NIS2 Copilot | System information

Important Hosting Update (13/01/25)

Mid-december, we announced that as of February 1st, 2025, ISMS Copilot would no longer offer EU-hosted conversations due to the closure of our EU provider. In the meantime, we hosted conversations in the US, with GDPR compliance ensured through Standard Contractual Clauses (SCCs) and robust data protection measures.

But, we’re happy to announce that our ability to offer 100% EU hosted assistants is finally maintained.

So, we’ll keep supporting assistance for EU regulations (DORA, NIS2, EU AI ACT, Cyber Resilience Act, GDPR), and these assistants will be hosted in the EU. This information supersedes any other information about EU hosting. We confirm as of 13/01/2025 that ISMS Copilot EU is back in the game.

For more details, please visit our FAQ for EU users.

NIS2 Copilot Documentation

About This AI System

The NIS2 Copilot is an AI-powered chatbot designed to help organizations align with the Network and Information Security (NIS2) Directive. It provides actionable guidance for cybersecurity compliance, focusing on critical infrastructure and essential service providers in the EU. In accordance with EU AI Act transparency requirements, we inform you that you are interacting with an artificial intelligence system.

Classification Under EU AI Act

Risk Classification

NIS2 Copilot is classified as a limited risk AI system (chatbot) based on:

Intended Purpose: Offers guidance for aligning with the NIS2 Directive and addressing cybersecurity compliance.
Functionality: Provides detailed support for risk management, incident reporting, and critical infrastructure protection under NIS2.
Risk Level: As a limited risk chatbot, it focuses on supporting compliance without impacting fundamental rights.
Decision Making: Assists human decision-making by offering insights and recommendations for NIS2 compliance.
Data Processing: All conversation data is stored exclusively in the EU, ensuring compliance with EU data residency regulations.

Rationale for Classification

The system does not qualify as high-risk under Article 6 and Annex III because:

It does not make autonomous decisions affecting fundamental rights.
Human oversight is integral to all compliance and decision-making processes.
Data residency within the EU reduces risks related to privacy and security.
Its primary purpose is advisory, ensuring organizations can meet their cybersecurity obligations.