Built by security professionals, for security professionals

norppa.io began as a tool we needed ourselves — then we opened it up.

Why we built it

We are Finnish security practitioners. Doing the supplier and attack-surface due diligence that NIS2 demands, we kept hitting the same wall: the credible tooling was built for Fortune-500 budgets, leaned on questionnaires and once-a-year snapshots, lived in US clouds and spoke only English. The lightweight alternatives were little more than a one-off scan. Nothing combined continuous, automated, evidence-based monitoring with a genuinely European foundation — so we built it for our own work, and decided to share it.

The gap we set out to fill

Third-party risk tooling clusters at two extremes. At one end, the global rating and TPRM platforms: powerful, but priced for large enterprises, heavy on questionnaires, and built around a single letter grade. At the other, point tools that scan once and stop. For a European company that has to demonstrate ongoing diligence over its supply chain — in its own language, with data kept in the EU — neither fits. norppa.io is deliberately the missing middle: automated daily monitoring with 100+ checks per supplier, dark-web and ransomware exposure re-checked every few hours, the evidence behind every finding instead of an opaque score, eight languages, EU hosting in Finland and Germany, and pricing per supplier — so a twenty-person firm runs on the same platform as a multinational.

Why a seal

The norppa is the Saimaa ringed seal — one of the rarest seals in the world, found only in Finland's inland waters. It is a fitting namesake. A seal spends its life watching its surroundings: patient and alert, surfacing quietly to take stock, then slipping back below to keep watch. It sees clearly in dark, murky water where others cannot. And it is distinctly, protectively European — rare enough that a whole country looks after it. That is how we want the platform to work: a calm, constant watch over your supply chain rather than an alarm that sounds only after the fact; clarity in the murk of exposed services, leaked credentials and expiring certificates; and a European home for your data, looked after with care.

From professionals to professionals

We build norppa.io the way we would want a tool built for us: evidence over hype, no fear-selling, and honest about what a scan can and cannot tell you. Every finding comes with the proof behind it and a plain explanation of why it matters for NIS2 — not a number you have to take on faith.