Exposure report · supply chain (NIS2)

See where your chain
is exposed.

Portugal's new cybersecurity law requires essential and important entities to assess the risk of every direct supplier. Before you build the process, ask for an initial picture: where your chain is weakest, which QNRCS controls weigh most in your sector, and where to start.

Partner firm of the Portuguese Quality Institute
ÁÁguas do Atlânticoapp.foraudits.ai
Exposure report
Sector: energy · initial picture
Exposure: medium-high
Access & MFA70
Incidents45
2nd-tier chain80
Continuity38
Top risk
12 critical suppliers with no proven MFA.
~0entities in scope in Portugal
0months for the minimum measures
0minutes to interpret with you
why now

The obligation is already in force, and it flows down the chain.

Decree-Law 125/2025, of 4 December, approved Portugal's cybersecurity law and transposed the NIS2 directive. It has been in force since 3 April 2026. Supply-chain security is one of the mandatory minimum measures: every essential or important entity must assess the vulnerabilities of each direct supplier and the maturity of its chain, continuously.

In force since 3 Apr 2026
24 months for the minimum measures
Full sanctions from 3 Apr 2027

The exposure report is the starting point: it shows you the size of the problem before you spend time or budget.

what you get

Four concrete things, not a brochure.

The report is built on the data you give us and on the audit engine already running in production in the energy sector.

01
Where your chain is exposed
An initial picture of third-party risk, from the size and profile of your supplier base. Shows where the most material risk concentrates.
02
The QNRCS controls that weigh in your sector
A selection of the controls most relevant to your sector, explained in plain language, so you know what will be asked of your suppliers.
03
Where to start the chain obligation
The first practical steps: classify suppliers by criticality, collect evidence and set up continuous monitoring.
04
30 minutes to interpret the results
A 30-minute call with our team to read the report with you, answer questions and decide whether it makes sense to go on. No sales script.
how it works

From the form to the report, in three steps.

No install, no mandatory meeting to get started.

01

Fill in the form

It asks for your name, work email, company, role, the approximate number of suppliers and the sector. It takes under two minutes.

Report request
Ana Ferreira
ana@aguasdoatlantico.pt
Energia
50–100
Request report
ÁQuestionnaire · Cloudtech, Lda12/18
Mapped to the QNRCS, AI-generated
Access control and MFAGC.AC-3
Business continuityRC.RP-1
The AI explains: this control requires multi-factor authentication on all remote and admin access.
Data-at-rest encryptionPR.DS-1
02

We prepare the exposure report

We cross what you gave us with the QNRCS controls relevant to your sector and produce an initial picture of your chain's risk.

03

We read the results with you

We send the report and book the 30 minutes to interpret it and design the first steps. The decision to go on is yours.

ÁRisk · PagaJá, S.A.
72/100
Tier
Substantial
Gap detected: MFA missing on 2 admin accesses.
Remediation plan
01Enable MFA on remote accessHigh
02Incident response planMedium
what it's built on

Mapped to the frameworks authorities and buyers already use.

The report's controls follow the same frameworks that will be asked for in an audit, so the evidence serves more than once.

QNRCSNIST CSF 2.0ISO/IEC 27001ISO/IEC 27036Regulamento n.º 756/2026
who it's for

It makes sense if you're on this side of the chain.

Regulated entities
You're an essential or important entity and need to know, first of all, the size of the risk in your supplier base.
Request report
Procurement leads and CISOs
You'll have to ask evidence of dozens of suppliers. Start by understanding which are most critical and which controls to require first.
Request report
Firms and consultancies
You have regulated clients who will need this. Use the exposure report as a way in and deliver compliance with the engine underneath.
See the partner page
what to expect, honestly

Indicative, not a formal assessment.

The exposure report is an initial picture, built from the information you provide. It serves to size the problem and decide next steps, not to replace the formal assessment of each supplier nor the registration of entities on the MyCiber platform. foraudits is not an accredited certification body: we prepare, map and organise the evidence and produce readiness reports. Formal certification is done by bodies accredited by IPAC, to whom we refer.

We use your data only to prepare the report and contact you, no spam.
No commitment: the report and the 30-minute call are the starting point, not a contract.

Request your exposure report.

A few details about your organisation and we return an initial picture of your chain's risk, the QNRCS controls most relevant to your sector, and a 30-minute call, with no commitment.

No cost and no commitment
Under two minutes
No supplier lists at this stage
We use these details only to prepare the report and contact you. No spam.
frequently asked

Frequently asked.

The exposure report is indicative and depends on the information provided. It does not replace the formal assessment of each supplier nor the registration of entities. foraudits is not an accredited certification body; formal certification is done by bodies accredited by IPAC. This content is informational and does not constitute legal advice.