Pavel Láska — founder of Shards Cybersecurity


Founder · Bratislava

Practitioner first. Witness second. Builder third — because the tooling that should have existed back then didn't.

CISSP · CISM · Banking · pharma · education · Bratislava (returned 2022) · 18 years in London
1.0 / The arc

Practitioner across regulated sectors.

Pavel started in education-sector IT, moved through online gaming, then spent eight years in banking — progressing from senior engineer to senior risk manager, on critical financial infrastructure, reporting up to board level on cyber risk. From there into pharma, joining a global security services team operating across three continents.

The credibility chain isn't titles or certifications (though he holds both, CISSP and CISM). It is the lived experience of being the person filling in the supplier spreadsheets, defending the supplier decisions to boards, prepping the evidence packs for auditors, and explaining the same posture three different ways for three different stakeholders.

Supply Chain Assurance is the tooling that should have existed back then.

2.0 / The homecoming

Eighteen years in London. Returned to Bratislava in 2022.

Most of Pavel's career happened in London — large UK and global enterprises with mature cybersecurity functions, GRC tooling running into seven figures annually, dedicated supplier-assurance teams, the full apparatus.

The return to Slovakia in 2022 surfaced something that had been invisible from inside the enterprise: the central-European mid-market doesn't have any of that infrastructure, but it is now subject to the same NIS2 supply-chain obligations as the global enterprises that do. Enterprise GRC suites are priced and structured for the kind of customer Shards' target market will never be. Generic SaaS tools either ignore the regulatory shape entirely or layer it on as an afterthought.

The mid-market in this region needs something built specifically for them — by someone who has done supplier assurance both at enterprise scale and from inside companies the enterprise vendors don't bother with. That is the gap Shards is built to close.

3.0 / The mission

Close the supplier-assurance gap for the segment that bigger players priced out.

Mid-market companies — 50 to 500 staff, often without a dedicated CISO, often without a full GRC team — are now in scope of NIS2 if they sit in a regulated sector or operate critical-infrastructure-adjacent services. Their boards have woken up to Article 20 personal accountability. Their customers have started sending supplier-assurance questionnaires that didn't exist last year.

Most of these companies cannot afford the enterprise GRC machine, and most of their advisors will not productize an engagement small enough to make sense for them. They are stuck between a spreadsheet and a six-figure platform contract.

Shards builds the in-between. A productized advisory engagement when you need a written exposure picture. A fractional NIS2-qualified manager retainer when you need ongoing oversight. A SaaS platform when you need to operationalise the lot. All scoped to fit the segment that's been ignored.

4.0 / How we are building it

Small team by intention. Built on Microsoft. Shaped by an advisory circle.

Shards is intentionally small — practitioner-led, with a tight delivery loop. The architecture is built on Microsoft Azure, EU regions only, and the company is a Microsoft Partner with the platform tested through the Microsoft ISV programme. The choice of Microsoft is deliberate: it is the platform our customers already trust, already procure from, and already know how to evaluate for security.

The product itself was shaped by quiet conversations with practising CISOs and security leads across regulated industries — people who have sat in the audit chair, defended supplier decisions to boards, and lived with the consequences. They are not named on this page (their employers wouldn't want them to be), but they are in the product. We are happy to make introductions in person where it's useful.

We do not plan to scale headcount aggressively. The model is: small team, productized engagements, sustainable cadence, customers we can actually know.

5.0 / What this company will not be

Naming the scope earns trust.

The boundary matters as much as the offering. Five years from now, Shards will still not be:

  • A managed-security or 24/7-SOC vendor — that is a different business with different economics
  • A generalist GRC platform — Supply Chain Assurance stays scoped to the supplier-assurance obligation
  • An open-ended consultancy — productized engagements, fixed scope, no day-rate sprawl
  • A growth-at-all-costs venture — small team by intention, sustainable cadence

What it will be: better at the thing it already does — supplier assurance for the mid-market under NIS2 — for more of the customers that need it.

Practitioner-built

Built for the practitioner who used to do this on a spreadsheet.

Bratislava · CISSP · CISM · Microsoft Partner