Supplier Shield · Third-party risk management

Third-party risk management software your auditor can't pick apart.

Your vendor risk is probably in a spreadsheet, or in a standalone tool that talks to nothing else. Either way it sits in a silo, away from the controls and risk register you actually run your programme on. Supplier Shield scores every vendor, grades their security daily, and keeps a regulator-ready trail, on the same records as the rest of your compliance work.

Swiss-hostedBuilt for DORA, NIS2, ISO 27001One subscription, core TPRM included

What is Supplier Shield?

Supplier Shield is Acuna's third-party risk management (TPRM) software, built for regulated companies in the EU and Switzerland. It scores every vendor across three risk dimensions, runs daily OSINT security grading on every vendor, runs AI-assisted assessment campaigns with a human evaluator confirming every result, and keeps an immutable audit trail for DORA, NIS2, and ISO 27001. It is one module of the Swiss-hosted Acuna GRC platform, which maps to 50+ frameworks, so vendor evidence you collect here is reusable across your wider compliance programme rather than locked to one standard.

You don’t have a tooling problem. You have a disconnect problem.

Your vendor risk is probably in one of two places: a spreadsheet you maintain by hand, or a standalone tool you bought that lives in its own login. Either way it’s disconnected from your controls and your risk register, and that disconnect costs you twice.

A vendor’s security can slide for months before their next questionnaire is due. And when the auditor samples your programme, you reconcile across systems by hand. Supplier Shield closes both gaps, on records your compliance programme already uses.

Less manual work. Fewer blind spots. Faster proof.

Most TPRM programmes only move when someone runs a questionnaire. Everything between cycles goes stale, the work lands on one person, and audit season becomes a reconstruction project. Here is what changes.

CAMPAIGN · Q2 VENDORSActive
14
Sent
11
Responded
3
Pending
3 reminders sent automatically

You stop chasing and start governing

Campaigns launch on a schedule, distribute themselves, track who has and has not responded, and remind non-responders automatically. Your team watches a dashboard, not a thread.

HR PLATFORM · DAILY RESCAN⚠ Changed
BC
DNS hygiene
degraded · next questionnaire 4 months away

You catch a vendor slipping before they self-report

Every active vendor carries a security grade that refreshes daily on its own, with no action from the vendor and none from you. A drop shows on the register long before the next questionnaire is due.

Activity log
09:14M.SchmidRisk tier → Critical
08:47L.BlancAssessment sent · 12 vendors
Jun 20SystemSecurity rescan complete

Audit prep becomes a report, not a rebuild

Every change is logged with a name and a timestamp. When an auditor samples your vendor governance, the answer already exists.

VENDOR LIBRARY → NEW SUPPLIER
📚
CRM Platform
Sales & CRM
Pre-filled
47 saved answers · assessment ready to launch

A known vendor onboards in minutes

Common providers come pre-loaded with saved answers and evidence, so your first assessment of a major vendor starts with context instead of a blank form.

Answer the board’s hardest vendor question in a click.

“Which vendor, if breached tomorrow, takes the most of us down with it?”

Click the vendor. The supply-chain map walks its subcontractors, and theirs, surfacing every process, data store, and fourth or fifth party exposed. The answer is a click, not a quarter.

This is the concentration-risk view DORA and NIS2 now expect you to hold, and the one most TPRM tools do not show you at all.

See the assessment workflow.

The best TPRM software for a regulated EU or Swiss company is the one already connected to your controls.

Most third-party risk tools are standalone. They give you a vendor list in a separate login, disconnected from your compliance programme. For a company running DORA, NIS2, or ISO 27001, that is a second silo to reconcile at audit time.

Supplier Shield puts each vendor on the same record your ISMS and risk register already use, so vendor risk rolls straight into your enterprise risk picture instead of sitting in its own tool.

And for EU and Swiss buyers it adds what US-built platforms structurally cannot: Swiss data residency and native DORA and NIS2 alignment.

Supplier Shield · Connected

Controls & ISMSvendor controls linked
Risk registervendor risk rolls up
Incident managementsame record
Audit evidenceno reconciliation

Standalone TPRM tool · Silo

Separate loginsecond system
No link to controlsmanual mapping
Audit reconciliationhand-built export
US data residencyfor most vendors

Already mid-contract on another tool? You don’t need a big-bang migration. Run your next audit cycle on Supplier Shield while the current tool sunsets, then switch when it’s done.

vs UpGuard ›vs Prevalent ›

Everything a vendor risk programme needs, in one subscription.

Every capability ships in one subscription. No add-on modules for the core TPRM workflow.

Supplier register

A searchable register of every vendor, classified Critical, Important, or Standard, with service description, owner, and review frequency. Bring an existing vendor list in by import and map the fields once.

Three-dimension risk scoring

Every supplier is scored on how much you depend on them, how deeply they reach into your systems and data, and how much damage their failure would cause. The result is a single colour-coded risk tier your procurement, risk, and compliance teams can align on, reviewed at least annually or whenever scope changes.

Continuous OSINT security grading

Acuna grades each vendor's public-facing security posture from A to F and refreshes it daily. This is OSINT, open-source intelligence: an outside-in signal, drawn entirely from a vendor's public footprint, that you hold against what they claim in their questionnaire.

Assessment campaigns

Launch one questionnaire to many suppliers at once, schedule it for a future date, and let Acuna handle distribution, status tracking, and reminders. The dashboard shows completion and ratings at a glance.

AI-assisted evaluation with Aiko

Aiko reviews supplier responses and their uploaded evidence, including documents, images, and PDFs, and proposes a per-question evaluation with a confidence score. A human evaluator reviews every suggestion and confirms or overrides it. The AI does the first pass; the accountable judgment stays with your team.

Supplier portal

Vendors respond and upload documents through a dedicated portal with no account required. Evidence stays out of inboxes and arrives as a documented, defensible response chain.

One supplier panel

Each supplier opens into a single panel holding identity, security grade, risk posture, contacts, linked processes and controls, assessment history with AI suggestions, and a full activity log.

Multiple contacts per vendor

Store as many contacts as you need with role assignments, and choose who receives each campaign. Archiving preserves history rather than erasing it.

Approval gates on critical vendors

Require sign-off before a risk change takes effect on a high-tier supplier, so reclassification is a governed decision, not a quiet edit.

Nth-party exposure

The supply-chain map unfolds level by level, so you can trace a vendor's subcontractors and theirs, and see fourth- and fifth-party concentration risk the way DORA and NIS2 expect.

Multilingual questionnaires

Send assessments in English, German, French, or Spanish to reduce friction and lift completion rates on cross-border vendors.

Lifecycle and re-assessment

Every supplier has a next-review date. Overdue vendors are flagged on the register and in any control that depends on them, so a calendar-driven rhythm replaces the annual scramble. Historical responses are retained for trend analysis and audit.

Three dimensions. One risk tier.

The three roll into a single colour-coded risk tier, so everyone assesses vendors the same way without a spreadsheet behind it.

Dependency

Dependency

How critical is this supplier to keeping the business running? Core services rank high; easily replaced ones rank low.

Reach

Reach

How deeply is the supplier integrated into your systems, data, and processes? Deep access ranks high; isolated services can rank low.

Impact

Impact

What would a breach, outage, or failure cost you, across financial, operational, and reputational terms?

Low
Easily replaced, limited access, contained impact
Medium
Important dependency, moderate integration
High
Critical service, deep access, significant impact

Five dimensions. One security grade.

Acuna grades each vendor's public-facing security posture from A to F and refreshes it daily. This is OSINT, open-source intelligence: an outside-in signal, drawn entirely from a vendor's public footprint, that you hold against what they claim in their questionnaire. Grades are colour-coded everywhere they appear, and you can open any OSINT security grade to see what drove it.

🌐

Email and domain security

Whether the vendor protects its domain against spoofing and impersonation.

🔒

Encryption

Whether the vendor's connections use current, valid, well-configured encryption.

🛡

Web security

Whether the vendor's public sites carry the protections that defend against common web attacks.

Breach exposure

Whether the vendor's domain appears in known breaches, with severity and timeline.

📊

Reputation

Trust and threat signals that indicate the vendor's overall standing.

AExcellent
BGood
CFair
DPoor
FCritical

Open any grade to see the findings and evidence behind each dimension.

The record an auditor asks for, already written.

One unified view holds everything about a vendor: who they are, their security grade, their risk posture, their contacts, the processes and controls they touch, their assessment history with AI suggestions, and a full activity log.

Identity and risk posture

Supplier name, classification, risk tier, review frequency, service description, and owner.

OSINT security grade

External security posture graded A-F, refreshed daily. Open any grade to see what drove it.

Assessment history

All campaigns sent, responses received, and AI-suggested evaluations your team confirmed.

Contacts and linked objects

Every contact, linked process, control, and risk, in one view without leaving the panel.

Immutable activity log

Every action on a supplier is logged in an immutable, tamper-proof trail, each entry carrying the name of who made the change and when: field updates, contact changes, assessment actions, score adjustments. This is the primary audit artifact for the Register of Information and ICT third-party risk under DORA, and for supplier controls A.5.19 to A.5.23 under ISO 27001.

The activity log is the primary audit artifact for the Register of Information and ICT third-party risk under DORA, and for supplier controls A.5.19 to A.5.23 under ISO 27001.

Field Updates
Name changes, risk level adjustments, dependency modifications, notes additions, review frequency changes
Contact Changes
Contact added, updated, or archived with timestamp and user attribution
Assessment Actions
Assessments launched, responses received, evaluations completed, process linkages changed

Supplier Shield + Third Parties register.

Both views serve your TPRM programme. Use them together for full coverage.

Supplier Shield

Structured TPRM workflows

  • External security grading, A-F, refreshed daily
  • Three-dimension risk scoring into one colour-coded tier
  • Scheduled assessment campaigns with AI-assisted evaluation
  • External supplier portal, no vendor account required
  • Immutable activity log for DORA and ISO 27001 audit evidence
Third Parties (Implement)

Compliance context linking

  • Document any external entity relevant to your framework
  • Type classification: Vendor, Service Provider, Contractor, Partner
  • Risk tiering: Critical, High, Medium, Low
  • Link to assets, risks, controls, and requirements
  • Status lifecycle: Active, Inactive, Under Review, Retired
View Implement ›

Built for practitioners who own vendor risk.

Built for practitioners who own vendor risk.

CISO / Head of Security

Centralise vendor risk next to your controls and risk register.

Security grades refreshed daily, consistent scoring across every vendor, impact chains through linked processes, and approval gates so critical-tier reclassification is governed.

  • External security grades refreshed daily across all active vendors
  • Score every supplier consistently on dependency, reach, and impact
  • Impact chains visible through processes and controls linked to each supplier
  • Approval gates so critical-tier reclassification is a governed decision, not a quiet edit
Third-Party Risk Manager

Run repeatable assessment cycles without chasing email.

Batch-launch with templates and deadlines, let Aiko propose evaluations your team confirms, collect answers through the portal, and import existing vendor lists once.

  • Batch-launch campaigns with scheduling, templates, and automatic reminders
  • Aiko proposes per-question evaluations with confidence scores; your team confirms
  • Vendors respond through the portal with no Acuna account required
  • Import existing vendor lists and map fields once
Compliance / Audit Team

Demonstrate a structured programme with a clear trail.

Grades and freshness visible on the register, historical responses retained, evidence exportable for NIS2, DORA, and ISO 27001, and the activity log ready when an auditor samples.

  • Security grades and assessment freshness visible at a glance on the register
  • Historical assessment responses retained for trend analysis and audit
  • Activity log is the primary audit artifact for DORA and ISO 27001 supplier controls
  • Export evidence packages for NIS2, DORA, and ISO 27001 audits

Common questions about Supplier Shield.

Related answers

Questions practitioners ask.

What is Supplier Shield?

Supplier Shield is Acuna's third-party risk management (TPRM) software. It gives you a scored vendor register, a daily-refreshed external security grade on every supplier, AI-assisted assessment campaigns that a human evaluator confirms, a supplier portal for external responses, and an immutable activity log that serves as your audit artifact for DORA, NIS2, and ISO 27001. Vendors are scored across three dimensions, dependency, reach, and impact, into one colour-coded risk tier. It is one module of the Swiss-hosted Acuna GRC platform, which maps to 50+ frameworks, so vendor evidence collected here is reusable across your wider compliance programme.

How does OSINT security grading work in Supplier Shield?

Acuna grades each vendor's public-facing security posture from A to F and refreshes it daily. This is OSINT, open-source intelligence: an outside-in signal, drawn entirely from a vendor's public footprint, that you hold against what they claim in their questionnaire. The OSINT security grade reflects five areas: email and domain security, encryption, web security, breach exposure, and reputation. You can open any grade to see what drove it. The grade sits alongside the three-dimension risk tier (dependency, reach, impact) on the supplier's profile.

What is the DORA ICT third-party register?

The DORA register of information is the record, required by Article 28 of Regulation (EU) 2022/2554, of all your contractual arrangements for the use of ICT services provided by third parties. Every financial entity must keep it current, maintain it at entity and, where relevant, sub-consolidated and consolidated group level, and make it available to its competent authority on request. It is the backbone of DORA's third-party risk regime: supervisors use it to see, across the financial sector, which providers the system depends on. The register is not a one-time inventory. It is a living record that has to reflect your ICT supply chain as it actually is, including which arrangements support critical or important functions, because those carry stricter contractual and oversight requirements. That distinction, critical-or-important versus the rest, drives much of what DORA asks of the relationship. The register documents each ICT contractual arrangement: the provider, the service, whether it supports a critical or important function, and the contractual terms DORA requires. The European Supervisory Authorities set the detailed template and fields through technical standards, so the precise columns are defined centrally rather than left to each entity. The register has to be complete and consistent enough that a supervisor can read your ICT dependency map from it. A register maintained as a spreadsheet, separate from the vendor relationships it describes, is accurate the day it is built and wrong the week a contract changes and nobody updates the file. That is the failure mode DORA's "keep it current" requirement is aimed at, and it is why the register cannot be a document you refresh before an inspection.

Who does DORA apply to?

DORA applies to a broad range of financial entities established in the EU, including credit institutions, payment and electronic money institutions, investment firms, insurance and reinsurance undertakings and intermediaries, crypto-asset service providers, fund managers, trading venues, and more. It also reaches the ICT third-party service providers those entities depend on, and it creates a dedicated oversight regime for providers designated as critical, who become subject to direct supervision by a lead overseer. Scope is deliberately wide, so an EU financial entity should assume it is in scope until it confirms otherwise. DORA is not one-size-fits-all. Smaller and less complex entities apply a simplified version of the ICT risk management framework, calibrated to their scale and risk. Simplified is not exempt: the obligation still applies, at a proportionate depth. The largest and most systemically important entities carry the fullest requirements, including advanced testing. Certain ICT providers, judged critical to the EU financial system, are designated and brought under direct oversight by a lead overseer among the European Supervisory Authorities. This extends supervision to firms that are not themselves financial entities but on which the sector depends. For a financial entity, it means the concentration risk in your ICT supply chain is now a supervisory concern, not only a commercial one, which is exactly why the [third-party risk management](/supplier-shield) register matters.

Ready to see Supplier Shield in action?

We will score it, grade it, and walk its Nth-party exposure live, on your data.

Get a demoSee the platform