For auditors, consultancies and firms

Win and deliver NIS2 work
without building it from scratch.

Around 6,000 entities are in scope, with a 24-month window. Each must audit the cybersecurity of its supplier chain, continuously. foraudits is the engine your team uses to deliver it, under your brand.

~0
entities in scope in Portugal
0
months for the minimum measures
€ 10M
maximum fine for non-compliance
#1
a mandatory minimum measure, now
SSentinela Complianceapp.foraudits.ai
DashboardYour chain at a glance
54
Suppliers
11
Assessing
5
With gaps
72%
Coverage
Distribution by tier
Substantial 70%Remediating 20%Gap 10%
the opportunity

The demand exists. The capacity to serve it doesn't.

Supply-chain security has entered the mandatory minimum measures of Portugal's cybersecurity law. Every one of these entities will need someone to run it. The question is who has the engine to do it at scale.

the market
Thousands of mandates, a ticking clock
The obligation is continuous, not a one-off project. Every entity in scope returns each year. Whoever holds the engine captures recurring demand, not one-off work.
the bottleneck
It doesn't scale with people
Assessing a supplier chain by hand takes weeks per client. Multiplying that across a whole portfolio means hiring specialists the market can't supply.
the channel risk
The big consultancies take the top
Without their own tooling, smaller auditors and firms are shut out of the larger mandates. An engine of your own reverses that disadvantage.
the engine

End-to-end automation, from reports to follow-up.

The same audit engine already running in production in the energy sector, now applied to supply-chain cybersecurity controls. Every step leaves an audit trail.

01

Onboarding and criticality

Your team imports the client's supplier list and classifies them by criticality. The engine enriches and organises the chain, and prioritises where to begin.

SSentinela ComplianceSuppliers
54 direct suppliers · 5 with material gaps+ Add
SupplierCriticalityTierStatus
Cloudtech, LdaCriticalSubstantialValidated
Logística NorteHighAssessingIn progress
PagaJá, S.A.CriticalGapMFA missing
Manut. IbéricaMediumSubstantialValidated
DataWarehouse PTHighBasicPending
SQuestionnaire · Cloudtech, Lda12/18
Mapped to the QNRCS, AI-generated
Access control and MFAGC.AC-3
Incident managementRS.MA-1
Business continuityRC.RP-1Answering
The AI explains: this control requires multi-factor authentication on all remote and admin access.
Data-at-rest encryptionPR.DS-1
02

AI questionnaire

Each supplier answers an AI-generated questionnaire mapped to the QNRCS controls. The AI explains each control in plain language, so the supplier can answer without a specialist on their side.

03

Evidence repository

Suppliers upload evidence to a vault with an audit trail. Every document carries a validation status, so you always know what's confirmed, pending or missing.

SEvidenceAuditable repository
Drop documents · PDF, DOCX, XLSX
DocumentControlSupplierStatus
politica-seguranca.pdfGC.AC-3CloudtechValidated
registo-acessos.xlsxGC.AC-3PagaJáIn review
plano-continuidade.docxRC.RP-1CloudtechValidated
iso27001-cert.pdfGV.PO-1Manut. IbéricaUploading
SRisk · PagaJá, S.A.
72/100
Tier
Substantial
Access
84
Incidents
71
Continuity
58
2nd-tier chain
64
Gap detected: MFA missing on 2 admin accesses.
Remediation plan
01Enable MFA on remote accessHigh impact
02Incident response planMedium
03Encrypt off-site backupsLow
04

Continuous scoring

Each supplier gets a risk tier, for example substantial, and gaps are detected automatically, such as missing MFA. The score updates as evidence comes in.

05

Board-ready report

The engine produces a per-supplier gap report, a chain dashboard and an aggregated board-ready report. Your brand on top, our engine underneath.

SReportsGenerating
Board report
Supply chain · NIS2 · 2026
Summary

We assessed 54 direct suppliers. 38 at substantial tier, 11 remediating and 5 with material gaps. Aggregate exposure fell from medium-high to medium last quarter.

38
substantial
11
remediating
5
with gaps
Export PDFwith your brand
who it's for

Who delivers NIS2 supply-chain compliance.

If you have clients in scope or the standing to advise them, the engine fits into your practice.

Law firms
You have the legal mandate and the trusted relationship. What's missing is the tooling to operationalise the supply-chain obligation. License the engine and deliver the execution, not just the opinion.
Cybersecurity consultancies
You know the controls and the QNRCS. The engine turns that knowledge into delivery at scale, with automated questionnaires, evidence and scoring.
Auditors and ICT companies
You already run audits and compliance assessments. Add NIS2 supply chain to the catalogue without building a platform from scratch.
the model

The mandate is yours. The engine is ours.

Your team runs the platform end to end, under your brand. Your clients and their suppliers never talk to us. We're the infrastructure beneath your practice, never the operator.

Your brand on top
Portal, questionnaires and reports in your logo and colour.
The relationship stays yours
The client and the margin are yours. We never talk to them.
Data in the EU
Isolated per auditor and GDPR-compliant by default.
Margin that stays yours
You bill the client for the project, the engine costs you a fraction. The difference is yours, with no revenue-share.
More projects, same team
Automated questionnaires, evidence and reports. Your team runs assessments in hours, not weeks, and takes on projects it would otherwise turn down.
built on the right frameworks

Mapped to what authorities and buyers already use.

Controls are mapped to recognised frameworks, so the evidence your team collects serves more than one audit. Authority: CNCS. Accredited certification: IPAC.

QNRCSnational frameworkNIST CSF 2.0ISO/IEC 27001ISO/IEC 27036Regulamento n.º 756/2026
commercial model

Per project or per platform subscription.

Two models, whether you run one-off projects or build a recurring practice. We design the terms with you in the partnership conversation.

Per project
Per entity
pricing by proposal
Pay for each entity run on the platform
No volume commitment, no revenue-share
Reports with your brand
Ideal to start and validate demand
Book a demo
recurring
White-label platform
Tailored
annual tier by volume
Annual access to the white-label platform
Usage tier by volume of entities and suppliers
The margin and the client relationship stay yours
Team onboarding and training included
Talk to us
frequently asked

What partners ask.

Move on NIS2 before your competitors.

Book a demo and we'll show how your team delivers supply-chain audits with the engine, under your brand.

This content is informational and does not constitute legal advice. The concrete qualification of each entity depends on its activity and size. foraudits is not an accredited certification body: it prepares, maps and organises evidence and produces readiness reports. For formal certification it refers to bodies accredited by IPAC. foraudits provides the technology the auditor operates; it does not run assessments nor hold any relationship with the auditor's clients.