NIS2 Quality Mark

If, as a supplier, you want to be able to demonstrate that you work securely digitally, the NIS2 Quality Mark is available.

DigiTrust is available as a selected specialist to audit and certify your organisation.

Assessing your information security management system is our core business. We have our own team of auditors, who look closely at the context of your organisation.

More than 500 organisations have already gone before you.


NIS2 Quality Mark certification

NIS2 Directive - Quality Marks

On 10 October 2024, the Quality Innovation Foundation, the holder of the NIS2 Quality Mark, launched the European NIS2 Quality Mark. The NIS2 legislation states that essential and important companies, also known as NIS2 companies, are responsible for the cyber security of their supply chain. This means that they have to start requiring their direct suppliers, mostly SMEs, to be able to demonstrate that they work securely digitally. An NIS2 Quality Mark certificate provides this proof.

In the Netherlands, the European NIS2 has been translated into the Cyber Beveiligingswet (CBW) as a replacement for the Wbni. Each country has made its own translation into local legislation, so each country has its own specific websites and information.

NIS2 organisations and their suppliers

NIS2 Quality Mark has 3 levels, tailored to the risk of the service provided.

  1. NIS2-QM10 (Basic)
  2. NIS2-QM20 (Substantial)
  3. NIS2-QM30 (High)

The different levels

Within the NIS2 Quality Mark, there are 3 levels. 

NIS2-QM10 Basic Level 

  • Organisational control measures
  • People-centred management measures
  • Physical management measures
  • Technological management measures

Download the full QM10 requirements here <link>

NIS2-QM20 Substantial Level

  • Organisational control measures
  • People-centred management measures
  • Physical management measures
  • Technological management measures
  • OT management measures
  • IT management measures

Download the full QM20 requirements here <link>

NIS2-QM30 High Level

  • Organisational control measures
  • People-centred management measures
  • Physical management measures
  • Technological management measures
  • OT management measures
  • IT management measures

 

Download the full QM30 requirements here <link>

More information on the NIS2 Quality Mark can be found on the website.

Which NIS2 Quality Mark is applicable to your organisation?

What type of organisation are you?

Many SME organisations provide services to so-called NIS2 companies. 
To determine whether or not you yourself are an NIS2 organisation, the NCSC has made a poster and an online NIS2 self-assessment tool.
Organisations characterised as an NIS2 organisation are required to register with the NCSC. <link>
 
Within the NIS2 legislation, a distinction is made between essential and important companies; these are also called NIS2 companies. These companies, as well as their supply chain, have to comply with NIS2 legislation.
The NIS2 Quality Mark helps with this. 

Suppliers

NIS2 organisations must start requiring their suppliers, mostly SME organisations, to be able to demonstrate compliance with NIS2 legislation. Having an ISO27001 certificate is not enough for this purpose. The NIS2 Quality Mark certificate provides additional proof for this.

Quality Mark 10 (QM10) 

If your organisation is not subject to registration, but you provide services to an NIS2 organisation, your organisation must also comply with NIS2.
 
For most SME organisations, Quality Mark level 10 (QM10) will be sufficient to demonstrate that you have the basics in place.

Quality Mark 20 (QM20)

However, if your organisation provides ICT or OT services, your client may demand QM20 or even QM30. Of course, this strongly depends on the risk the client has regarding your delivered service and the impact on the GIS:
  • Availability (is the system there or not)
  • Integrity (is the data in the systems correct)
  • Confidentiality (is it well regulated who may or may not see what)

Quality Mark 30 (QM30)

If your organisation is directly covered by the NIS2 and you are therefore subject to registration, then the NIS2 Quality Mark level 30 is the minimum applicable for your organisation. Having an additional accredited ISO27001/NEN7510/IEC 62443 certification is highly recommended.

How long does a certification audit take?

A table is available, detailing how much audit time is required per standard for each type of organisation. Depending on your context, the audit time within the range may be lower or higher.

NIS2 Directive - Quality Marks

Source: website NIS2 Quality Mark

Note: if you already have an ISO27001/NEN7510 certification, you will be granted a waiver on specific requirements already covered within this certification. This therefore reduces the number of audit hours in the table above.

How do you apply for NIS2 Quality Mark certification?

If you believe you meet all the requirements of the NIS2 Quality Mark, DigiTrust is authorised to conduct an audit at your premises. Contact us to start this certification.

If the audit is completed positively by DigiTrust, the Quality Innovation Foundation will prepare and publish the certificate for you. There will be a central register of this.

The certificate is valid for 3 years.

Contact us for a no-obligation quote.
