Advisory · Two productized engagements

Two engagements. Both productized. Both honest about scope.

A one-off Supplier Exposure Assessment that hands you back an audit-ready picture in two to three weeks. A Qualified Manager retainer that puts a NIS2-qualified voice on your board papers month after month. Fixed scope, fixed price, no day rate either way.

1.0 / Side by side

The same practitioner. Two productized shapes.

We deliver one of two engagements. They share a practitioner and a discipline; they differ on shape, cadence, and where you are with NIS2.

One-off

NIS2 Supplier Exposure Assessment

A practitioner walks your supplier portfolio against Article 21(2)(d), risk-tiers each supplier, and hands back a written exposure report with a prioritised remediation plan. €3,500 fixed.

Ongoing

NIS2 Qualified Manager retainer

A NIS2-qualified practitioner named on your board papers. Monthly board paper, quarterly risk-management review, annual audit-readiness sign-off. Fixed monthly fee, scope-driven, hard-capped at three to four simultaneous clients.

| Dimension | Assessment | Qualified Manager retainer |
|---|---|---|
| Shape | One-off engagement | Ongoing monthly retainer |
| Duration | Two to three weeks | Rolling term |
| Pricing | €3,500 fixed | Fixed monthly fee, scope-driven |
| Output | Written exposure report + remediation plan | Monthly board paper, quarterly review, annual sign-off |
| Named role | Practitioner — engagement-bound | Practitioner — named on board papers |
| Best for | Buyers asking "where are we exposed?" | Buyers needing accountable oversight ongoing |

2.0 / Which one is right for you

Three short scenarios.

If

Your board needs an answer to "where are we exposed under NIS2?" — and they need it on paper, fast.

Then

Start with the Assessment.

If

You have already done an assessment (or you know your gaps) and now you need a NIS2-qualified voice on monthly board papers.

Then

Engage the Qualified Manager.

If

You need both — a written exposure picture now, and a named accountable manager to close the gap going forward.

Then

Start with the Assessment, continue with the retainer.

3.0 / What both have in common

The discipline is the same either way.

  • Productized — fixed scope, no quote cycle, no proposal pantomime
  • Fixed price — set during the discovery call, held for the term
  • No day rate — we sell deliverables and named roles, not consultancy hours
  • Practitioner-delivered — CISSP, CISM, banking and pharma background
  • NDA-first — supplier lists, contracts, and evidence stay with you
4.0 / What this is not

Naming the scope earns trust.

Neither engagement is any of the things below. Saying so up front saves a quote cycle on both sides.

  • Managed security services or 24/7 SOC
  • Unbounded consultancy with day rates and scope creep
  • A subcontracted CISO badge for procurement to tick a box
  • Anything we do not have the standing to deliver under NIS2
5.0 / Get started

One discovery call covers either engagement. We tell you which one fits.

30 minutes. NDA-first. Honest scoping — including the cases where neither engagement is the right answer for where you are today.