WHAT IS VENVERA?

Alexander Sverdlov
Venvera is a unified compliance management platform built for organisations navigating complex regulatory landscapes. Whether you are a financial institution preparing for DORA, a data controller meeting GDPR obligations, or an AI deployer assessing risk under the EU AI Act, Venvera brings every framework, every control, and every task into one place. Instead of juggling spreadsheets, shared drives, and disconnected tools per framework, Venvera gives your compliance team a single source of truth - with cross-framework visibility, automated progress tracking, and built-in reporting.
📋 10 Frameworks, One Platform: DORA · GDPR · ISO 27001 · NIS2 · EU AI Act · SOC 2 · NIST CSF · Cyber Essentials · UAE IA · NDPA

How Venvera Works - The Big Picture

When you log in, you land on your organisation dashboard. From the sidebar, you can navigate to any framework your organisation has access to, plus shared modules like Risk Management, Incidents, Policy Library, Tasks, and Reports. Each framework has its own dedicated dashboard with:
  • A compliance score ring showing overall readiness
  • Stat cards with live counts from your data (providers registered, controls implemented, incidents open, etc.)
  • A Compliance Roadmap widget that shows ordered steps to achieve compliance and tracks your progress automatically
  • Module cards linking to each section of the framework
The key principle: you enter data once, and Venvera uses it everywhere. An incident logged in the unified Incidents module automatically counts toward your DORA incident readiness score, your NIS2 Art. 23 notification tracker, and your GDPR breach register.

Getting Started - Your First Steps

Here is the typical workflow for a new organisation on Venvera:
  1. Set up your Company Profile - Go to Settings → Company Profile and enter your organisation details. This information is used in policy generation and board reports.
  2. Invite your team - Go to Settings → User Management and invite team members. Assign roles (Admin, Editor, or Viewer) and choose which frameworks each person can access.
  3. Run a Gap Assessment - Open any framework dashboard and start with the Gap Assessment module. This gives you an immediate compliance score and highlights where the gaps are.
  4. Follow the Compliance Roadmap - Each dashboard shows a step-by-step roadmap. Click "Generate Tasks" to automatically create tasks for your team based on incomplete steps.
  5. Work through modules - Register providers, document processing activities, implement controls, write policies - each module guides you through what is needed.
  6. Generate reports - When it is time for a board meeting or a regulatory submission, go to Reports and download a ready-made DOCX report.

Cross-Cutting Platform Features

These modules are shared across all frameworks. They appear in the top section of the sidebar and feed data into every framework dashboard automatically.

Risk Management

A full enterprise risk management programme embedded directly in the platform - no need for a separate GRC tool.
  • Dashboard - interactive 5×5 risk heatmap (likelihood × impact), risk distribution by category, risk appetite indicator with Accept/Treat/Escalate zones, controls coverage breakdown
  • ICT Asset Register - catalogue your information and communication technology assets
  • Risk Register - create and manage risks with likelihood, impact, category, owner, and treatment plan
  • Controls Library - cross-framework controls mapped to multiple standards, with status tracking (Planned → In Progress → Implemented → Not Applicable)
  • Risk Snapshots - point-in-time snapshots of your risk posture for trend analysis and board reporting
  • Settings - configure risk appetite thresholds for your organisation
💡 Tip: Risk categories include cybersecurity, data integrity, availability, change management, outsourcing, access control, physical security, and network security - covering the full spectrum that regulators expect.

Incident Management

A unified incident register that automatically feeds into framework-specific reporting workflows. Log an incident once, and it counts toward:
  • DORA incident management (ICT-related incidents)
  • NIS2 Art. 23 notification deadlines (24h early warning → 72h notification → 1-month final report)
  • GDPR Art. 33–34 breach notifications
  • UAE IA aeCERT reporting
  • AI Act Art. 62 serious incident reporting

Third-Party Risk Management (TPRM)

Manage your supply chain risk with a structured vendor assessment workflow:
  • ICT Providers - maintain a registry of all third-party providers, sub-contractors, and service organisations
  • Questionnaire Campaigns - send due diligence questionnaires to vendors via secure tokenised links
  • Automated Scoring - responses are scored automatically and assigned a risk rating (Critical / High / Medium / Low)
  • Campaign Dashboard - track campaign progress: Total / Pending / In Progress / Completed
  • Status Lifecycle - Draft → Sent → In Progress → Completed / Expired

Policy Library

Every compliance framework requires documented policies. Venvera includes a full policy lifecycle management module:
  • Lifecycle: Draft → In Review → Approved → Archived
  • Version tracking on all policy documents
  • One-click policy generation from templates, pre-populated with your company data - available for all 10 frameworks
  • File attachments per policy (PDF, DOCX, XLSX, CSV, TXT, PNG, JPEG - up to 25 MB)
  • DOCX download for generated policies - ready to share with auditors or management
  • Framework filter tabs to view policies by compliance programme
📋 Example: Click "Generate Policies" on the DORA dashboard, and Venvera creates ICT Security Policy, ICT Risk Management Policy, Incident Response Policy, Business Continuity Policy, and more - all pre-filled with your organisation name, scope, and regulatory references.

Task Management

A cross-framework task system that ties compliance work to specific people and deadlines:
  • Filter by status, priority, framework, task type, assignee, due date range, or free-text search
  • 11 task types: gap assessment, risk management, control implementation, incident response, policy review, audit finding, assessment, remediation, data subject request, conformity, general
  • Assign Frameworks - admins can bulk-assign users to frameworks, triggering automatic task generation
  • Sync Tasks - reconcile tasks against current assignments
  • Auto-generated tasks - flagged with an "Auto" badge; generated from the Compliance Roadmap widget on each dashboard

Regulatory Updates

Stay on top of regulatory changes with a curated intelligence feed:
  • 10 sources: EBA, EIOPA, ESMA, ECB, National Competent Authorities, European Commission, ENISA, EUR-Lex, ESA, and Other
  • Impact levels: Critical / High / Medium / Low
  • Status workflow: New → Under Review → Action Needed → Resolved / Not Applicable
  • Acknowledgement tracking with count per update - so you know who has seen it
  • "Sync Feeds" button to pull the latest regulatory publications

Reports

Generate board-ready reports with one click. Nine report types are available:
| Report | Format |
|---|---|
| DORA Board Report | DOCX |
| NIS2 Board Report | DOCX |
| ISO 27001 Board Report | DOCX |
| GDPR Board Report | DOCX |
| AI Act Board Report | DOCX |
| SOC 2 Board Report | DOCX |
| NIST CSF Board Report | DOCX |
| Risk Management Board Report | DOCX |
| Risk Management Data Export | XLSX |
Plus the DORA xBRL-CSV Export - the machine-readable file format required for ESA supervisory reporting submissions.

Cloud Integrations

Connect Venvera to your cloud environment to automatically discover assets and ingest security findings:
  • Azure / Microsoft 365 (live) - discovers cloud resources, ingests Microsoft Defender for Cloud findings, surfaces identity posture data and M365 security policy status. Findings are automatically mapped to compliance framework controls.
  • AWS - coming soon
  • GCP - coming soon
The integration dashboard shows: resources discovered, findings by severity (Critical / High / Medium / Low), framework coverage (controls mapped), last scan timestamp, and a list of recent findings.

Compliance Roadmap

Every framework dashboard features a Compliance Roadmap widget at the top of the page - an ordered, step-by-step guide to achieving compliance:
  • Progress is auto-detected from your data - no manual check-offs needed
  • Each step links directly to the relevant module page
  • A progress bar and percentage show overall completion at a glance
  • Click "Generate Tasks" to create tasks for all incomplete steps in one click
  • The widget is collapsible, and its state is remembered across sessions
💡 Tip: The Compliance Roadmap is the fastest way to onboard a new team. Open the dashboard, click "Generate Tasks", and every team member instantly has a prioritised to-do list in the Tasks module.

AI Assistant (Virtual CISO)

Venvera includes a configurable AI chat assistant available on every page of the platform:
  • Choose between Claude (Anthropic) or ChatGPT (OpenAI)
  • Enter your own API key (encrypted at rest)
  • Select which compliance frameworks to share context with the assistant
  • Ask questions about your compliance posture, regulatory requirements, or next steps - the assistant responds with awareness of your organisation's data

Audit Trail

An append-only, immutable audit log of every mutation across the platform. Every create, update, and delete action is tracked with who did it and when - supporting regulatory audit requirements across all frameworks.

Settings

  • Company Profile - organisation details used in policy generation and reports
  • User Management - invite users, assign roles (Admin / Editor / Viewer), per-framework access gating
  • Date Format - choose your preferred format, applied organisation-wide
  • Theme - light or dark mode
  • AI Assistant - configure the virtual CISO

Framework Deep Dives

Below is a detailed walkthrough of every framework in Venvera - what modules are included, what data you enter, and how Venvera helps you achieve compliance.

1. DORA - Digital Operational Resilience Act

📋 What is DORA? The Digital Operational Resilience Act (Regulation (EU) 2022/2554) requires EU financial entities to manage ICT risk, report major incidents, test resilience, and maintain a register of all ICT third-party providers. It applies from January 2025.
DORA is Venvera's most feature-rich framework, reflecting the regulation's breadth and the supervisory reporting obligations it introduces.

Dashboard

The DORA dashboard displays:
  • An animated compliance score ring
  • 4 stat cards: ICT Providers, Active Contracts, Open Incidents, Active Policies
  • Pillar score bars showing progress across DORA's four pillars: Register of Information (25 pts), ICT Risk (25 pts), Incident Management (25 pts), TPRM & Concentration Risk (25 pts)
  • 6 module cards with live badge counts
  • Quick Insights panel: Upcoming Renewals, Regulatory Updates, Data Completeness indicator

Register of Information (ROI)

The ROI is the heart of DORA compliance - a structured register of all ICT third-party arrangements that must be submitted to your competent authority. Venvera breaks it down into manageable sections:
  • Overview - summary view of your entire register
  • ICT Providers - full provider registry with LEI codes, jurisdictions, and classifications
  • Contractual Arrangements - contract lifecycle, terms, and mapping to providers
  • Business Functions - which critical or important functions each contract supports
  • ICT Risk Assessments - per-provider risk scoring
  • Branches - branch-level mapping for multi-entity organisations
  • Sub-outsourcing - sub-contractor chain visibility
  • Concentration Risk - cross-provider dependency analysis to identify single points of failure
โš ๏ธ Important: Venvera includes a full xBRL-CSV Export - the machine-readable format required by the European Supervisory Authorities (ESAs) for DORA register submissions. This export generates files conforming to the official ESA taxonomy.

Gap Assessment

A structured questionnaire covering all of DORA's requirements. Answer the questions, and Venvera calculates your compliance score and identifies exactly where the gaps are.

Resilience Testing

Track your Threat-Led Penetration Testing (TLPT) schedule and vulnerability management programme - a key requirement under DORA Chapter IV.

2. GDPR - General Data Protection Regulation

📋 What is GDPR? The General Data Protection Regulation (Regulation (EU) 2016/679) governs the processing of personal data of individuals in the EU/EEA. It applies to any organisation that processes personal data of EU residents, regardless of where the organisation is based.

Dashboard

  • Compliance score ring (from gap assessment)
  • 6 stat cards: Processing Activities, DPIAs Completed, Open DSRs (with overdue flag), Active DPAs, Open Breaches, International Transfers
  • 8 module cards with article references
  • Cross-framework references panel (policies, incidents, risks)

Modules

| Module | GDPR Reference | Description |
|---|---|---|
| Gap Assessment | Full regulation | 48 questions across 8 chapters |
| Processing Activities (ROPA) | Art. 30 | Record of Processing Activities - the foundation of GDPR compliance |
| DPIAs | Art. 35 | Data Protection Impact Assessments for high-risk processing |
| Data Subject Requests (DSRs) | Art. 12–23 | Track access, erasure, portability, objection, and other rights requests with deadline tracking |
| Processing Agreements (DPAs) | Art. 28 | Data Processing Agreements with third-party processors |
| Breach Register | Art. 33–34 | Personal data breach notifications to supervisory authorities and data subjects |
| International Transfers | Art. 44–49 | Transfer mechanisms - SCCs, adequacy decisions, BCRs |
| Policies | Various | Cross-framework policy library filtered to GDPR-relevant policies |

3. ISO 27001:2022

📋 What is ISO 27001? ISO/IEC 27001:2022 is the international standard for information security management systems (ISMS). Certification demonstrates that your organisation systematically manages information security risks. The 2022 revision updated Annex A to 93 controls across 4 themes.

Dashboard

  • Control coverage ring - implemented + N/A controls vs. total 93 Annex A controls
  • Category breakdown bar chart for each Annex A control domain
  • 11 module cards
  • Cross-framework references panel

Modules

  • Scope & Context - organisational context, interested parties, ISMS scope definition (Clause 4)
  • Controls (Statement of Applicability) - all 93 Annex A controls with implementation status, justification for exclusions
  • Risk Treatment Plan - risk treatment decisions linked to specific controls
  • Objectives - information security objectives tracking (Clause 6.2)
  • Gap Assessment - structured readiness assessment
  • Internal Audits - audit schedule, findings, evidence, and corrective actions (Clause 9.2)
  • Nonconformity Register - track nonconformities and corrective actions (Clause 10.2)
  • Management Reviews - formal management review records (Clause 9.3)
  • Training Records - staff awareness and competence log (Clause 7.2)
  • Document Register - controlled document inventory (Clause 7.5)
  • Certification - track certification status (certification body, dates, expiry, surveillance audits)

4. NIS2 - Network and Information Security Directive 2

📋 What is NIS2? The NIS2 Directive (Directive (EU) 2022/2555) significantly expands cybersecurity obligations for essential and important entities across the EU. It introduces stricter incident reporting timelines, management accountability requirements, and supply chain security measures. Member states must transpose it into national law.

Dashboard

  • Compliance score ring
  • 5 pillar bars: Risk Coverage (30 pts), Gap Assessment (30 pts), Incident Readiness (15 pts), Supply Chain (15 pts), Policy Coverage (10 pts)
  • Art. 23 Incident Notification Tracker - shows sent/overdue/pending counts for each statutory deadline:
    • 24-hour Early Warning
    • 72-hour Notification
    • 1-Month Final Report
  • 10-pillar gap breakdown aligned to Art. 21(2)(a)–(j)

Modules

  • Gap Assessment - 10-pillar assessment aligned to Art. 21 cybersecurity risk-management measures
  • Incident Readiness - Art. 23 notification workflow with deadline tracking and escalation
  • Management Training - Art. 20 board and management training records (NIS2 makes management personally accountable)
  • Certifications - Art. 24 cybersecurity certification tracking
  • KPIs - Art. 21(2)(f) key performance indicators for measuring cybersecurity effectiveness
โš ๏ธ Important: NIS2 introduces personal liability for management bodies. The Management Training module helps you document that training has been completed - a key piece of evidence if regulators come asking.

5. EU AI Act - Regulation (EU) 2024/1689

📋 What is the EU AI Act? The EU AI Act is the world's first comprehensive AI regulation. It classifies AI systems into four risk levels (Unacceptable, High, Limited, Minimal) and imposes requirements proportional to the risk. Obligations vary depending on whether you are a provider, deployer, importer, or distributor of AI systems.

Dashboard

  • 4 stat cards: AI Systems Registered, High-Risk Systems, Compliance Score, Systems Needing Review
  • Risk distribution bar chart - Unacceptable Risk / High Risk / Limited Risk / Minimal Risk
  • Gap assessment completion ring (50 questions)
  • Recent AI systems table
  • 10 module cards

Modules

  • AI Systems - inventory of all AI systems your organisation develops, deploys, or uses
  • Risk Classification - 4-level classification wizard aligned to Art. 5–6 and Annex III: Unacceptable Risk (prohibited), High Risk, Limited Risk, Minimal Risk
  • Gap Assessment - 50 questions across 8 chapters covering the full regulation
  • Technical Documentation - Annex IV documentation requirements per AI system
  • Data Governance - Art. 10 data quality and data governance requirements
  • Human Oversight - Art. 14 human oversight measures per system
  • Post-Market Monitoring - ongoing performance monitoring and incident detection
  • Incident Reporting - Art. 62 serious incident reporting to market surveillance authorities
  • Conformity & CE Marking - Art. 43 conformity assessment procedures and CE marking status
  • GPAI Models - Art. 51–55 General-Purpose AI model obligations (capability evaluation, systemic risk classification)

6. SOC 2 Type 2

📋 What is SOC 2? SOC 2 (System and Organization Controls 2) is an auditing standard developed by the AICPA. A SOC 2 Type 2 report provides assurance that an organisation's controls are designed and operating effectively over a period of time. It is based on five Trust Services Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy.

Dashboard

  • Readiness score ring
  • Criteria coverage by Trust Services Category bar chart (Security, Availability, Processing Integrity, Confidentiality, Privacy)
  • Control effectiveness breakdown: Operating Effectively / Needs Improvement / Not Implemented / Not Applicable
  • Recent control test results table
  • 9 module cards

Modules

  • Scope & Categories - define your audit scope and select which Trust Services Categories apply
  • Controls - control library mapped to Trust Services Criteria
  • Control Activities - specific control activity documentation
  • Gap Assessment - readiness assessment against TSC
  • Evidence & Testing - evidence collection linked to controls
  • Control Testing Log - test results with Pass / Fail / Exception tracking
  • Internal Audits - audit engagements and findings
  • Management Reviews - formal review records
  • Readiness Tracker - overall readiness status toward your SOC 2 Type 2 report

7. NIST CSF 2.0

📋 What is NIST CSF? The NIST Cybersecurity Framework (CSF) 2.0, published by the U.S. National Institute of Standards and Technology, provides a voluntary framework for managing cybersecurity risk. Version 2.0 added "Govern" as a sixth core function and introduced the concept of CSF Profiles and Tiers.

Dashboard

  • Current vs. target Tier display - Tier 1 (Partial) / Tier 2 (Risk Informed) / Tier 3 (Repeatable) / Tier 4 (Adaptive)
  • Function coverage bar chart for all 6 CSF functions: Govern (GV), Identify (ID), Protect (PR), Detect (DE), Respond (RS), Recover (RC)
  • Recent control test results
  • 9 module cards

Modules

  • Profiles & Tiers - define current and target CSF profiles, set maturity tier
  • Framework Overview - 6-function framework navigation
  • Controls (Subcategories) - all CSF subcategories with implementation status
  • Control Activities - specific activities per subcategory
  • Gap Assessment - structured gap analysis
  • Evidence - evidence collection linked to controls
  • Internal Audits - audit records and findings
  • Management Reviews - formal review records
  • Action Plans - improvement plans tied to identified gaps

8. Cyber Essentials (UK)

📋 What is Cyber Essentials? Cyber Essentials is a UK government-backed certification scheme that helps organisations guard against the most common cyber threats. It covers five key technical controls. Cyber Essentials Plus adds an independent technical assessment including vulnerability scanning and penetration testing.

Dashboard

  • Readiness ring
  • Theme coverage bar chart for all 5 themes: Firewalls, Secure Configuration, Access Control, Malware Protection, Security Update Management
  • Certification status panel (tracks both CE Basic and CE Plus levels)
  • 9 module cards

Modules

  • Scope - boundary and system scope definition
  • Requirements - the 5 Cyber Essentials themes with requirement-level detail
  • Controls - specific controls per theme
  • Gap Assessment - readiness assessment against CE requirements
  • Evidence - evidence collection per control
  • Audits - audit records and findings
  • Management Reviews - formal review documentation
  • CE Plus - enhanced assurance:
    • Vulnerability scanning management
    • Penetration testing records and scheduling
  • Readiness Assessment - overall certification readiness tracker for both CE Basic and CE Plus

9. UAE IA - UAE Information Assurance Framework

📋 What is UAE IA? The UAE Information Assurance (IA) Framework, issued by the Telecommunications and Digital Government Regulatory Authority (TDRA), provides mandatory information security standards for UAE government entities and critical national infrastructure operators. It covers management controls (M1–M6) and technical controls (T1–T9).

Dashboard

  • Gap assessment score ring (60 questions, 10 chapters)
  • 6 stat cards: Controls Implemented, Open Risks (with critical/high flag), Audits Completed, Open Incidents, CNI Assessments, Controls Partial
  • 6 module cards

Modules

  • Gap Assessment - 60 questions across 10 chapters aligned to the UAE IA Framework
  • Security Controls - organised in Management families (M1–M6) and Technical families (T1–T9)
  • Risk Register - UAE IA-scoped risk management
  • Compliance Audits - TDRA audit support and submission tracking
  • Incident Register - incidents with aeCERT reporting workflow
  • CNI Assessment - Critical National Infrastructure classification and assessment

10. NDPA - Nigeria Data Protection Act 2023

📋 What is the NDPA? The Nigeria Data Protection Act 2023 (NDPA) is Nigeria's comprehensive data protection law, replacing the earlier NDPR framework. It governs the processing of personal data, establishes data subject rights, and creates the Nigeria Data Protection Commission (NDPC) as the supervisory authority.

Dashboard

  • Gap assessment score ring (60 questions, 10 chapters)
  • 6 stat cards: Processing Activities (Sec. 24), DPIAs Completed (Sec. 28), Open DSRs (Sec. 34–38, with overdue flag), Open Breaches (Sec. 40), Active Cross-Border Transfers (Sec. 41–43), Compliance Audits Submitted (Sec. 44–45)
  • 8 module cards with section references
  • Cross-framework references panel (policies, incidents, risks)

Modules

  • Gap Assessment - 60 questions across 10 chapters
  • Processing Activities - processing register per Sec. 24
  • DPIAs - Data Protection Impact Assessments per Sec. 28
  • Data Subject Requests - rights requests tracker per Sec. 34–38
  • Breach Register - breach notifications per Sec. 40
  • Cross-Border Transfers - transfer mechanisms per Sec. 41–43
  • Compliance Audits (CARs) - Compliance Audit Reports per Sec. 44–45, required for organisations of major importance

Security & Architecture

Venvera is built with security as a foundational principle, not an afterthought. Here is how your data is protected:
| Layer | How It Works |
|---|---|
| Authentication | Microsoft Entra ID (Azure AD) Single Sign-On - no separate passwords to manage |
| Tenant Isolation | PostgreSQL Row-Level Security (RLS) - every query is scoped to your organisation at the database level; no code bug can leak data between tenants |
| Access Control | Role-Based Access Control (Admin / Editor / Viewer) with per-framework gating |
| Defence-in-Depth | Edge middleware → API route guards → Database RLS - three layers of protection |
| File Encryption | AES-256-GCM per-tenant encryption for all uploaded files |
| Audit Trail | Append-only, immutable audit log of every mutation |
| Backups | Automated encrypted backups every 6 hours with 30-day retention |
| Hosting | EU-based infrastructure (Amsterdam, Netherlands) - your data stays in the EU |
| Network Security | TLS 1.2/1.3 only, UFW firewall, fail2ban (5 jails), hardened SSH |
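
The Tenant Isolation layer listed above rests on PostgreSQL Row-Level Security. The following is an added example, not Venvera's schema or code: the table `incidents`, the role `app_user`, the setting name `app.tenant_id` and the sample UUID are assumptions, used to show how an RLS policy scopes every query to one tenant and which catalogue checks confirm that the policy cannot be bypassed.

```sql
-- Added example. All object names are illustrative assumptions,
-- not taken from the Venvera platform.

-- Application role: must be neither superuser nor BYPASSRLS,
-- because both attributes skip row-level security entirely.
CREATE ROLE app_user LOGIN NOSUPERUSER NOBYPASSRLS;

CREATE TABLE incidents (
    id        bigint GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
    tenant_id uuid NOT NULL,
    title     text NOT NULL
);

GRANT SELECT, INSERT, UPDATE, DELETE ON incidents TO app_user;

-- ENABLE turns policies on for ordinary roles.
-- FORCE also applies them to the table owner, who is exempt by default.
ALTER TABLE incidents ENABLE ROW LEVEL SECURITY;
ALTER TABLE incidents FORCE ROW LEVEL SECURITY;

-- USING filters rows that can be read, updated or deleted.
-- WITH CHECK rejects inserts and updates that would write another
-- tenant's id. current_setting() raises an error when app.tenant_id
-- is unset, so a request that forgot to set it fails closed.
CREATE POLICY tenant_isolation ON incidents
    FOR ALL
    TO app_user
    USING      (tenant_id = current_setting('app.tenant_id')::uuid)
    WITH CHECK (tenant_id = current_setting('app.tenant_id')::uuid);

-- Per-request pattern: bind the tenant inside a transaction.
-- The third argument (true) makes the setting transaction-local,
-- so it cannot leak to the next request on a pooled connection.
BEGIN;
SELECT set_config('app.tenant_id',
                  '11111111-1111-1111-1111-111111111111',  -- constructed sample id
                  true);
SELECT id, title FROM incidents;   -- returns only this tenant's rows
COMMIT;

-- Verification 1: roles that bypass RLS regardless of policies.
-- The application's login role must not appear in this list.
SELECT rolname
FROM pg_roles
WHERE rolsuper OR rolbypassrls;

-- Verification 2: tables in the public schema where RLS is not both
-- enabled and forced. Any tenant-scoped table listed here is unprotected.
SELECT relname, relrowsecurity, relforcerowsecurity
FROM pg_class
WHERE relkind = 'r'
  AND relnamespace = 'public'::regnamespace
  AND NOT (relrowsecurity AND relforcerowsecurity);
```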

Typical Workflow - From Zero to Compliant

Here is how a typical organisation uses Venvera, end to end:

Phase 1: Discover

  1. Run Gap Assessments for each framework you need to comply with. This gives you an instant compliance score and a clear picture of where you stand.
  2. Connect cloud integrations (Azure/M365) to automatically discover assets and ingest security findings.
  3. Review the Compliance Roadmap on each dashboard - it tells you exactly what to do next, in order.

Phase 2: Build

  1. Register your ICT providers and contracts - especially critical for DORA, but also feeds into NIS2 supply chain requirements and ISO 27001 Annex A supplier controls.
  2. Map your processing activities (GDPR ROPA) and inventory your AI systems (AI Act).
  3. Implement controls - use the Controls Library to map controls across frameworks. A single control can satisfy ISO 27001, SOC 2, and NIST CSF requirements simultaneously.
  4. Generate policies with one click - templates are pre-populated with your company data and regulatory references.
  5. Document risks in the Risk Register with treatment plans, owners, and linked controls.

Phase 3: Operate

  1. Track incidents in the unified Incident Register - Venvera handles the framework-specific reporting workflows (DORA, NIS2 Art. 23, GDPR Art. 33, etc.).
  2. Manage tasks - assign compliance work to team members with deadlines and priorities. Auto-generate tasks from the Compliance Roadmap.
  3. Monitor regulatory updates - stay on top of new guidance, amended rules, and supervisory expectations.
  4. Run internal audits and record management reviews - required evidence for ISO 27001, SOC 2, and several other frameworks.

Phase 4: Report

  1. Generate board reports with one click for any framework - ready-to-present DOCX documents.
  2. Export the DORA xBRL-CSV register for ESA supervisory submission.
  3. Download risk management data exports (XLSX) for external consultants or auditors.
  4. Use the Audit Trail to demonstrate to regulators that you have a complete, tamper-proof record of all compliance activities.

Cross-Framework Efficiency

One of Venvera's biggest advantages is eliminating duplicate work across frameworks. Here are some examples:
| You Enter Once... | Venvera Uses It In... |
|---|---|
| ICT providers & contracts | DORA ROI, NIS2 supply chain, ISO 27001 Annex A.15, TPRM questionnaire campaigns |
| An incident | DORA incident management, NIS2 Art. 23 notifications, GDPR breach register, UAE IA aeCERT, AI Act Art. 62 |
| A security control | ISO 27001 SoA, SOC 2 TSC, NIST CSF subcategories, Cyber Essentials themes, risk treatment plans |
| A policy document | All 10 frameworks - the Policy Library shows relevant policies per framework via filter tabs |
| A risk | Risk Register, risk heatmap, risk snapshots, board reports, control linkages |
💡 Bottom line: Organisations that comply with multiple frameworks using Venvera typically see 40–60% less duplicate work compared to managing each framework in isolation.

Frequently Asked Questions

How many users can I add?

There is no limit on users. Add as many team members as you need, each with their own role and framework access permissions.

Can I use Venvera for just one framework?

Yes. Framework access is gated per organisation. You can start with just DORA, for example, and add GDPR or NIS2 later. The shared modules (Risk Management, Incidents, Policies, Tasks) are always available.

Where is my data stored?

All data is stored on EU-based infrastructure in Amsterdam, Netherlands. Files are encrypted with AES-256-GCM using per-tenant encryption keys. Automated encrypted backups run every 6 hours with 30-day retention.

Does Venvera support SSO?

Yes. Venvera uses Microsoft Entra ID (Azure AD) for Single Sign-On. Your team logs in with their existing Microsoft credentials - no separate passwords to manage.

Can I generate regulatory submissions?

Yes. For DORA, Venvera generates the xBRL-CSV export required by the European Supervisory Authorities. For all frameworks, you can generate board reports in DOCX format. NDPA includes Compliance Audit Report (CAR) tracking for NDPC submissions.

Does Venvera integrate with my cloud environment?

Yes. The Azure / Microsoft 365 integration is live - it discovers cloud resources, ingests Defender for Cloud findings, and maps them to compliance controls automatically. AWS and GCP integrations are coming soon.

Is there an AI assistant?

Yes. Venvera includes a configurable AI assistant (Virtual CISO) powered by your choice of Claude (Anthropic) or ChatGPT (OpenAI). It is context-aware of your organisation's compliance posture and can answer questions about regulatory requirements, next steps, and best practices.

How does the Compliance Roadmap work?

Each framework dashboard features an ordered, step-by-step roadmap. Completion is auto-detected from your data - when you register providers, the "Register ICT Providers" step automatically checks off. Click "Generate Tasks" to create tasks for all remaining steps in one click.

Can multiple frameworks share the same controls?

Yes. The Controls Library is cross-framework. A single control can satisfy requirements from ISO 27001, SOC 2, NIST CSF, and Cyber Essentials simultaneously - reducing duplicate implementation work.

Venvera - Unified Compliance Management venvera.com

Alexander Sverdlov

CEO & Founder

Alexander is the CEO and founder of Venvera, leading the development of multi-framework compliance solutions for European regulated entities.
