Kardu

NIS2 compliance built for the European SME

Turn your security into a sales asset: automated, reliable, and trusted.


MedTech Europa SL

Overview

67 controls implemented · of 93 applicable · +4 this week

12 in progress · awaiting completion

43 evidence files · 31 controls covered

8 open tasks · 2 overdue

Can't afford to skip

26 essential controls still pending


Background checks for new hires

A.6.1 · People security

Security of end-user devices

A.8.1 · Asset management

Security policy

A.5.1 · Organizational

Security responsibilities in employment

A.6.2 · People security

Goldfinch



40% of your pending controls are in Organizational — this is your biggest compliance gap right now.
Start with Security policy and Background checks — both are quick wins that unblock 6 other controls downstream.
What sector does your company operate in?
How many employees do you have?
What personal data do you process?
Have you been asked to comply with NIS2?
Do you have a documented security policy?
How many vendors access your systems?
Have you experienced a security incident?
What critical assets do you need to protect?
How long have you been managing compliance in spreadsheets?
Who owns compliance in your company?
Do your customers require ISO 27001?
When is your next audit?
Where do you store control evidence?
Do you have an up-to-date risk register?
Do you need ENS to contract with public sector?
How many regulatory frameworks apply to you?

Compliance shouldn't slow your business down.

Kardu automates risk management and regulatory compliance, turning a legal obligation into a competitive advantage with your clients and partners.

The backbone of your security

ISO 27001 as the core. All your programme's controls, evidence and risks in one system. No spreadsheets, no duplication.

ISO 27001 · INT
ISO/IEC 27001:2022 Information Security Management
74% coverage · 11/15 areas done · 68/93 controls
Information security policies and governance · 3/4
External engagement and threat intelligence · 2/4
Asset and information management · 6/6
Identity and access management · 4/4
Supplier and cloud security · 3/5
Incident management · 4/5
Business continuity · 2/2
Compliance and records management · 5/7
People security · 6/8

Evidence vault

Every control has its evidence attached. Automatic expiries, proactive reminders and full lifecycle traceability for any audit.

Evidence Vault
The proof that your security controls are actually in place.
6 files · 5 linked to controls
Type · File · Control · Date · Size
PDF · ISO27001_Risk_Assessment_2024.pdf · A.8.2 · Mar 12 · 2.4 MB
DOC · Access_Control_Policy_v3.docx · A.9.1 · Mar 08 · 340 KB
PDF · Firewall_Config_Audit.pdf · A.13.1 · Feb 28 · 1.1 MB
IMG · Employee_Security_Training.png · A.7.2 · Feb 20 · 890 KB
PDF · Incident_Response_Plan_v2.pdf · A.16.1 · Feb 14 · 1.8 MB
PDF · Supplier_NDA_Acme_SL.pdf · A.15.1 · Jan 30 · 220 KB

Focus Mode

Your personal dashboard of pending tasks. Kardu prioritises what needs attention today so you never lose track of your Compliance Score.

Focus queue · 8 controls pending
Control · Framework · Due
Security policy · ISO27001 · Today
Security roles and responsibilities · ISO27001 · Today
Separation of duties · ISO27001 · Tomorrow
Management commitment to security · ISO27001 · Tomorrow
Access control policy review · NIS2 · Apr 30
Supplier risk assessment · ISO27001 · May 2
Business continuity plan update · ISO27001 · May 5
Incident response drill documentation · NIS2 · May 8

European AI assistant

Draft policies, analyse gaps and generate audit-ready documentation. Powered by European AI — your data never leaves the EEA.

Goldfinch

Ask me anything about your compliance program.

What should I focus on first?
Which controls are missing evidence?
How do I improve my score?

All your frameworks coordinated in one system.

Mandatory

NIS2

Mandatory European cybersecurity directive.

21 risk management measures


Certifiable

ISO 27001

International information security standard.

93 controls across 4 themes


Spain

ENS

National Security Scheme for public entities and private companies working with the public sector.

75 security measures


Financial

DORA

Digital operational resilience for the financial sector.

ICT risk management


Privacy

GDPR

European regulation on the protection of personal data.

99 articles, 6 legal bases


FAQ

Frequently asked questions.

Kardu is a compliance platform built for European companies that need to demonstrate security to clients and investors. It does not replace a certification audit, a security consultant, or legal advice — nor does it claim to. It is software that guides you step by step so that compliance becomes a visible commercial asset, not an administrative burden.

For European companies with 10 to 250 employees — fintech, healthtech, B2B SaaS, public administration suppliers — that have received a compliance requirement (NIS2, ISO 27001, DORA, ENS) from a client, investor or auditor and do not know where to start.

The initial onboarding takes less than 15 minutes. Kardu asks you 4 questions about your company and automatically generates a personalised compliance programme. In your first session you already have a real compliance score and know exactly what to prioritise.

All your data is stored exclusively on servers in the European Union (Frankfurt). Kardu has no servers outside the EU, without exception. We comply with the GDPR and have a signed DPA with every infrastructure provider.

No. Kardu is designed precisely for companies without an internal security team. The Goldfinch AI assistant explains each control in plain language, suggests what evidence to attach and alerts you when something needs attention. If you have any questions at any point, it is there to answer them.

During the beta, Kardu is free by invitation. No credit card or commitment required. Invited companies get full access to the platform and direct access to the founding team to give feedback that shapes the product. Spots are limited — you can request access from this page.

Kardu reflects what your company actually implements and documents — not what you make up. The Trust Center shows your real score based on controls you have completed with attached evidence: a document, a policy, a log. If someone uploads false evidence, the problem is not Kardu — it is document fraud, with the same legal consequences as falsifying a contract. That said, Kardu does not replace an external auditor. For formal certifications (ISO 27001, ENS), an independent certification body always steps in to physically verify what you declare. The Trust Center is an honest progress signal, not an official stamp. See Kardu's Trust Center →

Beta access: until August 24, 2026.

Full product access from day one, no credit card required. When paid plans launch in August, beta users will receive special early adopter pricing.

  • Full Kardu access: controls, evidence, risks, tasks and assets
  • 5 simultaneous frameworks: ISO 27001, NIS2, DORA, ENS and GDPR
  • Up to 50 users and 100 evidence files
  • EU data residency · Frankfurt, Germany


You'll receive your login password by email within 48 hours.