// BASICS //
Understanding the FR Rating
What is the FR Rating?
The FR Rating is an independent score that summarises an organisation's cybersecurity regulatory posture. It runs on 8 levels from FR-Aaa (highest) to FR-Ca (lowest), aggregating compliance maturity across 3 European frameworks: ISO 27001, NIS2 and DORA.
Who issues the FR Rating?
Finnovia Solutions, an independent European agency. The platform produces two outputs: a self-assessed FR Rating computed automatically from your responses, and a Verified FR Rating reviewed control-by-control by Finnovia analysts before publication. Only the verified rating, available on paying plans, is comparable in spirit to the ratings issued by financial rating agencies such as Moody's or S&P, applied here to cybersecurity.
How is the FR Rating calculated?
Each control is scored on a maturity scale from 0 (none) to 4 (optimised), normalised to 0–100%, then aggregated per domain using domain weights. The overall score maps to one of 8 levels through fixed thresholds (FR-A from 70%, FR-Aaa from 90%). The full methodology is published on the methodology page.
What does each FR Rating level mean?
Ratings group into three risk bands. Low risk: FR-Aaa, FR-Aa, FR-A (scores ≥ 70%). Medium risk: FR-Baa, FR-Ba (scores 50–69%). High risk: FR-B, FR-Caa, FR-Ca (scores below 50%). Each level reflects defined gaps and improvement priorities.
// FRAMEWORKS //
ISO 27001, NIS2 and DORA explained
Which cybersecurity frameworks does Finnovia cover?
Three frameworks: ISO 27001 (international cybersecurity management standard), NIS2 (EU Network and Information Security Directive, applicable since 2024) and DORA (Digital Operational Resilience Act, mandatory for EU financial entities since 2025).
How many questions and domains are there per framework?
Live numbers from the assessment engine — DORA: 38 questions across 7 domains; ISO 27001: 56 questions across 10 domains; NIS2: 37 questions across 7 domains.
Which framework applies to my organisation?
ISO 27001 is voluntary but globally recognised. NIS2 is mandatory for most large EU entities classified as essential or important. DORA is mandatory for EU financial entities and their critical ICT providers. Most organisations need at least two; Finnovia supports activation per framework.
How long does an assessment take to complete?
An ISO 27001 questionnaire takes around 35–40 minutes for someone familiar with the controls. NIS2 and DORA each take around 25 minutes. You can save your progress and resume at any time.
// LIFECYCLE //
How the rating process works
How long is an FR Rating valid?
A self-assessed rating is valid for 12 months from submission. A verified rating, after Finnovia analyst review, is valid for 24 months from sign-off. Both expire automatically — recurring assessments keep the rating current.
What's the difference between a self-assessed and a verified rating?
A self-assessed rating reflects the answers you submitted. A verified rating has been audited control-by-control by a Finnovia analyst who confirms the scoring is defensible. Verified ratings are the only ones listed publicly and recognised as official.
Who can see my rating?
Self-assessed ratings are private to your organisation. Verified ratings are listed publicly on the ratings page and visible to anyone — that is the whole point of an independent agency. You stay in control of which frameworks you choose to publish.
Can I withdraw a published rating?
Yes. You can request withdrawal at any time. The rating is no longer shown on the active ratings page; it remains in our archive for transparency, with a clear 'withdrawn' marker.
// SUPPLIERS //
Monitoring your supply chain
How does supplier monitoring work?
Paying clients can invite their suppliers to complete an assessment. The supplier sees a private link, completes the questionnaire, and Finnovia computes their FR Rating. You see a dashboard of all your suppliers with their ratings — a transparent third-party view of your supply chain cyber risk.
What if a supplier does not respond?
Three automated reminders are sent, 7 days apart. After that, the supplier appears as 'not responsive' in your dashboard, with no further outreach. Your supplier list shows at a glance who is evaluated, in progress, invited or unresponsive.
Can a supplier see other clients' data?
No. A supplier completing an assessment for you only sees their own questionnaire. They never see who else has invited them, nor any aggregated data across clients. Once verified, the rating is portable — meaning multiple clients of the same supplier share the same published rating.
Is supplier monitoring included in all plans?
Supplier monitoring is included in Founding Member and Enterprise. The free Discovery tier covers self-assessment only. Founding Member is capped at 25 suppliers; Enterprise removes the cap.
// PRICING //
Plans, caps and upgrades
Is there a free version?
Yes — the Discovery tier is free and lets you complete self-assessments on ISO 27001 and NIS2. Partial domain scores are shown. The verified rating, supplier monitoring and the full results breakdown require an upgrade.
What is included in the Founding Member plan?
Founding Member unlocks: verified analyst-reviewed FR Ratings on the three frameworks, supplier monitoring, full dashboard, priority support roadmap. Pricing is locked in for 24 months. Limited to 50 organisations across Europe.
What does the Enterprise plan offer?
Enterprise is for organisations with larger supplier ecosystems; it adds custom integrations, a dedicated customer success manager (CSM) and contractual SLAs. Pricing is on quote. Contact our team for details.
Can I upgrade later?
Yes, anytime. You can move from Discovery to Founding Member while seats remain available, or from Founding Member to Enterprise. Downgrades are honoured at the next renewal.
// TRUST //
Data, GDPR and independence
Where is my data stored?
Finnovia runs entirely in Europe. The application is hosted on Vercel's European regions; the PostgreSQL database lives on Supabase, also in the EU. No customer data leaves European jurisdiction.
Is Finnovia GDPR-compliant?
Yes. Finnovia Solutions is a French company. We process personal data on a contractual basis (your subscription). Our full GDPR posture, data processing register and sub-processors are documented in the privacy policy.
Who has access to my responses?
Only you and your authorised colleagues by default. For verified ratings, an authorised Finnovia analyst reviews the responses control-by-control. We never share questionnaire content with third parties. Aggregated, fully anonymised statistics may be used for sector benchmarks — never per-org without consent.
Is Finnovia really independent?
Yes. Finnovia Solutions is privately held, has no consulting arm, sells no cybersecurity products and accepts no remuneration from rated organisations beyond the standard subscription. Our economic model is the rating subscription — not advice, not pen tests, not implementation. That structural independence is the whole point.