
See where your chain
is exposed.
Portugal's new cybersecurity law requires essential and important entities to assess the risk of every direct supplier. Before you build the process, ask for an initial picture: where your chain is weakest, which QNRCS controls weigh most in your sector, and where to start.
The obligation is already in force, and it flows down the chain.
Decree-Law 125/2025, of 4 December, approved Portugal's cybersecurity law and transposed the NIS2 directive. It has been in force since 3 April 2026. Supply-chain security is one of the mandatory minimum measures: every essential or important entity must assess the vulnerabilities of each direct supplier and the maturity of its chain, continuously.
The exposure report is the starting point: it shows you the size of the problem before you spend time or budget.
Four concrete things, not a brochure.
The report is built on the data you give us and on the audit engine already running in production in the energy sector.
From the form to the report, in three steps.
No install, no mandatory meeting to get started.
Fill in the form
It asks for your name, work email, company, role, the approximate number of suppliers and the sector. It takes under two minutes.
We prepare the exposure report
We cross what you gave us with the QNRCS controls relevant to your sector and produce an initial picture of your chain's risk.
We read the results with you
We send the report and book the 30 minutes to interpret it and design the first steps. The decision to go on is yours.
Mapped to the frameworks authorities and buyers already use.
The report's controls follow the same frameworks that will be asked for in an audit, so the evidence serves more than once.
It makes sense if you're on this side of the chain.
Indicative, not a formal assessment.
The exposure report is an initial picture, built from the information you provide. It serves to size the problem and decide next steps, not to replace the formal assessment of each supplier nor the registration of entities on the MyCiber platform. foraudits is not an accredited certification body: we prepare, map and organise the evidence and produce readiness reports. Formal certification is done by bodies accredited by IPAC, to whom we refer.
Request your exposure report.
A few details about your organisation and we return an initial picture of your chain's risk, the QNRCS controls most relevant to your sector, and a 30-minute call, with no commitment.
Frequently asked.
The exposure report is indicative and depends on the information provided. It does not replace the formal assessment of each supplier nor the registration of entities. foraudits is not an accredited certification body; formal certification is done by bodies accredited by IPAC. This content is informational and does not constitute legal advice.