
Onboarding

Get started with your first compliance assessment, set up your profile, and orient on the platform.
By NexCyber Support • 10 articles

Welcome to NexCyber — Your first 5 minutes

TL;DR

🚀 5 minutes to your first compliance signal. Create an account, add your product, see which EU regulations apply to you. No commitment.

⏱️ The 5-minute journey

① Create your account (1 min)
- Sign up at nexcyber-eu.vercel.app
- Verify your email
- Pick a temporary plan — you can change anytime

👉 Create your account & verify your email

② Set up your company profile (1 min)
- Company name, jurisdiction, sector
- Used to refine your regulatory scope

👉 Set up your company profile

③ Add your first Regulated Product Estate (1 min)
- One product / one codebase / one EU market exposure
- This is the unit of analysis

👉 Add your first regulated product

④ Run your Scope Review (1 min)
- Answer ~10 questions about your product
- See which frameworks apply (CRA, NIS2, AI Act, RED, DORA)

👉 Run your first compliance assessment

⑤ Read your results (1 min)
- Preview gaps and readiness band
- Decide your next move

👉 Reading your assessment results

🎯 What you'll see after 5 minutes

| Output | Free plan | Paid plans |
|---|---|---|
| 🔍 Scope frameworks | ✅ Preview | ✅ Complete |
| 📊 Gap highlights | ✅ 3-5 representative | ✅ Full + priorities |
| 🛡️ Trust Passport | Preview band | Computed / Evidence-backed |
| 📜 MRCC eligibility | — | Launch+ |

➡️ After the first 5 minutes
- 🎯 Choose the right plan for you
- 📂 Build your evidence library
- 🛡️ Understand your Trust Passport

💬 Need help?
- Reach out via our live chat (bottom-right) — Captain AI replies instantly, human experts within business hours.
- Email support@nexcyber.eu with [P1] for Command/Strategic priority issues.

ℹ️ Disclaimer — RICE provides a readiness analysis, not legal advice. Final compliance may require legal review or notified body certification.

Last reviewed: 2026-06-02 · NexCyber Help Center

Last updated on Jun 02, 2026

Create your account & verify your email

TL;DR

✉️ Sign up in under a minute — name, work email, password. Verify the email link, you're in.

🪜 Steps

1. 🌐 Open nexcyber-eu.vercel.app → click Get Started
2. ✏️ Enter your work email, name, and a strong password
3. 📩 Check your inbox for our verification email
4. 🔗 Click the verification link — your account is live
5. 👋 You land on the onboarding flow

💡 Tips
- ✅ Use your work email (helps us identify your organisation)
- 🔐 Pick a password ≥ 12 chars (we recommend a passphrase or a manager)
- 📧 No verification email? Check spam, then Resend from the login screen

🚧 Troubleshooting

| Issue | Fix |
|---|---|
| Email not received | Check spam · Resend · Try alternate address |
| Verification link expired | Request a new one (24h validity) |
| Email already in use | Use Reset password instead |

➡️ Next
- 🏢 Set up your company profile
- 🔐 Login options & SSO

Last updated on Jun 02, 2026

Choose the right plan for you

💡 Compare NexCyber's Free, Starter, Launch, Portfolio, Command and Strategic plans to find the one that fits your stage.

NexCyber has six plans, designed to match where your company is on its regulatory journey — from "I just want to see where we stand" to "we run regulated products across multiple entities". This article helps you pick the right one in 2 minutes.

You can always upgrade or downgrade later, and your data follows you across plans.

Quick decision tree

- Just exploring? → Start with Free.
- One regulated product, getting ready to launch? → Launch.
- Two or more regulated products? → Portfolio.
- Large enterprise with continuous compliance needs? → Command or Strategic.

The six plans at a glance

Free Scope Review — €0

A no-strings-attached scoping pass. You answer a short questionnaire and get a high-level view of which regulations apply to you and a draft PDF report (watermarked).

Best for: founders, compliance leads scoping the work, anyone curious about what NexCyber does.

Limits: 1 product scope · up to 5 obligations visible · draft watermarked report.

Starter — €490/year

The first paid tier. Removes most Free limits and unlocks the full obligation list for your product, with a clean (non-watermarked) PDF report.

Best for: small teams who want a real readiness check on one regulation, fast.

Launch — €828/year

For companies bringing their first regulated product to market. Adds the Decision Workspace, evidence upload, penalty detail per obligation, and a higher-quality PDF.

Best for: seed-to-Series-A companies with one regulated product (a connected device, an AI system, a financial app, etc.) preparing for first sale or audit.

Portfolio — €3,480/year

For companies managing multiple regulated product lines. Includes everything in Launch, plus multi-product management, MRCC certificates, audit logs, and continuous monitoring.

Best for: scale-ups, multi-product B2B SaaS, IoT manufacturers with several SKUs.

Command — €8,280/year

Enterprise-grade product compliance at scale. Adds API access, CI/CD integration, supplier workflows, multi-tenant, and the highest support tier.

Best for: mid-market and enterprise companies with internal compliance, security and product teams who need NexCyber wired into their stack.

Strategic — €5,988/year

Built for large regulated portfolios, multi-entity governance, and premium readiness programmes. Includes white-glove onboarding, dedicated CSM, and quarterly executive reviews.

Best for: regulated incumbents (financial, healthcare, energy) with multi-entity structures and board-level reporting needs.

What's locked behind paid plans?

The most common features people ask about:

- Full obligation list (not just first 5) — from Starter
- Clean (non-watermarked) PDF report — from Starter
- Decision Workspace — from Launch
- Evidence upload — from Launch
- MRCC certificate — from Portfolio (draft) / Command and Strategic (full)
- Multi-tenant management — from Portfolio
- API access — from Command
- Dedicated Customer Success Manager — from Command
- Premium success layer & quarterly executive reviews — Strategic

How to upgrade

1. Go to Settings → Subscription (or visit /subscription directly).
2. Pick the plan you want, click "Upgrade".
3. You're redirected to a secure checkout (Stripe). Pay by card or SEPA.
4. Your new plan is active immediately — no downtime, no data migration.

What about discounts?

- Annual billing is already priced in (no monthly upsell).
- Startup / NGO pricing — contact us via the chat for a tailored quote.
- Multi-year commitments — Strategic plan only, contact sales.

→ See "Run your first compliance assessment" once you've chosen.

Last updated on Jun 02, 2026

Set up your company profile

💡 Fill in your company profile in 2 minutes — it's how NexCyber decides which EU regulations apply to you.

Your company profile is the foundation of every assessment. NexCyber uses it to determine which EU regulations apply to your company, what penalties you face, and which obligations to highlight first.

Spend 2 minutes here and the rest of the platform becomes dramatically more useful.

Why it matters

EU regulations don't apply uniformly to every company. For example:

- NIS2 kicks in based on your sector and your headcount + turnover thresholds.
- CRA depends on whether you place a product with digital elements on the EU market.
- AI Act depends on whether you provide or deploy an AI system, and at what risk level.
- DORA is specific to the financial sector and its ICT providers.

If your profile is wrong, your applicability analysis is wrong. Take the extra minute.

Where to find it

Go to /profile (top-right menu → "Profile") or /organization for company-level fields.

The profile is split into two sections:

1. Personal — your name, role, and contact preferences.
2. Organization — your company information (the part that drives regulation applicability).

Required fields

Legal company name

Use the exact name as it appears on your incorporation certificate or company register entry. If you operate under a trading name, put both: Acme Operations Ltd (trading as Acme).

Country of registration

The EU member state where your company is registered. This affects:

- Which national competent authority oversees you for NIS2
- Which currency your fines are denominated in
- Which CSIRT you report incidents to

Sector

Pick the closest match from the dropdown. The list follows NACE / NIS2 sector codes:

- Energy, Transport, Banking, Financial market infrastructures, Health, Drinking water, Digital infrastructure, ICT service management, Public administration, Space, Postal services, Waste management, Manufacture of medical devices, Manufacture of computer/electronic/optical products, Manufacture of motor vehicles, etc.

If your activity spans multiple sectors, pick the dominant one by revenue. You can mark secondary sectors later.

Company size

- Micro — fewer than 10 employees and ≤ €2M turnover
- Small — fewer than 50 employees and ≤ €10M turnover
- Medium — fewer than 250 employees and ≤ €50M turnover
- Large — 250+ employees or > €50M turnover

This is the EU definition (Recommendation 2003/361/EC). Use whichever ceiling you hit first (headcount or turnover).

Product or service description

One or two sentences. Examples:

- "Cloud-based payroll software for European SMEs."
- "Connected industrial sensors for water utilities."
- "Generative AI chatbot for customer support, sold to mid-market companies."

This helps the platform refine which obligations are likely to matter to you.

Optional fields (recommended)

- VAT number — used for the PDF report header and any audit-ready document.
- Operating member states — beyond your country of registration, where else you place products or have customers.
- Estimated annual turnover — helps refine maximum penalty exposure.

Editing later

Everything in your profile is editable at any time. Changes immediately update:

- Your applicability analysis (re-run assessments to see the new picture).
- The penalty exposure shown on each obligation.
- The Trust Passport metadata.

Privacy

Your company profile is stored on EU-hosted infrastructure (Germany), encrypted at rest, and never shared with third parties for marketing. See our Privacy Policy and DPA for the full detail.

→ Next: invite your team or run your first assessment.

Last updated on Jun 02, 2026

Invite your team & understand roles

💡 Add team members to your NexCyber workspace, choose the right role for each, and manage access over time.

Compliance is rarely a solo sport. NexCyber lets you invite teammates — compliance leads, security engineers, product managers, executives — and gives each of them the right level of access.

This article walks you through inviting, role selection, and ongoing management.

When to invite teammates

You can invite teammates at any time after your account is verified. The most common patterns:

- Day 1 — invite your CISO or compliance lead so they see the same assessment you do.
- Pre-audit — invite an external consultant or auditor with view-only access.
- Post-launch — invite product managers responsible for specific products under compliance.

Team management is available from the Launch plan and above. On Free and Starter, only the account creator has access.

How to invite

1. Go to Settings → Team (or visit /team directly).
2. Click "Invite member".
3. Enter:
   - Email address (work email recommended)
   - Role (see below)
4. Click "Send invitation".

The invitee gets an email with a one-click link to join. The link is valid for 7 days. If it expires, you can resend it from the Team page.

Understanding the roles

NexCyber uses a simple two-tier role model out of the box:

Admin

- Can do everything the account owner can, except delete the company account or transfer ownership.
- Sees and edits all assessments, products, evidence, and the Trust Passport.
- Can invite, remove, and change roles of other users.
- Can change the subscription plan and billing details.

Use for: co-founders, CISO, head of compliance, head of product.

Member

- Can view and contribute to assessments and evidence.
- Cannot invite users, change roles, or modify billing.
- Cannot delete data.

Use for: product managers, engineers, contributors, individual contributors.

External auditors: for auditors and consultants who only need to see results, we recommend creating a Member account and sharing the Trust Passport URL for their review. Granular auditor roles are on our roadmap.

Removing a member

1. Go to Settings → Team.
2. Click the member's row.
3. Click "Remove".

The user immediately loses access. Their contributions (uploaded evidence, comments, assessments) remain attributed to them but read-only.

Changing a role

Click the member's row, then "Change role". The change is instant and the affected user sees the new permissions on their next page load.

What about ownership transfer?

If you're the account creator and want to hand the company over to someone else (e.g. you're leaving the company), open a chat with us — we handle ownership transfers manually to avoid lockouts.

Audit trail

Every team action (invite, remove, role change) is recorded in your audit log on the Portfolio plan and above.

→ See "Set your notification preferences" to control how each teammate gets notified.

Last updated on Jun 02, 2026

Login options & Single Sign-On (SSO)

💡 How to log in to NexCyber today, what SSO providers we plan to support, and how to request early access.

This article covers how you and your team sign in to NexCyber — what's available today, what's coming, and how to keep your login secure.

What's available today

NexCyber supports email + password authentication for every plan. Specifically:

- Email/password sign-in at /login
- Password reset by email
- Email verification (required on signup)
- Session cookies are HttpOnly, Secure, SameSite=Lax — they cannot be read by JavaScript and are protected against the most common session attacks
- Sessions expire after a period of inactivity to keep your account secure

Each member of your team uses their own email/password — no shared accounts.

Password best practices

- At least 12 characters, with a mix of letters, numbers and a symbol.
- Don't reuse passwords across services. We recommend a password manager (Bitwarden, 1Password, KeePassXC, the built-in browser manager).
- Change your password immediately if you suspect it's been compromised — go to /profile → Security → Change password.

Two-factor authentication (2FA)

2FA is on our roadmap. We plan to support:

- TOTP authenticator apps (Google Authenticator, Authy, 1Password, Bitwarden)
- WebAuthn / hardware keys (YubiKey, Titan, Solo Key)

You'll be notified by email when 2FA becomes available — no migration needed on your side.

Single Sign-On (SSO)

SSO is on our roadmap. We plan to support:

- Google Workspace — OAuth 2.0
- Microsoft Entra ID (formerly Azure AD) — SAML 2.0
- Okta — SAML 2.0
- Generic SAML 2.0 — for any IdP that speaks SAML

If SSO is a hard requirement for your evaluation, contact us via the chat — we prioritise SSO rollout for committed customers on Command and Strategic plans.

What about SCIM / automatic provisioning?

SCIM 2.0 (automatic user provisioning and de-provisioning from your IdP) is on our roadmap, available with SSO.

Security questions

- Where is my session stored? In an HttpOnly cookie on your browser, scoped to .nexcyber.eu. Never in localStorage or sessionStorage.
- Can I log out remotely? Yes — go to /profile → Security → Active sessions to revoke any session.
- What happens if my account is compromised? Use the chat or email security@nexcyber.eu — we can lock the account, force a password reset, and trigger an audit trail review.

→ See "Set your notification preferences"
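The session-cookie attributes listed above (HttpOnly, Secure, SameSite, and the .nexcyber.eu scope) can be checked from a response's Set-Cookie header. The following is an added example, not NexCyber's code; the cookie name `session` and both sample headers are constructed for illustration.

```python
# Added example: audit one Set-Cookie header value for the attributes the
# article describes. Sample headers below are constructed, not captured.

def parse_set_cookie(header):
    """Split a Set-Cookie value into its name, value and attribute dict."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    if not parts or "=" not in parts[0]:
        raise ValueError("not a Set-Cookie value: missing name=value pair")
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, sep, val = part.partition("=")
        # Attribute names are case-insensitive; flags carry no value.
        attrs[key.strip().lower()] = val.strip() if sep else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def audit_session_cookie(header, expected_domain=None):
    """Return a list of findings; an empty list means every check passed."""
    attrs = parse_set_cookie(header)["attrs"]
    findings = []
    if attrs.get("httponly") is not True:
        findings.append("missing HttpOnly: cookie is readable from JavaScript")
    if attrs.get("secure") is not True:
        findings.append("missing Secure: cookie may be sent over plain HTTP")
    samesite = attrs.get("samesite")
    if samesite is None or samesite is True:
        findings.append("missing SameSite: behaviour is left to browser defaults")
    elif samesite.lower() not in ("lax", "strict"):
        findings.append(f"SameSite={samesite}: cookie is sent on cross-site requests")
    domain = attrs.get("domain")
    # A cookie with no Domain attribute is host-only, which is narrower than
    # any Domain scope, so only an unexpected explicit Domain is reported.
    if expected_domain and isinstance(domain, str):
        if domain.lstrip(".").lower() != expected_domain.lstrip(".").lower():
            findings.append(f"Domain={domain}: wider or different scope than expected")
    return findings


# Constructed sample headers (the cookie name "session" is an assumption).
GOOD = "session=EXAMPLE; Path=/; Domain=.nexcyber.eu; HttpOnly; Secure; SameSite=Lax"
WEAK = "session=EXAMPLE; Path=/; Domain=.example.test; SameSite=None"

if __name__ == "__main__":
    for label, header in (("good", GOOD), ("weak", WEAK)):
        print(label, audit_session_cookie(header, expected_domain="nexcyber.eu"))
```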

Last updated on Jun 02, 2026

Set your notification preferences

💡 Control how NexCyber notifies you — email, in-app, and the weekly Regulatory Signal newsletter.

Compliance moves at the pace of EU regulators — meaning a few critical updates a year that you absolutely cannot miss, and a lot of noise in between. NexCyber's notification system is built to surface the signal without burying you in alerts.

The three channels

NexCyber sends you information through three channels. You control each one independently.

1. In-app notifications

The bell icon in the top-right corner of every page shows your unread notifications. Click it to see:

- Deadline reminders (e.g. "DORA enforcement in 14 days")
- New regulation updates we've ingested ("Implementing Act adopted for…")
- Workspace changes (someone on your team uploaded evidence, completed an assessment, etc.)

In-app notifications are always on — you can mark items as read but cannot disable the channel.

2. Email notifications

These are the alerts you'd want to wake up to. Configurable from /profile/notifications:

- Account & security — login from a new device, password changes, role updates. (Cannot be disabled — security baseline.)
- Deadline reminders — 90, 60, 30, 14, 7, 1 day before each regulation deadline that applies to you.
- Regulation updates — when EU institutions adopt a new implementing act, RTS, or guidance that affects you.
- Team activity — assessments completed, evidence uploaded, comments on items you own.
- Weekly digest — a Friday summary of everything that happened in your workspace.

For each category you can choose:

- Off (no email)
- Immediate (email as soon as the event happens)
- Digest (rolled up into your weekly summary)

3. The Regulatory Signal newsletter

A separate weekly newsletter that goes to every subscriber regardless of plan. Five regulatory updates that matter for digital product makers plus one curated deep-dive. No spam, no third-party trackers, unsubscribe in one click.

Subscribe from the signup form in the footer of any page on nexcyber-eu.vercel.app. Unsubscribing from the newsletter does not affect your account notifications.

Where to change your preferences

1. Click your avatar (top-right) → "Profile".
2. Click the "Notifications" tab (or visit /profile/notifications).
3. Toggle each category to your preference and click "Save".

Changes apply immediately — no restart, no logout.

Recommended starting setup

For most new users we recommend:

- Account & security — ON (always-on anyway)
- Deadline reminders — Immediate
- Regulation updates — Digest
- Team activity — Digest
- Weekly digest — ON

This gives you fast alerts on what's urgent and time-sensitive, and a calm Friday summary of everything else.

What happens if I miss a notification?

Every email is also recorded as an in-app notification. Open the bell icon to see the full history (last 90 days). Beyond 90 days, look in your audit log on the Portfolio plan and above.

Email frequency

We're careful not to send too many emails:

- Alerts are de-duplicated and rate-limited so you never get the same notification twice.
- Digests are sent at most once per week per category.
- The Regulatory Signal newsletter is strictly weekly.

If you ever feel we're emailing you too much, hit the chat — we'd rather know early.

→ See "Run your first compliance assessment"

Last updated on Jun 02, 2026

Run your first compliance assessment

TL;DR

🔍 10 minutes to a regulatory scope + first gaps. No card needed for the Free Scope Review.

🪜 The flow

1️⃣ Pick the estate

You'll assess one Regulated Product Estate at a time. Add one if you haven't.

2️⃣ Answer the scoping questions (~10)
- 🌍 Where do you sell?
- 🔗 Is the product connected?
- 🧠 Does it use AI?
- 📡 Does it use radio?
- 🏦 Is your customer base in financial services?

3️⃣ Get your scope output
- Frameworks applying (CRA, NIS2, AI Act, RED, DORA, multi)
- Top representative obligations
- Preview gaps (3-5)

4️⃣ Review the gaps
- 🔴 Critical — block compliance
- 🟠 High — actively monitored
- 🟡 Medium — to plan
- ⚪ Info — context only

5️⃣ Decide next move

| What you see | What to do |
|---|---|
| You're in scope | Upgrade to a paid plan for full analysis |
| You're not in scope | Keep your Trust Passport for transparency |
| Mixed signals | Re-run with refined inputs OR talk to us |

💡 Free vs Paid
- Free Scope Review = preview (representative gaps, frameworks list)
- Paid plans = complete gap, save & resume, evidence upload, Trust Passport, MRCC

➡️ Next
- 📊 Reading your assessment results
- 📊 Scoring methodology
- 🎯 Choose the right plan

Last updated on Jun 02, 2026

Understand your Trust Passport

💡 What the Trust Passport is, how to share it with customers and auditors, and how third parties verify its authenticity.

The Trust Passport is one of NexCyber's signature artefacts and, for most customers, the reason they signed up in the first place: a portable, verifiable proof of your compliance posture you can send to anyone in 30 seconds.

It's the lighter, instant counterpart to the MR2C Certificate (expert-signed, see "What is an MR2C Certificate?"). Most companies use both — the Passport every day for partners and customers, the MR2C once or twice a year for regulators and high-stakes audits.

This article explains what's on the Passport, how to share it, and how verification works.

What is the Trust Passport?

After every completed assessment, NexCyber issues a Trust Passport — a digitally signed document that summarises:

- Who you are — company legal name and country of registration.
- What was assessed — which regulation, which products or scopes, on which date.
- Your status — readiness score and high-level applicability decision.
- Validity — issue date and recommended re-assessment date (typically 6 to 12 months out).
- A verifiable URL — a public link a third party can open to confirm the Passport is authentic.

Think of it as a compliance credential — analogous to an SSL certificate badge, but for regulatory readiness.

Where to find your Passport

Go to /trust (or click "Trust Passport" in your dashboard). You'll see:

- The latest Passport for each regulation you've assessed.
- The full history of past Passports (versioned — each new assessment generates a new Passport, the old one is archived but still verifiable).
- A "Share" button for each Passport.

You can also download a PDF copy from the same page.

Three ways to share it

1. Public verification URL

The simplest option. Click "Share" on any Passport and copy the public URL. It looks like:

https://nexcyber-eu.vercel.app/verify-passport/<your-passport-id>

Anyone with the link can open it and see:

- A clean one-page summary of your compliance status.
- A green ✓ "Verified by NexCyber" badge.
- The issue date, validity window, and assessment scope.
- A "Download PDF" button.

The URL is public — anyone with the link can view it. There's no listing or search; only people you give the link to can find it.

2. PDF attachment

Download the PDF from /trust → "Download" and attach it to an email, RFP response, or due diligence questionnaire. The PDF includes:

- All the information from the public URL.
- A QR code in the corner that points back to the verification URL.
- The Passport's cryptographic fingerprint, so an auditor can confirm authenticity offline.

3. Embedded badge (coming soon)

A small HTML snippet you'll be able to paste into your website's footer or your security page. The badge will update automatically when your Passport is renewed and link back to the verification URL.

Embedded badges are rolling out for Portfolio, Command and Strategic customers — contact us via the chat if you'd like early access.

How third parties verify it

When someone opens your verification URL, they see:

1. A green confirmation banner with your company name and the regulation.
2. The Passport's metadata — issuance, scope, score range.
3. A "Verified" stamp with a cryptographic timestamp.

NexCyber signs every Passport with a key managed in the EU. The verification page checks the signature server-side; the visitor doesn't need to do anything.

For deeper verification (an auditor checking authenticity in a court setting, for example), each Passport has a unique signed digest. Our public signing key and verification procedure are published on the Trust & Security page so any third party can validate a Passport offline.

How long is it valid?

Passports are issued with a recommended validity window that depends on the regulation:

- CRA, NIS2, DORA — 6 months (regulatory updates and threat landscape evolve quickly)
- AI Act, RED — 12 months

After the validity window, the Passport still verifies as authentic but the verification page shows an amber "Re-assessment due" banner. To extend validity, simply re-run the assessment.

Revoking a Passport

If your company name changes, you spin off an entity, or you decommission a product, you can revoke a Passport from /trust → "Revoke". Revoked Passports show a red "Revoked" banner on the verification URL.

Can someone fake a Passport?

No. Every Passport is cryptographically signed by NexCyber's EU-hosted signing service. A fake URL would either fail to verify or point at a different domain. We recommend recipients always check that the verification URL starts with https://nexcyber-eu.vercel.app/verify-passport/.

→ See "Run your first compliance assessment" — every assessment automatically issues a Passport.
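A recipient who processes many Passports can turn the URL check recommended above into a parser-based test instead of comparing by eye. The following is an added example, not NexCyber's code: the function name is hypothetical, the passport-id character set is an assumption (the article does not define the id format), and the sample URLs are constructed.

```python
# Added example: check a received link against the verification URL form the
# article gives, https://nexcyber-eu.vercel.app/verify-passport/<id>.
import re
from urllib.parse import urlsplit

EXPECTED_HOST = "nexcyber-eu.vercel.app"
EXPECTED_PATH_PREFIX = "/verify-passport/"
# Assumption: an id is one path segment of letters, digits, "-" and "_".
PASSPORT_ID_RE = re.compile(r"[A-Za-z0-9_-]+")


def check_passport_url(url):
    """Return (True, passport_id) or (False, reason)."""
    try:
        parts = urlsplit(url.strip())
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return False, "malformed URL"
    if parts.scheme != "https":
        return False, "scheme is not https"
    if "@" in parts.netloc:
        # Text before "@" is userinfo, not the host the browser connects to.
        return False, "URL contains userinfo before the host"
    if parts.hostname != EXPECTED_HOST:
        return False, "host is not " + EXPECTED_HOST
    if port not in (None, 443):
        return False, "unexpected port"
    if not parts.path.startswith(EXPECTED_PATH_PREFIX):
        return False, "path is not under " + EXPECTED_PATH_PREFIX
    passport_id = parts.path[len(EXPECTED_PATH_PREFIX):]
    if not PASSPORT_ID_RE.fullmatch(passport_id):
        # Rejects empty ids, extra segments and dot segments such as "..".
        return False, "passport id is not a single plain path segment"
    return True, passport_id


# Constructed sample links; "abc123" is a placeholder id.
SAMPLES = [
    "https://nexcyber-eu.vercel.app/verify-passport/abc123",
    "HTTPS://NexCyber-EU.vercel.app/verify-passport/abc123",
    "http://nexcyber-eu.vercel.app/verify-passport/abc123",
    "https://nexcyber-eu.vercel.app.example.com/verify-passport/abc123",
    "https://nexcyber-eu.vercel.app@example.com/verify-passport/abc123",
    "https://nexcyber-eu.vercel.app/verify-passport/../login",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(check_passport_url(sample), sample)
```

A passing result only confirms where the link points; the Passport's status still comes from the verification page itself.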

Last updated on Jun 02, 2026

Next steps after onboarding

💡 You've finished onboarding — here's how to turn NexCyber into a steady compliance engine for your company.

You've created your account, set up your company profile, run your first assessment, and downloaded your first Trust Passport. Welcome to the calmer side of EU compliance.

This article is the bridge between "I'm set up" and "compliance is now a habit, not a fire drill". Here are the moves that take you from a one-off assessment to a steady compliance engine.

1. Address your top gaps

Your first assessment likely surfaced a handful of obligations marked Partial or Gap. The Workspace shows you the top 3 actions that close the most gaps in the least time.

Tips for tackling them:

- Pick one gap per week. Compliance fatigue is real; small steady wins compound faster than heroic sprints.
- Cross-regulation actions first. A vulnerability disclosure policy can close gaps in CRA, NIS2 and DORA simultaneously. Tackle those before single-regulation actions.
- Assign owners. In the Workspace, click any action to assign it to a teammate. They'll get an email and an in-app notification.

2. Upload evidence

From the Launch plan onwards, you can upload evidence — policies, certificates, SBOMs, incident response plans — and attach it directly to obligations. Two big wins:

- Higher accuracy — your readiness score moves from self-assessed to evidence-backed.
- Audit-ready — an auditor can click straight through from an obligation to the document that proves it.

Go to /evidence to start uploading. Drag-and-drop is supported. If you have files larger than the upload limit, contact us via the chat and we'll help.

3. Track your deadlines

Each regulation has firm enforcement dates. NexCyber tracks them for you on your dashboard's Timeline widget. For each upcoming deadline:

- See how many days remain.
- See which obligations of yours are still in Partial or Gap status.
- Click through to the relevant Workspace action.

You'll also get email reminders at 90, 60, 30, 14, 7 and 1 day before each deadline (configurable in your notification preferences).

4. Explore the Decision Center (Workspace)

The Workspace is where cross-regulation magic happens. It shows you obligations grouped by shared control rather than by regulation — so you see at a glance that "publishing a coordinated vulnerability disclosure policy" satisfies CRA Art. 13, NIS2 Art. 21(2)(j) and DORA Art. 17 in a single move.

For most teams the Workspace becomes the daily landing page within 2 weeks.

5. Run a second regulation

Most NexCyber customers are subject to at least two regulations — typically CRA + NIS2 (product companies), AI Act + GDPR (AI providers), or DORA + NIS2 (financial entities + ICT providers).

Running a second assessment usually takes less time than the first because:

- Your company profile is already set up.
- Many evidence items you uploaded are reusable.
- The Workspace surfaces shared controls.

6. Subscribe to The Regulatory Signal

EU regulation moves. Implementing acts, RTSs, ENISA guidance, national transpositions — there are dozens of relevant updates every year. The Regulatory Signal is our weekly newsletter that picks the 5 updates that actually matter for digital product makers, plus one curated deep-dive.

Subscribe from the signup form in the footer of any page on nexcyber-eu.vercel.app.

7. Schedule a quarterly check-in

For most companies, compliance is best treated as a quarterly cadence:

- Q1 — re-run assessments for any regulation with a deadline in the next 6 months.
- Q2 — update your evidence library (renewed certificates, updated policies, new product releases).
- Q3 — review your Trust Passport and renew if validity is below 60 days.
- Q4 — board update with the audit-ready PDF report.

Add a recurring calendar reminder, or ask us in the chat to set one up via your team's preferred tool.

8. Talk to us when you need a human

NexCyber's team is small, EU-based, and includes people who've worked inside regulators, big-4 audit and product companies. We respond to chat within 24 hours on business days, and to contact@nexcyber.eu the same way.

Command and Strategic plan customers have a dedicated Customer Success Manager available for regular review calls.

You're set

That's onboarding. The rest is steady work — and you have the tools to keep it boring (in the best way).

Welcome to NexCyber. We're glad you're here.

Last updated on Jun 02, 2026