For regulated EU IT teams

Meet DORA, NIS-2, and BAIT without buying a second platform.

ITSMx is a full ITSM and CMDB platform with the regulatory reporting built in. Classify a major incident, run the reporting cascade, and export your Register of Information from the same place you manage day-to-day tickets.

The problem

The deadlines are real. The tooling usually isn't ready.

DORA expects a major ICT-related incident classified and an initial notification out within hours. NIS-2 sets its own clock. BAIT wants an authorization concept you can produce on request. Most teams meet these with a service desk for the day job and a separate stack of spreadsheets, documents, and manual exports for the regulator — assembled under time pressure, every time.

ITSMx puts the operational work and the regulatory work in one system, so the evidence is a by-product of doing the job, not a project you run after the fact.

What you get

Regulation by regulation

DORA, end to end

Classify a major ICT-related incident against the 7 RTS criteria. Run the 4-hour, 72-hour, and 30-day reporting cascade with the clock tracked for you. Export your Register of Information in XBRL and CSV. Compute concentration risk across your ICT third-party providers.

NIS-2 incident reporting

Flag a significant incident and work the 24-hour, 72-hour, and 1-month cascade with the same machinery, scoped to NIS-2's criteria.

BAIT & MaRisk evidence

Generate a Berechtigungskonzept (authorization concept) as PDF and JSON. Classify information on configuration items, flag IDV applications, and hold audit records for the extended retention MaRisk expects.

GDPR & Works Council

PII tagged at the column level. A masking layer pseudonymizes personal data; de-pseudonymization requires dual approval and surfaces to the Works Council on a built-in delay. GDPR Art. 20 data export included.

An audit log built to be trusted

Append-only at the database level — the application has no rights to update or delete it. Every record is hash-chained to the previous one, and a verifier checks the entire chain daily. Personal-data access is logged on a separate channel.

How the toggles work

Turn on only what applies to you.

The regulatory capabilities are a catalogue of individual toggles, default off. A signup wizard offers ready-made bundles — Financial EU, Critical Infrastructure, and others — or a custom mix. Turn on DORA without NIS-2, or BAIT without either.

Once you've produced a regulated artifact, the relevant toggle becomes sticky and can only be switched off through a dual-approval flow, so nobody quietly removes a control you depend on.

FAQ

Not yet. It produces the report content and tracks cascade timelines. Submission to your national competent authority is manual. Automated submission is on the roadmap.
Yes. DORA and NIS-2 toggles are independent. Where timelines overlap, the system tracks both cascades separately on the same incident.
Once you produce a regulated artifact — a DORA notification, a Berechtigungskonzept — the toggle behind it becomes sticky. Switching it off takes dual approval, so a control you depend on can’t be removed quietly.

Informational only — not legal advice.

Show us your obligations. We'll map them to the platform.

Bring the regulations you answer to. We'll walk through exactly how ITSMx classifies, tracks, and reports against each one.