
Six issues. Six solutions. No deadline.

NIS2, DORA, Law 25, SOC 2, targeted ransomware, supply chain, exposed OT/ICS. Six challenges of CISO 2026, addressed by a single platform.


NIS2 is now in effect. DORA is applicable. Law 25 is mandatory. Ransomware doesn't wait.


You have an accelerating regulatory burden, increasingly sophisticated threats, and suppliers whose behavior you don't control. Six overlapping challenges. Six time constraints. A platform designed to address them sequentially, not individually, and demonstrate coverage quickly.

1. NIS2 / DORA (EU regulations)

You have European partners or subsidiaries. NIS2 and DORA apply.

NIS2 (transposed into national law since October 2024) imposes security measures and incident notification requirements. DORA (applicable since January 2025) mandates operational resilience for the financial sector, including the management of critical ICT providers. FortaRisks natively covers NIS2 and DORA, mapped to the 1,342 SCF controls and to your already validated ISO 27001 controls (typically 87% automatic coverage).

Benefit: NIS2 or DORA audit quickly, without rebuilding your evidence.
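
The cross-framework mapping described above, shown as an added example that is not FortaRisks' own code or mapping: a constructed crosswalk from NIS2 requirements (placeholder ids for the Article 21(2) measures and Article 23 notification) to ISO/IEC 27001:2022 Annex A controls, a coverage calculation over the controls that already have validated evidence, and a ranking of the missing controls by how many requirements each one unblocks. The choice of controls per requirement is an assumption made for illustration.

```python
# Constructed crosswalk for illustration. A NIS2 requirement counts as covered when
# every ISO/IEC 27001:2022 Annex A control listed for it has validated evidence.
# Requirement ids are placeholders and the control selection is an assumption;
# this is not the platform's SCF mapping.
CROSSWALK = {
    "NIS2-21.2a-risk-analysis":            {"A.5.1", "A.5.7", "A.8.8"},
    "NIS2-21.2b-incident-handling":        {"A.5.24", "A.5.26"},
    "NIS2-21.2c-continuity":               {"A.5.29", "A.5.30"},
    "NIS2-21.2d-supply-chain":             {"A.5.19", "A.5.21"},
    "NIS2-21.2e-vulnerability-handling":   {"A.8.8", "A.8.9"},
    "NIS2-21.2f-effectiveness-assessment": {"A.5.35", "A.5.36"},
    "NIS2-21.2g-hygiene-and-training":     {"A.6.3"},
    "NIS2-21.2h-cryptography":             {"A.8.24"},
    "NIS2-21.2i-hr-and-access-control":    {"A.6.1", "A.5.15", "A.5.18"},
    "NIS2-21.2j-mfa":                      {"A.8.5"},
    "NIS2-23-incident-notification":       {"A.5.24", "A.5.26", "A.5.5"},
}

# Every control referenced anywhere in the crosswalk.
ALL_CONTROLS = set().union(*CROSSWALK.values())

# Constructed evidence state: four controls still lack validated evidence.
VALIDATED = ALL_CONTROLS - {"A.8.8", "A.5.30", "A.8.24", "A.5.5"}


def assess_coverage(crosswalk, validated_controls):
    """Return (coverage_pct, covered_requirements, gaps).

    gaps maps each uncovered requirement to the sorted list of controls that
    still lack validated evidence, so the evidence already collected for ISO
    27001 is reused rather than rebuilt.
    """
    covered, gaps = [], {}
    for requirement, needed in crosswalk.items():
        missing = sorted(needed - validated_controls)
        if missing:
            gaps[requirement] = missing
        else:
            covered.append(requirement)
    coverage_pct = round(100 * len(covered) / len(crosswalk), 1)
    return coverage_pct, sorted(covered), gaps


def remediation_priority(gaps):
    """Rank missing controls by the number of requirements each one unblocks.

    Validating the top control first closes the most requirements per unit of
    remediation effort; ties are broken by control id for a stable order.
    """
    counts = {}
    for missing in gaps.values():
        for control in missing:
            counts[control] = counts.get(control, 0) + 1
    return sorted(counts.items(), key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    pct, covered, gaps = assess_coverage(CROSSWALK, VALIDATED)
    print(f"NIS2 coverage from existing evidence: {pct}%")
    for requirement, missing in gaps.items():
        print(f"  gap {requirement}: missing {', '.join(missing)}")
    print("remediation order:", remediation_priority(gaps))
```

The same two functions work unchanged for DORA or any other framework: swap in a crosswalk keyed by that framework's requirements and keep the validated control set, and the coverage figure and the gap list follow from the existing evidence.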

2. Bill 25 / PIPEDA (Canada)

Law 25 has been mandatory in Quebec since September 2023. Penalties up to $25 million or 4% of global revenue.
You handle the personal information of Quebec residents. Bill 25 imposes protection obligations, including incident notification within 72 hours and a Privacy Impact Assessment (PIA). FortaRisks natively covers Bill 25, integrated as a framework within the Posture module, and mapped to PIPEDA and GDPR controls for multi-jurisdictional organizations.

Benefit: demonstrable compliance with Law 25, with the Privacy Impact Assessment generated from the assessed controls.

3. SOC 2 / ISO 27001 (US and international customers)

Your clients require certification before signing. SOC 2 Type II and ISO 27001 are business prerequisites for selling to US, European, and increasingly Canadian companies. Typical preparation takes 9-12 months with a dedicated team. FortaRisks reduces this timeframe by pooling evidence across frameworks (1,341+ cross-reference mappings), generating audit-ready reports, and tracking the history of each control.

Benefit: SOC 2 Type II or ISO 27001 ready in 14 weeks, GRC effort reduced by 60%.

4. Targeted ransomware

LockBit. Black Basta. Cl0p. Akira. Royal. BlackSuit. They are not hypothetical.
Targeted ransomware has become the number one threat to Canadian organizations in healthcare, finance, manufacturing, and the public sector. FortaRisks tracks over 1,500 actors, including active ransomware groups by sector, and correlates their TTPs (tactics, techniques, and procedures) with exposed vulnerabilities in your stack and your third-party systems. Detection occurs before encryption, not after.

Benefit: an alert as soon as a TTP of a ransomware group targeting your sector emerges, with the remediation window preserved.

5. Supply chain / TPRM

30 to 60% of cyber risk comes through your suppliers. How do you monitor it?
Annual questionnaires are no longer sufficient. DORA, NIS2, and OSFI B-13 mandate continuous monitoring of critical service providers. FortaRisks continuously observes the actual posture of your third parties (attack surface, sector-specific CTI signals, alignment with declared frameworks), without requiring initial cooperation from the third party.

Benefit: continuous monitoring of 60-100 providers, detection of degradation before an incident.

6. Exposed OT/ICS

Is your Siemens PLC visible from the Internet? You probably don't know.
General-purpose EASM tools do not scan industrial protocols. As a result, PLCs that are accidentally exposed (through an incorrect NAT configuration, a third-party VPN, or an oversight after maintenance) remain invisible until an incident occurs. FortaRisks integrates a **native OT/ICS scanner** (Modbus, S7, BACnet, EtherNet/IP, IEC-104, DNP3, OPC UA, Niagara Fox — 15 industrial ports, read-only mode).

Benefit: an exposed PLC detected within 24 hours, demonstrable IEC 62443 / NERC CIP compliance.
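
The "incorrect NAT configuration" and "oversight after maintenance" exposure paths above can be checked from the firewall side as well, before any scan. The following is an added example, not FortaRisks' code: it reviews a constructed export of port-forwarding rules and flags any rule that forwards one of the industrial protocol ports to a host from a source not on the trusted list. The port table uses the public default ports of the protocols named on the page, assumed here for illustration; it is not the platform's own 15-port list, and the sample rules, OT ranges and trusted sources are constructed.

```python
import ipaddress
from dataclasses import dataclass

# Default ports of the industrial protocols named on the page (public IANA/vendor
# defaults, assumed for this example; not the platform's own port list).
INDUSTRIAL_PORTS = {
    502: "Modbus/TCP",
    102: "Siemens S7comm (ISO-TSAP)",
    47808: "BACnet/IP",
    44818: "EtherNet/IP (explicit messaging)",
    2222: "EtherNet/IP (implicit I/O)",
    2404: "IEC 60870-5-104",
    20000: "DNP3",
    4840: "OPC UA",
    1911: "Niagara Fox",
    4911: "Niagara Fox (TLS)",
}


@dataclass
class NatRule:
    """One port-forwarding (DNAT) rule as exported from the perimeter firewall."""
    name: str
    source: str          # CIDR allowed to reach the external port
    external_port: int
    internal_ip: str
    internal_port: int
    enabled: bool = True


def audit_nat_rules(rules, ot_networks, trusted_sources):
    """Return findings for enabled rules that forward an industrial protocol port
    from a source that is not fully inside a trusted network.

    Severity is "critical" when the source is the whole Internet (0.0.0.0/0) and
    the target sits in an OT range; every other untrusted forward is "high".
    """
    ot = [ipaddress.ip_network(n) for n in ot_networks]
    trusted = [ipaddress.ip_network(n) for n in trusted_sources]
    findings = []
    for rule in rules:
        if not rule.enabled:
            continue
        protocol = INDUSTRIAL_PORTS.get(rule.internal_port)
        if protocol is None:
            continue  # not an industrial protocol port
        source = ipaddress.ip_network(rule.source)
        if any(source.subnet_of(t) for t in trusted):
            continue  # engineering VLAN, maintenance VPN pool, etc.
        target = ipaddress.ip_address(rule.internal_ip)
        in_ot = any(target in net for net in ot)
        severity = "critical" if (source.prefixlen == 0 and in_ot) else "high"
        findings.append({
            "rule": rule.name,
            "protocol": protocol,
            "target": f"{rule.internal_ip}:{rule.internal_port}",
            "source": rule.source,
            "severity": severity,
        })
    # Critical findings first, then alphabetical by rule name.
    return sorted(findings, key=lambda f: (f["severity"] != "critical", f["rule"]))


# Constructed sample export: one rule left behind after maintenance, one third-party
# VPN peer that was never added to the trusted list, plus benign and disabled rules.
SAMPLE_RULES = [
    NatRule("temp-vendor-maint", "0.0.0.0/0", 5020, "10.20.1.15", 502),
    NatRule("integrator-vpn", "198.51.100.0/24", 102, "10.20.1.20", 102),
    NatRule("eng-vlan-opcua", "10.50.0.0/24", 4840, "10.20.1.30", 4840),
    NatRule("corp-web", "0.0.0.0/0", 443, "10.10.5.8", 443),
    NatRule("old-bacnet", "0.0.0.0/0", 47808, "10.20.2.40", 47808, enabled=False),
    NatRule("it-modbus-sim", "0.0.0.0/0", 502, "10.10.9.9", 502),
]
OT_NETWORKS = ["10.20.0.0/16"]       # constructed plant network
TRUSTED_SOURCES = ["10.50.0.0/24"]   # constructed engineering VLAN


if __name__ == "__main__":
    for finding in audit_nat_rules(SAMPLE_RULES, OT_NETWORKS, TRUSTED_SOURCES):
        print(f"[{finding['severity']}] {finding['rule']}: {finding['protocol']} "
              f"on {finding['target']} reachable from {finding['source']}")
```

Running this against the real rule export on the same schedule as the read-only scan gives two independent views of the same question: the scan shows what is reachable from outside, the rule audit shows why, and a rule that appears in the audit but not in the scan (or the reverse) is worth a closer look.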

Six challenges. Six critical paths.

Here is the typical trajectory for each issue, from day 0 to the demonstration of coverage.

  • NIS2 / DORA

Import of existing ISO 27001 controls, automatic mapping to NIS2 and DORA. Evidence-based gap assessment (typically 13%). Remediation of priority gaps. Generation of the audit-ready report.


  • Law 25

Import of the personal information processing register. Assessment of controls under Bill 25 (chapters 2, 3, 4). Generation of the Privacy Impact Assessment. Deployment of 72-hour incident response plans.


  • SOC 2 Type II

Import of SOC 2 controls (Trust Services Criteria: Security, Availability, Confidentiality). Comprehensive assessment with evidence collection. Gap remediation. Ready for Type I, then a 6-month observation period for Type II.


  • Targeted ransomware

Activation of watchlists by TTP (tactics, techniques, and procedures) targeting specific ransomware actors. Enrichment via your Action Feed. Continuous monitoring with Slack/Teams alerts when a targeted TTP emerges. No implementation delay: value starts immediately.


  • Supply chain / TPRM

Import of the critical third-party list (CSV). Automatic discovery of their external surface and collection of CTI signals. Initial scoring per third party, decomposition by dimension. Ongoing monitoring. For 60 third parties: complete coverage in 5 days.


  • Exposed OT/ICS

Validation of the authorized industrial IP scope for scanning. Configuration of exclusions (highly sensitive PLCs, active production periods). Initial OT scan in read-only mode, identification of exposed PLCs. Outgoing webhooks to Slack/Teams for continuous monitoring.


You rarely deal with just one issue at a time.

Most Canadian CISOs face three or four simultaneous challenges: SOC 2 for US clients, NIS2 for EU partners, Bill 25 for Quebec operations, and supply chain management for critical suppliers. With FortaRisks, this combination becomes an advantage, not a multiplication of effort.
