The GRC, TPRM and resilience workspace built for ISO 27001, NIS2 and DORA.
Nexelora keeps your compliance program, your supply chain and your continuity plans on the same source of truth. Run assessments, treat risks with a full audit trail, manage incidents with regulator-ready timers, and close them with a dual-control sign-off.
- ISO Annex A controls: 93
- Mandatory policies: 27
- NIS2 / DORA timers: 24h · 72h · 1m
- Audit trail: every change
GRC, TPRM and Resilience — on the same source of truth.
The same business processes drive your continuity plans, your risk register, and the criticality of your third parties. We model that once — then thread the audit trail through every assessment, treatment, vendor review and incident.
GRC
Run the compliance journey end to end: assessments, Statement of Applicability, risks with a full audit trail, controls, policies and evidence.
- Maturity assessments seeded with the ISO 27001 Annex A catalog
- Risk register with inherent / residual scoring, treatments, and a per-risk timeline of every status, score and treatment change
- Treatment closure with mandatory note + optional evidence, and a residual-reassessment prompt on completion
- 27 mandatory policies, versioned, owned and acknowledged
TPRM
Map your supply chain, classify ICT and critical providers, link them to the risks they carry, and pull NIS2 / DORA evidence on demand.
- ICT and critical-function flags per vendor (NIS2 Art. 21(2)(d))
- Vendor detail with a Risks tab — see every risk tied to a third party in one place
- Concentration risk and attestation gap surfacing
- Token-based vendor portal for questionnaires
Resilience
Map business processes, score impact, set RTO / RPO targets, and link continuity plans. Critical processes drive your risks and incident severity.
- Process catalogue with impact scoring and resilience tier
- RTO / RPO targets with at-risk surfacing
- Continuity plans with reviewers, review cadence and pagination
- Direct line to NIS2 Art. 21(2)(c) requirements
Third-party risk you can actually defend in audit.
Auditors don't fail you on a missing vendor — they fail you on a vendor with no attestation, a critical function with no second source, or a supply chain with no concentration view. TPRM 2.0 makes those three things obvious.
- ICT & critical-function flags: each vendor carries explicit flags for NIS2 Art. 21(2)(d) and DORA Art. 28 scoping, so the right governance is applied automatically.
- Concentration risk: see at a glance how many critical processes depend on the same provider, and which providers cluster around your most fragile RTOs.
- NIS2 supply-chain coverage: automatic surfacing of ICT vendors missing a current attestation, a common audit finding under NIS2.
- Vendor portal: token-based access lets third parties fill in questionnaires and refresh attestations directly on your tenant, with no email back-and-forth.
- VEN-104 · Atlas Payments PSP · ICT · Critical · Overdue 12d
- VEN-088 · Northwind Cloud Hosting · ICT · Due in 9d
- VEN-072 · Helio Identity Provider · ICT · Critical · Due in 21d
Built for the work, not the wiki.
Every surface below is a real, operable workspace with an audit trail underneath — not a spreadsheet wrapper. Click any tile to land on the live demo.
Executive view
Read-only seat for board, COMEX, DG and DAF. Aggregated posture, risk evolution chart, framework coverage, certification timeline and third-party concentration on a single surface.
AI compliance copilot
Embedded chat with access to your workspace. Role-aware prompts, an approval step before any write-tool runs, file attachments, and an MCP server for external agents.
Risk evolution chart
12-month diverging view of new versus closed risks with a critical-open overlay, plus companion trend cards for risks worsening, improving and regulatory incidents.
Maturity assessments
Score against the ISO 27001 Annex A catalog with a CMMI scale. Re-assess on a cadence and trend the score over time.
Statement of Applicability
Per-control applicability and justification, with an overall maturity-trend chart and exportable auditor pack.
Risk register
Inherent and residual scoring, treatments with owners and dates, heat-map view, and a board of in-flight remediations.
Risk audit trail
Per-risk timeline of every status change, score update, residual reassessment, treatment closure and linked action — auditor-ready out of the box.
Controls & evidence
Operational controls with frequency, owner, last-test date, and a freshness-aware evidence library with proper user attribution.
27 mandatory policies
Versioned, owned, approved, acknowledged. Auto-reminders before review dates expire.
Incidents with timers
NIS2 Art. 23 and DORA Art. 19 reporting deadlines tracked the moment severity is set, with war-room, commander and PIR workflows.
4-eye incident closure
Dual-control sign-off: the closer must be a different user from the opener, with a mandatory resolution comment and optional evidence.
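The two mechanisms in the Incidents and 4-eye closure tiles above, written out as an added Python example. This is illustrative code, not Nexelora's: the NIS2 Art. 23 clocks (24h, 72h, 1 month) are taken from the page, the 30-day reading of "1 month" and the incident, user and file names are assumptions, and DORA Art. 19 deadlines are left to the caller through the `timers` argument rather than guessed.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Iterable, Optional

# NIS2 Art. 23 clocks as listed on the page: early warning 24h, incident
# notification 72h, final report 1 month. "1 month" is read as 30 days here,
# an assumption for illustration; a real implementation would use calendar months.
NIS2_TIMERS: dict[str, timedelta] = {
    "early_warning": timedelta(hours=24),
    "incident_notification": timedelta(hours=72),
    "final_report": timedelta(days=30),
}


class ClosureError(Exception):
    """Raised when a closure attempt violates a control."""


@dataclass
class Incident:
    incident_id: str
    opened_by: str
    opened_at: datetime
    severity: Optional[str] = None
    severity_set_at: Optional[datetime] = None
    status: str = "open"
    deadlines: dict[str, datetime] = field(default_factory=dict)
    audit_trail: list[dict] = field(default_factory=list)

    def _log(self, actor: str, action: str, at: datetime, **details) -> None:
        # Append-only: entries are never edited or deleted, only added.
        self.audit_trail.append({"at": at, "actor": actor, "action": action, **details})

    def set_severity(self, actor: str, severity: str, at: datetime,
                     timers: dict[str, timedelta] = NIS2_TIMERS) -> None:
        """Setting severity starts every reporting clock from that instant."""
        self.severity = severity
        self.severity_set_at = at
        self.deadlines = {name: at + delta for name, delta in timers.items()}
        self._log(actor, "severity_set", at, severity=severity,
                  deadlines=dict(self.deadlines))

    def overdue_reports(self, now: datetime, submitted: Iterable[str] = ()) -> list[str]:
        """Reports whose deadline has passed and that have not been submitted."""
        done = set(submitted)
        return sorted(name for name, due in self.deadlines.items()
                      if now > due and name not in done)

    def close(self, closer: str, comment: str, at: datetime,
              evidence: Optional[str] = None) -> None:
        """Dual-control closure: a different user from the opener and a mandatory comment."""
        if self.status != "open":
            raise ClosureError("incident is not open")
        if closer == self.opened_by:
            raise ClosureError("4-eye rule: closer must differ from the opener")
        if not comment or not comment.strip():
            raise ClosureError("a resolution comment is mandatory")
        self.status = "closed"
        self._log(closer, "closed", at, comment=comment.strip(), evidence=evidence)


def demo() -> dict:
    """Walk one constructed incident through the controls; names and times are made up."""
    t0 = datetime(2025, 3, 3, 9, 0, tzinfo=timezone.utc)
    inc = Incident("INC-0001", opened_by="alice", opened_at=t0)
    inc.set_severity("alice", "major", at=t0)

    # 80h after severity was set, with only the early warning filed, the 72h
    # incident notification is overdue and the final report is not yet due.
    overdue = inc.overdue_reports(t0 + timedelta(hours=80), submitted=("early_warning",))

    # The opener cannot close their own incident, and a blank comment is refused.
    rejected = []
    for closer, comment in (("alice", "fixed"), ("bob", "   ")):
        try:
            inc.close(closer, comment, at=t0 + timedelta(hours=81))
        except ClosureError as exc:
            rejected.append(str(exc))

    inc.close("bob", "Root cause patched; PIR scheduled", at=t0 + timedelta(hours=82),
              evidence="pir-draft.pdf")
    return {
        "overdue_at_80h": overdue,
        "rejections": len(rejected),
        "status": inc.status,
        "trail_actions": [e["action"] for e in inc.audit_trail],
    }


if __name__ == "__main__":
    print(demo())
```

The separation-of-duties check compares user identities, so it is only as strong as the authentication behind `closer` and `opened_by`; the audit trail records who acted and when, but is not tamper-evident on its own and would need to live in append-only storage to defend in audit.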
Third-party risk
Vendor catalogue with ICT and critical-function tagging, a Risks tab on every vendor, concentration risk, and a token-based portal.
Resilience
Per-process RTO and RPO targets, resilience tiers, continuity plans tied back to assets — with pagination across long catalogues.
Action plan & sub-tasks
Kanban with always-visible move arrows and full filters; each action breaks down into assignable sub-tasks tracked separately.
Evidence freshness
Surfaces stale or expiring artefacts before your auditor finds them, a frequent NIS2 audit finding.
ISO is always on. NIS2 and DORA are toggles.
Pick your scope at onboarding. Flipping NIS2 or DORA in settings adds the right reporting timers, supply-chain widgets, banners on every relevant page, and seeds the requirements catalog automatically.
- Dashboard gains an NIS2 readiness card across three pillars
- Vendors page shows the supply-chain coverage widget
- BIA page surfaces Article 21(2)(c) banner and continuity tracking
ISO 27001: 93 Annex A controls across Organizational, People, Physical, and Technological domains, plus the 27 mandatory policies.
NIS2: cybersecurity directive for essential & important entities. Adds early-warning, intermediate, and final report obligations on major incidents, plus supply-chain scope.
DORA: EU regulation on ICT risk for financial entities. Adds critical-function tagging on third parties and shorter incident reporting cycles.
Shipped recently.
- v1.2 · Executive
Executive view & risk-evolution chart
New read-only seat for board, COMEX, DG and DAF. A dedicated dashboard with five tabs and a diverging 12-month chart of new vs closed risks on the Risks & incidents tab.
- v1.1 · AI
AI compliance copilot
Embedded copilot powered by AI SDK 6 with role-aware prompts, an approval workflow on write-tools, file attachments and an MCP server for external agents.
- v1.0 · GA
Single-tenant GRC, TPRM and resilience
ISO 27001 baseline, Statement of Applicability, risk register with full audit trail, NIS2 / DORA incident timers, 4-eye closure, vendor inventory and BIA — all on one source of truth.
Request a demo
See NEXELORA on your own data.
Tell us about your scope and we'll provision a single-tenant sandbox seeded for the frameworks you care about. No slide deck — we open the app and walk through the surfaces matching your role.
- 30-minute working session: walk through the surfaces relevant to your role, such as the ISO baseline, NIS2 / DORA timers, vendor inventory and executive view.
- Single-tenant sandbox: provisioned for you within one business day, seeded with the ISO 27001 catalog and the NIS2 / DORA article catalogs.
- AI copilot enabled: bring real questions; the demo runs with the AI compliance copilot turned on so you can try role-aware prompts live.
Already evaluating? Provision your instance.
Single-tenant. Framework-scoped. Seeded with the ISO 27001 baseline, the NIS2 article catalog, and the DORA technical standards — ready to assess in minutes.