Exposure report, supply chain (NIS2)
See where your chain is exposed.
Portugal's new Cybersecurity Legal Regime requires essential and important entities to assess each direct supplier's risk. Before you build the process, request an initial picture. We tell you where your chain is weakest, which QNRCS controls weigh most in your sector and where to start. We ask for a few details, return the report and book 30 minutes to interpret it with you.
Why now
The obligation is already in force and it flows down the chain.
Decree-Law 125/2025 of 4 December approved the Cybersecurity Legal Regime and transposed NIS2. It has been in force since 3 April 2026. Supply-chain security is one of the mandatory minimum measures: every essential or important entity must assess each direct supplier's vulnerabilities and the maturity of its chain, on a continuous basis. There is a 24-month window to implement the minimum measures and full sanctions start on 3 April 2027. The exposure report is the starting point: it shows you the size of the problem before you spend time or budget.
What you get
Four concrete things, not a brochure.
The report is built on the details you give us and on the audit engine already running in production in the energy sector.
How it works
From form to report, in three steps.
No installation, no mandatory meeting to begin.
What it is built on
Mapped to the frameworks authorities and buyers already use.
The report's controls follow the same frameworks an audit will ask for, so the evidence serves more than once.
Who it is for
It makes sense if you are on this side of the chain.
Regulated entities
You are an essential or important entity and need to know, first of all, the size of the risk in your supplier base. The exposure report is the first step.
Heads of procurement and CISOs
You will have to request evidence from dozens of suppliers. Start by understanding which ones are most critical and which controls to require first.
Firms and consultancies
You have regulated clients who will need this. Use the exposure report as the way in and deliver compliance with the engine underneath.
What to expect, honestly
Indicative, not a formal assessment.
The exposure report is an initial picture, built from the information you provide. It is meant to size the problem and decide the next steps, not to replace the formal assessment of each supplier or the registration of entities on the MyCiber platform. foraudits is not an accredited certification body: we prepare, map and organise evidence and produce readiness reports. Formal certification is done by bodies accredited by IPAC, to which we refer.
- We use your details only to prepare the report and contact you, no spam.
- No commitment: the report and the 30-minute conversation are the starting point, not a contract.
Request your exposure report.
A few details about your organisation and we return an initial picture of your chain's risk, the QNRCS controls most relevant to your sector and a 30-minute conversation, no commitment.
Frequently asked questions
Is the report free?
Yes. The exposure report and the 30-minute conversation to interpret it are our starting point, with no commitment. You move forward only if you want to.
What details do I need to give?
Name, work email, company, role, the approximate number of suppliers and your sector. No supplier lists or documents at this stage: those only come in if you decide to move to the assessment.
Does this certify my NIS2 compliance?
No. The report is indicative and helps size the chain's risk. Formal certification is done by bodies accredited by IPAC. foraudits prepares, maps and organises evidence and produces readiness reports, and refers to accredited partners when formal certification is needed.
I am not sure I am in scope. Is it worth requesting?
Yes. Even if you are not directly in scope, if you supply regulated entities the requirements can reach you by contract, through your clients' supply-chain security obligation. The report helps you understand your position. The CNCS also provides a non-binding simulator on the MyCiber platform.
How long does the report take?
We get in touch shortly after your request to confirm the details and arrange the 30-minute conversation, where we read the exposure report with you.
The exposure report is indicative and depends on the information provided. It does not replace the formal assessment of each supplier or the registration of entities. foraudits is not an accredited certification body; formal certification is done by bodies accredited by IPAC. This content is informational and does not constitute legal advice.