2.

NIS2
Applies if you operate in one of the 18 sectors listed in Annex I/II of the Directive and you meet the size threshold (medium-sized = 50+ headcount or €10M+ turnover for most sectors). Essential vs important entity classification follows.
Decision anchor: Directive (EU) 2022/2555, Art. 2 + Annexes I/II.

AI Act
Applies if you are a provider (you develop or place an AI system on the EU market) or a deployer (you use an AI system within the EU). Risk tier (prohibited · high-risk · limited · minimal) determines obligations.
Decision anchor: Regulation (EU) 2024/1689, Art. 2-6 + Annex III.

DORA
Applies if you are a financial entity as defined in Art. 2 (banks, payment institutions, insurance, crypto-asset service providers, etc.) or a critical ICT third-party provider to one. Applies from 17 January 2025.
Decision anchor: Regulation (EU) 2022/2554, Art. 2.

RED — Radio Equipment Directive
Applies if you place radio equipment (any device that intentionally emits or receives radio waves for communication or radiodetermination) on the EU market. Cyber requirements apply from 1 August 2025.
Decision anchor: Directive 2014/53/EU + Commission Delegated Regulation (EU) 2022/30.

When you're "not applicable"

This is good news. A regulation that doesn't apply to you is a regulation you can ignore — and we don't bury that finding under a "still recommended" disclaimer. We say plainly: "CRA does not apply to your company because…" with the article and the threshold that excluded you.

You can re-check applicability anytime — if your sector, size, or product mix changes, your applicability picture moves.

What if you're unsure?

Run a Free Scope Review. It takes 5 minutes and gives you a clear applicability map for all five regulations without you committing to a full assessment.

→ See "Reading your assessment results"
→ See "Common mistakes to avoid in your first assessment"

💬 Need help?
- Reach out via our live chat (bottom-right) — Captain AI replies instantly, human experts within business hours.
- Email support@nexcyber.eu with [P1] for Command/Strategic priority issues.

ℹ️ Disclaimer — RICE provides a readiness analysis, not legal advice. Final compliance may require legal review or notified body certification.

Last reviewed: 2026-06-02 · NexCyber Help Center

Last updated on Jun 02, 2026

Reading your assessment results

💡 📊 Assessments — Your assessment produces a score, a status per obligation, a penalty exposure, and priority actions. Here's how to read each section.

Once you finish a NexCyber assessment, you land on the results page. It's information-dense by design — every section is built to answer a question an auditor, board member, or customer will ask you. This article walks through each section so you can read your results confidently.

The headline score

A single percentage from 0 to 100. It represents the share of applicable obligations you cover today, weighted by criticality.

- 0–40% — substantial gaps, prioritise immediate remediation.
- 41–70% — partial readiness, gaps are addressable but require effort.
- 71–85% — solid baseline, address remaining gaps before audit.
- 86–100% — strong posture, ready for audit-like conversations.

The score is not a marketing badge — it's a deliberate, honest indicator. We never round up.

Applicability summary

A clear "yes / no" for each regulation: does it apply to your company, scoped to this assessment? Each conclusion cites the relevant article and the threshold that triggered it. If the conclusion is "yes", you'll see the regulation family (essential vs important for NIS2, high-risk vs limited for the AI Act, etc.).

The obligation list

The body of the results page. Each obligation appears as a row with:

- Status — Covered · Partial · Gap · Not applicable
- Article anchor — exact regulatory citation (CRA Art. 13(2), NIS2 Art. 21(2)(j), etc.)
- Your answer — what you said during the assessment
- Evidence linked — what you uploaded to back it up
- Suggested action — if Partial / Gap, what would close it

Click any obligation to drill in: full regulatory text excerpt, related obligations, NexCyber's published crosswalk to ISO 27001 / SOC 2 / NIST CSF / EN 18031.

Priority actions

The Workspace section surfaces the top 3 actions that close the most obligations across regulations. These are typically cross-cutting policies (vulnerability disclosure, incident response, supply-chain due diligence) that satisfy multiple regulations at once. Tackle them first.

Penalty exposure

Your maximum legal exposure if nothing is done, expressed in your local currency. The number comes from the regulation's penalty regime applied to your declared turnover. For NIS2 that regime is Art. 34: up to €10M or 2% of global annual turnover, whichever is higher, for essential entities; up to €7M or 1.4% for important entities. This is a worst-case ceiling, not a guaranteed outcome. It's there to help you size compliance investment proportionate to risk.

Trust Passport preview

A condensed view of your Trust Passport — exactly what a customer or auditor will see when you share the public URL. Verify it reflects your company correctly before sharing.

What to do next

1. Address gaps from the priority list, one per week.
2. Upload evidence for any obligation marked Partial that you do have proof for.
3. Re-run the assessment after each major change to see the score move.
4. Share the Trust Passport with the people who asked for it.

→ See "Re-running assessments — what changes"
→ See "Understand your Trust Passport"

Last updated on Jun 02, 2026

The five EU regulations NexCyber covers

💡 📊 Assessments — A reference summary of CRA, NIS2, AI Act, DORA, and RED — who they target, what they require, and how NexCyber maps them.

NexCyber natively covers the five EU regulations that together form the new cybersecurity baseline for digital companies operating in or selling to the European market. This article is a reference card — keep it open during your assessment.

CRA — Cyber Resilience Act

Regulation (EU) 2024/2847 · Full application 11 December 2027. The Art. 14 reporting obligations apply earlier, from 11 September 2026.

Targets: anyone who places a product with digital elements on the EU market. Software vendors, IoT manufacturers, embedded device makers, AI providers, hardware companies — all in scope.

Core obligations:
- Annex I Part I — essential cybersecurity requirements + secure-by-default
- Annex I Part II — vulnerability handling + coordinated disclosure + SBOM (Software Bill of Materials)
- Art. 13 — manufacturer obligations (cybersecurity risk assessment, due diligence on third-party components, support period, technical documentation)
- Art. 32 + Annex VIII — conformity assessment route (Module A, B+C or H)
- Art. 14 — reporting of actively exploited vulnerabilities and severe incidents (24h early warning · 72h notification · final report)

Maximum exposure: €15M or 2.5% of global annual turnover (Art. 64).

NIS2 — Network and Information Security Directive 2

Directive (EU) 2022/2555 · Member State transposition deadline 17 October 2024; what binds you is the national law implementing it.

Targets: essential and important entities across 18 sectors — energy, transport, banking, health, digital infrastructure, ICT service management, public administration, manufacturing of computer/electronic products, and more. Size threshold typically medium (50+ headcount or €10M+ turnover).

Core obligations:
- Art. 21 — 10 cybersecurity risk-management measures, including supply-chain security (Art. 21(2)(d))
- Art. 22 — Union-level coordinated security risk assessments of critical supply chains
- Art. 23 — incident reporting cascade (24h early warning · 72h notification · 1 month final)
- Art. 34 — administrative fines up to €10M or 2% of global annual turnover for essential entities, €7M or 1.4% for important entities

AI Act

Regulation (EU) 2024/1689 · Risk-tiered, staggered application: prohibitions since 2 February 2025, GPAI obligations since 2 August 2025, most remaining obligations from 2 August 2026 (high-risk systems that are safety components of Annex I products: 2 August 2027).

Targets: providers (you develop or place an AI system) and deployers (you use an AI system) within the EU.

Risk tier drives obligations:
- Tier 1 — Prohibited (Art. 5): social scoring, manipulative AI, etc. Banned outright.
- Tier 2 — High-risk (Art. 6 + Annex III): credit scoring, employment, education, law enforcement, etc. Major obligations.
- Tier 3 — Limited risk (Art. 50): transparency obligations only (chatbots, deepfakes).
- Tier 4 — Minimal risk: no specific obligations.

Maximum exposure: €35M or 7% of global annual turnover (Tier 1 violations, Art. 99).

DORA — Digital Operational Resilience Act

Regulation (EU) 2022/2554 · Applies since 17 January 2025.

Targets: EU financial entities (banks, payment institutions, insurance, investment firms, crypto-asset service providers, etc.) and their critical ICT third-party providers.

Five pillars:
- Art. 5-14 — ICT risk management framework
- Art. 17-23 — incident classification + reporting
- Art. 24-27 — digital operational resilience testing (incl. TLPT for significant entities)
- Art. 28-30 — ICT third-party risk: register of information, key contractual provisions, exit strategies
- Art. 45 — information + intelligence sharing (voluntary)

Maximum exposure: DORA leaves administrative penalties for financial entities to Member States (Art. 50-51), so the ceiling depends on your national regime. Critical ICT third-party providers face periodic penalty payments of up to 1% of average daily worldwide turnover (Art. 35).

RED — Radio Equipment Directive (Cyber Delegated Act)

Directive 2014/53/EU + Commission Delegated Regulation (EU) 2022/30 · Cyber requirements apply since 1 August 2025.

Targets: manufacturers of radio equipment placed on the EU market (Wi-Fi devices, Bluetooth, cellular, satellite — anything that intentionally emits or receives radio waves).

Three cyber essential requirements activated by the Delegated Regulation:
- Art. 3(3)(d) — protection of the network (no harm to network functioning, no misuse of network resources)
- Art. 3(3)(e) — safeguards for personal data and privacy
- Art. 3(3)(f) — protection from fraud (monetary value)

Harmonised standards: EN 18031-1/-2/-3, one per requirement in that order. Conformity assessment via Module A (self-assessment, available when the harmonised standards are applied in full) or Module B+C (notified body).

Maximum exposure: market withdrawal + national financial penalties.

How to choose your first assessment

Most companies are in scope for two or more regulations. Common combinations:
- Product companies: CRA + NIS2
- AI providers: AI Act + GDPR (separate)
- Financial sector: DORA + NIS2
- IoT manufacturers: CRA + RED + NIS2

Start with the regulation where your deadline is closest, then iterate.

→ See "How NexCyber decides which regulations apply to you"
→ See "Fastest path to your first MRCC Certificate"

Last updated on Jun 02, 2026

Re-running assessments — what changes

💡 📊 Assessments — When and how to re-run a NexCyber assessment, what gets carried over from previous runs, and how your Trust Passport refreshes.

Compliance is a moving target. New regulatory guidance lands every quarter, your evidence library grows, your product evolves, and your readiness picture changes. NexCyber is built around the assumption that you'll re-run assessments regularly — and the second, third, tenth runs should be dramatically faster than the first. This article explains when to re-run, what carries over, and how your Trust Passport / MRCC Certificate behave across re-runs.

When to re-run

Recommended triggers:
- You closed a gap — uploaded new evidence, deployed a new policy, achieved a new certification.
- Your scope changed — new product line, new region, new business unit.
- The regulation moved — new implementing act, RTS, ENISA guidance, sectoral interpretation.
- Trust Passport expiry approaching — typically every 6 to 12 months.
- Before a high-stakes conversation — auditor visit, RFP response, board update.

Most companies settle into a quarterly cadence plus event-driven re-runs.

What carries over

When you click "Re-run assessment" on a previous result, NexCyber pre-fills:
- Your company profile (always current, no re-entry).
- Your previous answers — you only need to update what changed.
- Your evidence library — every previously uploaded document stays linked to the obligations it supports.
- Your scope (company-wide vs product-scoped) — you can override if needed.

A typical re-run takes 2 to 5 minutes instead of the 12 to 15 of the first run.

What changes regulation-side between runs

NexCyber continuously ingests:
- New EU regulatory acts (implementing acts, RTSs, delegated acts).
- ENISA / EBA / ESMA / EIOPA / SRB technical guidance.
- National competent authority interpretations.
- Harmonised standards updates (EN 18031, ETSI publications).

If anything material changed since your last run that affects an obligation you previously answered, the re-run flags it as "Review needed" — your prior answer remains valid until you confirm it still holds.

What changes evidence-side

If any evidence document expired since your last run (e.g. an ISO 27001 certificate that lapsed), the obligations relying on it are automatically flagged. You don't have to track expiry dates yourself.

Score evolution

Each run is dated. Your dashboard shows a score history chart — typically going up over time as you close gaps. Re-running with no change does not move your score; only real evidence does.

Trust Passport on re-run

A new Trust Passport is issued automatically after each completed re-run, with:
- A new issue date.
- A new expiry date (6 or 12 months forward).
- A new unique ID (so the previous Passport URL still verifies as authentic-but-superseded).

If you've embedded a Passport badge on your website, it auto-updates to the new Passport — no manual link change needed.

MRCC Certificate on re-run

MRCC re-issuance is faster than the first issuance:
- No material change — light re-validation, 2 business days.
- Scope change or new regulation — delta review only on the changed parts, 3-4 business days.
- Annual renewal — automatic reminder, click "Renew", review starts.

The previous MRCC remains verifiable indefinitely (with a "superseded" banner pointing to the new one).

Cost of re-running

Re-running an assessment is always free — there's no per-assessment fee on any plan. You're paying for the platform, the regulatory intelligence, and (on Portfolio+) the expert review for MRCC.

→ See "Reading your assessment results"
→ See "Understand your Trust Passport"

Last updated on Jun 02, 2026

Scoring methodology โ€” what the percentage means

💡 📊 Assessments — How NexCyber computes your readiness score, why we never round up, and how to interpret the number in front of an auditor or a board.

The number at the top of your assessment results is the single most-asked-about element of NexCyber. This article makes the methodology fully transparent — what's in the score, what's not, and how to defend it under questioning.

The headline score in one sentence

Your headline score is the share of applicable obligations you cover today, weighted by regulatory criticality.

How it's built

1. Applicable obligations only — obligations marked "Not applicable" never count against you. The denominator is your real perimeter, not a generic checklist.
2. Status weighting — Covered = 1.0, Partial = 0.5, Gap = 0.0. There's no implicit credit for "we're working on it".
3. Criticality weighting — each obligation carries a criticality weight (1 to 5) based on its position in the regulation (an Annex I requirement weighs more than a definitional clause).
4. Sum and normalise — (sum of status × criticality) / (sum of max possible) × 100. The result is a percentage between 0 and 100, displayed as an integer.

Why we never round up

If your real score is 78.4%, we display 78%, not 80%. The displayed integer is the real score truncated, so 78.9% also displays as 78%. Auditors notice rounding. Buyers notice rounding. Your future self running an audit defence notices rounding. We'd rather you see the harder number now.

What's NOT in the score

Several things are deliberately excluded:
- Planned actions — actions you've scheduled but not completed don't count. A roadmap is not coverage.
- Self-attestations without evidence — from the Launch plan onwards, answering "yes" to an obligation without uploading evidence keeps the obligation at Partial, not Covered. The Free and Starter plans can declare coverage without evidence (single-tenant trust).
- Sub-thresholds — partial coverage of an obligation is recorded as Partial (50%), not promoted to Covered. We don't grade on a curve.
- External certifications you cite but haven't proven — claiming ISO 27001 without uploading the certificate does not credit your score.

How to interpret a specific number

| Score | Reading |
|---|---|
| 0-40% | Substantial gaps. Prioritise the top 3 actions in the Workspace. |
| 41-70% | Partial readiness. Address gaps in priority order. |
| 71-85% | Solid baseline. Focus on Partial → Covered transitions for the next audit-like conversation. |
| 86-100% | Strong posture. Maintain through quarterly re-assessment. |

Defending your score under questioning

A common question: "Why isn't this 100%?" The honest answer is that 100% coverage is rare and often suspicious. A 100% Covered status across 30+ obligations means either that the assessment is too shallow, that the evidence isn't being scrutinised, or that the obligations being measured are too generic. A score in the 80s with clearly identified residual gaps reads as mature to an auditor. Trying to display 100% reads as immature — or worse, as overclaiming.

What auditors typically focus on

Audit questions tend to land on:
- Obligations marked Not applicable — they'll want the legal reasoning. NexCyber surfaces it (the article + threshold that excluded you).
- Partial-status obligations — they'll want to see your closure plan. NexCyber's Workspace section gives it to you.
- High-criticality Gap obligations — these are red flags. Address them before audit.

Score history

Every re-run is dated. Your score history chart over the last 12 months gives auditors the trajectory: are you improving, plateauing, or sliding? A clear upward trajectory is one of the strongest signals an auditor can see.

→ See "Reading your assessment results"
→ See "Common mistakes to avoid in your first assessment"
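The scoring rules above are easy to misread in the abstract, so here is the methodology written out as an added example in Python. This is not NexCyber's own code (the platform's implementation is not published here); it models the rules as the article states them: Not applicable obligations leave the denominator, "I don't know" scores as Partial, a Covered claim with no valid evidence stays at Partial when evidence is required, expired evidence is flagged, and the percentage is truncated rather than rounded. The dataclass names, the `require_evidence` switch (standing in for the Free/Starter vs Launch plan difference) and the sample obligation set are assumptions made for illustration.

```python
# Added example (not NexCyber code): a model of the readiness score as the
# methodology article describes it. Names, the sample obligations and the
# `require_evidence` switch are assumptions made for illustration.
from dataclasses import dataclass, field
from datetime import date
from math import floor
from typing import List, Optional

# Status weights from the methodology: no implicit credit for "working on it".
STATUS_WEIGHT = {"Covered": 1.0, "Partial": 0.5, "Gap": 0.0}

# Interpretation bands from the methodology table (upper bound, label).
BANDS = [
    (40, "Substantial gaps"),
    (70, "Partial readiness"),
    (85, "Solid baseline"),
    (100, "Strong posture"),
]


@dataclass
class Evidence:
    name: str
    expires: Optional[date] = None  # None = the document carries no expiry date


@dataclass
class Obligation:
    ref: str          # article anchor, e.g. "CRA Art. 13(2)"
    criticality: int  # 1..5, by position in the regulation
    declared: str     # "Covered", "Partial", "Gap", "Not applicable" or "Unknown"
    evidence: List[Evidence] = field(default_factory=list)


def valid_evidence(ob: Obligation, today: date) -> List[Evidence]:
    """Evidence still usable on `today`: unexpired, or with no expiry at all."""
    return [e for e in ob.evidence if e.expires is None or e.expires >= today]


def effective_status(ob: Obligation, today: date, require_evidence: bool = True) -> Optional[str]:
    """Apply the demotion rules before weighting.

    - Not applicable obligations leave the denominator entirely (None).
    - "I don't know" (Unknown) is scored as Partial.
    - A declared Covered with no valid evidence stays at Partial when the plan
      requires evidence (assumed here to be Launch and above).
    """
    if ob.declared == "Not applicable":
        return None
    if ob.declared == "Unknown":
        return "Partial"
    if ob.declared == "Covered" and require_evidence and not valid_evidence(ob, today):
        return "Partial"
    return ob.declared


def readiness_score(obligations: List[Obligation], today: date, require_evidence: bool = True) -> int:
    """(sum of status x criticality) / (sum of max possible) x 100, truncated.

    floor() implements "we never round up": 78.4 and 78.9 both display as 78.
    """
    earned = possible = 0.0
    for ob in obligations:
        status = effective_status(ob, today, require_evidence)
        if status is None:
            continue
        earned += STATUS_WEIGHT[status] * ob.criticality
        possible += 1.0 * ob.criticality
    if possible == 0:
        return 0
    return floor(earned / possible * 100)


def expired_evidence(obligations: List[Obligation], today: date) -> List[str]:
    """Obligations whose linked evidence has lapsed since upload (re-run flags)."""
    return [ob.ref for ob in obligations
            if any(e.expires is not None and e.expires < today for e in ob.evidence)]


def band(score: int) -> str:
    """Map an integer score to the methodology's interpretation band."""
    for upper, label in BANDS:
        if score <= upper:
            return label
    raise ValueError("score out of range")


# Constructed sample answer set (not real assessment data), evaluated on 2026-06-02.
TODAY = date(2026, 6, 2)
SAMPLE_OBLIGATIONS = [
    Obligation("CRA Art. 13(2)", 5, "Covered", [Evidence("risk-assessment.pdf", date(2027, 1, 31))]),
    Obligation("NIS2 Art. 21(2)(j)", 4, "Covered", [Evidence("iso27001-cert.pdf", date(2025, 12, 31))]),
    Obligation("CRA Annex I Part II", 5, "Covered"),   # claimed, nothing uploaded
    Obligation("NIS2 Art. 23", 3, "Gap"),
    Obligation("DORA Art. 28", 2, "Not applicable"),    # excluded from the denominator
    Obligation("AI Act Art. 50", 1, "Unknown"),          # "I don't know"
]

if __name__ == "__main__":
    s = readiness_score(SAMPLE_OBLIGATIONS, TODAY)
    print(f"score={s}% ({band(s)}); expired evidence on: {expired_evidence(SAMPLE_OBLIGATIONS, TODAY)}")
    print(f"same answers without evidence gating: {readiness_score(SAMPLE_OBLIGATIONS, TODAY, require_evidence=False)}%")
```

The sample set scores 55% with evidence gating (the lapsed ISO 27001 certificate and the undocumented Annex I claim both drop to Partial) and 80% without it, which is the gap between a self-attested number and one an auditor will accept.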

Last updated on Jun 02, 2026

Common mistakes to avoid in your first assessment

💡 📊 Assessments — The eight most common mistakes companies make on their first NexCyber assessment — and how to sidestep them.

After thousands of first assessments, certain patterns repeat. This article calls out the eight most common mistakes so you don't repeat them. None of these are catastrophic — but each one costs you accuracy or time.

1. Picking the most ambitious scope on day one

Symptom: starting with "company-wide CRA + NIS2 + AI Act" on the first assessment.
Better: pick the most urgent regulation, scoped to one product or one entity. Get the methodology right on a narrow scope, then expand. Your second assessment is twice as fast and ten times more accurate.

2. Inflating answers

Symptom: answering "Yes, we have a vulnerability disclosure process" when what you have is a private email address nobody monitors.
Better: answer what you really do today, not what you intend to do. The score reflects current posture, not aspiration. Honest gaps are valuable signal; inflated coverage is a trap.

3. Ignoring the "I don't know" option

Symptom: guessing on questions you're unsure about, especially the technical ones.
Better: pick "I don't know". NexCyber treats it as a Partial gap and surfaces it as a discovery action. Far better than guessing wrong and looking confused under audit.

4. Uploading evidence without tagging it

Symptom: 47 PDFs in your evidence library, none linked to obligations.
Better: after uploading, link each document to the obligations it supports. NexCyber suggests links based on filename and content, but only you can confirm them. Untagged evidence doesn't credit your score.

5. Treating the assessment as a one-off

Symptom: running an assessment once, then disappearing.
Better: schedule a quarterly cadence (or align with your existing risk-review cadence). Compliance moves; your assessment should move with it. Re-runs are fast (2-5 minutes), so the cost is minimal.

6. Not assigning owners to actions

Symptom: the Workspace surfaces 12 priority actions, none of which has an owner.
Better: assign each action to a real teammate from day one. Unowned actions don't get done. Assigned actions trigger reminder notifications.

7. Trying to certify before you're ready

Symptom: requesting an MRCC Certificate while still at 45% readiness.
Better: reach at least 70% before requesting MRCC. The expert review will flag too many gaps and pause the issuance, which adds days to your timeline. Spend a week closing top gaps first.

8. Hiding your gaps from your own team

Symptom: declaring perfect scores internally to avoid uncomfortable conversations.
Better: your gaps are the work. Surface them to your team, your management, your board. The companies that get certified fastest are the ones that treat NexCyber as a shared planning surface — not a scorecard to protect.

A 9th, bonus mistake

Symptom: answering the assessment alone, in 12 minutes, on a Tuesday afternoon.
Better: the first assessment for any non-trivial scope deserves a 45-minute review meeting with your security lead, compliance lead, and product lead together. Better answers, better evidence pointers, better Workspace prioritisation.

→ See "Run your first compliance assessment"
→ See "Scoring methodology — what the percentage means"

Last updated on Jun 02, 2026

EU Regulatory Glossary - functional view

TL;DR — NexCyber RICE covers 5 EU regulatory frameworks. This page is your one-page functional map. Detailed pages live in each section.

🔍 At a glance

| Framework | Scope (functional) | Why it matters |
|---|---|---|
| 🛡️ CRA | Products with digital elements (PDE) | Manufacturers, importers, distributors placing PDEs on the EU market |
| 🌐 NIS2 | Essential & important entities (18 sectors) | Medium/large entities + their suppliers |
| 🤖 AI Act | AI systems & GPAI (risk-tiered) | Providers, deployers, importers, distributors |
| 📡 RED Cyber | Connected radio equipment | Devices processing personal data, traffic, payments |
| 🏦 DORA | Financial sector + critical ICT providers | Banks, insurers, fintechs, their key ICT vendors |

🛡️ CRA — Cyber Resilience Act

Functional scope. Horizontal cybersecurity requirements for products with digital elements (PDE).

Top obligations
- Essential cybersecurity at design & development
- Vulnerability handling (coordinated disclosure, security updates)
- Conformity assessment + CE marking
- Incident & exploited-vulnerability reporting
- Technical documentation + SBOM

RICE helps: scope your product estate, map applicable requirements, surface evidence gaps, ingest SBOMs, build audit-ready dossiers, issue MRCC.
RICE does NOT: act as a notified body, sign your CE declaration, or replace legal counsel.

🌐 NIS2 — Network & Information Security 2

Functional scope. Baseline cybersecurity across essential & important entities, transposed per Member State.

Top obligations
- 10 minimum risk-management measures (incl. supply chain)
- Incident notification: 24h early warning · 72h notification · 1-month report
- Governance & management accountability
- Business continuity & crisis management
- Vulnerability handling & disclosure

RICE helps: map entity classification, surface the 10 measures vs your evidence, track supplier risk, prepare incident-reporting templates.
RICE does NOT: replace national CSIRT/CSA guidance, or your DPO's or CISO's judgment.

🤖 AI Act — Artificial Intelligence Act

Functional scope. Risk-tiered framework: prohibited · high-risk · limited-risk · minimal-risk · GPAI.

Top obligations (high-risk)
- Risk management across the lifecycle
- Data governance & quality (training / validation / test)
- Technical documentation + record-keeping
- Transparency & instructions for use
- Human oversight, accuracy, robustness, cybersecurity
- Conformity assessment + EU declaration + CE marking
- Post-market monitoring + serious-incident reporting

RICE helps: classify AI use cases per tier, map applicable obligations, organize technical docs, prepare GPAI transparency artifacts.
RICE does NOT: run notified body assessment for high-risk AI, or replace your DPIA or fundamental-rights impact assessment.

📡 RED Cyber — Radio Equipment Directive (delegated act)

Functional scope. Cybersecurity essential requirements (Art. 3(3)(d)/(e)/(f)) for radio equipment.

Top obligations
- 3(3)(d) — Network protection
- 3(3)(e) — Personal data & traffic data protection
- 3(3)(f) — Fraud / monetary-value protection
- Conformity via harmonized standards (EN 18031 series) or the notified body route
- Technical file + CE marking

RICE helps: identify applicable sub-requirements, map evidence against harmonized standards, organize test reports, prepare the technical file.
RICE does NOT: run notified body testing or accredited lab measurements.

🏦 DORA — Digital Operational Resilience Act

Functional scope. ICT operational resilience for the financial sector + oversight of critical ICT third-party providers (CTPP).

Top obligations
- ICT risk management framework
- ICT-related incident reporting (classification + timelines)
- Digital operational resilience testing (incl. TLPT for significant entities)
- ICT third-party risk management (register, clauses, exit strategy)
- Information & intelligence sharing (voluntary)

RICE helps: map entity classification, structure the ICT third-party register, surface contract gaps, organize testing evidence, prepare incident-classification templates.
RICE does NOT: substitute for EBA/ESMA/EIOPA decisions, TLPT provider engagement, or internal audit.

🔁 Regulatory overlap

Many obligations cross frameworks — vulnerability handling (CRA, NIS2, DORA), supply-chain risk (NIS2, DORA, AI Act high-risk), incident reporting (CRA, NIS2, DORA). The Cross-Reg Decision Engine lets you assess once and reuse evidence instead of running 5 parallel audits. Always verify, per regulator, that a piece of evidence is acceptable for that specific obligation in its jurisdiction.

🚫 What RICE never does
- Does not issue binding legal opinions
- Does not act as a notified body
- Does not certify your final compliance
- Does not replace your DPO, CISO, internal auditor, or external counsel
- Does not file regulatory notifications on your behalf

RICE prepares you. The final step always involves your team + your legal/certification partners.

➡️ Next steps
- 📊 Run your first assessment → see your scope & gaps
- 🛡️ Reach Trust Passport & MRCC → share readiness
- 💬 Ask NexCyber Support anytime via the chat

Last updated on Jun 02, 2026