SHARDS · Cybersecurity · Supply Chain Assurance · NIS2
Productized advisory · Two to three weeks

NIS2 Supplier Exposure Assessment. Fixed scope. Fixed deliverable. Fixed price.

A practitioner walks your supplier portfolio against NIS2 Article 21(2)(d), risk-tiers every supplier by their worst dimension, and hands you back an audit-ready exposure report with a prioritised remediation list. Two to three weeks. €3,500. No quote cycle, no consultancy day rate, no upsell at the end.

  • NDA-first engagement
  • Up to 100 suppliers
  • CISSP · CISM practitioner

1.0 / How it works

Five stages, two to three weeks.

No vague consultancy "phases." Each stage has a defined input, a defined output, and a fixed slot in the timeline.

  1. Discovery call · 30 min

    Quick scoping conversation. We confirm sector, regulator, supplier portfolio size, and the question you most need answered.

  2. Portfolio walk-through · Week 1

    You hand over the supplier list, current contracts, and any evidence already collected. We work through it against NIS2 Article 21(2)(d) and the relevant sector-specific guidance.

  3. Practitioner analysis · Week 2

    Risk-tier the suppliers by worst dimension. Identify exposure gaps — missing evidence, expired certificates, undisclosed sub-processors, contract-clause omissions. Map each gap to a specific NIS2 obligation.

  4. Walk-through call · 60 min

    We sit with you — and your CISO, GRC lead, or owner-CEO — to walk the report. Questions answered. Decisions sense-checked. Remediation priorities agreed.

  5. Hand-over · Week 2-3

    You receive the signed Exposure Report, the prioritised remediation list, and the supplier risk-tier matrix. All audit-grade. All yours.

2.0 / What you walk away with

Four deliverables. All yours. All defensible.

The deliverables are the product. The engagement isn't complete until they're in your hands and they hold up in the next room you walk into — board, auditor, regulator.

NIS2 Supplier Exposure Report

A 15–25 page written report. Every supplier on your list, scored against the NIS2 control set. Article-by-article gap analysis. Defensible the day a regulator asks.

Prioritised remediation plan

Ranked actions — which suppliers to chase, which contracts to amend, which evidence to collect first. Sized by exposure, not alphabet.

Reusable risk-tier matrix

Your supplier portfolio mapped Low / Medium / High / Critical, by worst dimension. Reusable for next year, next audit, next inspection.

Optional pilot kick-off

If the platform fits, we onboard you straight into the Supply Chain Assurance pilot — your assessment data carries forward, no re-keying.

3.0 / Who it's for

Mid-market buyers in scope of NIS2 — without a GRC team to throw at it.

  • Mid-market buyers (50–500 staff) newly in scope of NIS2
  • Regulated companies without a dedicated GRC team
  • Companies whose suppliers have started asking different questions
  • Boards that want a defensible written answer to "where are we exposed?"

Not for Fortune 500 procurement teams running thousands of vendors — they have GRC suites and dedicated staff for that. This engagement is for the segment in between: companies that suddenly need defensible answers, fast, without a six-figure platform contract or a six-month implementation.

4.0 / Pricing

€3,500. The price is the price.

Fixed price. Up to 100 in-scope suppliers. No quote cycle. No consultancy day rate. No scope-creep mid-engagement. Larger portfolios are scoped separately.

The price reflects roughly two weeks of dedicated practitioner time plus the written deliverables. Compare it to a typical Big-Four supplier-risk engagement — you'll see the gap. We're built for the mid-market segment that bigger advisors price out and ignore.

If the platform fits

The Assessment also functions as a low-friction way into the Supply Chain Assurance pilot. Pilot customers join free or at compute cost; the data we capture during the Assessment carries forward into the platform — no re-keying.

5.0 / Common questions

FAQ

How is this different from Supply Chain Assurance the SaaS?

The Assessment is a one-off advisory engagement — a practitioner walks your portfolio and hands back a written report. Supply Chain Assurance is the ongoing platform you operate after that. Many buyers do the Assessment first to get the picture, then onboard the platform to keep that picture current.

Is this managed services / MSSP / SOC?

No. We don't run your security operations, manage your endpoints, or operate a 24/7 SOC. We deliver a fixed-scope advisory: a written exposure report and a remediation plan you act on yourself (or feed into our platform).

How long does it take?

Two to three weeks from the discovery call to hand-over. Faster if your supplier portfolio is under 30; slightly longer if it's above 100.

Will you sign an NDA?

Yes. Standard mutual NDA at the start of the discovery call. Your supplier list, contracts, and evidence stay with you — we work on copies and securely delete after hand-over.

Can the assessment be scoped just to our top suppliers?

Yes. The fixed price covers up to 100 suppliers; engagements concentrating on the top 20–40 are common and finish faster. Larger portfolios are scoped separately.

What if we don't want the platform afterwards?

Fine. The report and remediation plan are yours to use however you like — including with another tool. We're explicit about that going in.

6.0 / Get started

Where are you exposed today? Find out in two to three weeks.

Book a 30-minute discovery call. NDA-first. Honest scoping. We tell you up front whether the Assessment is the right fit.