
Win and deliver NIS2 work
without building it from scratch.
Around 6,000 entities are in scope, with a 24-month window. Each must audit the cybersecurity of its supplier chain, continuously. foraudits is the engine your team uses to deliver it, under your brand.
The demand exists. The capacity to serve it doesn't.
Supply-chain security has entered the mandatory minimum measures of Portugal's cybersecurity law. Every one of these entities will need someone to run it. The question is who has the engine to do it at scale.
End-to-end automation, from reports to follow-up.
The same audit engine already running in production in the energy sector, now applied to supply-chain cybersecurity controls. Every step leaves an audit trail.
Onboarding and criticality
Your team imports the client's supplier list and classifies them by criticality. The engine enriches and organises the chain, and prioritises where to begin.
AI questionnaire
Each supplier answers an AI-generated questionnaire mapped to the QNRCS controls. The AI explains each control in plain language, so the supplier can answer without a specialist on their side.
Evidence repository
Suppliers upload evidence to a vault with an audit trail. Every document carries a validation status, so you always know what's confirmed, pending or missing.
Continuous scoring
Each supplier gets a risk tier, for example substantial, and gaps are detected automatically, such as missing MFA. The score updates as evidence comes in.
Board-ready report
The engine produces a per-supplier gap report, a chain dashboard and an aggregated board-ready report. Your brand on top, our engine underneath.
We assessed 54 direct suppliers. 38 at substantial tier, 11 remediating and 5 with material gaps. Aggregate exposure fell from medium-high to medium last quarter.
Who delivers NIS2 supply-chain compliance.
If you have clients in scope or the standing to advise them, the engine fits into your practice.
The mandate is yours. The engine is ours.
Your team runs the platform end to end, under your brand. Your clients and their suppliers never talk to us. We're the infrastructure beneath your practice, never the operator.
Mapped to what authorities and buyers already use.
Controls are mapped to recognised frameworks, so the evidence your team collects serves more than one audit. Authority: CNCS. Accredited certification: IPAC.
Per project or per platform subscription.
Two models, whether you run one-off projects or build a recurring practice. We design the terms with you in the partnership conversation.
What partners ask.

Move on NIS2 before your competitors.
Book a demo and we'll show how your team delivers supply-chain audits with the engine, under your brand.
This content is informational and does not constitute legal advice. The concrete qualification of each entity depends on its activity and size. foraudits is not an accredited certification body: it prepares, maps and organises evidence and produces readiness reports. For formal certification it refers to bodies accredited by IPAC. foraudits provides the technology the auditor operates; it does not run assessments nor hold any relationship with the auditor's clients.