Know when a supplier or your own domain becomes a risk. Every day.
Add a supplier domain and get 100+ automated daily checks — DNS/TLS health, sanctions, breach data and more — plus ransomware and dark-web monitoring every 6 hours. Every finding mapped to NIS2 Art. 21. Monthly PDF report included. No agents, no IT project.
What you get as a subscriber
No manual effort, no integration required — add a domain and norppa.io handles the rest.
Daily automated monitoring
Every supplier is checked automatically, every day. Add a supplier in 30 seconds — no scheduling, no manual reviews, no follow-up required.
Same-day alerts for critical events
Ransomware victim listing, active credential leak, expiring certificate — you receive an email alert the same day it is detected. Not weeks later.
Monthly compliance report — ready to use
An automatically generated PDF with an AI executive summary, NIS2 scores by article, and a prioritised remediation list. Every monitoring cycle is logged — providing a continuous, documented record of your supply chain oversight.
Verified, not just collected
Supplier questionnaire answers are cross-checked against what we observe — verified, contradicted, or clearly marked as attestation-only. Uncertain findings are flagged as potential false positives, so your team acts on what's real, not noise.
Built for the EU — 8 languages
Dashboard, monthly reports and supplier questionnaires in eight EU languages. Serve and assess suppliers across Europe in their own language.
See your first NIS2 findings today.
Enter your work email — we scan your company domain automatically and send you a sign-in link. No password, no credit card, no configuration.
Key external risk areas covered — technical exposure, dark web, company registry and actively exploited vulnerabilities.
Daily across every monitored supplier. No agents, no integration.
Technical Security Checks
TLS certificates, DNS integrity (SPF/DKIM/DMARC/DNSSEC), HTTP security headers, HTTPS enforcement, email spoofing risk (MTA-STS, BIMI, BEC composite), subdomain discovery, exposed services and open ports, website change detection, security.txt, AiTM phishing infrastructure detection, RPKI/BGP route origin validation, public code repository analysis (GitHub/GitLab, npm, Docker Hub), and fourth-party supply chain risk. Mapped to NIS2 Art. 21(2)(e)(h)(i).
Dark Web Intelligence
Daily dark web monitoring — if your supplier's employees have credentials circulating in dark web markets, you're alerted promptly so you can act. Mapped to NIS2 Art. 21(2)(b).
Ransomware Victim Tracking
Multiple ransomware intelligence feeds checked daily against all your suppliers. Active threat groups tracked daily. Immediate email alert if a supplier appears on a victim list. Mapped to NIS2 Art. 21(2)(b).
Certificate & Infrastructure
TLS certificates, DNS health, DNSSEC, email security (SPF/DKIM/DMARC), exposed services and subdomain discovery monitored daily. Email alert when a certificate expires in under 14 days.
Breach & Exposure Monitoring
Breach databases, paste sites and credential exposure checked daily. Know if your suppliers' accounts or data have appeared in public leaks — before it becomes your problem.
IP Address Monitoring
Track supplier IPs and CIDR ranges that aren't behind a main domain — VPN gateways, mail relays, dedicated hosts. CVE exposure detection (Shodan / CISA KEV), high-risk country alerts, shared-hosting classification. Included per supplier in every plan. Mapped to NIS2 Art. 21(2)(d) supply chain asset inventory.
Two layers of NIS2 evidence — cross-checked against each other
Automated monitoring catches what suppliers don't disclose. The questionnaire captures what tools can't see. norppa cross-checks one against the other — so each attestation is backed by evidence, not taken on trust.
Automated monitoring — 100+ daily checks
100+ checks run daily per monitored domain — ransomware victim lists, dark web credential leaks, DNS/TLS health, post-quantum TLS readiness, AI vendor inventory (EU AI Act), MCP endpoint exposure, IP geolocation, breach exposure, HTTP security headers, website change detection, company intelligence (business registry, LEI status, bankruptcy detection), and public code repository analysis. No supplier involvement required.
Supplier self-assessment (SAQ)
Send each supplier a one-click questionnaire link. 28 questions across 7 NIS2 sections — governance, access control, incident response, cryptography, business continuity and more. Scored automatically, visible in your dashboard. Send it to each supplier in their own language — available in 8 EU languages — for higher response rates.
Evidence-Backed Attestation
NIS2 Art. 21(2)(d) — Where a control is externally observable, we check the supplier's answer against what we actually see — a clean TLS scan verifies a 'TLS 1.2+' attestation; exposed vulnerabilities contradict a 'we patch promptly' one. Controls we can't observe from outside are clearly marked as attestation. We never imply verification we cannot back.
Every answer carries its status: verified, contradicted, questioned, or attestation-only.
Built for lean security teams
100+ automated checks per domain: Ransomware · Dark web · DNS/TLS · Post-quantum TLS · AI vendors · MCP · Company intel · Code repos · Breach data
Daily scan frequency: Continuous monitoring, not a one-time snapshot
100% EU data residency: Finland + Germany · GDPR by architecture
NIS2 articles mapped automatically: All NIS2 Art. 21(2) subparagraphs covered — automatically mapped and documented
Up and running in five minutes. Your first compliance report in 30 days.
Add your suppliers
Enter the company name and domain. Your entire supplier list in 5 minutes — no integrations, no API keys, no IT project.
Monitoring starts immediately
Ransomware victim tracking, dark web credential leaks, certificate health, company registry status and CVE exposure — checked daily across your supplier network and your own domain. No configuration required.
Critical findings trigger instant alerts
Email alert within 24 hours of detecting a ransomware listing, dark web credential exposure, or certificate expiry under 14 days. Act on risks as they emerge.
Monthly NIS2 compliance report
Monthly PDF report — every finding mapped to its NIS2 article, with risk scores, supplier rankings and an AI-generated executive summary. Audit-supporting from month one.
NIS2 supply chain security from €249/month — without the enterprise complexity.
| Feature | norppa.io | Traditional EASM tools | Manual process |
|---|---|---|---|
| Supply chain monitoring | Included | Not included | Manual spreadsheet |
| Dark web & infostealer monitoring | Daily | Not included | Not feasible |
| Ransomware victim tracking | Daily | Not included | Manual |
| NIS2 article-mapped report | Monthly PDF | Not included | Manual |
| Certificate & subdomain monitoring | Continuous | Continuous | Manual |
| EU data residency | Yes | Partial | Depends |
| Full scan add-on | OSINT + HTTP checks included · Full scan: add-on | Higher tiers only | N/A |
| Supplier self-assessment questionnaire (SAQ) | Included | Not included | Manual |
| Company intelligence (business registry, bankruptcy detection) | Included | Partial | Manual |
| Public code repository analysis (GitHub/GitLab, npm, Docker Hub) | Included | Not included | Not feasible |
| Identity provider risk detection (Entra ID, ADFS, Okta) + BEC composite risk scoring | Included | Not included | Not feasible |
| AI/ML tool exposure and LLM API secret scanning | Included | Not included | Not feasible |
| Art. 23 — Incident reporting readiness (24h) | Daily — know immediately | Doesn't cover supplier incidents | Impossible with annual review |
| Cross-validate supplier attestations against scan evidence | Automatic | Not included | Not feasible |
Why a spreadsheet may not satisfy NIS2 Art. 21
Annual questionnaires tell you what a supplier planned to do — not whether their systems are actually secure today. NIS2's 'appropriate measures' standard is unlikely to be met by annual snapshots alone.
Based on publicly available feature comparisons. Subject to change.
We don't use customer names in our marketing. We don't ask for references or case studies. What you share with norppa stays with you.
NIS2 is enforced. Can you demonstrate your supply chain is under control — every day, not once a year?
The EU NIS2 Directive (effective October 2024) requires medium and large companies in critical sectors to actively manage cybersecurity risks in their supply chains. Article 21(2)(d) specifically mandates supply chain security measures. Non-compliance can result in fines up to €10M or 2% of global turnover.
160,000–200,000 companies across the EU are directly obligated
Finance, energy, healthcare, transport, digital infrastructure — NIS2 applies EU-wide with the same requirements in every member state.
Annual assessments alone are unlikely to be sufficient
An annual questionnaire tells you what things looked like then — NIS2 expects you to demonstrate what they look like today. norppa cross-checks each supplier's answers against live scan evidence, so an attestation is backed by what we actually observe.
Under audit, you must be able to demonstrate ongoing monitoring
Supervisory authorities can request concrete evidence of supply chain risk management — and management is personally accountable. An annual questionnaire is a weak defence. norppa.io generates dated, finding-level evidence automatically — every day, for every supplier.
A fraction of the cost
Continuous monitoring of up to 10 suppliers from €249/month — under €25 per supplier — against fines of up to €10M or 2% of global turnover.