EN 
NL 
DE 
NIS2 Directive - Quality Mark
NIS2 legislation describes that essential and important companies, also known as NIS2 companies, are responsible for the cyber security of their supply chain. This means that they have to start requiring their direct suppliers, mostly SMEs, to be able to demonstrate that they work securely digitally. NIS2-compliant organisations demonstrate this with an NIS2 Quality Mark certificate.
DigiTrust can provide you and your suppliers in accordance with the NIS2 Quality Mark auditing and certification.
What type of organisation are you?
Many SME organisations provide services to so-called NIS2 companies. To determine whether or not your organisation itself is an NIS2 organisation, the NCSC has a poster made and online NIS2 self-assessment test. Organisations characterised as an NIS2 organisation must of course comply with the NIS2 guideline and are also required to register with the NCSC. <link>
note: Each country has made its own translation of the European NIS2 legislation. In the Netherlands, this will be the Cyber Beveiligings Wet, abbreviated CBW. This law is expected to be published June/July 2025.
Within the NIS2 legislation, a distinction is made between essential and important companies, these are also called NIS2 companies. These companies have to comply with the NIS2 legislation themselves, but also their supply chain. So the NIS2 Quality Mark helps with this.
NIS2 guideline: different levels
Within NIS2 Quality Mark, there are 3 levels, tailored to the risk of the service provided.
- NIS2-QM10 (Basic)
- NIS2-QM20 (Substantial)
- NIS2-QM30 (High)
Suppliers - NIS2 guideline
NIS2 organisations must start requiring their suppliers, mostly SME organisations, to be able to demonstrate compliance with NIS2 legislation. Having an ISO27001 certificate is not enough for this purpose. For this, the NIS2 Quality Mark certificate provides additional evidence with which they demonstrate compliance with the NIS2 guideline.
Quality Mark 10 (QM10)
If your organisation is not subject to registration, but you provide services to an NIS2 organisation, your organisation must also comply with NIS2. For most SME organisations, Quality Mark level 10 (QM10) will be sufficient, to demonstrate that you have the basics in place.
Quality Mark 20 (QM20)
However, if your organisation provides ICT or OT services, your client may demand QM20 or even QM30. Of course, this strongly depends on the risk the client has regarding your delivered service and the impact on the GIS.
- Availability (is the system there or not),
- Integrity (is the data in the systems correct) and the
- Confidentiality (is it well regulated who may or may not see what)
Quality Mark 30 (QM30)
If your organisation falls directly under the NIS2 and you are therefore subject to registration, then the NIS2 Quality Mark level 30 will apply to your organisations at a minimum. Having an additional, under accreditation ISO27001/NEN7510/IEC 62443 Certification is highly recommended.
How long does a certification audit take?
A table is available, detailing how much audit time is required per standard for each type of organisation. Depending on your context, the audit time within the range may be lower or higher.
note; if you already have an ISO27001/NEN7510 certification, you will be granted a waiver on specific requirements already covered within this certification. This reduces the number of audit hours in the table above.
How do you apply for NIS2 Quality Mark certification?
If you believe that you meet the NIS2 guideline of the NIS2 Quality Mark, DigiTrust is authorised to conduct an audit at your premises. Please contact us to initiate this certification. If the audit is completed positively by DigiTrust, the Quality Innovation Foundation will prepare and publish the certificate for you. There will be a central register of this.
The certificate is valid for 3 years. Contact us for a no-obligation quote: sales@digitrust.nl
