Market audit · 17 May 2026

We audited 136 commercial GRC/ISMS platforms. 103 won't tell you what they cost.

We captured every vendor's pricing page verbatim. Where pricing is hidden behind a demo form we record 'Demo call required'. No estimates, no third-party sources. Nine open-source alternatives (verinice, CISO Assistant, Deming, ISMS Builder, Unicis CE, ourselves and others) are excluded from this list because they don't sell you a subscription.

Start free Methodology

136

Vendors audited

Public pricing

Starting price only

103

Demo call required

NIS2 as framework

Countries

As of: 2026-05-17

Why this market is ripe for disruption

76% of these 136 commercial GRC/ISMS vendors hide their prices. The products are forms, templates and checklists on top of a database. The marginal cost of one more customer is near zero. The price is not. Here are the receipts.

Five-figure annual contracts for a form

Vanta, Drata, Secureframe, OneTrust, MetricStream, IBM OpenPages, ServiceNow GRC, Archer, Diligent — every enterprise GRC suite hides pricing and charges €30,000+/year for a workflow tool with templates.

Eastern EU vendors are 10x cheaper and transparent

Copla (LT) sells NIS2 for €3,500/year as a dedicated SKU. NIS2 Manager (CZ) at ~€980/month. Conformio (HR) at €145/month. Same product category, different pricing decision.

OSS competition is growing from Germany and France

ISMS Builder (DE, AGPL), CISO Assistant (FR, AGPLv3, 130+ frameworks), Little-ISMS-Helper (DACH), Deming (FR) — all free self-hosted, all NIS2 explicit.

Market consolidation is accelerating

AuditBoard → Optro. CONTECHNET → i-doit. DocSetMinder → Allgeier. 3rdRisk → Diligent. RISMA + Wired Relations + ComplyCloud → Cerivo. StandardFusion → Wolters Kluwer. Galvanize → Diligent. Tugboat → OneTrust. Archer → Cinven.

NIS2 vendors onlyHas free option

Vendor	Country	Pricing	Data export	NIS2	Free	Source	Entry
3rdRisk (Diligent)	NL	Demo call	—	Yes	—	Open pricing page	Demo call required; acquired by Diligent Jan 2026
6clicks	AU	Demo call	—	No	—	Open pricing page	Demo call required; Hub-and-Spoke MSP GRC, 1,000+ frameworks
AdaptiveGRC (C&F)	PL	Demo call	—	Yes	—	Open pricing page	Demo call required
Akitra	US	Demo call	—	No	—	Open pricing page	Demo call required; agentic-AI compliance
Anecdotes	IL	Demo call	—	Yes	—	Open pricing page	Demo call required; 'One Platform, Simple Pricing' but no €
Anitian	US	Demo call	—	No	—	Open pricing page	Demo call required; FedRAMP focus
Apptega	US	Demo call	—	No	Trial	Open pricing page	Demo call required; 14-day trial on Essentials
Aptien	CZ	Demo call	—	No	Free	Open pricing page	Vendor displays '$-' placeholder; per-user model but no number
Archer (Cinven PE)	US	Demo call	—	No	—	Open pricing page	Demo call required; category-defining form/workflow IRM
Atena Governance	IT	Demo call	—	Yes	Trial	Open pricing page	Demo call required; 30-day trial, no CC
Athereon GRC	DE	Demo call	—	Yes	—	Open pricing page	Demo call required; 4 size classes S/M/L/XL
AuditBoard (now Optro)	US	Demo call	—	No	—	Open pricing page	Demo call required; rebranded March 2026 AuditBoard → Optro
Auditool (June Factory)	FR	Demo call	—	Yes	Trial	Open pricing page	Demo call for full version; 7-day sandbox free with 50+ NIS2 actions
BitSight	US	Demo call	—	No	—	Open pricing page	Demo call required; cyber ratings + TPRM + ASM
Black Kite	US	Demo call	—	No	—	Open pricing page	Demo call required; cyber ratings/TPRM
Centraleyes	US	Demo call	—	No	—	Open pricing page	Demo call required; 180+ frameworks
Cerrix	NL	Demo call	—	Yes	—	Open pricing page	Demo call required; enterprise GRC
Cibgest	PT	Demo call	—	Yes	Trial	Open pricing page	Demo call required; 14-day trial, no CC
Complidoo (Asystel-BDF)	IT	Demo call	—	Yes	—	Open pricing page	Demo call required; low-code GRC
Complyance	US	Demo call	—	Yes	—	Open pricing page	Demo call required; $20M Series A Feb 2026 (GV, EU VCs Creandum/HV/Speedinvest)
ComplyCloud (Cerivo)	DK	Demo call	—	Yes	Trial	Open pricing page	Demo call required; part of Cerivo merger 2025/2026
ComplyDo	DE	Demo call	Nothing documented	Yes	—	Open pricing page	Demo call required; YC F25, Berlin
Compyl	US	Demo call	—	No	—	Open pricing page	Demo call required; 20+ frameworks
CONTECHNET (i-doit)	DE	Demo call	—	Yes	Trial	Open pricing page	Demo call required; CONTECHNET 301-redirects to i-doit
CyberArrow	AE	Demo call	—	No	—	Open pricing page	Demo call required; /pricing returns 403
CyberSaint CyberStrong	US	Demo call	—	No	—	Open pricing page	Demo call required; annual or multi-year only
Cypago	IL	Demo call	—	No	—	Open pricing page	Demo call required; AWS Marketplace from $60k/yr
DataGuard	DE	Demo call	Nothing documented	Yes	—	Open pricing page	Demo call required; Base/Pro/Enterprise — all 'Get a quote'
Datalog (Zucchetti)	IT	Demo call	—	Yes	—	Open pricing page	Demo call required; Zucchetti group
Delve (collapsed)	US	Demo call	—	No	—	Open pricing page	April 2026: YC dropped them for fake SOC 2 audits + code theft
Diligent (incl. Galvanize, 3rdRisk)	US	Demo call	—	No	—	Open pricing page	Demo call required; ~23,000 clients post-mergers
DocSetMinder	DE	Demo call	—	No	—	Open pricing page	Demo call required; acquired by Allgeier CyRis
Drata	US	Demo call	Partial	No	—	Open pricing page	Demo call required; NIS2 not listed on pricing page
Enactia	CY	Demo call	—	No	Trial	Open pricing page	Demo call required; 14-day free trial
Formalize	DK	Demo call	—	Yes	Trial	Open pricing page	Demo call required; 14-day limited trial
fuentis	DE	Demo call	—	Yes	—	Open pricing page	Demo call required; 'Free start' CTAs route to contact form
G DATA Business	DE	Demo call	—	Yes	Trial	Open pricing page	Demo call for business products; consumer line public
GBTEC (BIC GRC)	DE	Demo call	—	Yes	—	Open pricing page	Demo call required; product page 404
GlobalSuite Solutions	ES	Demo call	—	Yes	—	Open pricing page	Demo call required; no /pricing page
GovernX	RO	Demo call	—	Yes	Trial	Open pricing page	Demo call required (prices behind login); 'Made in Romania, for Europe'
GRCTools (ESG Innova)	ES	Demo call	—	Yes	—	Open pricing page	Demo call required
Heimdal	DK	Demo call	—	Yes	—	Open pricing page	Demo call required; /pricing 404
HiScout	DE	Demo call	Reports only	Yes	—	Open pricing page	Demo call required; no public pricing page
Holm Security	SE	Demo call	—	Yes	Trial	Open pricing page	Demo call required; 1-3 year minimum contract
Hybridity (Hy5)	SE	Demo call	—	Yes	—	Open pricing page	Demo call required; €2M raise Feb 2026
HyperComply	CA	Demo call	—	No	—	Open pricing page	Demo call required; TPRM/questionnaire automation
Hyperproof	US	Demo call	—	Yes	—	Open pricing page	Demo call required; 'AI-powered GRC' marketing
IBM OpenPages	US	Demo call	—	No	—	Open pricing page	Demo call required; enterprise GRC + AI
INFODAS (SAVe)	DE	Demo call	—	No	—	Open pricing page	Demo call required; explicitly bundled with consulting
ISMS.online	UK	Demo call	—	Yes	—	Open pricing page	Demo call required; 'Bespoke, customized pricing'; NIS2 as 'optional extra'
Kertos	DE	Demo call	—	Yes	—	Open pricing page	Demo call required
Kiteworks	US	Demo call	—	Yes	—	Open pricing page	Demo call required; 'CALL FOR PRICING' Enterprise
Kymatio	ES	Demo call	—	Yes	—	Open pricing page	Demo call required; no /pricing page
Legiscope	FR	Demo call	—	Yes	—	Open pricing page	Demo call required; /pricing 404
LexCyberAI	PL	Demo call	—	Yes	Free	Open pricing page	Demo call required; free NIS 2 bootcamp
LogicGate Risk Cloud	US	Demo call	—	No	—	Open pricing page	Demo call required; no-code workflow builder for GRC
LogicManager	US	Demo call	—	No	—	Open pricing page	Demo call required; 'Job-to-be-Done pricing'
Make IT Safe	FR	Demo call	—	Yes	—	Open pricing page	Demo call required; via ReCyF referential
MetricStream	US	Demo call	—	No	—	Open pricing page	Demo call required; IRM mega-suite, AppStudio = form builder
NIS2 Control (Virtual IT)	SI	Demo call	—	Yes	—	Open pricing page	Demo call required; ZInfV-1 Slovenia
Norm Ai	US	Demo call	—	No	—	Open pricing page	Demo call required; $87M total funding (Coatue, Bain, Blackstone)
NorthGRC	NO	Demo call	—	Yes	—	Open pricing page	Demo call required; no /pricing page
OMNITRACKER	DE	Demo call	Reports only	Yes	—	Open pricing page	Demo call required; 'KOSTENFREI TESTEN' is demo request
Oneleet	US	Demo call	—	No	—	Open pricing page	Demo call required; $33M Series A, GRC + pentest
OneTrust	US	Demo call	—	No	—	Open pricing page	Demo call required; 6 separate solution suites, all modular
Onspring	US	Demo call	—	No	—	Open pricing page	Demo call required; Bronze/Silver/Gold/Platinum without prices
otris	DE	Demo call	—	No	Trial	Open pricing page	Demo call required; phone-first sales
Perium	NL	Demo call	—	Yes	Trial	Open pricing page	Demo call required; 30-min setup claim
ProcessUnity	US	Demo call	—	No	—	Open pricing page	Demo call required; pure questionnaire platform
QSEC (Nexis)	DE	Demo call	—	Yes	—	Open pricing page	Demo call required; claims 'transparent', shows no €
Resolver (Kroll)	CA	Demo call	—	No	—	Open pricing page	Demo call required; 3-factor quote (modules + customization + active users)
RIG NIS (Wolters Kluwer PL)	PL	Demo call	—	Yes	—	Open pricing page	Demo call required
Riskonnect	US	Demo call	—	No	—	Open pricing page	Demo call required; IRM on Salesforce
RISMA Systems (Cerivo)	DK	Demo call	—	Yes	—	Open pricing page	Demo call required; only /price-request, no /pricing
Robin Data	DE	Demo call	—	Yes	Trial	Open pricing page	Demo call required; /preise page returns 404
SAI360	US	Demo call	—	No	—	Open pricing page	Demo call required; Compliance + Risk bundles, all 'Request Quote'
Schleupen GRC	DE	Demo call	—	Yes	—	Open pricing page	Demo call required; concurrent user / enterprise license
Scytale	IL	Demo call	—	No	—	Open pricing page	Demo call required; 5 tier names without prices
Secfix	DE	Demo call	—	Yes	—	Open pricing page	Demo call required; no /pricing page
SECJUR	DE	Demo call	—	Yes	—	Open pricing page	Demo call required; no /pricing page
Secrato	BE	Demo call	—	Yes	—	Open pricing page	Plan names public, prices not; launched March 2026
secunet	DE	Demo call	—	Yes	—	Open pricing page	Project-based custom quote; government/defense vendor
Secureframe	US	Demo call	Partial	No	—	Open pricing page	Demo call required; 'Get a quote' on every tier
SecurityScorecard	US	Demo call	—	No	Free	Open pricing page	Free Forever tier (limited); Core/Premium/Elite/TITAN MAX all demo-gated
ServiceNow GRC	US	Demo call	—	No	—	Open pricing page	Demo call required; GRC on Now Platform = forms + workflows
ShieldIQ	IE	Demo call	—	Yes	Free	Open pricing page	Freemium, 'no card no setup calls'; tier prices demo-gated
SoSafe	DE	Demo call	—	Yes	—	Open pricing page	Demo call required; tier names only, no prices
Sprinto	IN	Demo call	Partial	No	—	Open pricing page	Demo call required; pricing page is JS SPA, no prices visible
StandardFusion (Wolters Kluwer TeamMate)	NL	Demo call	—	No	—	Open pricing page	Demo call required; 308-redirects to Wolters Kluwer TeamMate
Steryon	ES	Demo call	—	Yes	—	Open pricing page	Demo call required; €1M seed, OT/industrial, NIS2 explicit
SureCloud	UK	Demo call	—	Yes	—	Open pricing page	Demo call required; 'Talk to us about pricing'
SwissGRC	CH	Demo call	—	Yes	—	Open pricing page	Demo call required; no /pricing page
Syteca (ex-Ekran)	US	Demo call	—	Yes	Trial	Open pricing page	Demo call required; SaaS / On-prem / AWS / Azure SKUs all gated
Tenacy	FR	Demo call	—	Yes	—	Open pricing page	Demo call required; 'sovereign' France-hosted
Teseo NIS2 GRC	IT	Demo call	—	Yes	—	Open pricing page	Demo call required; 'demo di 20 minuti'
Thoropass (was Laika)	US	Demo call	—	No	—	Open pricing page	Demo call required; audit + platform bundle
TrustCloud	US	Demo call	—	No	—	Open pricing page	Demo call required; 'Every GRC journey is different'
Trustero	US	Demo call	—	No	—	Open pricing page	Demo call required; AI GRC
Vanta	US	Demo call	Reports only	No	Trial	Open pricing page	Demo call required (4 tiers: Essentials, Plus, Professional, Enterprise — no prices shown)
Whistic	US	Demo call	—	No	Free	Open pricing page	Demo call required; free profile, paid all gated
Wiz	US	Demo call	—	No	—	Open pricing page	Demo call required; cloud-security CNAPP, not pure GRC
Workiva	US	Demo call	—	No	—	Open pricing page	Demo call required; ESG/CSRD focus
ZenGRC/RiskOptics	US	Demo call	—	No	—	Open pricing page	Demo call required; ECONNREFUSED on direct fetch
Compliance Aspekte	DE	Unverifiable	Reports only	No	—	Open pricing page	Website was unreachable (HTTP 522) at audit time
heyData	DE	Partial	—	Yes	—	Open pricing page	Starter from €59/mo, Pro from €99/mo, Enterprise from €169/mo; 2-year minimum contract
Proliance	DE	Partial	—	Yes	—	Open pricing page	Data Protection from €125-€233/mo; ISMS Light from €500/mo; ISMS Core from €1,000/mo; NIS2 Executive Training €600
kronsoft (opus i)	DE	Partial	—	No	Free	Open pricing page	From €259/year (entry: 2 modules + support + updates); full price list as downloadable PDF
ConnectSecure	US	Partial	—	Yes	Trial	Open pricing page	From $300/mo (MSP only, usage-based); tier prices gated
Docusnap	DE	Partial	—	Yes	Trial	Open pricing page	From €465/year (on-prem or SaaS); scales by inventory size
BOC Group ADOGRC	AT	Partial	—	Yes	—	Open pricing page	Focus Editions from €520/mo (5 seats); Core from €1,195/mo (3 scenarios); Extended from €2,100/mo (7 scenarios); detailed quotes password-protected
Wired Relations	DK	Partial	—	Yes	Free	Open pricing page	Free (150 elements); Pro €670/mo (annual billing only); Enterprise quote
VComply	US	Partial	—	No	—	Open pricing page	Pro GRC Suite from $1,000/mo per module; annual only, 12-mo minimum; 20% nonprofit discount
UpGuard	US	Partial	—	No	—	Open pricing page	Standard $1,750/mo (annual, 50 vendors); higher tiers gated; extra vendors $79/mo
Cybervize	DE	Partial	—	Yes	Trial	Open pricing page	vCISO Basic €3,600/mo (≤20h); Standard €4,900/mo (≤40h); Interim CISO €8,000-€15,000/mo; platform license modular, undisclosed
Strike Graph	US	Partial	—	Yes	Free	Open pricing page	Launch free; Certify from $10,000/yr; Scale from $21,500/yr; Enterprise from $35,000/yr; framework add-ons $2K-$8K
Mitratech Alyne	DE	Partial	—	No	—	Open pricing page	Enterprise plan from €25,000/year (publicly stated); 1,500+ control library
Orbiq	DE	Transparent	—	Yes	Free	Open pricing page	Free €0; Team €85/mo (€850/yr); Business €190/mo (€1,900/yr); Enterprise custom; 17% annual discount
NIS2Compass	DE	Transparent	—	Yes	—	Open pricing page	From €29/month (NIS2-only, 'no consultants')
ISOPlanner	NL	Transparent	—	Yes	Trial	Open pricing page	NIS2 €39/mo standalone; ISO €59-€118 per management user/mo (yearly)
EDIRA (ETES)	DE	Transparent	—	Yes	—	Open pricing page	€49/month + €150 setup (NIS-2 add-on on existing framework)
Conformio (Advisera)	HR	Transparent	—	No	Trial	Open pricing page	Starter €145/mo, Pro €245/mo, Advanced €299/mo (annual)
GRASP German GRC	DE	Transparent	Reports only	Yes	Trial	Open pricing page	€159–€179/month NIS2 module (3-yr lock 159; 1-yr 179); 1 user incl.
Outlex	PT	Transparent	—	No	—	Open pricing page	Core from €249/mo, Growth from €549/mo + per-credit lawyer consultations
Compleye	NL	Transparent	—	Yes	—	Open pricing page	Platform €275/mo; NIS2 Verification (2-day) €1,600; Training (4-day) per request
activeMind.cloud	DE	Transparent	—	Yes	—	Open pricing page	€290/month per module + €49 per additional norm; Whistleblowing €99-€390/mo; extra users €20/mo
Defendsphere	EU	Transparent	—	Yes	—	Open pricing page	Basic €299/mo (5 infra licenses); Standard €499/mo; Premium custom
Venvera	NL	Transparent	—	Yes	Trial	Open pricing page	Basic €399/mo (4 frameworks: DORA, NIS2, GDPR, Cyber Essentials); Pro €899/mo (6 incl. ISO 27001, EU AI Act); 11% annual discount
Matproof	NL	Transparent	—	Yes	Trial	Open pricing page	Starter €480/mo (1 framework, 10 members); Professional €1,200/mo (3 frameworks); 20% annual discount
Privado.ai	US	Transparent	—	No	—	Open pricing page	Web Auditor from $600/website/mo; App Auditor from $800/app/mo; Wren AI Privacy Agent from $4,200/mo (annual)
NIS2 Portugal (Isofficer)	PT	Transparent	—	Yes	Free	Open pricing page	Service catalog: gap analysis from €1,500; training €990/participant; doc kit from €2,500/yr; external CISO from €750/mo
Ratisbona Compliance	DE	Transparent	Nothing documented	Yes	—	Open pricing page	RC_NIS2 €799/month (workshops + ISMS); GF-Schulung €999 one-off
NIS2 Manager / CYBER Manager	CZ	Transparent	—	Yes	Trial	Open pricing page	24,900 CZK/month (~€980) excl. VAT, single tier, 12-mo commitment, 30+ modules
Cyberday	FI	Transparent	—	Yes	Trial	Open pricing page	Employee band: <20 €2,500/yr; 20-49 €3,200; 50-99 €4,500; 100-199 €6,800; 200-499 €9,900; up to 2,999 €19,900
Eramba	CH	Transparent	—	No	Free	Open pricing page	Community free (non-OSI license); self-host Enterprise €2,500/yr; SaaS Enterprise €5,000/yr
Copla (ex-CyberUpgrade)	LT	Transparent	—	Yes	—	Open pricing page	NIS2 €3,500/year + €499 onboarding (own SKU); ISO 27001 €2,999/yr; DORA €4,500/yr; 20% off each additional framework
NIS2Vision	EU	Transparent	Nothing documented	Yes	—	Open pricing page	Basic €4,999 yr 1 (setup €2,599 + €200/mo, 5 users); Important €8,800 yr 1; Essential €17,600 yr 1

Methodology

Verified on 2026-05-17

•We visited each pricing page manually.
•Prices are quoted verbatim from the vendor's website.
•No extrapolation from G2, Capterra, third-party blogs or LinkedIn.
•Where prices are hidden behind a demo form: 'Demo call required'.
•Where prices are only quoted as 'from €X': 'Partial transparency'.
•Quarterly re-audit. Vendors can submit corrections.

Submit a correction

Is our data about your product wrong? Email simon@nisd2.eu with your pricing page URL. We update within 48 hours and keep a change log.

Free + Open Source + no lock-in

We don't sell NIS2 compliance. We make it accessible. Free, open source, no sales team calling you.

Launch platform