A42-CC is Alliance42 Core Compliance - everything in A42-C plus the tools and processes you need to be fully NIS2-compliant. In one license, from one supplier.
One password manager for the whole organization. We deploy it, we train people on it, we make sure they actually use it. Most organizations have a password manager license - the problem is nobody makes sure people use it. That is the difference between "we have a tool" and "we have a solution".
Awareness training that actually changes behaviour. Monthly micro-lessons. Realistic phishing simulations calibrated to your industry. We track who clicks - not to shame anyone, but to know where to focus.
Daily encrypted backups. Documented recovery procedure. Tested quarterly - not "we assume it works". When something happens, we have rehearsed it.
Evidence builds as a byproduct of operations, not as an annual panic project. When the auditor asks, the pack is ready. When a customer asks if you are NIS2-ready, you have the documentation to show.
Risk assessments that update when your environment changes - not once a year because the auditor is coming. Policies your employees can actually read, not just lawyers.
2 times a year we run a realistic incident with your team - not a PowerPoint, but an actual exercise with timelines, decisions, and a debrief. Once a year is too little in a world where threats evolve this fast.
A42-CC bundles 7+ category-leading products in one license. If you were to buy the same separately - as category-leading solutions from the top vendors in each component - the bill would typically look like this. Numbers are industry standard for the SMB segment as of April 2026.
| Component | Typical separate price | What you get in A42-CC |
|---|---|---|
| 24/7 MDR + EDR | 250-400 DKK/license/mo | Included, category-leading threat detection with dedicated Threat Hunters |
| Vulnerability scanning + attack surface management | 30-50 DKK/license/mo | Included in the same stack |
| Password manager for the whole organization | 25-35 DKK/license/mo | Included, deployed and maintained |
| Awareness training + phishing simulation | 25-40 DKK/license/mo | Included, monthly micro-lessons, industry-calibrated |
| Backup & disaster recovery | 40-80 DKK/license/mo | Included, daily encrypted, quarterly tested |
| Risk assessment + policy platform | 30-50 DKK/license/mo | Included, updated when your environment changes |
| Tabletop exercises (facilitated) | 15,000-30,000 DKK per session x 2/year | Included, twice a year, with timelines and evaluation |
| Supplier compliance + DDQ handling | 20-40 DKK/license/mo | Included, automated |
Typical separate price: 250-400 DKK/license/mo
What you get in A42-CC: Included, category-leading threat detection with dedicated Threat Hunters
Typical separate price: 30-50 DKK/license/mo
What you get in A42-CC: Included in the same stack
Typical separate price: 25-35 DKK/license/mo
What you get in A42-CC: Included, deployed and maintained
Typical separate price: 25-40 DKK/license/mo
What you get in A42-CC: Included, monthly micro-lessons, industry-calibrated
Typical separate price: 40-80 DKK/license/mo
What you get in A42-CC: Included, daily encrypted, quarterly tested
Typical separate price: 30-50 DKK/license/mo
What you get in A42-CC: Included, updated when your environment changes
Typical separate price: 15,000-30,000 DKK per session x 2/year
What you get in A42-CC: Included, twice a year, with timelines and evaluation
Typical separate price: 20-40 DKK/license/mo
What you get in A42-CC: Included, automated
You typically save: Time - no 7 vendors to coordinate. Money - often 10-30% depending on your current stack. Risk - no gaps between tools that do not talk to each other.
The most important point is not the price. It is what you do not have to do: no 7 contracts to negotiate, no 7 invoices to approve, no 7 support contacts to remember, no 7 tools that do not talk to each other, no integration that becomes someone's "side project that never got finished". One vendor. One invoice. One person responsible. That is what A42-CC is about - not the savings, but the simplification.
The 24/7 MDR line alone costs as much as the entire A42-CC license on the market. The rest - backup, password manager, awareness, tabletop, evidence, all of it - you get on top.
Actual prices vary by agreement, volume and contract length. The numbers here are based on industry standard for the SMB segment as of April 2026. We update this comparison biannually or when significant market price changes occur. If our numbers are wrong, write to us - we will fix it immediately.
The numbers above are useful because they show that A42-CC is not expensive. But the price is actually the least interesting argument.
What is interesting is what you get back in time and focus. When NIS2 compliance, security operations, awareness training, backup, password management and incident response are handled as one unified service, your organization no longer needs to have opinions about individual components. No internal discussions about which backup vendor to choose. No quarterly reviews of whether the password manager is still the right one. No "let us make a decision about phishing training at the next management meeting".
You have one vendor, one person responsible and one service. That means your IT manager, your leadership team and your board can spend their time on what they actually need to decide: where your business is going, how you grow, how you differentiate. Not whether the backup solution should be upgraded to Pro tier next year.
Premium service should not cost a fortune. And just as importantly: it should not steal your most valuable resource - your attention.
We will never have more than 42 clients on A42-CC. It is written into your contract. Premium service requires focus - you should not be customer number 837 in a queue.
Write down how you manage cyber risk - and keep it current.
Annual risk assessment with quarterly updates and a live risk register
Ready-to-adopt policy pack (information security, access control, incident, BCP/DR)
Signed policies, risk register, remediation plan.
Spot incidents fast; know who does what; report on time.
24/7 monitoring and response with an incident playbook aligned to regulatory timelines
Defined severity, escalation paths, and post-incident reviews captured as evidence
Incident logs, timelines, and post-incident review notes.
Your data is backed up - and you can prove you can restore it.
Immutable backup policies for collaboration suites and servers; agreed RPO/RTO
Scheduled restore tests and crisis/DR playbooks
Restore test reports and DR exercise summaries.
Check that vendors don't become your weakest link.
Supplier DDQ templates, vendor register model, and baseline security clauses
Monthly external exposure snapshot with tracked remediation for high-risk findings
Completed DDQs, vendor register, exposure snapshot & tickets.
Build and change systems securely; fix vulnerabilities on time.
Patch SLAs and continuous vulnerability/exposure reviews with change guidance
Coordinated vulnerability handling and disclosure procedures
Patch compliance, vulnerability reports, change records.
Measure what works. Quarterly management reviews with concrete metrics - not once a year because the auditor is coming.
Quarterly management reviews with detection and response metrics, recovery tests and prioritized remediation
Exportable evidence packs showing what was measured, what was found, and what was done about it
Quarterly reports with metrics, remediation log, consolidated evidence pack (portal/PDF export)
Awareness training that actually changes behavior. Monthly micro-lessons. Realistic phishing simulations calibrated to your industry. We track who clicks - not to shame them, but to know where to focus.
Managed awareness program with monthly micro-lessons, industry-calibrated phishing simulations and completion tracking
Training records per employee, completion rates, phishing simulation results, quarterly behavior report
Data protected in transit and at rest - by policy and in practice, not just on paper.
Encryption standards defined in policy: TLS 1.3 for data in transit, AES-256 for data at rest
Email authentication baseline (SPF/DKIM/DMARC) and periodic verification checks logged as evidence
Encryption policy, configuration reports, email authentication verification log
Right people, right access, hardened devices, clear inventory. Not a spreadsheet from 2019.
Joiner/Mover/Leaver access matrix with role-based access reviews - so access is removed when people change roles or leave
Device baseline: disk encryption, screen lock, patch KPIs. Asset register updated continuously, not once a year
Access review records, device posture reports, asset register
MFA deployed from day one. We do not accept "we will do it later" - it is the cheapest insurance you can buy. Identity and access management is part of the license, not an add-on.
MFA enforced across all relevant systems from day one. Identity management included in the license
Documented emergency contacts and escalation paths, tested in tabletop exercises. Secure communication guidance
MFA coverage report, audit log of MFA events, exception handling process
“NIS2 isn't a checkbox. It's a board-level liability now. I built A42-CC so the evidence pack is ready before the auditor asks, not assembled in a panic the week before.”
Tobias Lauge JensenFounder & CEO, Alliance42
No sales team. No call center. Just me.