Meet DORA, NIS-2, MaRisk, BAIT and GDPR from the system you already run.
Compliance capabilities are opt-in per tenant, produced from live operational records, and off by default. Turn on only what applies to you — no second system, no spreadsheet rebuild.
What each regulation needs — and what ITSMx produces.
Every check mark is a capability built into the platform, generated from the same incidents, changes, and CIs your team already works with.
| Capability | DORA | NIS-2 | MaRisk | BAIT | GDPR |
|---|---|---|---|---|---|
| Major-incident classification | ✓ | ✓ | — | — | — |
| Reporting cascade (timed notifications) | ✓ | ✓ | — | — | — |
| Register of Information | ✓ | — | — | — | — |
| Audit retention (extended) | ✓ | — | ✓ | — | — |
| Berechtigungskonzept export | — | — | — | ✓ | — |
| Segregation of duties (SoD) | ✓ | — | ✓ | ✓ | — |
| PII pseudonymization | — | — | — | — | ✓ |
| Data export (portability) | — | — | — | — | ✓ |
| Hash-chained audit log | ✓ | ✓ | ✓ | ✓ | ✓ |
| Information classification (IDV) | — | — | — | ✓ | — |
| Works Council workflow (BetrVG) | — | — | — | — | ✓ |
Compliance you switch on — not migrate into.
Feature-flag model
Each regulatory capability is gated behind a tenant-level toggle. The signup wizard offers four bundle presets — Financial EU, NIS-2 / Critical Infrastructure, EU SMB Unregulated, and Custom — or you can toggle capabilities individually.
Forward-only
Once a regulated artifact is produced (a cascade filed, a register exported), the toggle becomes sticky and auditable. No retroactive reclassification — your evidence trail stays intact.
Same records, different lens
Compliance reports draw from the same incidents, changes, and CIs your team already maintains. No duplicate data entry, no reconciliation.
Deep dives by regulation
DORA
Major-incident classification (7 RTS criteria), 4h/72h/30d reporting cascade, Register of Information (XBRL + CSV), and concentration risk evidence.
NIS-2
Significant-incident classification, 24h/72h/1mo reporting cascade for operators of essential and important services.
MaRisk / BAIT
Extended audit retention, Berechtigungskonzept export (PDF + JSON), information classification, and IDV flagging on CIs.
GDPR & Pseudonymization
Field-level PII tagging, masking layer, k-anonymity, dual-approval de-pseudonymization, and BetrVG Works Council workflow.
Informational only — not legal advice. Consult qualified counsel for regulatory obligations specific to your organization.
See it mapped to your obligations.
30 minutes. We walk through your DORA / NIS-2 / BAIT requirements against the live product.