You stop chasing and start governing
Campaigns launch on a schedule, distribute themselves, track who has and has not responded, and remind non-responders automatically. Your team watches a dashboard, not a thread.
Your vendor risk is probably in a spreadsheet, or in a standalone tool that talks to nothing else. Either way it sits in a silo, away from the controls and risk register you actually run your programme on. Supplier Shield scores every vendor, grades their security daily, and keeps a regulator-ready trail, on the same records as the rest of your compliance work.
Third-party chain · TPRM module
What is Supplier Shield?
Supplier Shield is Acuna's third-party risk management (TPRM) software, built for regulated companies in the EU and Switzerland. It scores every vendor across three risk dimensions, runs daily OSINT security grading on every vendor, runs AI-assisted assessment campaigns with a human evaluator confirming every result, and keeps an immutable audit trail for DORA, NIS2, and ISO 27001. It is one module of the Swiss-hosted Acuna GRC platform, which maps to 50+ frameworks, so vendor evidence you collect here is reusable across your wider compliance programme rather than locked to one standard.
Your vendor risk is probably in one of two places: a spreadsheet you maintain by hand, or a standalone tool you bought that lives in its own login. Either way it’s disconnected from your controls and your risk register, and that disconnect costs you twice.
A vendor’s security can slide for months before their next questionnaire is due. And when the auditor samples your programme, you reconcile across systems by hand. Supplier Shield closes both gaps, on records your compliance programme already uses.
Most TPRM programmes only move when someone runs a questionnaire. Everything between cycles goes stale, the work lands on one person, and audit season becomes a reconstruction project. Here is what changes.
You stop chasing and start governing
Campaigns launch on a schedule, distribute themselves, track who has and has not responded, and remind non-responders automatically. Your team watches a dashboard, not a thread.
You catch a vendor slipping before they self-report
Every active vendor carries a security grade that refreshes daily on its own, with no action from the vendor and none from you. A drop shows on the register long before the next questionnaire is due.
Audit prep becomes a report, not a rebuild
Every change is logged with a name and a timestamp. When an auditor samples your vendor governance, the answer already exists.
A known vendor onboards in minutes
Common providers come pre-loaded with saved answers and evidence, so your first assessment of a major vendor starts with context instead of a blank form.
“Which vendor, if breached tomorrow, takes the most of us down with it?”
Click the vendor. The supply-chain map walks its subcontractors, and theirs, surfacing every process, data store, and fourth or fifth party exposed. The answer is a click, not a quarter.
This is the concentration-risk view DORA and NIS2 now expect you to hold, and the one most TPRM tools do not show you at all.
Nth-party exposure · live view
Concentration risk surfaced level by level · DORA and NIS2 aligned
Most third-party risk tools are standalone. They give you a vendor list in a separate login, disconnected from your compliance programme. For a company running DORA, NIS2, or ISO 27001, that is a second silo to reconcile at audit time.
Supplier Shield puts each vendor on the same record your ISMS and risk register already use, so vendor risk rolls straight into your enterprise risk picture instead of sitting in its own tool.
And for EU and Swiss buyers it adds what US-built platforms structurally cannot: Swiss data residency and native DORA and NIS2 alignment.
Supplier Shield · Connected
Standalone TPRM tool · Silo
Already mid-contract on another tool? You don’t need a big-bang migration. Run your next audit cycle on Supplier Shield while the current tool sunsets, then switch when it’s done.
Every capability ships in one subscription. No add-on modules for the core TPRM workflow.
Supplier register
A searchable register of every vendor, classified Critical, Important, or Standard, with service description, owner, and review frequency. Bring an existing vendor list in by import and map the fields once.
Three-dimension risk scoring
Every supplier is scored on how much you depend on them, how deeply they reach into your systems and data, and how much damage their failure would cause. The result is a single colour-coded risk tier your procurement, risk, and compliance teams can align on, reviewed at least annually or whenever scope changes.
Continuous OSINT security grading
Acuna grades each vendor's public-facing security posture from A to F and refreshes it daily. This is OSINT, open-source intelligence: an outside-in signal, drawn entirely from a vendor's public footprint, that you hold against what they claim in their questionnaire.
Assessment campaigns
Launch one questionnaire to many suppliers at once, schedule it for a future date, and let Acuna handle distribution, status tracking, and reminders. The dashboard shows completion and ratings at a glance.
AI-assisted evaluation with Aiko
Aiko reviews supplier responses and their uploaded evidence, including documents, images, and PDFs, and proposes a per-question evaluation with a confidence score. A human evaluator reviews every suggestion and confirms or overrides it. The AI does the first pass; the accountable judgment stays with your team.
Supplier portal
Vendors respond and upload documents through a dedicated portal with no account required. Evidence stays out of inboxes and arrives as a documented, defensible response chain.
One supplier panel
Each supplier opens into a single panel holding identity, security grade, risk posture, contacts, linked processes and controls, assessment history with AI suggestions, and a full activity log.
Multiple contacts per vendor
Store as many contacts as you need with role assignments, and choose who receives each campaign. Archiving preserves history rather than erasing it.
Approval gates on critical vendors
Require sign-off before a risk change takes effect on a high-tier supplier, so reclassification is a governed decision, not a quiet edit.
Nth-party exposure
The supply-chain map unfolds level by level, so you can trace a vendor's subcontractors and theirs, and see fourth- and fifth-party concentration risk the way DORA and NIS2 expect.
Multilingual questionnaires
Send assessments in English, German, French, or Spanish to reduce friction and lift completion rates on cross-border vendors.
Lifecycle and re-assessment
Every supplier has a next-review date. Overdue vendors are flagged on the register and in any control that depends on them, so a calendar-driven rhythm replaces the annual scramble. Historical responses are retained for trend analysis and audit.
The three roll into a single colour-coded risk tier, so everyone assesses vendors the same way without a spreadsheet behind it.
Dependency
How critical is this supplier to keeping the business running? Core services rank high; easily replaced ones rank low.
Reach
How deeply is the supplier integrated into your systems, data, and processes? Deep access ranks high; isolated services can rank low.
Impact
What would a breach, outage, or failure cost you, across financial, operational, and reputational terms?
Acuna grades each vendor's public-facing security posture from A to F and refreshes it daily. This is OSINT, open-source intelligence: an outside-in signal, drawn entirely from a vendor's public footprint, that you hold against what they claim in their questionnaire. Grades are colour-coded everywhere they appear, and you can open any OSINT security grade to see what drove it.
Email and domain security
Whether the vendor protects its domain against spoofing and impersonation.
Encryption
Whether the vendor's connections use current, valid, well-configured encryption.
Web security
Whether the vendor's public sites carry the protections that defend against common web attacks.
Breach exposure
Whether the vendor's domain appears in known breaches, with severity and timeline.
Reputation
Trust and threat signals that indicate the vendor's overall standing.
Open any grade to see the findings and evidence behind each dimension.
Supplier Shield owns scoring, security grading, assessments, and the audit trail. Two dedicated modules add further depth.
Supplier Shield already reflects breach exposure in its security grade. Breach Scanner is the dedicated module for deeper, ongoing breach monitoring across your full supplier base.
supplier breach exposure ›D&B Credit ScoreFinancial-health signal that complements security and compliance risk on a vendor profile. Links to the supplier record for a fuller picture of overall vendor health.
supplier financial risk ›One unified view holds everything about a vendor: who they are, their security grade, their risk posture, their contacts, the processes and controls they touch, their assessment history with AI suggestions, and a full activity log.
Identity and risk posture
Supplier name, classification, risk tier, review frequency, service description, and owner.
OSINT security grade
External security posture graded A-F, refreshed daily. Open any grade to see what drove it.
Assessment history
All campaigns sent, responses received, and AI-suggested evaluations your team confirmed.
Contacts and linked objects
Every contact, linked process, control, and risk, in one view without leaving the panel.
Every action on a supplier is logged in an immutable, tamper-proof trail, each entry carrying the name of who made the change and when: field updates, contact changes, assessment actions, score adjustments. This is the primary audit artifact for the Register of Information and ICT third-party risk under DORA, and for supplier controls A.5.19 to A.5.23 under ISO 27001.
The activity log is the primary audit artifact for the Register of Information and ICT third-party risk under DORA, and for supplier controls A.5.19 to A.5.23 under ISO 27001.
Both views serve your TPRM programme. Use them together for full coverage.
Structured TPRM workflows
Compliance context linking
Built for practitioners who own vendor risk.
Centralise vendor risk next to your controls and risk register.
Security grades refreshed daily, consistent scoring across every vendor, impact chains through linked processes, and approval gates so critical-tier reclassification is governed.
Run repeatable assessment cycles without chasing email.
Batch-launch with templates and deadlines, let Aiko propose evaluations your team confirms, collect answers through the portal, and import existing vendor lists once.
Demonstrate a structured programme with a clear trail.
Grades and freshness visible on the register, historical responses retained, evidence exportable for NIS2, DORA, and ISO 27001, and the activity log ready when an auditor samples.
Related answers
Supplier Shield is Acuna's third-party risk management (TPRM) software. It gives you a scored vendor register, a daily-refreshed external security grade on every supplier, AI-assisted assessment campaigns that a human evaluator confirms, a supplier portal for external responses, and an immutable activity log that serves as your audit artifact for DORA, NIS2, and ISO 27001. Vendors are scored across three dimensions, dependency, reach, and impact, into one colour-coded risk tier. It is one module of the Swiss-hosted Acuna GRC platform, which maps to 50+ frameworks, so vendor evidence collected here is reusable across your wider compliance programme.
Acuna grades each vendor's public-facing security posture from A to F and refreshes it daily. This is OSINT, open-source intelligence: an outside-in signal, drawn entirely from a vendor's public footprint, that you hold against what they claim in their questionnaire. The OSINT security grade reflects five areas: email and domain security, encryption, web security, breach exposure, and reputation. You can open any grade to see what drove it. The grade sits alongside the three-dimension risk tier (dependency, reach, impact) on the supplier's profile.
The DORA register of information is the record, required by Article 28 of Regulation (EU) 2022/2554, of all your contractual arrangements for the use of ICT services provided by third parties. Every financial entity must keep it current, maintain it at entity and, where relevant, sub-consolidated and consolidated group level, and make it available to its competent authority on request. It is the backbone of DORA's third-party risk regime: supervisors use it to see, across the financial sector, which providers the system depends on. The register is not a one-time inventory. It is a living record that has to reflect your ICT supply chain as it actually is, including which arrangements support critical or important functions, because those carry stricter contractual and oversight requirements. That distinction, critical-or-important versus the rest, drives much of what DORA asks of the relationship. The register documents each ICT contractual arrangement: the provider, the service, whether it supports a critical or important function, and the contractual terms DORA requires. The European Supervisory Authorities set the detailed template and fields through technical standards, so the precise columns are defined centrally rather than left to each entity. The register has to be complete and consistent enough that a supervisor can read your ICT dependency map from it. A register maintained as a spreadsheet, separate from the vendor relationships it describes, is accurate the day it is built and wrong the week a contract changes and nobody updates the file. That is the failure mode DORA's "keep it current" requirement is aimed at, and it is why the register cannot be a document you refresh before an inspection.
DORA applies to a broad range of financial entities established in the EU, including credit institutions, payment and electronic money institutions, investment firms, insurance and reinsurance undertakings and intermediaries, crypto-asset service providers, fund managers, trading venues, and more. It also reaches the ICT third-party service providers those entities depend on, and it creates a dedicated oversight regime for providers designated as critical, who become subject to direct supervision by a lead overseer. Scope is deliberately wide, so an EU financial entity should assume it is in scope until it confirms otherwise. DORA is not one-size-fits-all. Smaller and less complex entities apply a simplified version of the ICT risk management framework, calibrated to their scale and risk. Simplified is not exempt: the obligation still applies, at a proportionate depth. The largest and most systemically important entities carry the fullest requirements, including advanced testing. Certain ICT providers, judged critical to the EU financial system, are designated and brought under direct oversight by a lead overseer among the European Supervisory Authorities. This extends supervision to firms that are not themselves financial entities but on which the sector depends. For a financial entity, it means the concentration risk in your ICT supply chain is now a supervisory concern, not only a commercial one, which is exactly why the [third-party risk management](/supplier-shield) register matters.
We will score it, grade it, and walk its Nth-party exposure live, on your data.