OneComply helps EU financial entities run ICT risk, third-party oversight, incident clocks, evidence, audit trail, and board-ready reporting from one governed workspace — with mapped evidence reuse across ISO 27001, NIS2, GDPR, CSSF 22/806, and CRA where coverage applies.
DORA ROI package
EBA-format package preparation
See proof
CSSF templates
Readiness gates before export
See proof
Audit trail
Actor, timestamp, source object
See proof
Control import
Reviewable mapping workbench
See proof
DORA incidents
2 open
ICT providers
18 critical
Evidence gaps
7 blockers
Board pack
Ready
Score based on controls, evidence validity, incident actions, and ICT-provider gaps.
DORA incidents
2 open
Next initial report in 3h 12m
ICT providers
18 critical
4 contracts missing exit evidence
Evidence gaps
7 blockers
3 owners overdue this week
Board pack
Ready
Traceable to 64 controls
Incident clocks
DORA Art. 19Evidence lineage
Exit strategy.pdf
ICT RiskDORA Art. 28
ISO A.5.23 · CSSF §5
Incident decision log
Resilience LeadDORA Art. 19
NIS2 Art. 23 · GDPR Art. 33
Vulnerability register
SecurityDORA Art. 9
ISO A.8.8 · CRA Art. 13
Audit trail
Each status change stores actor, timestamp, old value, new value, and source object for reviewer traceability.
Product-style view with sample data · each object is traceable in-app
Most teams spread DORA work across spreadsheets, ticketing, vendor files, and policy folders. OneComply keeps the operational evidence, owners, incidents, vendors, and audit trail in one governed workspace.
Traceable operating loop
OneComply is designed to show why the posture changed, which obligation is affected, and what evidence needs attention before a regulator, auditor, or board reviewer asks.
Step 1
CloudStore AG contract lacks exit evidence
Vendor · DORA Art. 28
Step 2
Owner assigned with 7-day validity check
Evidence · ISO A.5.23
Step 3
Initial, intermediate, and final report deadlines visible
Incident · Art. 19
Step 4
Gap, owner, and blocker summary regenerated
Reporting · Audit trail
Mappings show where the same control and evidence support other frameworks. They do not replace legal or auditor review.
Art. 9.2 — ICT Security Tools & Processes
Art. 21(2)(e) — Vulnerability Handling & Disclosure
Circular 22/806 §6.4 — ICT Vulnerability Management
Art. 10(6) — Vulnerability Identification & Documentation
Art. 23 — Significant Incident Notification
A.5.24 — Information Security Incident Management
Circular 22/806 §7 — ICT Incident Management
Art. 33 — Personal Data Breach Notification (72h)
Art. 6 — ICT Risk Management Framework
Clause 6.1 — Actions to Address Risks
Circular 22/806 §3 — ICT Risk Management
Art. 13 — Obligations of Manufacturers
Art. 5 — Governance and Organisation
Art. 20 — Governance
Art. 24 — Responsibility of the Controller
Circular 22/806 §4 — ICT Governance
A.5.19–A.5.22 — Supplier Relationships
Art. 21(2)(d) — Supply Chain Security
Circular 22/806 §5 — ICT Outsourcing
Art. 13(7) — Due Diligence on Components
Vendor oversight, incident clocks, controls, evidence, reports, and audit trail — focused on DORA launch readiness with mapped evidence reuse.
Import vendors, classify criticality, track risk posture, dependency mapping, and concentration checks for DORA third-party oversight.
Send assessments to vendors via secure signed link — no vendor account needed. Optional AI assistance can tailor questions by vendor profile; responses land back in risk scoring.
Log incidents, track DORA deadlines (4h/72h/1mo), timeline view, post-incident actions and lessons learned.
Initialize DORA controls and reuse linked evidence across ISO 27001, NIS2, GDPR, CSSF 22/806, and CRA where mappings are defensible.
Policy templates with optional AI drafting, version control, approval workflows, and review cycles. 15 templates included.
Three access tiers — read-only, comment, or full — scoped per framework. Time-boxed invites, no auditor account, every action in the audit trail.
Prepare Register of Information source data, validate official table rows, and generate the EBA plain XBRL-CSV ZIP for CSSF/eDesk upload.
Every action logged with before/after diffs. Sensitive fields auto-redacted. Full traceability for auditors.
How We Compare
See how OneComply compares to manual processes and single-framework tools.
DORA and CSSF are the launch workflow anchors. ISO 27001, NIS2, GDPR, and CRA are shown as evidence-reuse and readiness layers with explicit caveats.
End-to-end workflow coverage
Primary launch workflow for EU financial entities: ICT risk, vendors, incidents, evidence, audit trail, posture, and board/regulator readiness.
End-to-end workflow coverage
Luxembourg-focused overlay for ICT governance, outsourcing readiness, circular tracking, and DORA/CSSF operational alignment.
Mapped evidence coverage
Mapped ISMS control library, Statement of Applicability support, policy/evidence linkage, and certification-preparation reporting.
Mapped evidence coverage
Entity classification, security-measure evidence mapping, incident-readiness tracking, and supply-chain alignment.
Mapped evidence coverage
Privacy-security evidence linkage across ROPA, DPIA, DSR, consent, breach evidence, processors, and audit trail.
Readiness coverage
Future-readiness mapping for product-security controls, SBOM, vulnerability handling, technical documentation, and reporting timelines.
We're working with a small group of compliance teams to shape OneComply before general availability. Get early access, direct influence on the roadmap, and priority support.
Luxembourg Focus
Purpose-built for Luxembourg financial institutions with CSSF readiness workflows, ROI source-data checks, EBA-format package generation, and incident-report preparation. Authority acceptance is recorded only when external receipt evidence exists.
Prepare ROI source data, validate official EBA table rows, and generate the ZIP package for CSSF/eDesk upload.
26 requirements mapped from Circulars 25/882, 25/881, and 25/883.
Initial (4h), intermediate (72h), and final (1 month) clocks for DORA incident operations.
ROI window tracking (Feb–Mar), incident deadlines, and board report schedules.
| B_01.01 | Entity maintaining the register | Ready |
| B_02.01 | Contractual arrangements | Ready |
| B_03.01 | ICT third-party service providers | Ready |
| B_04.01 | ICT services — provider level | Ready |
| B_05.01 | Functions identified | Review |
| B_06.01 | ICT services — function level | Review |
Enterprise-grade security and compliance infrastructure designed for the highest regulatory standards.
Granular permissions from Owner to External Vendor. Every action checked against entity-level access rules.
Append-only log with before/after diffs. Sensitive fields auto-redacted. Queryable by entity, user, date range.
CSP, HSTS with preload, CORS whitelist, X-Frame-Options DENY, COOP, CORP. Zero-trust by default.
8-hour inactivity timeout via httpOnly secure cookies. Auto-signout with redirect to login.
Compliance data is never hard-deleted. All deletions are reversible and fully auditable — required by DORA Art. 28.
Supabase PostgreSQL hosted in EU. All data processing stays within European jurisdiction.
Pricing
Start with DORA operations, then reuse evidence across adjacent frameworks. Get 2 months free with annual billing.
DORA Essentials
€349
per month
DORA Operations
€799
per month
DORA Assurance
€2,199
per month
Prices shown are VAT-inclusive unless stated otherwise. View full pricing details
Launch with DORA-first operations, then reuse the same evidence across ISO 27001, NIS2, GDPR, CSSF 22/806, and CRA where mappings apply.
14-day free trial. No credit card required. Cancel anytime.