The honest disadvantages of an open-source ISMS
Trust is built by naming the downsides, not hiding them.
The case against our own model
We build open-source compliance software, so we have a reason to be honest about where it is weaker. Naming the downsides is how trust is earned.
Here are the four that matter, and what we do about each.
If you self-host, you carry the operational load: updates, backups, availability and security of the server. Many Mittelstand companies do not have spare capacity for that.
Our answer: a hosted option removes the operational burden, while self-hosting stays available for those who want full control of the data.
Open source rarely ships with an enterprise support agreement. Community support varies in speed, and the free tier is best effort by nature.
Our answer: paid support and hosting tiers exist for teams that need a guaranteed response, and we say plainly that the free tier is not an SLA.
A well-funded US SaaS will often have more certified integrations and more polish. Some features that take real engineering time sit in a premium tier rather than the free one.
Our answer: for most Mittelstand companies the bottleneck under NIS 2 is structure and a clean audit trail, not the number of integrations. We build for that need first.
Open source is a tool, not a consultant. It structures the work and records the evidence, but the judgement calls remain yours: whether a risk is acceptable, whether a measure is proportionate under Article 21(1) NIS 2.
That is true of every tool, open or closed. No software discharges the duty that Section 30 BSIG places on the entity.
Frequently asked questions
Is the free version really free, or a trial?
It is free to use, not a time-limited trial. We plan to fund the project through training, hosting and partner offerings rather than per-seat licences.
What happens if the project is abandoned?
Because the code is open (AGPL), you keep it and can self-host or fork it. You are not stranded the way you can be when a closed vendor shuts down.
Do I need IT staff to run it?
Only if you self-host. The hosted option removes the operational burden; self-hosting is there for teams that want full control.
Is it audit-ready out of the box?
It produces the structure and the audit trail an auditor expects. You still make and document the substantive decisions.
Is open source riskier for sensitive compliance data?
Open code does not mean open data. The data sits where you host it; with EU hosting or self-hosting it can stay fully under your control.