Supply chain security is not a compliance checkbox. It is a geopolitical necessity. The gap between what organisations document and what they actually know is too large to ignore.
Europe’s critical infrastructure depends on supply chains that most organisations cannot fully see. Vendors are assumed to be trustworthy. Sub-suppliers are assumed to be safe. Dependencies are assumed to be understood. Most of the time, those assumptions are never tested. until something goes wrong.
We believe that the standard approach to supply chain security: questionnaires, policy documentation, annual assessments. does not close this gap. It creates the appearance of control without producing the evidence to back it. A completed questionnaire is not proof that a supply chain is secure. It is proof that someone filled in a form.
Zitha & Houwen was founded to do this differently. Not because we have done it at scale before. we are at the start of that journey. but because we are convinced the methodology is right, the need is urgent, and someone has to build this properly. This is our contribution.
Europe is more exposed than it recognises. The dependencies that run through our critical infrastructure are not just technical. they are geopolitical. Who owns the platform. Where the code is written. Which state has leverage over the vendor.
The regulatory frameworks. NIS2, DORA, CRA. are a start. But regulation alone does not produce resilience. Organisations need the capacity to actually understand what they depend on, and to make decisions grounded in evidence rather than assumption. That is the gap we are here to close.
The regulatory obligation matters. But the deeper motivation is simpler: organisations across Europe are relying on supply chains they do not fully understand, at a moment when understanding them has never been more consequential. We want to change that.
Processes and policies describe intent. Evidence describes reality. We are interested in the latter: a picture of the supply chain grounded in signals, not self-reports, maintained continuously rather than assembled at audit time.
A completed questionnaire is evidence that someone filled in a form. We build instruments that demonstrate what an organisation actually knows about its dependencies. It can be defended under scrutiny, to a board, to a regulator, or to the organisation itself.
We built the methodology, the framework, and the thinking from the ground up. We work directly with the organisations we engage. No layers, no handoffs.
If you recognise the problem we are describing and want to understand how our methodology applies to your organisation, we welcome the conversation.