
SIX NEW CAPABILITIES FOR BOARD-LEVEL COMPLIANCE, AI-POWERED POLICY DRAFTING, AND RISK-BASED VENDOR MANAGEMENT

Alexander Sverdlov

Platform Release · March 2026 — Wave 2

Personal liability tracking for DORA and NIS2 management bodies, DORA Article 24–27 resilience testing with TIBER-EU support, AI Act fundamental rights impact assessments, automated vendor risk scoring, AI-powered policy drafting, and intelligent gap analysis — all live now.

Two weeks ago we shipped our first wave of multi-framework features. Today we’re releasing six more capabilities that move Venvera from compliance tracking into compliance intelligence — features that actively guide your team, score your vendors, draft your policies, and keep your board members out of personal regulatory trouble.

Every feature below addresses a real gap in the market. No other GRC platform combines DORA personal liability tracking, TIBER-EU test management, AI Act fundamental rights assessments, and AI-powered policy generation in a single product.

6 New Features · 4 New API Endpoints · 7 Frameworks Enhanced

Feature 1

Board Dashboard & Personal Liability Tracking

The Risk

DORA Article 5(2) places overall responsibility for managing the financial entity's ICT risk on its management body, and NIS2 Article 20 makes management bodies liable for infringements and requires their members to follow cybersecurity training. No GRC platform on the market tracks this. If your CEO, CISO or board members have not completed the required training, they are personally exposed, and most organisations do not even know it.

Venvera’s Board Dashboard gives executives a single screen showing compliance health across all frameworks, with personal liability status for every named officer.

[Screenshot: Board Dashboard]

What’s Included

🛡 Compliance Officers Registry

Track CEO, CISO, DPO, CTO, and board members with their framework responsibilities, appointment dates, training status, and approval history.

⚠️ Liability Status Engine

Automatic Compliant / At Risk / Non-Compliant classification based on training completion, overdue dates, and framework requirements.

📈 Health Score Trends

0–100 compliance scores per framework with 30-day trend tracking. Scores auto-record daily — no cron jobs needed. Board can see if compliance is improving or declining.

📄 Unified Board Report

One-click DOCX generation with executive summary, compliance ring chart, personal liability table, per-framework status, and key risks. Board-ready in seconds.

✨ Why This Matters

DORA has applied since 17 January 2025 and NIS2 transposition was due 17 October 2024. Regulators are actively looking at management body accountability. Venvera is the only platform that tracks personal liability under both DORA Art. 5(2) and NIS2 Art. 20 in a single dashboard.

Feature 2

DORA Resilience Testing with TIBER-EU Support

The Requirement

DORA Articles 24–27 mandate a digital operational resilience testing programme. Financial entities must test all ICT systems and applications supporting critical or important functions at least yearly, using the test types listed in Article 25 (vulnerability assessments, scenario-based tests, network security assessments, penetration testing and others). Entities identified by their competent authority must additionally undergo Threat-Led Penetration Testing (TLPT) at least every three years, carried out in line with the TIBER-EU framework.

Venvera now includes a complete DORA test type library with nine pre-defined test types, each mapped to specific DORA articles with regulatory guidance, recommended frequencies, and methodology templates.

Nine DORA-Mapped Test Types

Test Type | DORA Article | Frequency | TLPT
Vulnerability Assessment | Art. 24(1)(a), 25(1) | Quarterly | —
Scenario-Based Testing | Art. 24(1)(b), 25(1) | Semi-annually | —
Network Security Testing | Art. 24(1)(c), 25(1) | Annually | —
Penetration Testing | Art. 24(1)(d), 25(2) | Annually | —
Source Code Review | Art. 24(1)(e), 25(1) | Annually / major release | —
Gap Analysis | Art. 24(1)(f), 25(1) | Annually | —
Tabletop Exercise | Art. 24(1)(b), 25(1) | Quarterly | —
TLPT (TIBER-EU) | Art. 26, 27 | Every 3 years | Yes
Red Team Exercise | Art. 26(2), 27 | Every 3 years / annually | Yes

When creating a new test, selecting a test type auto-fills scope and methodology from DORA guidance and displays the regulatory basis, recommended frequency, and applicable DORA articles. The detail page includes a DORA reference sidebar so testers always know exactly which regulatory requirements they’re satisfying.

Feature 3

EU AI Act — Fundamental Rights Impact Assessment

The Deadline

The EU AI Act (Regulation 2024/1689) requires certain deployers of high-risk AI systems (bodies governed by public law, private operators providing public services, and deployers of credit-scoring and life/health-insurance risk-pricing systems) to conduct a Fundamental Rights Impact Assessment (FRIA) under Article 27 before putting the system into use. Most high-risk obligations apply from 2 August 2026. With that deadline five months away, organisations need to start these assessments now.

Venvera’s FRIA module provides a structured assessment covering 12 fundamental rights categories drawn from the EU Charter of Fundamental Rights, with a 0–4 impact scoring scale, mitigation tracking, and DPA notification management.

12 Fundamental Rights Assessed

1. Human Dignity
2. Privacy & Data Protection
3. Non-Discrimination
4. Gender Equality
5. Freedom of Expression
6. Freedom of Assembly
7. Right to Education
8. Worker Rights
9. Consumer Protection
10. Child Rights
11. Disability Rights
12. Environmental Protection

Each right receives a 0–4 impact score (No Impact → Critical Impact) with colour-coded visualisation. The module also tracks:

  • Specific risk identification and mitigation measures per right
  • Stakeholder consultation records
  • DPA notification status and dates
  • Assessor and reviewer assignment with workflow tracking
  • EU database registration export (Art. 49/71) in JSON and CSV formats

Feature 4

Automated Vendor Risk Scoring

DORA Article 28 sets the general principles for managing ICT third-party risk, and Article 29 requires financial entities to assess ICT concentration risk. Manual vendor assessments don’t scale. Venvera now automatically scores every ICT provider on a 0–100 risk scale using five weighted signals derived directly from your existing compliance data.

Five-Signal Risk Algorithm

Criticality Classification 30%

Critical (90) · Important (50) · Supporting (20)

Geographic Risk 20%

EU adequacy decisions, high-risk jurisdictions, data location analysis

Concentration Risk 20%

Spend share (>30% = high risk), critical function dependencies

Contract Health 15%

Expiry status, Art. 30 clause completion, exit strategy presence

Data Sensitivity 15%

Data locations, provider type (cloud/SaaS = higher sensitivity)

The TPRM dashboard now includes a Vendor Risk Overview widget showing risk distribution (high / medium / low / unscored), top-risk vendors with drill-down links, concentration alerts from your register data, and contracts expiring within 90 days. One-click “Score All Vendors” recalculates every provider instantly.
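The five-signal algorithm above, as an added Python example; this is illustrative code written for this page, not Venvera's implementation. The signal weights, the Critical (90) / Important (50) / Supporting (20) values and the 30% spend-share threshold come from the text. How the geographic, concentration, contract-health and data-sensitivity signals are turned into 0–100 sub-scores, the country sets, the tier cut-offs and the sample register are assumptions made for the example.

```python
"""Added example: weighted five-signal vendor risk score (0-100).

Weights, criticality values and the 30% spend threshold are from the text;
every other mapping below is an assumption made for illustration.
"""
from dataclasses import dataclass

# Signal weights from the text (sum to 1.0).
WEIGHTS = {
    "criticality": 0.30,
    "geographic": 0.20,
    "concentration": 0.20,
    "contract": 0.15,
    "data": 0.15,
}
# Criticality classification values from the text.
CRITICALITY_SCORE = {"critical": 90, "important": 50, "supporting": 20}

# Assumed, illustrative country sets (ISO 3166-1 alpha-2); not a legal list.
EEA = {"AT", "BE", "DE", "FR", "IE", "NL", "IS", "LI", "NO"}
ADEQUACY = {"GB", "CH", "JP", "KR", "CA"}   # subset of EU adequacy decisions
HIGH_RISK = set()                           # fill from your own jurisdiction list


@dataclass(frozen=True)
class Provider:
    name: str
    criticality: str               # "critical" | "important" | "supporting"
    data_countries: tuple          # where the provider stores/processes data
    spend_share: float             # share of total ICT spend, 0.0-1.0
    supports_critical_functions: bool
    contract_expired: bool
    art30_clauses_complete: bool   # DORA Art. 30 contractual provisions present
    has_exit_strategy: bool
    provider_type: str             # "cloud" | "saas" | "onprem" | "other"


def geographic_score(countries):
    """Worst data location wins: EEA 10, adequacy 40, other 70, high-risk 100."""
    if not countries:
        return 70  # unknown location is treated like a non-adequate one
    worst = 0
    for c in countries:
        if c in HIGH_RISK:
            s = 100
        elif c in EEA:
            s = 10
        elif c in ADEQUACY:
            s = 40
        else:
            s = 70
        worst = max(worst, s)
    return worst


def concentration_score(p):
    """Spend share above 30% is the high-risk threshold; below it, scale linearly."""
    spend = 80 if p.spend_share > 0.30 else round(p.spend_share / 0.30 * 80)
    if p.supports_critical_functions:
        spend += 20
    return min(spend, 100)


def contract_health_score(p):
    """Each missing contractual safeguard adds to the sub-score (0-100)."""
    s = 0
    if p.contract_expired:
        s += 50
    if not p.art30_clauses_complete:
        s += 30
    if not p.has_exit_strategy:
        s += 20
    return s


def data_sensitivity_score(p):
    """Cloud/SaaS start higher; any data held outside the EEA adds 30."""
    base = 70 if p.provider_type in ("cloud", "saas") else 40
    if any(c not in EEA for c in p.data_countries):
        base += 30
    return min(base, 100)


def risk_score(p):
    """Return (weighted 0-100 score rounded to 0.1, dict of raw sub-scores)."""
    signals = {
        "criticality": CRITICALITY_SCORE[p.criticality],
        "geographic": geographic_score(p.data_countries),
        "concentration": concentration_score(p),
        "contract": contract_health_score(p),
        "data": data_sensitivity_score(p),
    }
    total = sum(WEIGHTS[k] * v for k, v in signals.items())
    return round(total, 1), signals


def risk_tier(score):
    """Assumed tier cut-offs: high >= 70, medium >= 40, otherwise low."""
    if score >= 70:
        return "high"
    if score >= 40:
        return "medium"
    return "low"


def score_all(providers):
    """'Score All Vendors': rank every provider, highest risk first."""
    rows = []
    for p in providers:
        score, signals = risk_score(p)
        rows.append({"name": p.name, "score": score,
                     "tier": risk_tier(score), "signals": signals})
    rows.sort(key=lambda r: r["score"], reverse=True)
    return rows


# Constructed sample register (fictional vendors).
SAMPLE = (
    Provider("CloudCo", "critical", ("IE", "US"), 0.35, True, False, False, False, "cloud"),
    Provider("LocalSupport", "supporting", ("NL",), 0.05, False, False, True, True, "onprem"),
)

if __name__ == "__main__":
    for r in score_all(SAMPLE):
        print(f"{r['name']:13} {r['score']:5.1f} {r['tier']:6} {r['signals']}")
```

Keeping the raw sub-scores next to the weighted total is deliberate: a reviewer challenging a "high" rating needs to see which signal drove it (here CloudCo is pushed up by concentration and non-EEA data, not by its criticality alone), and the same breakdown is what a concentration-risk alert should cite.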

Feature 5

AI-Powered Policy Drafting & Gap Analysis

The Difference

Unlike generic AI assistants, Venvera’s AI has deep regulation-specific knowledge injected into every interaction — exact article numbers, materiality thresholds, reporting timelines, classification decision trees, and penalty amounts for DORA, NIS2, GDPR, the EU AI Act, ISO 27001, SOC 2, and NIST CSF. Combined with your organisation’s live compliance data, it produces advice that is both precise and contextual.

Two New AI Capabilities

AI Policy Drafting

Generate framework-specific compliance policies tailored to your organisation. Select a framework and policy type, and the AI produces a complete draft with correct article references, your organisation name, jurisdiction, and entity type baked in.

Output: Saved as a draft policy in your policy register for team review and approval.

AI Gap Analysis

Point the AI at any framework, and it analyses your live compliance data to generate prioritised gaps with specific regulatory references, severity ratings, estimated remediation effort, and concrete action steps.

Output: Structured JSON with gaps, quick wins, and strategic recommendations — ready for task generation.

Enhanced Virtual CISO Context

The existing chat assistant now receives significantly richer context in every conversation:

  • Tasks: total, open, in-progress, overdue, and critical priority counts
  • Policies: approved, draft, in-review, and overdue-for-review counts
  • Vendor Risk: provider counts by risk tier, average risk score
  • Resilience Testing: test counts, completion status, open findings
  • Regulatory Updates: total and unacknowledged update counts

Feature 6

Compliance Roadmap — Guided Step-by-Step Progress

[Screenshot: Compliance Roadmap]

The most common question compliance teams ask when starting a new framework: “What do we do first?” Venvera now answers that with a Compliance Roadmap widget on every framework dashboard showing ordered steps with auto-detected completion from your existing data.

✅ Auto-Detection

Steps complete automatically when data exists — register a provider and “Register ICT Providers” lights up green with a count. No manual checking required.

📋 Task Generation

Click “Generate Tasks” and Venvera creates tasks for every incomplete step, pre-filled with descriptions, priorities, and task types. Deduplicates automatically.

📊 Progress Tracking

Visual progress bar showing X/Y steps completed per framework. Collapsible widget with state persisted in localStorage.

🌍 All Frameworks

Available on all 10 framework dashboards: DORA, GDPR, ISO 27001, NIS2, AI Act, SOC 2, NIST CSF, Cyber Essentials, UAE IA, and NDPA.

Example: DORA Roadmap (10 Steps)

Complete Gap Assessment → Register ICT Providers → Map Business Functions → Register Contracts → Complete Risk Assessments → Set Up Incident Response → Define ICT Policies → Plan Resilience Testing → Review Concentration Risk → Prepare RoI Export

How This Compares

Features unique to Venvera or significantly differentiated from competitors.

Capability | Venvera | Vanta | Drata
Personal liability tracking (DORA/NIS2) | Yes | — | —
DORA TLPT / TIBER-EU test management | Yes | — | —
AI Act FRIA (12 fundamental rights) | Yes | — | —
Automated vendor risk scoring (5-signal) | Yes | Basic | Basic
AI policy drafting with regulation expertise | Yes | Generic AI | Generic AI
AI gap analysis with regulatory references | Yes | — | —
Guided compliance roadmap (10 frameworks) | Yes | SOC 2 only | SOC 2 only
EU database export (AI Act Art. 49/71) | Yes | — | —
Unified multi-framework board report (DOCX) | Yes | Per-framework | Per-framework

Technical Summary

New Database Tables

  • compliance_officers
  • compliance_score_history
  • ai_act_fria

New API Endpoints

  • Board Dashboard & Officers CRUD
  • AI Act FRIA CRUD
  • Vendor Risk Scoring
  • AI Policy Drafting
  • AI Gap Analysis
  • EU Database Export
  • Compliance Roadmap

Enhanced Components

  • Virtual CISO with deep regulation expertise
  • Resilience testing (9 test types)
  • TPRM vendor risk overview
  • Cross-cutting compliance context

Security

  • All data tenant-isolated via PostgreSQL RLS
  • AI API keys encrypted with AES-256-GCM
  • Rate-limited AI endpoints
  • Permission-checked at every endpoint

Ready to See It in Action?

These features are live today for all Venvera customers. Schedule a demo to see how AI-powered compliance intelligence works with your regulatory landscape.

Venvera · Built for EU Financial Entities · Amsterdam, Netherlands


Alexander Sverdlov

CEO & Founder

Alexander is the CEO and founder of Venvera, leading the development of multi-framework compliance solutions for European regulated entities.
