Why open source matters for NIS2 security tools
A risk assessment tool processes some of the most sensitive information in your organisation: your vulnerabilities, your threat landscape, and your risk tolerance. Using a closed-source tool means trusting that vendor completely — with no way to verify what happens to your data. Open source eliminates that leap of faith.
Transparency
Every function that reads, writes, or processes your assessment data is public. There are no hidden API calls, no telemetry, and no obfuscated logic.
Auditability
Your IT team, your auditor, or your NIS2 supervisory authority can inspect exactly how the risk scoring is calculated and how data is stored.
No vendor lock-in
Fork it, self-host it, or modify it to fit your organisation’s needs. No subscription, no account, and no risk of the tool disappearing behind a paywall.
How to verify the tool
You don’t have to trust our description of how the tool works. Here are three independent ways to confirm the tool does exactly what it claims.
- Inspect the source code: Browse the GitHub repository and read the JavaScript files directly. The assessment logic is written in plain, unobfuscated ES2020 modules with no external dependencies to audit.
- Check browser DevTools: Open your browser’s Network tab while using the tool. You will see zero outbound requests to any third-party server — all data operations happen entirely in-browser.
- Review the Content Security Policy: The CSP header on every page enforces `script-src 'self'` and `style-src 'self'`, making it technically impossible for injected scripts or external resources to run.
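The third check can be automated rather than read by eye. The following is an added example, not code from Open Risk Register: it parses a Content-Security-Policy header into its directives and reports any script-src or style-src value other than 'self' (or a sole 'none'), falling back to default-src the way browsers do. The two sample headers are constructed for illustration; paste the real header from the DevTools Network tab in their place.

```javascript
// Added example (not part of Open Risk Register): verify that a CSP header
// restricts script-src and style-src to 'self' only.

// Parse "directive value value; directive value" into Map<directive, [values]>.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;            // skip empty segments, e.g. a trailing ';'
    const [directive, ...values] = tokens;
    policy.set(directive.toLowerCase(), values);
  }
  return policy;
}

// Return a list of findings; an empty list means the "self only" claim holds.
// A missing directive falls back to default-src, as browsers do. If neither is
// present, that resource type is unrestricted, which is itself a finding.
function checkSelfOnly(header, directives = ['script-src', 'style-src']) {
  const policy = parseCsp(header);
  const findings = [];
  for (const name of directives) {
    const values = policy.get(name) ?? policy.get('default-src');
    if (!values) {
      findings.push(`${name}: no directive and no default-src fallback`);
      continue;
    }
    // A sole 'none' is stricter than 'self' and therefore acceptable.
    const noneOnly = values.length === 1 && values[0] === "'none'";
    const offending = noneOnly ? [] : values.filter((v) => v !== "'self'");
    if (offending.length > 0) {
      findings.push(`${name}: allows ${offending.join(' ')}`);
    }
  }
  return findings;
}

// Constructed sample headers (not the tool's real policy).
const strictHeader =
  "default-src 'none'; script-src 'self'; style-src 'self'; img-src 'self' data:";
const weakHeader =
  "default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.example.com; style-src 'self'";

console.log(checkSelfOnly(strictHeader)); // []
console.log(checkSelfOnly(weakHeader));   // ["script-src: allows 'unsafe-inline' https://cdn.example.com"]
```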
No vendor lock-in, no data exposure
Many cloud-based GRC and risk management tools store your assessment data on their servers — creating data protection risk, potential subpoena exposure, and dependency on a third-party vendor’s continued operation. Open Risk Register takes a different approach.
Browser-local storage
All assessment data is written exclusively to your browser’s localStorage. It never leaves your device unless you explicitly export it.
Portable JSON export
Export your full risk register as a JSON file at any time. You own the data, and you can re-import it into any future version of the tool.
Self-hostable
Download the built files and serve them from your own web server or intranet. Ideal for organisations that require air-gapped or on-premise tooling.
How to contribute
Open Risk Register improves when more people use it, review it, and contribute to it. There are several ways to get involved — no coding experience required for some of them.
Report an issue
Found a bug, an incorrect risk score, or a NIS2 requirement that isn’t covered? Open an issue on GitHub. Clear, well-described issues are enormously valuable.
Submit a pull request
Improvements to the assessment logic, UI accessibility, or translated content are all welcome. Fork the repository, make your changes, and open a PR for review.
Spread the word
If Open Risk Register has been useful for your NIS2 compliance work, telling colleagues, sharing on LinkedIn, or linking from your own site makes a real difference.
Open source and NIS2 supply chain due diligence
NIS2 Article 21(2)(d) requires entities to address security risks in their supply chain, including the software tools used in security processes. When you use an open source tool with a publicly auditable codebase, you can satisfy your own due diligence obligation by reviewing the code — something impossible with closed-source alternatives.
| Consideration | Open source (this tool) | Closed source / SaaS |
|---|---|---|
| Code auditability | Full — inspect every function | None — trust the vendor |
| Data location | Your browser only | Vendor servers (jurisdiction varies) |
| Data breach risk | None (no server-side storage) | Vendor breach exposes your risk data |
| Vendor lock-in | None — fork or self-host | High — data migration often difficult |
| Subpoena / legal exposure | None (vendor holds no data) | Vendor may be compelled to disclose |
| Cost | Free, always | Subscription or per-seat pricing |
| NIS2 supply chain due diligence | Satisfiable via code review | Requires contractual SLAs and audits |
Ready to run a transparent, auditable risk assessment?
No account required. No data leaves your browser. Open source from top to bottom.