For suppliers
Assess yourself once, prove it to any client.
Your regulated clients now require cybersecurity evidence from suppliers, by contract. Instead of answering dozens of different questionnaires, assess yourself once against the QNRCS, fix the gaps and reuse the same evidence pack with everyone.
What changed for you
One questionnaire per client does not scale.
Decree-Law 125/2025 of 4 December approved the Legal Regime for Cybersecurity and transposed NIS2, in force since 3 April 2026. Supply chain security is one of the mandatory minimum measures, so your regulated clients must assess each direct supplier. In practice that obligation reaches you by contract: each client sends its own questionnaire, with different deadlines and formats. Without a process this drains the team, delays renewals and puts contracts at risk.
The pressure comes by contract
You do not need to be directly in scope. If you sell software, maintenance, logistics or services to a bank, hospital or energy company, you must now demonstrate equivalent measures to keep the contract.
Every client asks differently
Their own formats, their own controls, their own deadlines. Answering each request from scratch is repeated work that never ends and that no one on the team wants to do.
Whoever answers first wins the contract
In tenders and due diligence, the supplier with evidence already organised answers in hours. The others ask for more time, and time is not always on offer.
The product
From zero to evidence pack, in one path.
The same audit engine already running in production in the energy sector, now applied to the cybersecurity controls your clients require. No dedicated cybersecurity team needed.
The scorecard
Know your level before the client asks.
The initial assessment is free. It returns a risk level, the most material gaps and what to do first. No commitment, no card.
A number you can show
Each control feeds a clear risk level. Instead of a vague sense, you have a measurable position that improves as you close gaps.
Where you are exposed, specifically
The assessment detects specific gaps, such as missing MFA, untested backups or no access management, rather than generic recommendations.
Explained for non-specialists
AI translates each cybersecurity control into business language, with the reason behind each requirement. You answer with confidence, even without a technical team.
Remediation
Know what to fix first.
You do not have to do everything at once. foraudits orders the gaps by impact and shows the shortest path to move up a level.
What you take with you
An evidence pack that works for any client.
Evidence lives in a repository with an audit trail and validation statuses. Update once, share always.
Why foraudits
Compliance that becomes a selling point.
Once, not per client
You build your cybersecurity posture once and answer any client from the same base. The work stops repeating itself with every tender.
Without needing a CISO
AI explains the controls for non-specialists. Small and medium businesses can answer with the same seriousness as large ones.
Stand out in tenders
Arriving with evidence ready speeds up due diligence and shows the client you are a low-risk supplier. Compliance starts winning contracts, not just keeping them.
Start free. Pay only when you need the pack.
No card to start. Indicative pricing, under validation.
Initial scorecard
The guided self-assessment and your risk level, with the gaps detected. No cost and no commitment, to know where you stand today.
Ongoing report and pack
The full report and evidence pack, always up to date and ready to share with any client, as your posture evolves.
One-off
Prefer not to subscribe? Generate the report and evidence pack as a one-off, from € 300.
Mapped to the frameworks your clients already use.
The evidence you produce serves more than one client: we map controls to the frameworks authorities and buyers recognise.
Frequently asked questions
I am a small company. Do I really have to do this?
Directly, as a rule, you are only in scope if you operate in a covered sector and reach the medium-enterprise threshold. But if you supply regulated entities, you are reached by contract: your clients have an obligation to assess their supply chain and will ask you for evidence, regardless of your size.
Do I need a cybersecurity team to use foraudits?
No. The path is guided and AI explains each control in plain language, with the reason behind each requirement. It is designed so small and medium businesses can assess themselves without a dedicated specialist.
Does one assessment serve several clients?
Yes. You assess yourself once against the QNRCS and generate a reusable evidence pack. You update it in one place and present the same pack to any regulated client, instead of answering each questionnaire from scratch.
Does foraudits issue a compliance certificate?
No. Formal certification is done by bodies accredited by IPAC. foraudits prepares, maps and organises evidence and produces a readiness report. For formal certification, we refer to accredited partners.
Is the initial scorecard really free?
Yes. The guided self-assessment and your risk level, with the gaps detected, are free and with no commitment. You only pay if you want the full report and evidence pack.
This content is informational and does not constitute legal advice. Each entity's actual qualification depends on its activity and size. foraudits is not an accredited certification body: it prepares and organises evidence and produces readiness reports. Indicative pricing, under validation.
Start with the free assessment.
See what level you are at today and what is missing to be ready for your clients. No card, no commitment.