
30% of Breaches Come From Third Parties. Manufacturing Is the #1 Ransomware Target. The "G" in ESG Now Means Cyber.

30% of breaches originate from third parties. Marupass captures governance data alongside emissions for DORA/NIS2 supply chain audits.


Executive Summary (The 30-Second Brief)

  • The Threat: DORA (22,000+ financial entities) and NIS2 (160,000+ entities across 18 sectors) mandate cybersecurity supply chain audits. Manufacturing has been the #1 ransomware target for 4 consecutive years with attacks up 87%. Penalties reach EUR 10M or 2% of global turnover.
  • The Friction: Carbon calculators have zero governance fields. Cybersecurity audits require incident response plans, access controls, penetration testing results, and business continuity documentation that no emission tool can produce.
  • The Marupass Solution: Marupass uses AI to extract data from raw PDFs and locks it on a Blockchain Audit Trail, instantly generating ESRS G1 governance-complete ESG reports without manual entry.

The Audit That Is Not About Carbon

Your buyer's compliance team sends an audit request. You expect the usual: Scope 1, Scope 2, energy consumption, waste generation.

Instead, the questionnaire asks:

  • Do you have a documented incident response plan?
  • What is your average time to detect and contain a security breach?
  • Do you conduct regular penetration testing of your systems?
  • What access controls exist for operational technology (OT) systems?
  • Do you have a business continuity plan for ransomware scenarios?

This is not an ESG questionnaire. This is a cybersecurity supply chain audit — mandated by two EU regulations that are already in force. And your carbon calculator has zero answers.


Two Laws. 182,000 Entities. Your Supply Chain.

Two EU regulations have made cybersecurity a supply chain compliance obligation:

DORA — Digital Operational Resilience Act

  • Effective: January 17, 2025
  • Scope: 22,000+ financial entities (banks, insurers, investment firms, payment processors) and their ICT service providers
  • Key requirement: Financial entities must maintain a register of all ICT third-party service providers, assess their risk annually, and ensure sub-contractor compliance through the supply chain

NIS2 — Network and Information Security Directive

  • Transposition deadline: October 17, 2024
  • Scope: 160,000+ entities across 18 sectors (energy, transport, banking, health, manufacturing, digital providers, food production, chemicals, waste management)
  • Key requirement: In-scope entities must incorporate cybersecurity risk management into contractual arrangements with direct suppliers

Neither law directly targets SME suppliers. But both require covered entities to assess and document the cybersecurity posture of their supply chain.

The mechanism is identical to CSRD: your buyer is subject to the regulation. The regulation requires them to audit their supply chain. The audit cascades to you.


The Numbers That Should Keep You Awake

| Metric | Value | Source / Note |
| --- | --- | --- |
| Breaches involving third parties | 30% (doubled from 15%) | Verizon DBIR 2025 |
| Third-party breach cost | $4.91 million average | IBM/Ponemon 2025 |
| Manufacturing ransomware attacks (Q3 2024) | 394 (71% of all attacks) | Industry reports |
| Manufacturing ransomware increase | +87% year-over-year | 4th consecutive year as #1 target |
| OT environments with insecure remote access | 65% | Security assessments |
| Detection time for supply chain breaches | 267 days | Nearly 9 months hidden |
| NIS2 penalties | €10M or 2% of global turnover | Plus C-level personal liability |
| NIS2 incident reporting | 24 hours for early warning | Rapid disclosure required |
| New CISA ICS advisories (2024) | 241 across 70 vendors | 619 vulnerability disclosures |

Manufacturing has been the #1 ransomware target for four consecutive years. Ransomware attacks against industrial targets spiked 87% in 2024. 65% of operational technology environments have insecure remote access conditions. Supply chain breaches take an average of 267 days to detect and contain.

The convergence is unmistakable: cybersecurity is no longer an IT problem. It is an ESG materiality issue.


Why MSCI Agrees: Cyber Is ESG

ESG rating agencies have recognized cybersecurity as a material ESG factor:

  • MSCI ESG Ratings: Cybersecurity can account for up to 29% of the ESG score for retail companies, 28% for telecom, and 20% for healthcare
  • Sustainalytics: "Data Privacy and Security" is a standalone Material ESG Issue assessed via 200+ indicators and 1,800+ data points

ESRS explicitly reinforces this:

  • ESRS G1 (Business Conduct): Covers financial stability through robust cybersecurity, proactive steps to prevent business interruptions, and digital asset protection
  • ESRS S1 (Own Workforce): Covers digital working conditions, data protection of employees, and digital rights

The "G" in ESG now includes digital governance. A company that reports excellent environmental performance but has no incident response plan, no access controls, and no business continuity documentation has answered E but left G partially blank.


The OT/IT Convergence Problem

Manufacturing faces a unique cybersecurity challenge that other sectors do not: the convergence of operational technology (OT) and information technology (IT).

Traditional IT environments — email servers, databases, cloud applications — have decades of security tooling. OT environments — programmable logic controllers (PLCs), SCADA systems, industrial sensors, robotic arms — were designed for reliability and uptime, not security.

| Dimension | IT Systems | OT Systems |
| --- | --- | --- |
| Design priority | Confidentiality, integrity | Availability, safety |
| Patching cycle | Weekly/monthly | Annual or never (uptime priority) |
| Network isolation | Standard practice | Increasingly connected for Industry 4.0 |
| Average system lifespan | 3-5 years | 15-25 years |
| Authentication | Multi-factor standard | Shared passwords common |

When these two worlds converge — as they must for Industry 4.0, IoT monitoring, and digital twin implementations — the attack surface explodes. 65% of OT environments have insecure remote access conditions. A ransomware attack that would merely encrypt files in an IT-only environment can halt production lines, damage equipment, or create safety hazards in a converged OT/IT environment.

This is why manufacturing has been the #1 ransomware target for four consecutive years. The payoff for attackers is higher: production downtime costs manufacturers $260,000 per hour on average, which makes manufacturers more likely to pay ransoms quickly.


Your Carbon Tool Has Zero Governance Fields

This is not a feature gap that can be fixed with a software update. It is an architectural limitation.

Carbon calculators ingest:

  • Utility bills → energy consumption → emission factors → tCO2e

Cybersecurity supply chain audits require:

  • Incident response plan documentation
  • Access control framework evidence
  • Penetration testing results
  • Business continuity plan documentation
  • OT/ICS security assessment results
  • Employee security training records
  • Vendor risk management procedures

These are governance and policy documents — not energy data. They come from IT departments, security teams, and compliance offices — not from utility bills or production logs. No amount of emission calculation sophistication can produce an incident response plan.

Active Defense Shield: When your buyer's DORA or NIS2 audit asks for cybersecurity governance documentation, the supplier who already has structured governance data — policies, procedures, training records, incident response plans — alongside their environmental data provides a complete ESG response. The supplier who only has carbon data has answered one pillar and left two blank.


The Complete ESG Equation

Consider the three pillars of ESG through the lens of supply chain compliance:

| Pillar | Traditional Data | Emerging Data |
| --- | --- | --- |
| Environmental | Emissions, energy, water, waste | Biodiversity, circular economy |
| Social | Workforce, safety, training | Modern slavery due diligence, just transition |
| Governance | Anti-corruption policy, board oversight | Cybersecurity posture, data protection, digital resilience |

For the past decade, the sustainability industry focused overwhelmingly on E — building carbon calculators, emission tracking systems, and environmental reporting tools. Social (S) received attention through modern slavery legislation and human rights due diligence.

Governance (G) is the pillar that was left behind. And now, with DORA, NIS2, and the integration of cybersecurity into ESG ratings, governance is catching up — fast.

The supplier who has invested in environmental data infrastructure has a head start on E. But E alone is one-third of the ESG equation. The supplier who adds S and G to their data platform has a complete answer. The supplier with only E has a partial answer — and partial answers lose contracts.


Japan's Cybersecurity Landscape

Japan has its own cybersecurity regulatory momentum:

  • Economic Security Promotion Act (ESPA): Fully in force since May 2024. Four pillars covering critical materials, essential infrastructure, advanced technologies, and patent security
  • National Cybersecurity Office: Restructured from NISC in July 2025 under the Active Cyber Defense Act
  • Tightened vendor scrutiny: Japan now requires critical sectors to disclose procurement sources and undergo risk assessments for foreign ICT vendors
  • Incident notification expansion: Draft guidelines propose broader notification requirements including near-misses

For Japanese SMEs supplying EU-regulated financial institutions or NIS2-covered entities, the compliance pressure is dual-directional: Japanese domestic requirements AND EU supply chain cascades.


How Marupass Captures the Governance Dimension


Marupass was architecturally designed for three ESG pillars — not one. The Governance dimension is a core data layer.

Governance Policies Table

The Universal ESG Ledger captures governance policies alongside resource flows and social events:

  • Information security policies: Documented and timestamped
  • Business continuity plans: Version-controlled and verified
  • Access control frameworks: Structured and exportable
  • Incident response procedures: Recorded and auditable
  • Training records: Hours per employee, curriculum coverage, completion rates

ESRS G1 Adapter

Your buyer's CSRD disclosure requires ESRS G1 (Business Conduct) data — including digital governance. The ESRS adapter extracts governance policy data and formats it for buyer disclosure. You document your governance practices. Marupass handles the regulatory translation.

Adversarial Governance Verification

The Adversarial AI Auditor applies governance-specific verification:

  • Is the incident response plan documented with specific procedures?
  • Are training records consistent with headcount data?
  • Do access control policies reference current system architecture?
  • Is business continuity documentation current and complete?

Cryptographic Proof of Policy Documentation

Every governance policy entry in the ledger is anchored with a Cryptographic Proof Token — proving when the policy was documented and that it has not been modified since. In a NIS2 audit, this is not a verbal assurance. It is mathematical proof of documentation integrity.
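To make the integrity claim above concrete, here is an added example (not Marupass code; the page does not describe its actual token format) of a hash-chained policy ledger: each entry commits to the document's SHA-256, its recorded timestamp, and the previous entry's proof, so verification detects an edited document, an altered entry, or a rewritten history. The policy names, texts and dates are constructed sample data.

```python
import hashlib
import json

GENESIS = "0" * 64  # prev_proof value for the first ledger entry

def sha256_hex(data: str) -> str:
    return hashlib.sha256(data.encode()).hexdigest()

def proof_of(entry: dict) -> str:
    # Hash of the entry minus its own proof field, over a deterministic serialisation
    body = {k: v for k, v in entry.items() if k != "proof"}
    return sha256_hex(json.dumps(body, sort_keys=True, separators=(",", ":")))

def append_policy(ledger: list, policy: str, document: str, recorded_at: str) -> str:
    """Anchor one governance document in the ledger and return its proof hash."""
    entry = {
        "policy": policy,
        "doc_sha256": sha256_hex(document),
        "recorded_at": recorded_at,
        "prev_proof": ledger[-1]["proof"] if ledger else GENESIS,
    }
    entry["proof"] = proof_of(entry)
    ledger.append(entry)
    return entry["proof"]

def verify_ledger(ledger: list, documents: dict) -> tuple:
    """Recheck every link; returns (True, -1) or (False, first bad index). documents: policy -> current text."""
    prev = GENESIS
    for i, entry in enumerate(ledger):
        chain_ok = entry["prev_proof"] == prev          # links to the entry before it
        entry_ok = proof_of(entry) == entry["proof"]     # entry fields unchanged since anchoring
        doc_ok = sha256_hex(documents.get(entry["policy"], "")) == entry["doc_sha256"]
        if not (chain_ok and entry_ok and doc_ok):
            return False, i
        prev = entry["proof"]
    return True, -1

# Constructed sample documents; names and text are illustrative, not real policies.
SAMPLE_DOCS = {
    "incident_response_plan": "IRP v1: detect within 4h, contain within 24h, notify per NIS2.",
    "business_continuity_plan": "BCP v1: restore line A from offline backups within 48h.",
}

def build_sample_ledger() -> list:
    ledger = []
    for name, date in (("incident_response_plan", "2025-01-10T09:00:00Z"),
                       ("business_continuity_plan", "2025-02-03T14:30:00Z")):
        append_policy(ledger, name, SAMPLE_DOCS[name], date)
    return ledger
```

A chain like this proves that nothing changed after anchoring; proving *when* an entry was anchored additionally needs the head proof committed to something the supplier cannot rewrite (a trusted timestamping service or a public ledger), which is the role a blockchain audit trail plays.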


The Complete ESG Response

30% of breaches from third parties. Manufacturing as the #1 ransomware target. DORA and NIS2 cascading to supply chains. MSCI weighting cybersecurity up to 29% of ESG scores. ESRS G1 requiring digital governance disclosure.

Your buyer's next audit will not ask just about emissions. It will ask about governance, security, and resilience. The supplier who provides a complete ESG response — E, S, and G — from a single verified data platform answers every question. The supplier who only has environmental data has answered one-third of the ESG equation.

30% third-party breaches. #1 ransomware target. €10 million penalties. The "G" in ESG now means cybersecurity governance. The supplier who documents information security policies alongside environmental data provides a complete ESG response. The supplier who only has carbon data leaves governance blank. That is not compliance. That is an active defense shield for the age of mandatory supply chain cyber resilience.

Watch the Magic Trick. You don't need another sales call. Watch our 3-minute interactive demo to see exactly how our AI turns a raw PDF into a verified governance-complete ESG report instantly.

Your enterprise buyers need verified data. You need to protect your operational time. The gap between their question and your answer is just one email forward.