Built by security professionals, for security professionals
norppa.io began as a tool we needed ourselves — then we opened it up.
Why we built it
We are Finnish security professionals with years of hands-on work across security operations and consulting. When NIS2 turned continuous supply-chain and attack-surface diligence into a standing obligation, we kept hitting the same wall: the credible tooling was built for Fortune-500 budgets, leaned on questionnaires and once-a-year snapshots, was hosted outside the EU and spoke only English. The lightweight alternatives were little more than a one-off scan. Nothing combined continuous, automated, evidence-based monitoring with a genuinely European foundation — so we built it for our own work, and opened it up.
The gap we set out to fill
Third-party risk tooling clusters at two extremes. At one end, the global rating and TPRM platforms: powerful, but priced for large enterprises, heavy on questionnaires, and built around a single letter grade. At the other, point tools that scan once and stop. For a European company that has to demonstrate ongoing diligence over its supply chain — in its own language, with data kept in the EU — neither fits. norppa.io is deliberately the missing middle: automated daily monitoring with 100+ checks per supplier, dark-web and ransomware exposure re-checked every few hours, the evidence behind every finding instead of an opaque score, eight languages, EU hosting in Finland and Germany, and pricing per supplier — so a twenty-person firm runs on the same platform as a multinational.
Built in Europe, for Europe
norppa.io is a European company — Norteris Oy, based in Helsinki — and your data is stored in the EU, in Finland and Germany. That matters for supply-chain monitoring, where the data we hold is in effect a map of your dependencies and weak points. The platform speaks eight EU languages, maps every finding to the relevant NIS2 article, and is built around the regulation European companies actually answer to — rather than retro-fitted from a US framework. Where the established supply-chain-risk platforms are US companies, norppa is European: your contract, your data residency and your support all sit in the EU.
Why 'norppa'?
Our name, norppa, is Finnish for the Saimaa ringed seal — one of the rarest seals in the world, found only in Finland's inland waters. It makes a fitting namesake. A seal spends its life watching its surroundings: patient and alert, surfacing quietly to take stock, then slipping back below to keep watch. It sees clearly in dark, murky water where others cannot. And it is distinctly European — a rare, protected native species. That is how we want the platform to work: a calm, constant watch over your supply chain rather than an alarm that sounds only after the fact; clarity in the murk of exposed services, leaked credentials and expiring certificates; and a European home for your data, looked after with care.
From professionals to professionals
We build norppa.io the way we would want a tool built for us: evidence over hype, no fear-selling, and honest about what a scan can and cannot tell you. Every finding comes with the proof behind it and a plain explanation of why it matters for NIS2 — not a number you have to take on faith.