Nine steps to a complete risk register
Open Risk Register walks you through the NIST SP 800-30 risk assessment process. Each step builds on the last — from defining your scope to a prioritised risk register you can act on and report to management.
Dashboard
Manage multiple independent assessments. Each is isolated in your browser and named for a specific system or project.
Assessment Setup
Define the system or process you are assessing: name, boundaries, purpose, and scope. This context shapes the entire assessment.
Risk Model
Choose your assessment tier (system-level or organisation-level) and configure how you will categorise threats and score risk.
Threat Sources
Identify the actors who might target your system — from adversarial groups and insiders to environmental and structural threats.
Threat Events
Map specific attack scenarios that threat sources could carry out, drawing from the full NIST SP 800-30 threat event catalogue.
Vulnerabilities
Identify predisposing conditions and weaknesses in your system that increase the likelihood of a threat event succeeding.
Likelihood
Score the probability of each threat event occurring, combining threat source capability, intent, and your system's vulnerability exposure.
Impact
Assess the potential harm if each threat event occurs — covering operational, financial, and reputational consequences.
Results
Review your complete risk register, prioritised by risk level. Export as JSON or print a PDF report for governance documentation.
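The nine steps above end in a register where each threat event carries a likelihood, an impact and a resulting risk level. The following is an added example, not Open Risk Register's own code, of how that qualitative scoring fits together: it assumes the two lookup tables are a faithful reading of NIST SP 800-30 Rev. 1 Appendix I (Table I-2 for overall likelihood, Table I-5 for level of risk), which the tool may implement differently, and the three threat events are constructed sample input, not data from the page.

```javascript
// Added example (not Open Risk Register's own code): a minimal qualitative
// risk register in the style of NIST SP 800-30 Rev. 1, Appendix I.
// Assumption: the two lookup tables below follow Tables I-2 and I-5 of the
// publication; the tool's own scoring rules are not shown on the page.

const LEVELS = ["Very Low", "Low", "Moderate", "High", "Very High"];

// Map a level name to its index, rejecting anything outside the scale.
function idx(level) {
  const i = LEVELS.indexOf(level);
  if (i < 0) throw new Error(`unknown level: ${level}`);
  return i;
}

// Table I-2: overall likelihood from (likelihood of initiation/occurrence,
// likelihood the event results in adverse impact). Rows run Very Low to
// Very High for initiation; columns run Very Low to Very High for impact.
const OVERALL_LIKELIHOOD = [
  ["Very Low", "Very Low", "Very Low", "Low",       "Low"],       // initiation Very Low
  ["Very Low", "Low",      "Low",      "Moderate",  "Moderate"],  // initiation Low
  ["Low",      "Low",      "Moderate", "Moderate",  "High"],      // initiation Moderate
  ["Low",      "Moderate", "Moderate", "High",      "Very High"], // initiation High
  ["Low",      "Moderate", "High",     "Very High", "Very High"], // initiation Very High
];

// Table I-5: level of risk from (overall likelihood, level of impact).
const RISK_LEVEL = [
  ["Very Low", "Very Low", "Very Low", "Low",  "Low"],       // likelihood Very Low
  ["Very Low", "Low",      "Low",      "Low",  "Moderate"],  // likelihood Low
  ["Very Low", "Low",      "Moderate", "Moderate", "High"],  // likelihood Moderate
  ["Very Low", "Low",      "Moderate", "High", "Very High"], // likelihood High
  ["Very Low", "Low",      "Moderate", "High", "Very High"], // likelihood Very High
];

function overallLikelihood(initiation, adverseImpact) {
  return OVERALL_LIKELIHOOD[idx(initiation)][idx(adverseImpact)];
}

function riskLevel(likelihood, impact) {
  return RISK_LEVEL[idx(likelihood)][idx(impact)];
}

// Score every threat event and return the register ordered highest risk
// first; Array.prototype.sort is stable, so ties keep their input order.
function buildRegister(events) {
  return events
    .map((e) => {
      const likelihood = overallLikelihood(e.initiation, e.adverseImpact);
      return { ...e, likelihood, risk: riskLevel(likelihood, e.impact) };
    })
    .sort((a, b) => idx(b.risk) - idx(a.risk));
}

// Serialise the register the way a Step 9 style JSON export would; the
// caller decides where the string is saved.
function exportRegister(register) {
  return JSON.stringify({ schema: "example-register-v1", items: register }, null, 2);
}

// Constructed sample input for a hypothetical system (not real assessment data).
const SAMPLE_EVENTS = [
  { id: "TE-1", source: "Adversarial: outsider", event: "Phishing leads to credential theft",
    vulnerability: "No MFA on webmail", initiation: "High", adverseImpact: "High", impact: "High" },
  { id: "TE-2", source: "Environmental", event: "Flood in server room",
    vulnerability: "Basement location", initiation: "Low", adverseImpact: "Very High", impact: "Very High" },
  { id: "TE-3", source: "Accidental: insider", event: "Misconfigured backup share",
    vulnerability: "Manual share permissions", initiation: "Moderate", adverseImpact: "Moderate", impact: "Low" },
];

const SAMPLE_REGISTER = buildRegister(SAMPLE_EVENTS);
console.log(exportRegister(SAMPLE_REGISTER));
```

Note how the flood scenario (TE-2) ends up rated High even though its initiation likelihood is only Low: the Very High adverse-impact likelihood and Very High impact carry it up the two tables, which is exactly the effect that a register sorted by risk level, rather than by likelihood alone, is meant to surface.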
Your data never leaves your browser
Open Risk Register is a local-first application. Every assessment you create is stored in your browser's localStorage — never on a server, never transmitted over the internet.
No account required
No registration, no login, no email address. Open the tool and start your assessment immediately with zero setup.
No server storage
Your risk data contains sensitive information about your organisation's vulnerabilities. It stays in your browser — zero network requests are made.
Open source & auditable
The entire codebase is open source. You can inspect, audit, and self-host the tool to verify exactly what happens with your data.
Mapped to NIS2 Article 21 security measures
NIS2 Directive Article 21 requires essential and important entities to implement appropriate and proportionate technical and organisational measures to manage cybersecurity risks. A documented risk assessment is the mandatory foundation. Open Risk Register covers these Article 21 measures:
Built for teams without a dedicated risk function
IT managers at NIS2-subject SMEs
You need to demonstrate cybersecurity governance to management and regulators. Open Risk Register provides a structured, NIST-based workflow to document your risk landscape without requiring a team of consultants.
Information security consultants
You work with multiple clients who need NIS2 readiness. Use Open Risk Register to run fast, repeatable risk assessments — one per client system, exportable for your engagement records.
CISOs at essential and important entities
You need a documented starting point for your formal risk management programme. Open Risk Register provides a qualitative NIST SP 800-30 assessment you can build on with formal tooling.
What this tool does not do
- Qualitative only. This tool produces qualitative risk scores (Very High to Very Low). It does not produce quantitative financial risk calculations or monetary loss estimates.
- No certification. Completing this assessment does not certify NIS2 compliance. NIS2 compliance involves legal obligations, incident reporting, and supervision by national authorities.
- Guidance, not legal advice. The tool helps document cybersecurity risks in a structured way. It does not constitute legal, regulatory, or professional security advice.
- Browser-only storage. Assessments are stored in localStorage. Clearing your browser data permanently deletes them. Export your work regularly as JSON.
- No incident reporting. This tool does not assist with NIS2 incident reporting obligations, which have specific timelines defined by your national competent authority.
Questions about Open Risk Register
Yes. Open Risk Register is completely free to use. There is no account, no subscription, and no hidden cost. The tool runs entirely in your browser with no back-end service required.
The tool guides you through a structured risk assessment process aligned with NIS2 Article 21 security measures. It covers risk identification, likelihood scoring, impact scoring, and produces a risk register to document your cybersecurity governance obligations.
NIS2 requires entities to apply risk-based security measures. A documented risk assessment is the foundation of demonstrating that measures are "appropriate and proportionate."
Your data never leaves your browser. All processing happens client-side using browser localStorage. Nothing is sent to any server. The tool's source code is open source — you can review and verify exactly what it does.
The tool is useful for both essential and important entities under NIS2. It is especially well-suited for SMEs and organisations starting their risk management journey. For large essential entities, the output can serve as a structured starting point or gap analysis.
Your assessments are saved in your browser's localStorage and persist when you close and reopen the browser. However, clearing your browser's site data will delete your assessments permanently.
We strongly recommend using the JSON export feature to create regular backups of completed assessments.
Yes. From Step 9 (Results) you can export your complete risk register as an encrypted backup for safer storage or sharing, or as a JSON file for backup or further analysis. You can also print a formatted PDF report directly from the browser for sharing with management or auditors.
Start your first risk assessment today
Free, private, and in your browser. No sign-up required.