
Governance That Works in Practice, Not Just on Paper

Introducing QSEC 8.1, the latest GRC release of the NEXIS Platform

Regulators across Europe are raising the bar. NIS2, DORA and the EU AI Act don’t just ask organizations to have governance policies in place. They expect those organizations to demonstrate how decisions were made, who was accountable, and how risks evolved over time.

For most governance teams, that’s where the real pressure lies. Not in understanding the regulations. In proving, at any given moment, that your organization is actually living by them.

The NEXIS Platform provides governance, risk and compliance (GRC) capabilities that bring together risk management, regulatory obligations, identity controls and audit documentation in one connected environment. QSEC 8.1, the GRC part of the platform, is the latest release, and it delivers five concrete areas of new functionality directly shaped by NIS2, DORA, ISO/IEC 27001:2022 and the EU AI Act.


NEW: AI System Assessments Built Into the Asset Register

The EU AI Act requires organizations to identify, assess and document the AI systems they use, including their intended purpose, risk level and the roles responsible for them. In practice, many organizations are handling this in isolation: a spreadsheet here, a separate project there, disconnected from the rest of their governance structure.

The problem with that approach is fragmentation. When an auditor asks how a particular AI system was assessed and who approved it, the answer shouldn’t require hunting across three different tools.

With QSEC 8.1, a new AI assessment form is available directly within the asset register and can be activated on request. When a new AI-enabled tool is introduced, evaluating it becomes part of the standard governance workflow rather than a separate exercise. The form engine itself has also been extended, with new logical field calculations, dependencies and easier field positioning, making it simpler to adapt assessments to your specific requirements.

The practical result: less duplicated documentation, more consistent evaluations, and a much cleaner audit trail.


NEW: History Function and Audit-Proof Traceability

Regulators increasingly want to understand not just where you stand today, but how you got there. What was the risk rating six months ago? Who changed it, and why? Was that access policy approved before or after the incident?

Reconstructing that kind of history manually, from emails, meeting notes and version-controlled documents, is slow and error-prone.

QSEC 8.1 introduces a new history function at the level of core governance objects, providing change overviews that show what was modified and when. The release also improves how employee data is anonymized and refines the overall deletion concept, supporting GDPR-aligned data lifecycle management alongside audit traceability.

If an auditor asks why a particular decision was made eighteen months ago, the answer is already in the system. Audit preparation stops being a sprint and starts being a routine.


NEW: Business-Driven Risk Prioritization

A medium-severity vulnerability in a payment processing system is not the same as a medium-severity vulnerability in an internal scheduling tool. But many risk frameworks treat them identically because they share the same technical score.

That creates a problem when you need to explain to leadership why certain risks are being addressed first, or when resource constraints force difficult prioritization decisions.

QSEC 8.1 significantly extends the ISMS risk module across two dimensions. First, it introduces new core mechanisms including priority lists, protection-needs-oriented assessment depth and workflow functions for risk treatment strategies. Second, and equally important, it strengthens the connection between risk management and the business: Business Impact Analysis results are now automatically incorporated into risk prioritization, DORA-defined critical business functions can be integrated directly, and risks can be assessed across multiple levels including processes, projects, assets and service relationships.

This gives governance leaders a more defensible basis for prioritization and a clearer way to connect risk decisions to business priorities, which is precisely what DORA and NIS2 regulators expect.
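To make the point about identical technical scores concrete, here is an added illustration (not QSEC's own prioritization logic, whose internal scoring is not described on this page) of how Business Impact Analysis criticality and a DORA critical-function flag can reweight a technical severity score into a priority list. The asset names, criticality tiers and the weighting formula are constructed assumptions for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    """One risk finding attached to an asset (constructed sample structure)."""
    risk_id: str
    description: str
    technical_score: float  # e.g. a CVSS-style base score on a 0-10 scale
    asset: str


# Constructed BIA output: criticality tier per asset (1 = low, 4 = critical).
# In practice this would be derived from outage impact, recovery objectives, etc.
BIA_CRITICALITY = {
    "payment-processing": 4,
    "hr-portal": 2,
    "scheduling-tool": 1,
}

# Constructed set of assets supporting DORA-defined critical business functions.
DORA_CRITICAL_FUNCTIONS = {"payment-processing"}


def business_weight(asset: str) -> int:
    """Weight an asset by its BIA tier, with an extra step for DORA-critical functions.

    Assumed formula for this example: tier (default 1) + 1 if DORA-critical.
    """
    tier = BIA_CRITICALITY.get(asset, 1)
    return tier + (1 if asset in DORA_CRITICAL_FUNCTIONS else 0)


def priority_score(risk: Risk) -> float:
    """Business-weighted priority: technical severity scaled by business weight."""
    return round(risk.technical_score * business_weight(risk.asset), 2)


def build_priority_list(risks: list[Risk]) -> list[tuple[str, float]]:
    """Return (risk_id, priority_score) pairs, highest priority first.

    Ties are broken by risk_id so the ordering is deterministic and auditable.
    """
    scored = [(r.risk_id, priority_score(r)) for r in risks]
    return sorted(scored, key=lambda item: (-item[1], item[0]))


# Constructed sample risks: two medium-severity findings with the same technical
# score on very different assets, plus a high-severity finding on a mid-tier asset.
SAMPLE_RISKS = [
    Risk("R-001", "Medium-severity weakness in payment API", 6.5, "payment-processing"),
    Risk("R-002", "Medium-severity weakness in scheduling tool", 6.5, "scheduling-tool"),
    Risk("R-003", "High-severity weakness in HR portal", 8.8, "hr-portal"),
]


if __name__ == "__main__":
    for risk_id, score in build_priority_list(SAMPLE_RISKS):
        print(f"{risk_id}: {score}")
```

With the assumed weights, the medium-severity payment finding (6.5 x 5 = 32.5) lands above the high-severity HR-portal finding (8.8 x 2 = 17.6), and the scheduling-tool finding (6.5 x 1 = 6.5) comes last, which is the kind of ordering leadership can actually defend. The weighting formula is the place to encode your own BIA scale; keeping it in one function keeps the prioritization rule reviewable.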


NEW: Projects, Clients and Regulatory Notification Obligations in the ISMS

DORA and NIS2 both impose strict timelines for reporting certain incidents to regulators. Miss a deadline, or report to the wrong authority, and the compliance failure can be as damaging as the incident itself.

Many organizations still manage these notification obligations outside their main governance environment, in shared documents, inboxes or manually maintained trackers. That works until it doesn’t.

QSEC 8.1 introduces a genuinely new capability here: customer and project data can now be managed directly within the ISMS and integrated into risk management workflows. Regulatory notification obligations are documented in the same system where the underlying risks and controls already live, with clear responsibility assignment and timelines.

When a real incident occurs, the question of what to report, to whom, and by when has a clear answer rather than becoming another source of pressure in an already high-stakes situation.


Deeper Integration With Your Identity and Enterprise Landscape

A significant share of compliance exposure today originates in identity structures, the systems that control who has access to what across your organization. Segregation of duties conflicts, excessive privileges and orphaned accounts left behind by former employees are common findings in audits and security incidents alike.

These are typically managed by IT and identity teams using dedicated Identity and Access Management (IAM) tools. But they are fundamentally governance risks, not just technical ones.

NEXIS is designed around a unified architecture that connects GRC and identity governance. QSEC 8.1 takes this further with new standard interfaces and adapters, specifically for Microsoft Entra ID, SharePoint and SAP LeanIX. This means identity data from Entra ID can flow more directly into governance dashboards and risk assessments, access risks become visible alongside the controls and policies they relate to, and enterprise architecture data from LeanIX can inform governance decisions in context.

For organizations already using Microsoft infrastructure or LeanIX for application portfolio management, this is a meaningful step toward a connected control model where identity decisions and governance oversight reinforce each other, rather than operating in separate systems that rarely talk.


What This Means in Practice

QSEC 8.1 doesn’t introduce features for their own sake. Each of these new capabilities addresses a specific gap between how governance is documented and how it actually operates under pressure: AI assessments embedded in existing workflows, history functions that make traceability automatic, business-aligned risk prioritization, structured notification management and tighter integration with the identity and enterprise tools organizations already use.

Taken together, they move governance from a reporting function into something closer to operational infrastructure, always current, always traceable, and defensible at any point in time rather than only at the moment of an audit.

For organizations navigating the growing complexity of European regulatory requirements, that shift isn’t optional. It’s the direction the regulatory environment is pushing everyone toward.

QSEC 8.1 is built to help you get there on your own terms, before external pressure forces the issue.
