// METHODOLOGY //
A transparent, deterministic methodology aligned with ISO 27001, NIS2 and DORA. Same answers → same rating, every time.
Score aggregated across 3 cybersecurity frameworks.
// OVERVIEW //
Finnovia assesses organizations against three European cybersecurity frameworks: ISO 27001, NIS2, and DORA. Each assessment is based on a structured questionnaire organized by domains, where answers are converted into weighted scores to produce an overall FR-Rating.
Our methodology is designed to be transparent, reproducible, and aligned with European regulatory requirements. Domain weights reflect each framework's regulatory priorities.
DORA
38 questions · 7 domains
ISO 27001
56 questions · 10 domains
NIS2
37 questions · 7 domains
// HOW IT WORKS //
For each domain, the score is the average of the maturity scores of the answered questions, expressed as a percentage. "Not Applicable" answers are excluded from both the sum and the count. A domain where every question is answered at level 3 (Managed) therefore scores 75%.
The overall score is calculated as the weighted sum of each domain score. Each domain contributes proportionally to its weight, which reflects its importance within the framework.
The overall score is converted to an FR Rating using a fixed 8-level scale, from FR-Ca (score below 20%) to FR-Aaa (score of 90% or above). Each level carries a precise threshold defined in code (FR_RATING_THRESHOLDS) — never adjusted post-hoc.
// MATURITY SCALE //
Each question is assessed on a 5-level maturity scale, from 0 (no measures in place) to 4 (optimized process with continuous improvement).
| Level | Maturity | Score |
|---|---|---|
| 0 | None | 0% |
| 1 | Initial | 25% |
| 2 | Defined | 50% |
| 3 | Managed | 75% |
| 4 | Optimized | 100% |
| N/A | Not applicable | excluded |
// FR RATING SCALE //
The FR-Rating translates the overall score into a comparable grade, inspired by financial credit ratings. It provides an immediate reading of compliance maturity.
// RISK BANDS //
The 8 FR Rating levels aggregate into three risk bands for high-level reporting and benchmarking — defined in Methodology Book §5.1.
| Overall score | FR Ratings | Posture |
|---|---|---|
| ≥ 70% | FR-Aaa · FR-Aa · FR-A | Strong cybersecurity posture with measured, documented and consistently applied controls. |
| 50 – 69% | FR-Baa · FR-Ba | Satisfactory posture with identified improvement areas and known residual risks. |
| < 50% | FR-B · FR-Caa · FR-Ca | Significant gaps requiring immediate attention; controls are partial, ad hoc or absent. |
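The domain-average, weighted-sum and risk-band steps described above, as an added Python example that is not Finnovia's code. The domain names, weights and answers are constructed for illustration and are not the published questionnaires or weights; only the three band boundaries are taken from the page, so no intermediate FR-level thresholds are reproduced.

```python
from typing import Optional

# Maturity levels from the page's table: each level maps to a fixed percentage.
LEVEL_SCORE = {0: 0.0, 1: 25.0, 2: 50.0, 3: 75.0, 4: 100.0}


def domain_score(answers: list[Optional[int]]) -> float:
    """Average of the answered questions as a percentage; None means Not Applicable."""
    scored = [LEVEL_SCORE[a] for a in answers if a is not None]
    if not scored:
        # The page does not define a domain where every answer is N/A;
        # this example refuses to score it rather than silently returning 0.
        raise ValueError("domain has no applicable answers")
    return sum(scored) / len(scored)


def overall_score(domains: dict[str, list[Optional[int]]],
                  weights: dict[str, float]) -> float:
    """Weighted sum of domain scores; weights must cover every domain and sum to 1."""
    if set(domains) != set(weights):
        raise ValueError("weights and domains do not match")
    if abs(sum(weights.values()) - 1.0) > 1e-9:
        raise ValueError("domain weights must sum to 1")
    return sum(weights[d] * domain_score(a) for d, a in domains.items())


def risk_band(score: float) -> str:
    """Map an overall score to the three risk bands published on the page."""
    if score >= 70:
        return "Strong (FR-Aaa / FR-Aa / FR-A)"
    if score >= 50:
        return "Satisfactory (FR-Baa / FR-Ba)"
    return "Significant gaps (FR-B / FR-Caa / FR-Ca)"


# Constructed sample: three hypothetical domains, one answer marked N/A in two of them.
SAMPLE_DOMAINS = {
    "governance": [3, 3, 3, None],   # all answered questions at level 3 -> 75%
    "incident":   [4, 2, None, 2],   # (100 + 50 + 50) / 3 -> 66.67%
    "supplier":   [1, 0, 2],         # (25 + 0 + 50) / 3 -> 25%
}
SAMPLE_WEIGHTS = {"governance": 0.5, "incident": 0.3, "supplier": 0.2}

if __name__ == "__main__":
    total = overall_score(SAMPLE_DOMAINS, SAMPLE_WEIGHTS)   # 37.5 + 20 + 5 = 62.5
    print(f"overall {total:.1f}% -> {risk_band(total)}")
```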
// DOMAIN WEIGHTS //
Each framework assigns different weights to its domains, reflecting regulatory priorities. Higher-weighted domains have a greater impact on the final rating.
DORA: 38 questions · 7 domains
ISO 27001: 56 questions · 10 domains
NIS2: 37 questions · 7 domains
// VALIDITY //
Every rating carries a fixed validity window. Once expired, it stops counting as a current credential and is no longer listed on the public ratings page.
| Validity | Counted from | Basis |
|---|---|---|
| 12 months | Submission date | Reflects answers submitted by the organisation. No analyst review at this stage. |
| 24 months | Analyst sign-off date | Audited control-by-control by a Finnovia analyst. Only verified ratings are published. |
// OUR COMMITMENTS //
Finnovia's methodology is built on transparency and rigor:
Public weights — domain weights are openly communicated.
Deterministic scoring — identical answers always produce identical scores. No subjective factors.
Regulatory alignment — questionnaires exhaustively cover each framework's requirements.
Independent verification — submitted assessments can be verified by a Finnovia analyst before publication.
// READY TO GET YOUR RATING //
Start with the free Discovery tier. Upgrade to a verified rating whenever you're ready.