Sample report (fictional company data. Every norppa.io plan includes 100+ automated checks on all monitored domains) passive OSINT and HTTP security checks, running daily automatically.

NIS2 Supply Chain Intelligence Report

Acme Manufacturing Oy

Reporting period: March 2026 · Generated 1 April 2026

61/100

NIS2 Risk Score

Needs attention

-13 (vs 74 last month)

Summary

Critical

High

Medium

Info

5 suppliers monitored across 100+ automated checks daily. 2 critical findings require immediate action: one supplier appeared on an active threat actor victim list and another has employee credentials circulating in dark web markets. 4 high-severity infrastructure issues and 2 medium findings require remediation within 7 days. Active findings map to NIS2 articles 21(2)(b), (d), (e) and (h).

AI Executive Summary

Acme Manufacturing's NIS2 supply chain risk posture has deteriorated this period, with a score decline from 74 to 62 driven by two critical-severity findings requiring immediate executive attention.

The most significant threat is the active ransomware victim listing for Acme Logistics Oy. The threat actor group behind this campaign is known for maintaining persistent access and selling network entry to secondary actors when primary ransom negotiations fail. All integration points (APIs, file transfers, shared authentication systems) between your organisation and Acme Logistics should be treated as potentially compromised until the supplier provides a verified containment report. Simultaneously, 14 employee credentials from Nordic Cloud Services are circulating in dark web infostealer markets, creating a multi-vector exposure risk for any shared cloud environments or VPN endpoints.

From a NIS2 compliance perspective, several articles carry active findings this period. The two critical findings both fall under Art. 21(2)(b) (incident handling): a supplier on an active ransomware victim list and 14 leaked employee credentials must each be treated as a security incident (contained, responded to and documented. Art. 21(2)(d) (supply chain risk management) is triggered by high-risk-country infrastructure; Art. 21(2)(e) (security in development and maintenance, including vulnerability handling and disclosure) by the detected CVEs, the expiring TLS certificate, the missing DMARC policy and the absent security.txt; and Art. 21(2)(h) (cryptography) by missing DNSSEC. The TLS certificate expiry on databridge.fi in 6 days is a hard deadline) failure to renew will cause service disruption.

Grounded in the raw findings below: every claim is auditable.

Priority actions

Acme Logistics Oy, ransomware victim listing: contact supplier immediately and review data flows. Engage incident response.

Critical

Nordic Cloud Services, 14 employee credentials on dark web: notify supplier, require password rotation and MFA enforcement.

Critical

DataBridge Finland, TLS certificate expires in 6 days: ask the supplier to renew immediately to avoid service disruption.

High

Acme Logistics Oy, high-risk country infrastructure: request supplier's infrastructure documentation and review NIS2 Art. 21(2)(d) obligations.

High

Nordic Cloud Services, DMARC missing: ask the supplier to publish a DMARC record to prevent domain spoofing.

High

NIS2 article compliance status

Art. 21(2)(b)

Incident handling

Incident handling: detection, response and recovery

2 findings

Art. 21(2)(d)

Supply chain

Supply chain security & third-party measures

1 finding

Art. 21(2)(e)

Development & maintenance

Security in systems acquisition, development & maintenance (incl. vulnerability handling and disclosure)

4 findings

Art. 21(2)(h)

Cryptography

Cryptography (DNSSEC, TLS and certificate hygiene)

1 finding

Active findings (9)

CriticalActive ransomware victim listing detectedArt. 21(2)(b)

Acme Logistics Oy · acme-logistics.fi · Detected 15 Mar 2026

AI threat context

First observed: 15 Mar 2026

Key indicators: The supplier domain appeared on an active threat actor victim list. Data exfiltration is claimed by the threat group.

Exploit scenario: The threat group maintains active access to the supplier's systems and is likely deploying additional payloads or staging further exfiltration. Ransomware groups routinely sell network access to other threat actors if primary negotiations fail.

Impact: Any system your organisation shares with this supplier (APIs, file transfers, VPNs) must be treated as potentially compromised until the supplier confirms containment. Under NIS2 Art. 21(2)(b) (incident handling), assess the impact, contain shared access and document your response.

Recommended action: Contact the supplier immediately. Engage an incident response team. Assume services may be partially compromised and review data flows between your organisation and this supplier.

CriticalDark web: employee credentials leakedArt. 21(2)(b)

Nordic Cloud Services · nordiccloud.fi · Detected 18 Mar 2026

AI threat context

First observed: 18 Mar 2026

Key indicators: Employee credentials for this domain are circulating in dark web markets, captured by an infostealer campaign. 14 unique accounts identified.

Exploit scenario: Infostealer-harvested credentials are sold on dark web markets within hours of capture and used for credential stuffing, session hijacking, and pivoting into corporate VPNs or cloud environments. With 14 accounts exposed, attackers have multiple vectors into the supplier's infrastructure.

Impact: If this supplier uses compromised credentials to access shared systems, your environment may already be at risk. Treat this as an incident under NIS2 Art. 21(2)(b) (incident handling): have the supplier rotate the affected credentials and revoke active sessions, and document the response.

Recommended action: Notify the supplier. Request immediate password rotation and MFA enforcement for all accounts. Verify no shared credentials are used in integrations with your systems.

HighInfrastructure in high-risk countryArt. 21(2)(d)

Acme Logistics Oy · acme-logistics.fi · Detected 1 Mar 2026

Supplier's primary IP resolves to infrastructure registered in a jurisdiction on the EU high-risk third country list. This may represent a supply chain risk under NIS2 Art. 21(2)(d).

Impact: Concentrating supplier infrastructure in a high-risk jurisdiction raises supply-chain and data-sovereignty exposure.

Evidence

IP / Host:203.0.113.45ASN:AS64500: ExampleNet

Recommended action: Request the supplier's infrastructure documentation. Review contractual obligations and data processing agreements in light of NIS2 Art. 21(2)(d) supply chain security requirements.

HighTLS certificate expires in 6 daysArt. 21(2)(e)

DataBridge Finland · databridge.fi · Detected 24 Mar 2026

The TLS certificate for databridge.fi expires on 30 March 2026. Services will become unreachable or show browser security warnings to end users after expiry.

Impact: An expired certificate breaks HTTPS for users and integrations, causing outages and a cryptography-control gap.

Evidence

Host:databridge.fiExpires in:6 d

Recommended action: Ask the supplier to renew the TLS certificate immediately. Automated renewal via ACME/Let's Encrypt is recommended to prevent future expiry.

HighDMARC policy missingArt. 21(2)(e)

Nordic Cloud Services · nordiccloud.fi · Detected 1 Mar 2026

No DMARC record is published for this domain. The domain can be spoofed in phishing campaigns targeting your organisation and the supplier's customers.

Impact: Without DMARC the domain can be spoofed in phishing against you and the supplier's customers.

Evidence

DMARC policy:none

Recommended action: Ask the supplier to publish a DMARC record. Start with p=none to collect aggregate reports, then tighten to p=quarantine or p=reject.

HighKnown vulnerabilities detected (CVE)Art. 21(2)(e)

Acme Logistics Oy · acme-logistics.fi · Detected 2 Mar 2026

2 CVEs detected on internet-facing infrastructure. CVE-2023-44487 (HTTP/2 Rapid Reset, CVSS 7.5) is rated high and has known public exploits.

Impact: Known, exploitable vulnerabilities on internet-facing infrastructure are a direct entry point for attackers.

Evidence

IP / Host:203.0.113.45Host:acme-logistics.fiCVE:CVE-2023-44487CVSS:7.5EPSS:94%KEV:Actively exploitedAffected products:nginx 1.24.0

Recommended action: Ask the supplier to apply available security patches for the identified CVEs immediately, prioritising vulnerabilities with known public exploits.

MediumDNSSEC not enabledArt. 21(2)(h)

SupplyLink Partners · supplylink.eu · Detected 1 Mar 2026

DNSSEC is not configured. DNS responses cannot be cryptographically authenticated, leaving the domain exposed to DNS spoofing attacks.

Impact: Without DNSSEC, DNS answers can be forged, enabling traffic redirection and interception.

Evidence

DNSSEC:Unsigned

Recommended action: Ask the supplier to enable DNSSEC at their domain registrar to authenticate DNS responses against tampering.

Mediumsecurity.txt missing (NIS2 Art. 21(2)(e))Art. 21(2)(e)

DataBridge Finland · databridge.fi · Detected 1 Mar 2026

No security.txt file found at /.well-known/security.txt. NIS2 Art. 21(2)(e) requires organisations to have a reachable vulnerability disclosure channel.

Impact: No published disclosure channel slows how fast a reported vulnerability reaches the right contact.

Evidence

Path:/.well-known/security.txtsecurity.txt:Missing

Recommended action: Ask the supplier to create a security.txt file at /.well-known/security.txt with a security contact address and policy URL.

InfoHTTP security header missing

SupplyLink Partners · supplylink.eu · Detected 1 Mar 2026

Content-Security-Policy header is absent on the main web property. This increases exposure to cross-site scripting and content injection attacks.

Impact: A missing Content-Security-Policy increases exposure to cross-site scripting and content injection.

Evidence

Missing:Content-Security-Policy

Recommended action: Ask the supplier to configure HTTP security headers: Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, Strict-Transport-Security.

Want this report for your own supplier network?

Start free trial: no credit card

Supplier risk overview

Supplier	Domain	Security score	Critical	High
Acme Logistics Oy	acme-logistics.fi	22	2	1
Nordic Cloud Services	nordiccloud.fi	48	1	1
DataBridge Finland	databridge.fi	64	—	1
SupplyLink Partners	supplylink.eu	81	—	—
Vantage IT Oy	vantage-it.fi	97	—	—

Your own environment

acme-manufacturing.fi

Last scanned: 31 Mar 2026

78/100

Security score

Mediumsecurity.txt missing (NIS2 Art. 21(2)(e))Art. 21(2)(e)

No security.txt file found at /.well-known/security.txt. NIS2 Art. 21(2)(e) requires a reachable vulnerability disclosure channel.

Impact: No published disclosure channel slows how fast a reported vulnerability reaches the right contact.

Evidence

Path:/.well-known/security.txtsecurity.txt:Missing

Recommended action: Create a security.txt at /.well-known/security.txt with a security contact address and policy URL.

MediumDNSSEC not enabledArt. 21(2)(h)

DNSSEC is not configured for your domain. DNS responses cannot be cryptographically authenticated.

Impact: Without DNSSEC, DNS answers can be forged, enabling traffic redirection and interception.

Evidence

DNSSEC:Unsigned

Recommended action: Enable DNSSEC at your domain registrar to authenticate DNS responses against tampering.

Your own domain receives the same 100+ automated checks as your suppliers: passive OSINT and HTTP security checks daily. Full Scan add-on (if enabled) adds a monthly external security assessment on this domain.

Supplier Self-Assessments (SAQ)

Suppliers complete a 28-question NIS2 self-assessment. Responses are scored automatically and visible here alongside automated findings: two layers of compliance evidence in one report.

Supplier	SAQ score	Status
Acme Logistics Oy	—	Awaiting response
Nordic Cloud Services	61/100	Submitted · 20 Mar 2026
DataBridge Finland	74/100	Submitted · 8 Mar 2026
SupplyLink Partners	—	Not sent
Vantage IT Oy	91/100	Submitted · 5 Mar 2026

Nordic Cloud Services

j.virtanen@nordiccloud.fi · 20 Mar 2026

61/100

SAQ score

Section breakdown

Governance & Security Policies

Art. 21(2)(a)

Access Control & Authentication

Art. 21(2)(i)(j)

Incident Response & Disclosure

Art. 21(2)(b), Art. 23

Data Protection & Cryptography

Art. 21(2)(h)

Business Continuity

Art. 21(2)(c)

Supply Chain & Third Parties

Art. 21(2)(d)

Vulnerability Management

Art. 21(2)(e)(g)

Analyst note: SAQ reveals MFA not enforced on all accounts and no tested incident response plan: consistent with the dark web credential leak detected in automated monitoring.

Monitoring methodology

Over 100 automated checks run daily on all monitored domains, with ransomware and dark-web monitoring every 6 hours. Checks cover: ransomware victim lists (multiple threat intelligence feeds), dark web infostealer credential leaks, TLS/certificate health and expiry, DNS integrity (SPF, DMARC, DKIM, DNSSEC), DNSSEC validation chain, MX server DNS blacklist status, email security posture and spoofability scoring (TLS-RPT, MTA-STS, BIMI, composite BEC risk), cookie security flags (Secure, HttpOnly, SameSite), robots.txt and sitemap sensitive path exposure, IP geolocation and high-risk country detection, known vulnerability exposure (CVE/EPSS), AiTM phishing infrastructure detection via Certificate Transparency logs, RPKI/BGP route origin validation, business registry and LEI status (PRH, GLEIF), dangling CNAME and MX record detection, SBOM/CSAF reference detection, security.txt presence, security headers, HTTPS redirect verification, and website change detection. New for 2026, post-quantum TLS readiness fingerprinting (NIST FIPS 203 ML-KEM hybrid suites), Model Context Protocol (MCP) endpoint exposure detection, JavaScript bundle secret scanning (API keys, tokens), AI vendor inventory for EU AI Act Art. 26 deployer obligations, GraphQL introspection and OpenAPI exposure checks, and DORA Register of Information export (Annex III B_02.03 + B_05.01). All findings mapped to NIS2 articles automatically.

Scans run daily. Last scan: 31 March 2026 23:00 UTC.

Get this report for your supplier network

New suppliers are queued for scanning immediately. Monthly NIS2 compliance reports generated automatically after each scan cycle: with AI executive summary. No agents to install.

See pricing →

See the sample dashboard