Security trust center · CRA · NIS2 · DORA · EO 14028

The last security questionnaire you'll ever answer.

Ship one branded portal where every customer, auditor and procurement team self-serves your compliance proof, SBOMs, advisories and gated security docs. Live in minutes. Maintained automatically.

See the compliance map

No credit card · Cancel anytime · Your subdomain, your brand

[Portal preview: acme.s2c.app · tabs: Overview · Documents · Security · Vulnerabilities · Compliance]
Acme Security & Compliance Trust Center: transparency portal for our security posture, compliance certifications, vulnerability disclosures and product SBOMs.
Compliance & Certifications (View all): ISO 27001 · SOC 2 Type II · CRA-ready · NIS2
Products: Acme Vault (Supported · SBOM · 2 open vulns). Sample entry in the preview: CRITICAL CVE-2025-12811, HTTP request smuggling in auth layer, status In Progress.
Before: 60-page security questionnaires. PDFs scattered across Drive, email and SharePoint. A week of back-and-forth per deal.
After: One URL you send to procurement. Customers self-serve SBOMs, advisories and compliance evidence. You close faster.
Free tool · no signup · no spam

Score any company's CRA & NIS2 posture in under a minute

Drop in a domain. We probe its public security signals (security.txt, CSAF, MTA-STS, TLS, DMARC, HSTS, headers, disclosure pages), fetch the actual policy text, and grade the substance with AI against the EU Cyber Resilience Act and NIS2 Directive. Use it on yourself, your vendors, or your competitors — we'll email the report to you when it's ready.

Free forever. We pay the AI bill. No credit card, no hidden upsell, no marketing list.

Run a free scan
5 scans / hour / IP · cached for 48 h · results are public
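What "grading the substance" of those public signals looks like once the artifacts are fetched, as an added example that is not the scanner behind the free tool: it takes the security.txt body, the _dmarc TXT record, the HSTS header and the MTA-STS policy as strings (the network fetches are left out so it runs offline), applies the checks a reviewer would apply by hand, and turns the findings into a grade. The thresholds, the letter grades, the example.com/example.net sample artifacts and the fixed "now" are this example's own constructed assumptions.

```python
"""Grade a domain's public security signals from already-fetched artifacts.

Added example, not Security2Center's scanner. Network fetches are left out: each
check takes the /.well-known/security.txt text (RFC 9116), the _dmarc TXT record,
the Strict-Transport-Security header and the MTA-STS policy (RFC 8461) as strings,
so it runs offline on the constructed samples below. Thresholds and letter grades
are this example's own choices, not the free tool's.
"""
from datetime import datetime, timezone
from typing import Optional


def _fields(text: str, item_sep: str, kv_sep: str) -> dict:
    """Split on item_sep, then each item at its first kv_sep; lower-case names, keep repeats."""
    out = {}
    for item in text.split(item_sep):
        name, sep, value = item.strip().partition(kv_sep)
        if sep and not name.startswith("#"):
            out.setdefault(name.strip().lower(), []).append(value.strip())
    return out


def check_security_txt(text: Optional[str], now: datetime) -> list:
    """RFC 9116: Contact and Expires are required; Expires must be a future timestamp."""
    if text is None:
        return ["security.txt: not published at /.well-known/security.txt"]
    f, findings = _fields(text, "\n", ":"), []
    if "contact" not in f:
        findings.append("security.txt: missing required Contact field")
    elif not all(v.startswith(("https://", "mailto:", "tel:")) for v in f["contact"]):
        findings.append("security.txt: Contact values must be URIs (https:, mailto:, tel:)")
    if "expires" not in f:
        findings.append("security.txt: missing required Expires field")
    else:
        try:  # "Z" suffix is common in the wild but fromisoformat wants an explicit offset
            if datetime.fromisoformat(f["expires"][0].replace("Z", "+00:00")) <= now:
                findings.append("security.txt: Expires is in the past")
        except ValueError:
            findings.append("security.txt: Expires is not an ISO 8601 timestamp")
    if "policy" not in f:
        findings.append("security.txt: no Policy link to a disclosure policy")
    return findings


def check_dmarc(record: Optional[str]) -> list:
    """A DMARC record only stops spoofing when p= is quarantine or reject."""
    if not record:
        return ["DMARC: no _dmarc TXT record"]
    t, findings = _fields(record, ";", "="), []
    policy = t.get("p", ["none"])[0]
    if policy not in ("quarantine", "reject"):
        findings.append(f"DMARC: policy p={policy} does not block spoofed mail")
    if "rua" not in t:
        findings.append("DMARC: no rua= aggregate report address")
    return findings


def check_hsts(header: Optional[str]) -> list:
    """HSTS needs max-age of at least a year (preload-list floor) and includeSubDomains."""
    if header is None:
        return ["HSTS: no Strict-Transport-Security header"]
    directives = [d.strip().lower() for d in header.split(";")]
    max_age = next((d[len("max-age="):] for d in directives if d.startswith("max-age=")), None)
    findings = []
    if max_age is None or not max_age.isdigit() or int(max_age) < 31536000:
        findings.append("HSTS: max-age missing, malformed or below one year")
    if "includesubdomains" not in directives:
        findings.append("HSTS: includeSubDomains not set")
    return findings


def check_mta_sts(policy: Optional[str]) -> list:
    """MTA-STS only protects inbound mail in mode: enforce; testing/none report but allow downgrade."""
    if policy is None:
        return ["MTA-STS: no policy at https://mta-sts.<domain>/.well-known/mta-sts.txt"]
    p, findings = _fields(policy, "\n", ":"), []
    mode = p.get("mode", ["missing"])[0]
    if mode != "enforce":
        findings.append(f"MTA-STS: mode={mode} does not enforce TLS")
    if "mx" not in p:
        findings.append("MTA-STS: no mx pattern")
    return findings


def assess(signals: dict, now: datetime) -> list:
    """Run every check over one domain's fetched signals and concatenate the findings."""
    return (check_security_txt(signals.get("security_txt"), now) + check_dmarc(signals.get("dmarc"))
            + check_hsts(signals.get("hsts")) + check_mta_sts(signals.get("mta_sts")))


def grade(findings: list) -> str:
    """Example thresholds: A = clean, B for 1-2 findings, C for 3-4, D otherwise."""
    n = len(findings)
    return "A" if n == 0 else "B" if n <= 2 else "C" if n <= 4 else "D"


# Constructed samples standing in for the fetched artifacts of two fictitious domains.
NOW = datetime(2026, 1, 15, tzinfo=timezone.utc)
GOOD = {
    "security_txt": "Contact: mailto:security@example.com\nExpires: 2027-01-01T00:00:00Z\nPolicy: https://example.com/security/disclosure\n",
    "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
    "hsts": "max-age=63072000; includeSubDomains; preload",
    "mta_sts": "version: STSv1\nmode: enforce\nmx: mail.example.com\nmax_age: 604800\n",
}
WEAK = {
    "security_txt": "Contact: security@example.net\n",  # bare address, no Expires, no Policy
    "dmarc": "v=DMARC1; p=none",
    "hsts": None,
    "mta_sts": "version: STSv1\nmode: testing\nmx: *.example.net\n",
}
```

Run `assess(GOOD, NOW)` and `assess(WEAK, NOW)` to see the difference: the first returns no findings (grade A), the second seven, one per misconfiguration the comments in WEAK describe (grade D). The point of splitting parsing from grading is that each check fails closed on a missing artifact, and malformed input (a non-ISO Expires, a non-numeric max-age) becomes a finding rather than a crash that would abort the whole scan.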

Everything in one portal

Branded trust center

Your own subdomain where customers see compliance certifications, security practices, and company security posture — no more back-and-forth over email.

Document access management

Share security documentation with access controls. Customers request access, you approve or deny. Bulk access, magic links, full audit trail.

Product security

Publish SBOMs in CycloneDX and SPDX, generate CSAF advisories and VEX documents, and maintain a public vulnerability disclosure page — all machine-readable. Share SBOMs and vulnerability feeds privately with specific customers via scoped, token-gated access grants — no email flow required.

Vulnerability and incident tracking

Track vulnerabilities through their full lifecycle. Manage incidents with coordinated disclosure. Customers can subscribe to security update notifications — keeping them informed and your transparency obligations met.

CRA and ENISA reporting

ENISA incident workflow with 24h / 72h / 14-day (actively exploited vuln) or 30-day (severe incident) timelines. CRA readiness scoring, Declaration of Conformity generator, and 5-year support lifecycle tracking. Read the CRA guide →

NIS2 readiness and CSIRT reporting

Article 21 compliance scoring across all ten required measures. CSIRT notification templates for 24h/72h/1-month incident reporting. Read the NIS2 guide →

DORA-ready for financial sector vendors

If banks and insurers are your customers, they need to assess your ICT risk. Your trust center is the proof they need — no more 60-page questionnaires. Read the DORA guide →

US federal SBOM delivery (EO 14028)

Selling software to US agencies? They require SBOMs. Distribute them through your trust center — publicly or access-controlled per contract. Read the EO 14028 guide →

AI-powered setup

Point it at your company website and the onboarding AI auto-detects your products, relevant frameworks, and prefills your trust center. Live in minutes.

CRA or NIS2? Most sell-side teams are in scope for both.

CRA regulates what you ship. NIS2 regulates how you operate. If you build a product and run the service behind it, both apply — and the evidence they demand overlaps heavily. One portal covers the overlap.

EU · Product regulation

CRA — Cyber Resilience Act

For any vendor placing connected products or commercial software on the EU market

The CRA applies to the thing you sell. Every product with digital elements needs baseline cybersecurity, a Declaration of Conformity, CE marking, an SBOM, and at least five years of security updates. First hard deadline: vulnerability and incident reporting starts 11 September 2026. Full applicability: 11 December 2027.

What the CRA asks for

  • Vulnerability handling across the full support lifecycle (Annex I, Part II)
  • Machine-readable SBOM for every shipped version (CycloneDX or SPDX)
  • ENISA notification: 24h early warning · 72h update · 14-day final report
  • EU Declaration of Conformity (Annex V) and CE marking
  • Documented secure-by-default & secure-by-design evidence

We generate the Declaration of Conformity, track the 5-year support window per product version, and ship the ENISA-format incident workflow out of the box. SBOMs, CSAF advisories and VEX go to your customers the same way you ship your product.

Full CRA guide →
EU · Organisational regulation

NIS2 — Network & Information Security Directive

For essential and important entities operating services in the EU (cloud, SaaS, digital infra, manufacturing, energy…)

NIS2 applies to how you run the company. If you're in scope, you implement the ten Article 21 measures, train your team, demonstrate supply-chain due diligence, and notify your national CSIRT: 24h early warning, 72h full notification, one-month final report. The transposition deadline was 17 October 2024; national implementing laws are in force or being enacted across member states.

What NIS2 asks for

  • Risk management and cybersecurity policies, signed off by leadership
  • Incident handling, business continuity and crisis management
  • Supply-chain security — including your own sub-processors
  • MFA, access control, cryptography and asset-management policy
  • Basic cyber hygiene, training, and regular effectiveness testing

The Article 21 readiness scorecard tells you what's missing across all ten measures. CSIRT templates cover every notification stage. A live audit trail sits behind every customer-facing action — that's your supply-chain evidence done.

Full NIS2 guide →

Also selling into banks or US federal agencies? We cover DORA for the financial sector and EO 14028 for federal SBOM delivery in the same portal.

Built for the regulations your customers care about

CRA, NIS2, DORA, EO 14028 — each feature maps directly to a specific obligation. CRA guide · NIS2 guide · DORA guide · EO 14028 guide

CRA obligation: SBOM documentation
Security2Center: Manage SBOMs in CycloneDX and SPDX. Distribute to customers and auditors — publicly or access-controlled.

CRA obligation: Vulnerability disclosure
Security2Center: Notify affected users with CSAF advisories and VEX documents. Control visibility — public or restricted to verified customers.

CRA obligation: ENISA incident reporting
Security2Center: Built-in workflow with 24h / 72h / 14-day (actively exploited vuln) or 30-day (severe incident) timeline tracking. Generates ENISA reports in the required format.

CRA obligation: Transparency and conformity
Security2Center: Branded portal on your subdomain. CRA readiness scoring tells you what's missing.

NIS2 obligation: Article 21 ten cybersecurity measures
Security2Center: NIS2 readiness dashboard scores all ten measures. CSIRT templates for 24h/72h/1-month reporting.

DORA obligation: Art. 28 Register of ICT third-party providers — documented security practices
Security2Center: Your trust center is the live ICT documentation. Financial customers access your security practices, certifications, and architecture overview — no questionnaire needed.

DORA obligation: Art. 19 ICT-related incident reporting and notification
Security2Center: Incident tracking with coordinated disclosure. Customers can follow your public transparency feed. Full audit trail available for regulatory inquiries.

DORA obligation: Art. 30 Contractual provisions for ICT services — sub-processor transparency
Security2Center: Document sub-processors, supply chain components, and SBOMs for your software stack. Gated access for verified financial customers only.

EO 14028 obligation: SBOM delivery for federal procurement (CycloneDX / SPDX)
Security2Center: Distribute machine-readable SBOMs to agencies — publicly or via Customer Access grants (scoped token, per contract, optional expiry). Supports CycloneDX and SPDX. No shared login required.

EO 14028 / NIST SSDF obligation: Secure software development attestation (SP 800-218)
Security2Center: Publish your SSDF-aligned security practices on your trust center. Provides auditable evidence of secure development to contracting officers.

EO 14028 obligation: Vulnerability disclosure and coordinated remediation
Security2Center: Public vulnerability disclosure page with CSAF advisories and VEX documents. Demonstrates the transparent remediation process federal agencies require.
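Both the Product security feature and the EO 14028 SBOM-delivery row above describe private SBOM access as a per-customer grant: a token scoped to named products, optionally expiring, with no shared login. The following is an added example of how such a grant can be built as an HMAC-signed capability token; it is not Security2Center's implementation, and the server secret, the contract identifiers and the two-product SBOM catalogue are constructed for the demonstration.

```python
"""Scoped, expiring access grants for private SBOM and advisory feeds.

Added example, not Security2Center's implementation. It shows the mechanism the
page describes (a per-customer token scoped to named products, with an optional
expiry and no shared login) as an HMAC-signed capability: the server keeps one
secret, the customer presents the token, and the feed checks signature, expiry
and scope before serving anything. Secret, identifiers and catalogue are constructed.
"""
import base64
import binascii
import hashlib
import hmac
import json
from typing import Optional

SERVER_SECRET = b"constructed-demo-secret-rotate-me"  # production: from a KMS / secret store

# Constructed catalogue: product id -> SBOM artifact a verified grant may download.
SBOMS = {
    "acme-vault": "acme-vault-2.4.1.cdx.json",       # CycloneDX
    "acme-gateway": "acme-gateway-1.9.0.spdx.json",  # SPDX
}


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_grant(customer: str, products: list, expires_at: Optional[int],
                secret: bytes = SERVER_SECRET) -> str:
    """Mint '<b64 payload>.<b64 tag>' where tag = HMAC-SHA256(secret, payload).

    expires_at is a Unix timestamp; None issues a grant that never expires, so
    revocation then has to happen by rotating the secret or a server-side deny list.
    """
    payload = json.dumps({"sub": customer, "scope": sorted(products), "exp": expires_at},
                         sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(secret, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(tag)}"


def verify_grant(token: str, product: str, now: int,
                 secret: bytes = SERVER_SECRET) -> Optional[dict]:
    """Return the grant if the token is authentic, unexpired and covers product; else None."""
    try:
        payload_b64, tag_b64 = token.split(".")
        payload, tag = _unb64(payload_b64), _unb64(tag_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(secret, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time; verify before parsing
        return None
    grant = json.loads(payload)
    if grant["exp"] is not None and now >= grant["exp"]:
        return None  # expired grants fail closed
    if product not in grant["scope"]:
        return None  # a valid token for one product grants nothing on another
    return grant


def serve_sbom(token: str, product: str, now: int) -> Optional[str]:
    """Feed endpoint: hand out the artifact name only for a grant that covers the product."""
    return SBOMS.get(product) if verify_grant(token, product, now) else None


if __name__ == "__main__":
    tok = issue_grant("contract-4711", ["acme-vault"], expires_at=1_800_000_000)
    print(serve_sbom(tok, "acme-vault", now=1_750_000_000))    # acme-vault-2.4.1.cdx.json
    print(serve_sbom(tok, "acme-gateway", now=1_750_000_000))  # None: out of scope
    print(serve_sbom(tok, "acme-vault", now=1_800_000_000))    # None: expired
```

The order of checks in `verify_grant` is deliberate: the signature is verified with a constant-time compare before the payload is parsed, so a forged or tampered token never reaches the JSON or scope logic, and both the expiry and the scope test fail closed. Because the token carries its scope, one customer's grant cannot be replayed against another product, which is the property that makes per-contract distribution safe without a shared login.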

CRA incident reporting obligations begin on 11 September 2026. DORA has applied since 17 January 2025. NIS2 audits are underway. Non-compliance penalties: up to €15 million or 2.5% of global annual turnover (CRA), €10 million or 2% (NIS2 essential entities); DORA leaves the penalty scale to national competent authorities, with periodic penalty payments for critical ICT third-party providers.

One plan. Everything included.

Try the full platform for 3 months, free. No credit card, no feature gates, no surprises. If it works for you, stay.

3 months free, then €149/month, or €1,428/year (save 20%).
  • Branded trust center on your subdomain
  • Compliance and security practice pages
  • Document access management
  • Unlimited products, SBOMs, and advisories
  • Vulnerability and incident tracking
  • Per-customer SBOM & vulnerability access grants
  • CRA, NIS2, and DORA readiness
  • ENISA, CSIRT, and EO 14028 reporting
  • AI-powered onboarding
  • Full audit trail
Cancel anytime during trial. No questions asked.