Welcome to Asphalia Analytics

Discover your
Cybersecurity Weaknesses
before Hackers do.

Contact by Phone Contact by Mail
Screenshot of the Asphalia Analytics app
Security1 min readFebruary 16, 2026

CRA Scope Assessment Tool — Promotional Post Outlines

Is your product subject to the EU Cyber Resilience Act?

The CRA (Regulation EU 2024/2847) applies to virtually all products with digital elements sold in the EU — with full compliance required by 11 December 2027 and reporting obligations starting 11 September 2026.

We built a free, privacy-first assessment tool that tells you in under 5 minutes:

  • Whether your product is in scope
  • Your classification (Default, Important, Critical)
  • Which conformity path applies
  • Your obligations based on your role in the supply chain

No registration. No data collection. Works offline.

Try it now: cra.asphaliaconsulting.be

Image

Security1 min readJanuary 29, 2026

Cyber Security Act 2

Seven years after the original Cybersecurity Act, the EU is ready for version 2.0. CSA2 brings mandatory supply chain security measures, stronger ENISA capabilities, and the ability to force the removal of high-risk components from critical infrastructure — even retroactively.

CSA2 is here, and it's not just an update — it's a reset. The European Commission's January 2026 proposal tackles supply chain risks head-on, with new powers to ban high-risk vendors from 5G networks and critical sectors, a reinforced ENISA, and a certification framework that finally moves beyond voluntary adoption.

Image

Security1 min readJanuary 29, 2026

NIS2 2026 Amendments

If you've just finished mapping your NIS2 obligations, you might not want to hear this — but the directive was explicitly designed to evolve, and the first major review cycle is already approaching in 2026.

Understanding what the European Commission will be evaluating, from sector coverage to cross-border coordination mechanisms, can help you build a compliance programme that won't need a complete overhaul when the amendments arrive. Here's a breakdown of what to watch for.

Image

Security1 min readJanuary 29, 2026

NIS2 2026 Updates

The European Commission just announced targeted amendments to NIS2 that promise to simplify compliance for 28,700 companies - but does 'simplification' really mean easier, or just different hoops to jump through?

Image

Security1 min readDecember 6, 2025

Use Case 1

NIS2 Compliance: Know Your Attack Surface

The Challenge

Since October 2024, NIS2 requires essential and important entities to "take appropriate and proportionate technical, operational and organizational measures to manage the risks posed to the security of network and information systems" (Article 21). This explicitly includes vulnerability management and knowledge of your exposed assets.

For many SMEs, this represents a significant challenge: how do you identify what attackers can see of your infrastructure without an in-house security team or expensive enterprise tools?

Our Solution

Asphalia Analytics provides a complete inventory of your external attack surface with risk prioritization aligned to NIS2 requirements:

  • Asset Discovery: Identification of all your exposed assets (domains, subdomains, IPs, services)
  • Shadow IT Detection: Uncovering forgotten or unknown assets that could be exploited
  • Vulnerability Assessment: Detection of exploitable vulnerabilities on exposed services
  • Compliance-Ready Reporting: Report directly usable for your compliance audits
  • Prioritized Remediation: Actionable recommendations ranked by risk level

Expected Outcome

Documentation ready to demonstrate your compliance with Article 21.2 (vulnerability management) during regulatory inspections or audits.

Security1 min readDecember 6, 2025

Use Case 2

Cyber Resilience Act: Assess Your Risks Before Market Launch

The Challenge

The Cyber Resilience Act (CRA) requires manufacturers of products with digital elements to perform a cybersecurity risk assessment before placing products on the market. This assessment must cover potential vulnerabilities and exploitation risks throughout the product lifecycle.

For connected device manufacturers, this means not only securing the device itself but also the entire supporting infrastructure: update servers, management portals, APIs, and cloud backends.

Our Solution

Before launching a connected product, we analyze your external exposure:

  • Support Infrastructure Assessment: Security posture of your portals, APIs, and update servers
  • Credential Leak Detection: Discovery of potentially leaked credentials or secrets in public repositories
  • Cloud Configuration Review: Analysis of cloud services associated with your product
  • Certificate Chain Validation: Verification of certificates and their trust chain
  • Third-Party Dependency Analysis: Identification of external services your product relies on

Expected Outcome

An external assessment report documenting your due diligence, a key element of your CRA technical file demonstrating proactive security measures.

Security1 min readDecember 6, 2025

Use Case 3

M&A Due Diligence: Evaluate the Cyber Risk of Your Target

The Challenge

During an acquisition, the target's cyber risk becomes your risk. Undiscovered vulnerabilities, shadow IT assets, and poor security practices can represent significant hidden costs post-acquisition. Traditional due diligence often overlooks cyber exposure, leaving acquirers with unexpected remediation costs and potential liability.

The challenge is compounded by the need to assess security posture without alerting the target or requiring access to their internal systems during early-stage negotiations.

Our Solution

Without any access to the target's systems (100% external and non-invasive assessment), we provide:

  • Complete Attack Surface Inventory: Full mapping of the target's external footprint
  • Critical Risk Identification: Exposed services, known vulnerabilities, misconfigurations
  • Data Leak Detection: Discovery of existing credential leaks, exposed documents, or sensitive data
  • Comparative Security Score: Benchmarking against industry standards and peers
  • Historical Analysis: Changes in security posture over time where data is available

Expected Outcome

A cyber due diligence report enabling informed negotiation and post-acquisition remediation planning. Identify potential deal-breakers or negotiate price adjustments based on discovered security debt.

Security1 min readDecember 6, 2025

Use Case 4

Supply Chain Security: Vendor Risk Assessment

The Challenge

NIS2 and DORA mandate the assessment of your critical suppliers' security posture. Self-declaration questionnaires are no longer sufficient—regulators expect objective, verifiable evidence of supply chain risk management.

With supply chain attacks increasing dramatically, organizations need continuous visibility into their vendors' external security posture, not just point-in-time assessments based on questionnaires that may not reflect reality.

Our Solution

Objective and verifiable assessment of your suppliers' attack surface:

  • Independent Analysis: No reliance on vendor self-declaration
  • Sector Benchmarking: Comparison against industry security standards
  • Supply Chain Risk Mapping: Identification of shared dependencies and concentration risks
  • Continuous Monitoring Option: Periodic reassessment to track security posture changes
  • Evidence-Based Reporting: Documentation suitable for regulatory compliance

Expected Outcome

Documentation compliant with NIS2 Article 21.2(d) requirements on supply chain security. Defensible evidence of your vendor risk management program for auditors and regulators.

ISO 270011 min readNovember 4, 2025

5.01 - Policies for Information Security - OnePager

Image

Tags: security-policy
ISO 270011 min readNovember 4, 2025

5.02 - Information security roles and responsibilities - OnePager

Image

Page 1 of 11Next →