SHARDS Cybersecurity · Supply Chain Assurance · NIS2

Most NIS2 obligations have a playbook. Supply chain security doesn't.

Supply Chain Assurance turns supplier proof into structured, audit-ready records — without the spreadsheet sprawl. Built for the mid-market that bigger players ignored, in central Europe by a cybersecurity practitioner who's been in your shoes.

0.1 / Why this exists

Walk through the NIS2 obligations as a CISO or Head of IT. Awareness training has a playbook. Incident response has a runbook. Patch management is procedural. Supply chain security isn't. The evidence sits with external parties. It arrives in a dozen formats. It expires unevenly. And someone has to defend the decisions later. That's why Supply Chain Assurance is its own product — because the obligation deserves its own tool.

1.0 / Platform

Structured supplier evidence — without the spreadsheet sprawl.

Supply Chain Assurance turns supplier proof — certificates, audit reports, contract clauses, policy documents — into Evidence records with expiry context and a full decision trace. When a supplier has an incident, an auditor asks a hard question, or a regulator sends an inquiry, you have the answer in minutes, not hours.

  • Process-driven supplier scoping
  • Structured assessment with AI assist
  • Evidence records with review history
  • NIS2-shaped audit exports — structured, hash-anchored, defensible

Preview: Supply Chain Assurance dashboard — supplier posture overview

2.0 / The same job, two workflows

When a supplier discloses an incident.

One scenario. Two ways it goes. The difference is what you signed up for the day before it happened.

01 / Then: The familiar workflow

Open the supplier register spreadsheet. Search SharePoint for their last assessment, your inbox for the contract clauses, a different folder for the evidence files, your calendar for the last review date. Half a day per supplier. Longer if the original reviewer has left. By the time you've reconstructed who reviewed what and when, you're not sure you have the latest version of anything.

4–6 hrs / supplier · 5 systems · Reviewer dependent

02 / Now: The Supply Chain Assurance workflow

One record per supplier. Current evidence, review history, contract clauses, in-scope services — linked, dated, exportable. The CEO gets the answer the same morning. The auditor gets the same answer six months later, unchanged.

Minutes / supplier · One record · Reviewer-attributed

↳ The artifact: What waits at the end of it

Figure: Supplier evidence becomes questionnaire answers. Four supplier-provided evidence artefacts on the left — ISO 27001 certificate, SOC 2 Type II report, sub-processor list, DPA — each mapped to specific items in the buyer's supplier questionnaire on the right, with one item marked manual to show that AI never closes the loop.

Supplier evidence:

  • ISO 27001 certificate (Valid · 2025–2027)
  • SOC 2 Type II report (Audit · Mar 2025)
  • Sub-processor list (v2 · Apr 2026)
  • DPA (Signed · Jan 2026)

Your supplier questionnaire:

  • Are sub-processors disclosed?
  • ISO 27001 certified — current?
  • SOC 2 Type II in date?
  • DPA in place with you?
  • Incident notification SLA?
  • BC/DR test results · last 12 mo?

Their certs. Your answers — with citations and a reviewer sign-off.

3.0 / What you get

The product nouns, plainly.

No 24/7 SOC. No managed endpoint. We build the supplier-assurance tooling that should have existed when the founder was the practitioner filling the spreadsheets — and we're honest about what it's for.

How it fits together
Evidence records

Sub-processor lists, certificates, audit reports — linked, dated, hash-anchored, with reviewer attribution. Always the latest version.

Decision trace

Every approval, rejection, and escalation timestamped and signed. Auditor asks "why was that rejected" — you hand over the trace.

Audit-ready exports

Machine-readable export of every approved evidence record, every reviewer decision, every signed dossier — built to match the structure a NIS2 auditor expects.

Figure: Decision trace ready for the regulator. Auditor question answered by a signed, hash-anchored decision trace with five entries from risk tier through final approval.

Auditor question: "How did you assess Cirrus Edge Networks for NIS2 21(2)(d)?"

Decision trace: Edge ingress · REV-2026-014

  • Risk tier set: Tier 2 / High · Apr 12 · You · 8/8 questions
  • ISO 27001 + SoA approved · Apr 18 · You · sha256:f1c…
  • Sub-processor list v2 approved · Apr 22 · You · sha256:7d2…
  • Privileged access review approved · Apr 22 · You · sha256:b8e…
  • Approved · valid until Oct 26, 2026 · Apr 26 · You · sealed

Every entry timestamped, signed, hash-anchored. Hand it over. Walk away.


Pavel Láska.

Founder · Bratislava

Built by the practitioner.

Shards Cybersecurity was founded by Pavel Láska — a CISSP- and CISM-certified cybersecurity practitioner with over a decade across banking, pharma, and education.

Eight years in the banking sector progressing from senior engineer to senior risk manager. Time on critical financial infrastructure. Reporting to board level. Then a global security services team in pharma across three continents. The credibility chain runs practitioner → witness → builder: he was the one filling the spreadsheets, defending the supplier decisions, prepping for the audits. Supply Chain Assurance is the tooling that should have existed back then.

The product was shaped by quiet conversations with practising CISOs and security leads across regulated industries — people who've sat in the audit chair, defended supplier decisions to boards, and lived with the consequences. They're not named on this page, but they're in the product.

Bratislava · CISSP · CISM · Microsoft Partner

Microsoft Partner

Built on Microsoft Azure, with a Microsoft-first architecture and security model. Available on the Microsoft commercial marketplace.

EU-based

Bratislava-headquartered, EU-hosted. Working with regulated buyers across the EU and UK.

NIS2-focused

Designed for NIS2 supply-chain obligations from day one — not retrofitted from a generic GRC suite.

4.0 / Join the pilot

Pilot open today. Free for the first cohort.

The pilot is open now — we are onboarding the first cohort of design partners today. The live production version (V1) is planned for Q4 2026 via the Microsoft Marketplace.

Pilot customers join free or at compute cost. Mutual exchange — we help you, you help us. The first cohort gets a lifetime of input on what we build next.