Supply Chain Assurance

Move supplier assurance off spreadsheets.

Map your suppliers, automate evidence collection and give your board an audit-ready view of NIS2 risk — without staffing a security team. Built on Microsoft 365, hosted in the EU.

NIS2-aligned controls · Microsoft 365 native · EU-hosted

Preview: supply-chain depth trace, Tier 1 → Tier 2 → Tier 3, with one risky path traced through three levels. Hidden risk three hops deep, traced from your direct suppliers down.
What it does

Three jobs, one product.

Secure

Continuously assess every supplier against NIS2 controls. The risk questionnaire produces a structured tier — by worst dimension — so you can spot the supplier that puts you in scope of a fine before the auditor does.

Reuse

Collect a supplier’s evidence once and reuse it across every assurance request. The library finds prior uploads automatically — no re-keying the same answers across customer spreadsheets.

Export

One-click board packs and regulator-ready bundles. Decision history, evidence pack, posture letter — every approval, rejection and resubmission stamped with actor, rationale and timestamp.

How it works

From spreadsheet chaos to audit-ready, in four steps.

Preview: live review status across the five-stage supplier review lifecycle, Scope → Risk tier → Request pack → Evidence (67%) → Decision.
Step 1
Onboard

Import your supplier list. Auto-classified by tier and lineage traced where data permits.

Step 2
Collect

Evidence requests sent. Replies tracked, library matches surfaced, and reuse offered.

Step 3
Assess

Risk questionnaire produces a tier "by worst dimension". Posture scored against NIS2 in real time.

Step 4
Report

Board pack and regulator export — one click. Decision trace exportable for any audit request.

Inside the product

Three screens. Three stories.

Real product, redacted. The numbers and supplier names are placeholders; the product is real.

Secure

Risk scored by worst dimension.

The questionnaire walks through scope, impact, geography, resilience and assurance. Each answer is colour-coded — Low / Medium / High / Critical — and the supplier’s overall tier is set by their worst dimension, not an average. So one weak answer is never hidden behind nine good ones.

Preview: risk questionnaire showing the geography question with EU/UK/Switzerland selected and a computed risk tier of "High by worst dimension".
Reuse

The library pulls prior evidence forward.

When a buyer asks for a sub-processor declaration, the library spots that you uploaded one for a different customer two weeks ago — and offers to reuse it. Re-keying the same answers across customer spreadsheets stops here.

Preview: active request for a sub-processor declaration, with a library-match banner offering to reuse evidence already uploaded.
Export

Every decision, stamped and exportable.

Every approval, rejection and resubmission is logged with the actor, the reason and the timestamp. Auditors get a chronological export that closes regulator questions in minutes, not weeks.

Preview: decision-trace audit log showing approvals, rejections and resubmissions with timestamps and rationales.
Who it’s for

If you’re in scope of NIS2, or sell to someone who is.

Profile 1
Essential entities (Annex I)

Energy, transport, banking, financial market infrastructure, healthcare, drinking water, digital infrastructure. Direct NIS2 obligations from October 2024.

Profile 2
Important entities (Annex II)

Postal, waste, food production and distribution, manufacturing of critical products, digital providers, research. Same controls, same supply-chain scrutiny.

Profile 3
Suppliers in scope by association

You don’t need to be NIS2-regulated yourself. If you sell to anyone in Annex I or II, your customers are obligated to assess your posture — and increasingly, automate that ask.

Why it's different

We didn't shrink an enterprise tool. We rebuilt the job.

Built for SMBs

Most assurance tools target enterprise procurement teams. We built ours for the businesses inside the supply chain.

Time back to your team

Reuse the evidence you already collected. Stop filling in another vendor questionnaire from scratch every month.

NIS2 by default

Controls, evidence schemas and exports are all pre-aligned to NIS2. No configuration project required.

Built on

The boring stuff done right.

Hosting, integrations, controls and audit-trail — table stakes for any buyer who reads their own DPA.

Microsoft 365 native

Connects directly to Defender, Entra ID, Purview and Intune so your existing tenancy is the source of truth — no parallel database to drift.

EU-hosted by default

Data stays inside the EU. Single-tenant and customer-managed encryption available for regulated workloads.

Audit-trail by design

Every approval, rejection and resubmission is logged with the actor, the rationale and the timestamp. Exportable for any auditor request.

Aligned to NIS2 + ISO 27001

Controls, evidence schemas and exports are pre-mapped to NIS2 and ISO 27001 Annex A. No bespoke configuration project to start.

Private pilot

Get a look before general availability.

We’re onboarding a small group of NIS2-scoped SMBs and their key suppliers. Pilot members shape the roadmap and lock in launch pricing.

Request pilot access
  • White-glove onboarding from the founding team
  • Direct line to product for feature requests
  • Locked-in pilot pricing through general availability
  • Quarterly business review with your account lead
FAQ

Common questions

Is the product available today?

Supply Chain Assurance is in private pilot. Join the pilot from the contact form to get access ahead of general availability.

Do I need to be NIS2-regulated to use it?

No. Many of our pilot customers are suppliers to NIS2-regulated firms and use it to demonstrate posture in assurance requests they receive.

How is data hosted?

EU-hosted by default in the Slovak Republic / wider EU. Single-tenant deployments available on request.

How is this different from your managed security services?

Managed Services secure your business. Supply Chain Assurance secures the suppliers your business depends on. The two are complementary — many customers run both.

How does the lineage tracing work?

Where a supplier discloses its sub-processors and downstream providers, we map the chain and surface the highest-risk path. Most supplier lists only show your direct (Tier 1) relationships; the real risk often hides two or three hops deeper.
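The two rules described on this page, a supplier's tier set by its worst questionnaire dimension (see "Risk scored by worst dimension") and a lineage trace that follows disclosed sub-processors a few hops down and surfaces the riskiest path, as an added illustration. This is not the product's own code; the supplier names, dimension scores and sub-processor disclosures are constructed.

```python
# Added example, not the product's code: worst-dimension tiering plus a
# lineage trace over disclosed sub-processors. All data below is constructed.
from typing import Dict, List, Tuple

DIMENSIONS = ("scope", "impact", "geography", "resilience", "assurance")
TIERS = ("Low", "Medium", "High", "Critical")  # index doubles as severity

# Constructed questionnaire answers: one severity index per dimension.
SUPPLIERS: Dict[str, Dict[str, int]] = {
    "acme-cloud": {"scope": 1, "impact": 1, "geography": 0, "resilience": 1, "assurance": 1},
    "payroll-co": {"scope": 2, "impact": 1, "geography": 0, "resilience": 1, "assurance": 0},
    "dc-ops":     {"scope": 0, "impact": 0, "geography": 3, "resilience": 1, "assurance": 1},
    "backup-ltd": {"scope": 1, "impact": 1, "geography": 1, "resilience": 1, "assurance": 1},
}

# Constructed disclosures: the sub-processors each supplier named.
# A supplier absent from this map disclosed nothing, so the trace stops there.
SUB_PROCESSORS: Dict[str, List[str]] = {
    "acme-cloud": ["dc-ops", "backup-ltd"],
    "payroll-co": ["acme-cloud"],
}

def tier(answers: Dict[str, int]) -> str:
    """Overall tier is the worst dimension, never an average."""
    missing = [d for d in DIMENSIONS if d not in answers]
    if missing:
        raise ValueError(f"unanswered dimensions: {missing}")
    return TIERS[max(answers[d] for d in DIMENSIONS)]

def trace(direct: List[str], max_depth: int = 3) -> List[List[str]]:
    """Every path from a Tier-1 supplier down through disclosed sub-processors."""
    paths: List[List[str]] = []
    def walk(path: List[str]) -> None:
        nxt = [s for s in SUB_PROCESSORS.get(path[-1], []) if s not in path]  # no cycles
        if not nxt or len(path) >= max_depth:  # undisclosed or depth limit: path ends
            paths.append(path)
            return
        for s in nxt:
            walk(path + [s])
    for s in direct:
        walk([s])
    return paths

def riskiest_path(direct: List[str]) -> Tuple[str, List[str]]:
    """Path whose worst node is worst overall; ties go to the deeper path."""
    def score(path: List[str]) -> Tuple[int, int]:
        return (max(TIERS.index(tier(SUPPLIERS[n])) for n in path), len(path))
    best = max(trace(direct), key=score)
    return TIERS[score(best)[0]], best
```

With the constructed data, the Tier-1 supplier payroll-co scores only High on its own questionnaire, but the trace surfaces a Critical node three hops down via acme-cloud and dc-ops.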

How is evidence reused across requests?

Once a supplier uploads policies, certificates or attestations to their library, future assurance requests pull the existing evidence forward automatically. Re-keying the same answers across spreadsheets stops.

Who built this

Built by practitioners, not salespeople.

Shards Cybersecurity was founded by Pavel Láska, who spent over a decade in cybersecurity — including nine years on the security team at the Bank of England.

Shards started as a managed security services provider for SMBs. Watching client after client struggle with the same broken supplier-assurance workflow — spreadsheets, emailed PDFs, lost evidence trails — convinced us to build Supply Chain Assurance to solve it properly.

The product itself was shaped by quiet conversations with practising CISOs and security leads across regulated industries — people who've sat in the audit chair, defended supplier decisions to boards, and lived with the consequences. They're not named on this page, but they're in the product.

Bratislava-based. Microsoft Partner. NIS2 specialists.

Ready to see it on your data?

Book a 30-minute demo and we'll show you what your supply chain posture looks like today.