Insights from the Experts

Dr. Michel A. Dutrée

Chairman, Stichting Kwaliteitsinnovatie

The NIS2 law and the NIS2 Quality Mark: the game changers

Our collective challenge: A secure digital foundation

Digital security is of paramount importance in the business world. The new NIS2 legislation poses new challenges for companies. As we all know, the digital world we live in is constantly evolving, offering both opportunities and threats. It is therefore vital that we work together to create a solid foundation for digital security so that organisations can work together without significant risk.

Our mission

Our mission is for all companies and organisations in Europe to adopt a minimum but robust set of cybersecurity standards and comply with the NIS2 Cybersecurity Act. We offer a growth model that starts with the basics: a minimum level of cyber hygiene. This foundation, known as the QM10 standard, is what we should expect from each other to work together securely. We want every company in Europe to achieve at least this basic cyber standard. We believe that if companies want to work together and build long-term relationships, there needs to be a minimum digital foundation for that agreement, so that digital collaboration can take place with confidence.

NIS2, the game changer, as a catalyst

The introduction of NIS2 (Network and Information Security Directive) is a game changer for cyber security. It marks a significant step forward in improving our digital security. The directive requires more than 100,000 large organisations in Europe to actively engage in cybersecurity, which is a milestone and a game changer in this area. Whereas in the past, cybersecurity was often approached on a voluntary basis, it is now mandatory. This is the catalyst for a structural change in how organisations should approach their digital security.

The chain reaction

NIS2 is not limited to large organisations. Through the supply chain, more than 400,000 suppliers, organisations and businesses of all sizes are also involved in the supply chain obligation. This means that many organisations across Europe face a significant challenge. Implementing effective cybersecurity measures is no longer an option, it is a necessity. Each link in the chain must take responsibility for ensuring overall security wherever there is a risk component. It is essential to agree that there is a demonstrable minimum level of cybersecurity, a minimum level of cyber hygiene, in any collaboration. NIS2-QM10 is the minimum standard for any collaboration.

Differentiating cybersecurity needs

Our mission is possible because the European Union recognises that cybersecurity needs and measures vary according to the size and complexity of organisations. We have created a tailored, three-tiered system of standards, developed in collaboration with dozens of experts and industry organisations. This approach makes cybersecurity scalable, making NIS2 achievable for every organisation and allowing us to grow together in security.

Our standard, known as the NIS2 Quality Mark, is a flexible and scalable framework that helps organisations of different sizes and sectors to meet the requirements of NIS2. It provides a step-by-step approach that allows organisations to scale their cybersecurity measures as their needs grow. This ensures that even the smallest organisations can achieve a good level of protection by achieving NIS2-QM10 without unnecessary complexity or over-investment.

With NIS2-QM10, we have collectively established a robust standard that meets the minimum cyber hygiene requirements that we, as collaborating organisations, should expect from each other. Creating the standard was relatively easy. The government helped us by publishing various guidelines and advice online, and we also carefully considered the minimum standard required to obtain cyber security insurance. These aspects together led to the creation of the minimum standard: NIS2-QM10.

Companies with a higher risk profile can opt for NIS2-QM20 or NIS2-QM30. NIS2-QM30 includes all the components of NIS2, plus the IT and OT components required for 360-degree security in complex manufacturing environments.

3 levels of NIS2 cyber security as a growth path for supply chain collaboration

Achieving goals through collaboration and support

Thanks to the collaboration of dozens of industry associations, we are helping businesses meet this enormous challenge. It is vital that businesses take the right steps now, because everything is digital now. With a mix of online working, remote support, business intelligence and AI, we also aim to alleviate capacity challenges in auditing. Our approach focuses on collaboration with other parties. Together, we can provide organisations and companies not only with the standard, but also, through collaborative partners, with the tools and knowledge they need, and the practical support to use them effectively. Training, guidance and ongoing support are essential components to ensure that organisations can confidently address and overcome cyber threats.

Integration and growth path with established standards

By adding our standard with a specific focus on the supply chain to the cybersecurity standards landscape, we provide a growth path to well-known standards such as ISO27001, NEN7510 and widely used frameworks such as NIST. The path of continuous focus and growth in cybersecurity systematically leads to sustainable and ever-improving digital security.

Companies and organisations using the NIS2-QM standards will add measures to their security each year. This standard requires annual attention and is therefore not a static standard. This would not be possible given the dynamic nature of cyber security, where new threats are constantly emerging.

Integration with existing standards ensures that organisations that have already taken steps in their cybersecurity strategy can seamlessly extend and improve those efforts. Through mapping and transparency, we avoid duplication of effort. It is about implementing real measures that achieve security, not the name of the standard or the certification mark.

Building safety together

I am particularly proud to serve as chairman of the Stichting Kwaliteitsinnovatie, which combines today’s challenges with a high-quality standard that we want to roll out across Europe. Our standard aims to become a valued tool. Together we can build a secure digital future for all. Our joint efforts will contribute not only to a safer digital environment, but also to the trust and resilience of our economy and a secure digital society.

Thank you for your attention and commitment to a safer digital world.

Yours sincerely,
Dr Michel A. Dutrée
President, Stichting Kwaliteitsinnovatie

Peter Noordhoek

Director-Secretary of the Quality Innovation Foundation

Meeting Cybersecurity Standards: From Local to Global

With the introduction of the new European NIS2 directive, a new cybersecurity standard for SMEs is coming: the NIS2 Quality Mark. Dr. Peter Noordhoek, director-secretary of the Quality Innovation Foundation, was at the basis of this development.

What is the basic idea behind the NIS2 Quality Mark?

Peter: ‘The NIS2 is a law that affects many companies and sectors. There are many laws, which can be challenging for companies. Industry organizations are used to laws, standards, and quality marks. In this case, it turned out that there was a need for a translation of the law into a standard. In the Netherlands alone, an estimated 50,000 to 70,000 companies will be directly or indirectly affected by NIS2. That’s a huge number, and our challenge was to develop a standard that is not only effective but also affordable and accessible to all these companies, regardless of their size.’

How would you describe the NIS2 Quality Mark?

Peter: ‘The NIS2 Quality Mark was launched last year for the Netherlands and has now been further developed. Going international was always the plan, and now it’s happening. Dutch companies are strongly internationally oriented, and as the fifth largest export country and eighth largest import country in the world, it is essential that these companies meet the cybersecurity requirements of international partners. NIS2 Quality Mark certification helps companies demonstrably comply with cybersecurity. This is essential for our international competitive position.’

Is it gaining traction?

Peter: ‘Indeed, it’s progressing very well. We have a collaboration with Samen Digitaal Veilig. By now, 64 industry organizations (with a reach of more than 100,000 companies) are communicating this to their members as a standard. Many companies are already working on achieving it. We’re very happy about that.’

There are various levels, how does that work?

Peter: ‘In the market, there are very good, but quite heavy frameworks and standards (such as NIST, ISO27001, and NEN7510) that are suitable for large, more complex organizations. Below that, there was nothing. Now, there is. We have created three levels as a ladder to higher standards. This is possible because NIS2 is about risk, and not every company poses an equally severe risk. So there’s room for differentiation. We’ve utilized that. ENISA, the European cyber agency, opened the door a few years ago with the announcement of tiered standards for laws. This is very beneficial. We’re now reaping the benefits of that.

The basic standard NIS2-QM10 offers companies the opportunity to start with a basic level of security. This standard is at the same level as what the NCSC has on their website and helps companies immediately get started with the first crucial steps.

NIS2 includes the obligation to secure the supply chain. So NIS2 organizations must check their suppliers if there is a risk. Low risk? Then a low standard is sufficient. More risk, such as with IT companies, then companies can, depending on their risk profile and needs, grow to QM20 and QM30. This tiered model is deliberately designed to be scalable and flexible, so that both small and larger companies can implement it. This significantly lowers the threshold to start with cybersecurity.

What’s important is that we don’t want companies to see certification as the end goal. The goal is for companies to actually become and remain safe. Certification is just a means to achieve that goal.’

What are the main advantages of the NIS2 Quality Mark?

Peter: ‘The biggest advantage is the simplicity and comprehensibility of the standard. Additionally, the standard can be downloaded free of charge from our website. We’ve created a structure that companies can quickly implement, without getting stuck in complex certification processes that cost a lot of time and money.

Moreover, our model is scalable. This tiered model is suitable for both small and large companies. We also prevent duplication in the application of standards: for each standard, it’s described where it touches other standards. If that standard has already been tested, it doesn’t need to be done again with us. We don’t want to impose double work. That would only frustrate.’

How does this standard support companies internationally?

Peter: ‘The standard not only helps companies comply with the new European legislation and regulations but also allows SMEs to collaborate with their foreign customers and suppliers. The requirements from NIS2 regarding the supply chain are crystal clear. Companies must comply with these to continue doing business. With the NIS2 Quality Mark, we ensure that Dutch companies are ready to meet the cybersecurity requirements of their international partners.’

Hans ten Hove

Area Vice President for Continental Europe at Kaseya

Not all businesses are the same – it’s a good thing the NIS2 Quality Mark includes different risk levels

Kaseya is a global provider of IT and security management solutions for Managed Service Providers (MSPs) and mid-sized businesses. The company offers an integrated platform that enables IT professionals to efficiently manage and secure their infrastructure. In June 2022, Kaseya acquired Datto, a provider of security and cloud-based software solutions developed specifically for MSPs. We speak with expert Hans ten Hove.

Prevention and recovery are the two key pillars of the (upcoming) NIS2 Directive. How important is it to clearly explain that?
Hans: “Extremely important. Many businesses still view cybersecurity as something like ‘I’ll just buy an antivirus package and then I’m safe’. But NIS2 is about a much broader approach:

• Prevention – what must your organisation do to protect itself as effectively as possible?
• Recovery – what happens if something does go wrong? Do you have an emergency plan? How quickly can you become operational again after a cyberattack?

The challenge with legislation is that it’s often imposed without making a clear and understandable translation for entrepreneurs. That’s why the NIS2 Quality Mark is such a valuable initiative. It helps businesses understand what they need to do and provides MSPs with a framework to guide their clients.”

How do you view the NIS2 Quality Mark from your professional perspective?
Hans: “Well, first of all, it didn’t exist yet, and I think it’s really essential. The legislation around NIS2 is quite abstract and doesn’t concretely spell out what entrepreneurs need to do or why. The NIS2 Quality Mark bridges that gap, and that’s critical.

Moreover, not all businesses are the same, and it’s a good thing the Quality Mark includes different levels. That makes it more accessible for SMEs and enables them to work together with their MSPs using a shared dashboard: where do we stand, what have we arranged, and what still needs attention? Such a reference framework is vital. Without frameworks like this, the implementation and compliance with NIS2 will fall behind. So, I wholeheartedly support this initiative.”

The Quality Mark is written in plain, accessible language. How important is that?
Hans: “Extremely important. Not because entrepreneurs aren’t intelligent, but because cybersecurity is often explained in a technical jargon that many business owners don’t understand. But ultimately, it’s not about the tech—it’s about the impact on your business. IT is no longer a separate silo within a company—it’s an integral part of business operations. That’s why we need to speak in business terms, not just technical specifications.”

Some describe the NIS2 Quality Mark as a ‘licence to operate’. Would you agree?
Hans: “Absolutely. More and more, larger companies are asking their suppliers how they have arranged their cybersecurity. Some SMEs think they don’t need to comply with NIS2, but that’s a misconception. Hackers don’t care about regulations—they look for vulnerable targets. And as a small business, you’re not only responsible for your own cybersecurity, but you’re also a potential weak link in the supply chain. If your company is attacked and a major client is impacted as a result, the consequences extend far beyond your own organisation. This isn’t a choice—it’s an obligation.”

What do you believe will determine the success of the NIS2 Quality Mark?
Hans: “The translation from risk assessment to concrete technical measures must be as clear as possible. NIS2, for instance, says you must assess vulnerabilities across people, processes, and technology. But what does that actually mean? What tools do you need? How far should you go?

The Quality Mark must give entrepreneurs clarity on the minimum level of security they need and what questions they should ask their MSPs. Without that practical guidance, companies might wrongly assume that antivirus software is enough, when in fact that’s nowhere near sufficient.”

So you’re essentially saying: cybersecurity is not just about technology, but also about people?
Hans: “Absolutely. The human factor is one of the biggest risks. It doesn’t matter how good your technical defences are—if an employee clicks on the wrong link or opens a phishing email, the damage can be enormous. That’s why cyber resilience training and simulations are essential. Every business owner should be addressing this, and MSPs should be offering this as standard to their clients. But it’s still happening far too infrequently.”

Cees van der Wens

ISO/IEC 27001 and NEN7510 auditor, consultant

Supporting SMEs in a practical way

Cees van der Wens is an expert in the field of information security, especially in auditing and implementing the ISO/IEC 27001 standard. He has conducted numerous audits at various organizations, including hospitals, and helped them achieve certifications. With a background in industrial automation, he primarily supports small and medium-sized enterprises in setting up information security management systems.

Cees often acts as a lead auditor and is the author of books on the implementation and audit of security standards. His work plays an important role in the cybersecurity world, especially in the areas of compliance and risk management.

You’re involved in the NIS2 Quality Mark project as an advisor. What exactly does that involvement entail, and why did you think: ‘I want to do this’?

Cees: ‘I’ve been actively involved with the ISO 27001 standard since 2007 and with the NEN 7510 standard since 2011. Over all those years, and especially when I started auditing, I’ve seen many organizations struggle with this subject matter. I was strongly attracted to the idea of helping companies that have difficulty complying with the heavy requirements of ISO 27001 in one go, to move forward step by step. For many small and medium-sized businesses – SMEs – it’s sometimes really burdensome or too expensive to fully comply with this standard right away. For example, I’m currently helping a self-employed person who has built a fantastic web application and needs to obtain ISO certification from his clients. All by himself. There’s simply a strong need for an alternative. In the Netherlands, there might be a hundred thousand SMEs that will probably never take the full step towards ISO 27001. That’s why it’s important to support them in a practical way.’

What is your specific contribution to this project to ensure it’s well executed?

Cees: ‘Together with the team behind the NIS2 Quality Mark, I’m looking at how we can develop an approach that allows companies to work towards good information security step by step. My role is to incorporate the basic ideas and good concepts from the ISO 27001 standard and other standards in a new way. A way that better aligns with the needs of often smaller SMEs. Not all measures are equally relevant or necessary for everyone, so I’m investigating how we can find a good balance. We need to ensure that the system doesn’t become too heavy but remains valuable for suppliers and their customers. It should provide a level of assurance that is understandable and applicable for SMEs, but also recognized by the market and auditors.’

Can you tell us more about how you’re going to secure this?

Cees: ‘It’s important that we set a clear framework so that SMEs can increase their digital security and prove to their customers after an audit that they are certified. To make that succeed, companies need to know exactly what they need to do and how to do it. The system must represent a certain quality standard that is recognizable and reliable, such as the NIS2 Quality Mark with three levels: NIS2-QM10 Basic, NIS2-QM20 Substantial, and NIS2-QM30 High. We want to ensure that companies that comply with this are valued by the market and that the standard is clear and consistent.’

What’s the biggest challenge in establishing this standard?

Cees: ‘Language use is a major challenge. In the current formulation of standards, the language isn’t always consistent or clear. I’ve learned from experience how much confusion can arise from language. Words like ‘manager’ or ‘system’ can be interpreted in different ways, leading to ambiguity about what exactly is meant. Such ambiguities can cause large differences in how measures are taken or not taken. And also, how they are interpreted by an auditor. That’s why I keep focusing on simplifying and making the formulation of the standards consistent. Moreover, I’ve developed texts that should better clarify the purpose of the measures. So that people understand which cyber risk they’re actually reducing with which measure.’

Given the number of involved parties and industry organizations, do you think it will succeed? And what will be the advantage for SMEs?

Cees: ‘Companies that achieve a certificate are always happy. In this case, it gives them more certainty that they’re working digitally secure, and they can show that to their big clients. For clients, it’s nice to have proof that their supplier works digitally secure. Additionally, NIS2 Quality Mark offers a low-threshold entry with the possibility to grow step by step. The NIS2 Quality Mark has three levels—QM10, QM20, and QM30—and companies can enter at a level that suits them. The idea is that companies can start at a lower level and gradually grow. That makes it accessible for SMEs that would otherwise never be able to comply with a heavy standard.’

In countries like Belgium and England, attempts have already been made with a tiered model for cybersecurity, but it hasn’t really taken off there. What makes this project different?

Cees: ‘I’m aware of those initiatives, but not of all the details. In Belgium, they introduced a step-by-step model that comes from the government. That’s not really working, because the government is a strange party to interfere with standardization; they should really only deal with legislation. In England, it’s different. There, many companies have a very small standard – which have large numbers of users – and a very high standard with very few users. So, there’s a lack of a growth model. This project intrigues me because we’ve been able to learn lessons for the Netherlands. The market will ultimately play a big role. If the market, for example, finds the QM10 standard sufficient, SMEs won’t quickly move to QM20 or QM30. With the NIS2 Quality Mark, we’ve opted for a dynamic, growing standard, so companies will probably have to do something constantly, and there might also be an incentive from the market to move to a higher level.’

Do you think companies will embrace the idea of a tiered model, or will they see this as ‘just another set of rules’?

Cees: ‘I expect many companies will see it as an opportunity. There are certainly companies that will start with QM10 and find that sufficient, but there are also plenty of companies that can immediately enter at a higher level, such as QM20 or QM30. The system is flexible, allowing companies to grow at their own pace. It offers a feasible route for SMEs who want to show their big customers that they’ve obtained certification through an audit.’

Do you think the NIS2 Quality Mark is sufficient for large clients?

Cees: ‘Yes, I think so. Clients don’t want to drive away their suppliers and can thus continue to work with suppliers who have the NIS2 QM. They will also appreciate that there’s more choice than just between companies with or without ISO27001 or NEN7510 certification. As it is now, some clients have very few options; they have to choose from a few parties that have a standard. Soon there will be more options. Anyway, it can be a solution for both clients and smaller companies, who then aren’t forced to bear the heavy burdens of a heavy certification.’

You write books on this subject yourself. Your ‘Handbook ISO27001’ is the most well-known cyber book in the Netherlands. How come success hasn’t gone to your head yet?

Cees: ‘I love my profession. My passion is in standards and audits. I try to do that as well as possible. By writing it down, I also help others with my knowledge and insights. As far as I’m concerned, NIS2 Quality Mark should lead to even better protection of the availability, integrity, and confidentiality of information, including information from people like you and me that is processed daily by countless SMEs. Ultimately, everyone benefits from this approach.’

Ivar van Duuren

Co-founder of ISOPlanner

A Low-Threshold Way to Get Started with Security

ISOPlanner is a user-friendly Software-as-a-Service (SaaS) solution that helps organisations manage ISO compliance within the Microsoft 365 environment. By integrating with tools such as SharePoint, Outlook, and Teams, companies can efficiently comply with standards such as ISO 27001, NEN, and the NIS2 Quality Mark.

Ivar, can you briefly explain what ISOPlanner does?

Ivar: “Our ISOPlanner software helps customers implement standards and frameworks. We provide a sort of framework or ‘coat rack’: customers get access to requirements and measures for a range of standards. That includes ISO and NEN standards, but also other frameworks that don’t originate from ISO or NEN.”

Your slogan is “Effortless Compliance Management in Microsoft 365.” What makes your approach unique?
Ivar: “Our software is the only solution fully integrated with Microsoft 365 for managing ISO standards. ISOPlanner acts as a layer on top of the existing Microsoft 365 environment. Users log in using their Microsoft account—no additional passwords required. Documentation stays within SharePoint, and ISOPlanner allows you to link documents and tasks directly within that environment.

There’s also integration with Outlook: tasks created in ISOPlanner automatically appear in users’ calendars. Employees can even complete tasks directly in Outlook—including checklists and document links. This makes the process incredibly accessible and easy to adopt.”

Which standard is most commonly implemented through ISOPlanner?
Ivar: “Within ISOPlanner, ISO 27001 is the most widely used standard. Globally, ISO 9001 is still more popular, but ISO 27001 is rapidly gaining ground.”

NIS2 and the associated supply chain obligations are a hot topic. How does the NIS2 Quality Mark fit into this, and what’s your view as a company?
Ivar: “The NIS2 Quality Mark was developed specifically for smaller SMEs that find the requirements of ISO 27001 too heavy. We don’t see it as competition, but as a complementary solution. It makes cybersecurity more accessible for businesses not ready for the complexity of full ISO certification. Through our collaboration with the Samen Digitaal Veilig initiative, we’ve seen high demand for practical solutions like this quality mark.”

The NIS2 Quality Mark focuses on SMEs and provides basic solutions. Do you see this as a threat to your work with ISO 27001?
Ivar: “Not at all—it’s simply a different approach for a different audience. For companies that find ISO 27001 too complex, the NIS2 Quality Mark is a low-threshold solution. What matters to us is offering clients the right fit—whether that’s ISO 27001 or the quality mark.”

“It makes sense—ISO 27001 can be overwhelming for many organisations. The NIS2 Quality Mark offers a practical starting point. It enables businesses to take small steps—perhaps moving from 10% to 20% compliance—and eventually grow into ISO 27001.”

You remain neutral, but I assume clients sometimes ask for advice. For example: ‘Should I go for the NIS2 Quality Mark or opt for ISO 27001?’ How do you handle such questions?
Ivar: “Yes, we are mainly an implementation partner and don’t conduct audits ourselves. But if clients ask us for advice, we try to help them think it through. Still, we avoid giving definitive recommendations, because it really depends on factors like their industry requirements or what their own clients expect from them.”

“We usually explain the differences. For example: if none of your clients are asking for ISO 27001, you might not need to pursue it. But if you anticipate questions related to NIS2 compliance, starting with a quality mark makes a lot of sense. It helps you establish a foundation, and you can always scale up to more comprehensive standards later. It’s all about a pragmatic approach.”

So there’s demand for a practical, usable framework?
Ivar: “Absolutely. Many organisations just want to know: ‘What exactly do I need to do?’ The NIS2 Quality Marks offer a concrete answer to that question. They translate legislation into a set of actionable measures. Once you accept that, you can actually start working on it.”

How do you see the relationship between ISO 27001 and NIS2?
Ivar: “ISO 27001 already covers a lot, but NIS2 introduces new elements—like the supply chain obligation. This means suppliers of companies covered by NIS2 also bear added responsibility. These aspects are not yet fully embedded in the older version of ISO 27001, so there is some overlap, but also additional requirements.”

Can clients come to you for help with NIS2?
Ivar: “Definitely. Clients can use ISOPlanner to implement standards more easily within their Microsoft 365 environment. If they have questions about NIS2, we can point them to the NIS2 Quality Marks. These marks are now available in ISOPlanner as the first framework supporting NIS2. That’s an important step—and more options may follow in the future.”

Why did you decide to support the NIS2 Quality Marks?
Ivar: “Honestly, it was driven by demand. Our customers and partners clearly expressed a need for a NIS2 solution. Partners who help their own clients with information security came to us asking for a framework. The NIS2 Quality Marks are the first solution we’re offering in this area.”

Finally, what do you think is important to add?
Ivar: “Many businesses are currently asking themselves: ‘Does NIS2 affect me? Am I directly covered by the law—or do I serve a client who is, and will hold me accountable?’ Based on that, they wonder: ‘Do I need to take action?’ Personally, I believe every business should take information security seriously.”

“It’s like a bike mechanic saying your bike should be well-maintained—some people think, ‘It’s just a bike,’ but I find it odd when a company doesn’t have a management system for information security. How can you not have processes for incident reporting, learning from mistakes, or assessing risks and taking the right measures? That should be standard practice.”

So your advice is to always take some action, even if in doubt?
Ivar: “Exactly. If you’re unsure—do something. And if you’re just getting started, the NIS2 Quality Marks offer an excellent and accessible entry point. Even if you think the legislation doesn’t directly apply to you, I’d say: do it anyway. Every company has information—whether from clients, employees, suppliers, or shareholders. That data lives in your systems, and you’re responsible for protecting it. That doesn’t happen by itself—you have to actively work on it.”

Lennart Pikaart

Strategic & Key Accounts, Bitsight

A Central Bureau for Global Corporate Cybersecurity Performance

Bitsight is an international company with headquarters in the United States, Lisbon, and the Asia-Pacific region. Their clients span diverse sectors: government bodies such as the Centre for Cybersecurity Belgium, as well as manufacturing firms, banks, transport enterprises, and high-tech companies. Lennart Pikaart, Strategic & Key Accounts at Bitsight, explains the company’s unique approach.

Could you briefly explain what Bitsight does?

Lennart: ‘Bitsight is akin to the Office for National Statistics, but for the cybersecurity performance of companies worldwide. We provide organisations with insight into their own security position and that of their suppliers. Beyond that, companies can benchmark themselves against their peers in terms of cybersecurity.’

How precisely do you help organisations?

Lennart: ‘In essence, we address two major challenges with our platform and data. First, we help organisations manage security risks in their supply chain. Second, companies can visualise how a hacker views their organisation from the outside. On occasion, the board enquires: “How do we measure up against our competitors?” We can provide that answer entirely through data.’

What is your approach?

Lennart: ‘Thirteen years ago, we conceived the idea to create something akin to a credit rating, but for cybersecurity. This concept only works if one can assess every organisation worldwide in precisely the same manner. This means we only make observations from the outside. If you require permission to scan systems, half would decline. So we opted to do it from the outside. We often say we provide the “Criminal’s Eye View” of two million organisations worldwide, and we scan, monitor, and update that information daily.’

How do you collect and process that data?

Lennart: ‘We’ve developed a platform that collects data globally through our own scanning platform and numerous external sources. We focus on various companies, such as those in the Dutch High Tech Sector, which operate worldwide. The data must be consistent and of uniform quality. We then package this information into 25 security sub-areas. Rather interestingly, we roll this data up into KPIs, allowing organisations to benchmark themselves against their peers or internally.’

How do these KPIs lead to a security rating?

Lennart: ‘We roll up all this data and KPIs into an overall security rating. This rating is based on the American credit rating system and ranges from 300 to 850. It provides a readily comprehensible figure that reflects the overall cybersecurity performance of an organisation.’

Suppose you visit an organisation with a rating of 600. They’re above average and performing rather well. Do most clients then aspire to that 850 rating, or are they content with a passing grade?

Lennart: ‘That rather depends on the organisation’s security awareness and maturity. The typical first reaction is: “Do show us, then.” Naturally, everyone wishes to improve, but it’s rather important to recognise that not every organisation has the same resources. That’s precisely why it’s so crucial to examine this in the supply chain context. Security isn’t merely about willingness and ambition but about whether you have the means to achieve it. Banks, for instance, have been investing in security for decades and therefore tend to perform rather better. SMEs mightn’t have those capabilities.’

Large corporates are often ISO 27001 certified, but that doesn’t necessarily mean they achieve a rating of 850, correct?

Lennart: ‘That’s quite right. Many people think: “I’ve achieved my ISO 27001 certification, so I’m safe”. But it’s not quite so straightforward. It’s rather like a footballer who joined the first team a year ago and then thought he needn’t train quite so hard. In cybersecurity, things can change rather quickly. Things may well have been in perfect order during the audit, but if people leave afterwards or processes change, gaps can readily emerge. That’s precisely why regulators increasingly emphasise the importance of continuous monitoring. One needs to make agreements with suppliers about security requirements, document these in KPIs, and then actively monitor them.’

So you help organisations gain insight not only into their own security position but also that of their suppliers?

Lennart: ‘Precisely so. By providing a continuous and objective view of security performance across the entire chain, organisations can better manage risks and work with suppliers to implement improvements. With the growing complexity of digital ecosystems and more stringent regulations, it’s essential to have continuous insight into your own security position and that of your chain partners. We continue to develop our platform to provide even greater value to our customers and help them navigate the ever-changing cybersecurity landscape.’

Why has Bitsight decided to embrace the NIS2 Quality Mark?

Lennart: ‘The Quality Innovation Foundation has designed a rather thorough framework through which companies can be audited and certified. Through collaboration, our Bitsight clients can monitor their supply chain even more effectively. We can visualise the 25 security areas we monitor within the NIS2 Quality Mark framework. This helps our clients understand how these two tools are interconnected.’

How do you view the NIS2 Quality Mark from your expertise?

Lennart: ‘I find the NIS2 Quality Mark a rather robust initiative, particularly because it offers a growth model with three levels. Companies needn’t make an enormous leap immediately but can gradually progress towards an achievable level for them. It provides clarity and helps with the translation and understanding of cybersecurity standards in a specific geographic area. My only slight concern is that Europe might become rather overwhelmed with different standards, which could prove confusing. However, the NIS2 Quality Mark directly links to various frameworks, which helps with understanding and implementation.’

How precisely do you integrate these two tools?

Lennart: ‘We integrate the NIS2 Quality Mark into the Bitsight portal. Users can directly see how the 25 security KPIs we monitor fit within that framework. One can see where you excel and where you might grow, and it relates precisely to your level within the NIS2 Quality Mark. For instance, if a supplier claims they’ve achieved level 3, but our data shows something rather different, that contrast becomes immediately apparent. This helps companies understand any discrepancies and take appropriate action.’

What makes the combination of Bitsight and the NIS2 Quality Mark so powerful?

Lennart: ‘Achieving the NIS2 Quality Mark is a jolly good step, but it’s rather important to continue training and improving afterwards. With Bitsight, you can continuously look in the mirror, as it were, and see how you’re faring. You can readily access our platform to see if your expectations align with reality. One can only learn from that.’

Julian van Sijp

Partner & co-founder at Bluebird & Hawk

The NIS2 Quality Mark provides a clear and achievable foundation

Bluebird & Hawk is a Dutch cybersecurity company specialising in information security, risk management, and security testing. They offer services such as quick scans, training, ISMS implementations, and penetration testing to help organisations strengthen their digital resilience. We speak with expert Julian van Sijp.

Could you introduce yourself?
Julian: “I’m Julian van Sijp, Managing Director of Bluebird & Hawk. I have a background in information security and have been working in this field for about ten years. Most of that time, I worked at De Nederlandsche Bank in Amsterdam.”

What roles did you have at De Nederlandsche Bank?
Julian: “I held various roles, including serving as an ambassador for the Netherlands, where I assisted central banks worldwide in improving their information security maturity. I was also a trainer in risk management for European central banks and worked on risk management for information security within De Nederlandsche Bank itself.”

How did Bluebird & Hawk come about?
Julian: “Together with Ewoud and Maurice, my current partners, we decided to start a new security consultancy firm focused primarily on information security and privacy.”

What types of companies do you serve?
Julian: “Our client base is very diverse, spanning government agencies, the financial sector, agriculture, healthcare, and more. We focus on tactical and strategic information security, looking at governance, organisational structure, and how companies implement security. Unlike companies with a purely technical focus, we help businesses with overarching strategic decisions: where to begin, what to prioritise, and how to align management with IT.”

So, you don’t provide 24/7 monitoring or incident response?
Julian: “No, we don’t offer 24/7 monitoring, specialised software, or incident response. Our role is at a different stage of the process—helping businesses make strategic and tactical decisions. For example, we assist in selecting the right type of monitoring or structuring an incident response plan that best fits the organisation.”

What is your view on the new Cybersecurity Act and the NIS2 Directive?
Julian: “There is a lot of confusion surrounding the terminology. Over the past two years, people have been bombarded with the term ‘NIS2.’ While the legislation is officially called NIS2 across Europe, in the Netherlands, it is implemented as the Cybersecurity Act. Essentially, it’s the Dutch version of the European directive.

Together with DTX, we’ve developed a toolkit to help businesses comply with NIS2 more efficiently. This toolkit includes both technical and governance-related components to accelerate compliance.”

Is this toolkit suitable for SMEs?
Julian: “For many SMEs, the current toolkit may be too extensive or even unnecessary. That’s why we are now collaborating with the NIS2 Quality Mark, which is specifically designed for businesses that don’t need to meet the highest levels of compliance. Together with DTX, we are adapting our toolkit to align with the Quality Mark’s requirements, making it more accessible for SMEs.”

Does this mean you are integrating the NIS2 Quality Mark into your toolkit?
Julian: “Yes, we are adopting the Quality Mark as a standard. Our toolkit is currently based on ISO 27001, Microsoft best practices, and the CIS baselines. Now, we are adding the Quality Mark’s baseline requirements, providing SMEs with a structured and achievable approach.”

What was your first impression of the NIS2 Quality Mark?
Julian: “What I find particularly strong about it is that it selects relevant security measures that smaller companies can implement. There are countless security measures available to reduce risks, but small businesses can’t do everything at once and often lack the resources. The Quality Mark provides a clear and manageable foundation.”

Why is this Quality Mark important for companies like Bluebird & Hawk?
Julian: “It gives us a clear standard to work with. Previously, we had to determine risks and security measures for each company individually. With the NIS2 Quality Mark, we can take a more structured approach, making the process more efficient.

Many SMEs don’t have the manpower to thoroughly assess all potential cybersecurity risks. The Quality Mark helps them navigate these challenges, and it allows us to provide practical and effective guidance.”

How was the process before the Quality Mark? Suppose a company had 15 employees—how would compliance work without it?
Julian: “Previously, we typically advised businesses to follow the ISO standard to some extent. This involved conducting risk assessments and implementing appropriate security measures. However, this approach was often too complex for smaller companies.
They had to identify risks independently, or with our help, and then align them with NIS2.

For example, if a company supplied sterilised containers to a hospital, they would be considered a supplier to an essential organisation, meaning they had a duty of care to prevent cyber incidents from disrupting their services.
Before, companies had to map out their risks from scratch. Now, they can start with the NIS2 Quality Mark, which not only requires risk assessment but also prescribes fundamental security measures. As a result, the remaining risks become much more manageable.”

Why is ISO certification difficult for smaller companies?
Julian: “Many small businesses lack the knowledge or resources to meet all ISO requirements.

• Certification takes time
• Audit and certification costs can be high
• Process-heavy frameworks may not fit small businesses
• Conducting a risk analysis is complex

To comply, many SMEs had to hire external consultants, which felt like an expensive and cumbersome process. As a result, cybersecurity was often pushed aside—considered a costly obligation rather than a necessity.”

How does the NIS2 Quality Mark improve this process?
Julian: “It gives businesses a clear roadmap: a practical guideline outlining the minimum security measures they need. They no longer have to figure everything out themselves, making compliance much more manageable, especially for SMEs.
It doesn’t remove the need for risk assessment or ongoing improvements, but it does significantly raise the baseline security level within the SME sector. From there, companies can continue strengthening their cybersecurity step by step.”

The Quality Mark consists of three levels: QM10, QM20, and QM30. You focus on QM20 and QM30. Why not QM10?
Julian: “We believe QM10 might be too lightweight for our toolkit, but we are currently researching its potential value. If it proves beneficial, we may include it, but for now, our focus remains on QM20 and QM30.”

What do you see as the main benefit of NIS2 Quality Mark certification?
Julian: “Companies can have an audit performed and obtain an NIS2 Quality Mark certificate. Although the Quality Mark is currently used primarily in the Netherlands, it provides a way for businesses to demonstrate cybersecurity compliance to both national and international partners. It helps with accountability towards customers and suppliers, showing that an independent organisation has assessed and validated their cybersecurity practices.”

Nathalie Verkade

Compliance Officer TechOne

Your chain, your responsibility: Safety doesn’t stop at your own organisation

Nathalie Verkade is the Compliance Officer at TechOne, a company within a group of 30 IT companies focused on IT and cyber security services. TechOne helps communications, managed IT and security companies realise their potential. Nathalie’s role is to ensure that the companies’ practices comply with relevant laws and regulations, with a particular focus on cybersecurity and data protection standards such as NIS2. In the following interview, Cybersecurity Editor Jan Meijroos talks to her about the importance of certifications for different industries.

You are a compliance officer, primarily focused on laws and regulations within the organisation. Can you transfer this experience and knowledge to your clients?

Nathalie: ‘Initially, my focus was mainly internal, which makes sense given my role. But I quickly realised that the issues within our companies often stem from what is happening with their customers. When you discuss certain issues internally, ideas come quickly. It adds a lot of value to your customers if you can provide additional expertise. So why keep that knowledge to yourself? The companies and people we work with also want to help and ask for tips. Of course, they come to me because they don’t read all the legal texts themselves.’

Have you already looked into the recently launched NIS2 consultation? If so, what are your first impressions?

Nathalie: ‘It’s in line with the original NIS2 as written in English. It’s a maximum harmonisation law, which means that member states can have stricter requirements in their national legislation, but in practice they’re unlikely to deviate much. The measures in Article 21 of NIS2 are not so different. I think the Netherlands has looked closely at how other countries like Germany and Belgium have implemented it.’

From your experience as a compliance officer, what is your view of the NIS2 quality mark?

Nathalie: ‘Not every company is directly subject to NIS2; there are two categories: companies that are directly subject to NIS2 and companies that have to comply through the supply chain. People often forget that they still have to comply indirectly through due diligence and supply chain responsibility. The NIS2 Quality Mark focuses on this, especially for SMEs, and can help many companies.

NIS2 is European legislation that must be implemented in the Netherlands. The NIS2 Quality Mark makes this legislation manageable. After an audit by a certified audit firm, you have proof that you have taken a significant number of cybersecurity measures. In the eyes of your major customers, it shows that you are serious about cybersecurity. This accessible, manageable nature is a godsend for SMEs.’

NIS2 includes new aspects not typically covered by ISO 27000, such as due diligence in the supply chain. Does this make a difference?

Nathalie: ‘Absolutely. NIS2 is a bit stricter. In ISO, you have supplier assessments, but NIS2 also requires your suppliers to take real action in case of risk. You are responsible for the information security of your supply chain, not just your own. Companies often think they’re done with ISO, but they’re not. And SMEs who think they have to comply with the heavy-handed ISO requirements are often misinformed. ISO is a good standard, but it’s too comprehensive and complex for many SMEs. The NIS2 Quality Mark addresses this.’

It also puts the spotlight on the supply chain, which includes many of your customers. I understand that thousands of customers are eligible for the NIS2 Quality Mark?

Nathalie: ‘Yes, we have fifteen locations in the Netherlands and about thirty companies. If you add up the clients of all these companies, you quickly reach a large number. Samen Digitaal Veilig (Together Digital Safe) ensures that SMEs are well prepared for the law, even if these companies are not fully subject to NIS2. We are a good partner to pass on this knowledge to our clients.’

What is it like working with Samen Digitaal Veilig?

Nathalie: ‘SDV provides a lot of support and information. They have a department for questions that are more specific than our knowledge. So we can pass on customer enquiries. We also organise meetings, webinars and more together.’

What are your expectations for the implementation of the law, in terms of timing?

Nathalie: ‘The Netherlands is a bit behind. Other European countries will meet the deadline. Dutch delays cannot be used as an excuse. Companies from other European countries will definitely be concerned.’

Why are standards important, especially for smaller companies that often feel resistant to new regulations?

Nathalie: ‘I understand the frustration. In the past, these rules were mainly for large companies, but increasingly they are also for SMEs. My advice is to start small with one standard, start with the basics. You’ll quickly see the benefits across all your processes. For your large customers, it’s important to show that you’re working on cybersecurity. At TechOne, we look at how we can make this accessible to our customers. We don’t just provide basic IT services, we provide partnerships. And that’s good for your relationship with your customers.’

Remco van der Linden

Director of Technology & Market at Techniek Nederland

The NIS2 Quality Mark meets the needs of our members

Remco van der Linden is Director of Technology & Market at Techniek Nederland. The industry he represents is familiar with many certifications and standards. The NIS2 Quality Mark has a solid foundation: “Achieving this standard is accessible and doesn’t feel like a punishment”.

Can you tell us a little about your industry?

Remco van der Linden: ‘Our industry has been heavily regulated for years, due to technical and safety aspects. Originally, we were supervised by the energy companies, but after these controls disappeared, we introduced private quality schemes to distinguish skilled entrepreneurs from less qualified ones.’

‘Some of our schemes are now required by law, such as certification for geothermal heat pumps and gas boilers. All in all, this has led to an abundance of quality schemes, which is also a problem. In the Netherlands we have too many certifications and inspections, often without taking into account certificates already obtained. This leads to inefficiency and overburdening of entrepreneurs and professionals.’

So you’re saying that less could and should be done?

Remco van der Linden: ‘Yes, it can and should be different. We need to combine more intelligently and avoid duplication. Self-assessment and peer review can help. Data and risk driven control instead of checking everything is key. We need to make sure that everything doesn’t have to be demonstrated again under different schemes.’

There is a new cybersecurity law coming, the NIS2 directive. How do you see this affecting your industry, given the large number of suppliers?

Remco van der Linden: ‘I see that NIS2 is set up very similarly to the CSRD, with more responsibility in the supply chain. Many of our members provide technical equipment for critical infrastructure and have to meet high standards, which increases the administrative burden on these companies. SME suppliers will also have to comply with these requirements, which we want to standardise to prevent each company setting its own requirements.’

What is your view on the NIS2 Quality Mark and secure digital operations?

Remco van der Linden: ‘We promote cyber awareness and try to offer as many tools as possible. The NIS2 Quality Mark offers gradations of requirements and allows for self-assessment or audit if necessary. This choice is nice. The tiered model prevents overburdening. And that’s where the NIS2 Quality Mark comes in. It is in line with the principles of our quality policy.’

‘Often the baseline set by the government is sufficient. We shouldn’t exceed that baseline unnecessarily, unless specifically requested by the client. It’s important that clients are well informed about the levels of the NIS2 Quality Mark and ISO 27001 so that they can choose the right standard for them.’

How do you ensure that entrepreneurs are not put off by (yet) another standard or certification?

Remco van der Linden: ‘By presenting the standard in an entrepreneur-friendly way. The NIS2 Quality Mark, for example, offers sufficient support, such as webinars and a helpdesk. A standard should inspire confidence in customers. It needs to be effective and translated into a business-friendly approach. Achieving the NIS2 Quality Mark is manageable and doesn’t feel like a punishment. A standard shouldn’t be a policeman checking up on you, but a tool that helps entrepreneurs achieve certification with a reasonable amount of effort. As a business organisation, we want to lend a helping hand to ensure that the process is well supported.’

Do you see specific challenges in your industry in terms of cyber and information security?

Remco van der Linden: ‘Certainly. Large members often already have good security measures and the necessary knowledge. Many companies see it as something far away, whereas cyber resilience is crucial for all companies. Communication and awareness are essential to make it part of the way they do business. SMEs also need to realise that customers are likely to demand it of them. So they need to get on board, even if they are smaller.’

Can the new law act as a catalyst to raise awareness?

Remco van der Linden: ‘Certainly. The law is good, but it remains a challenge. Often people only react when something happens. It’s a transition that needs to take place, and we need to make the process as easy as possible for entrepreneurs.’

What else are you working on within the organisation?

Remco van der Linden: ‘At Techniek Nederland we’re working on labour market issues, sustainability, recycling, mobility and craftsmanship. This ranges from access to city centres for delivery vans to the legal certification of gas boilers. We’re also looking at network congestion and digitalisation in the construction and technology sectors.’

What do you enjoy most about your job?

Remco van der Linden: ‘I enjoy working on solutions to societal problems and supporting entrepreneurs. It’s great to see the progress we’re making with digitalisation and cybersecurity. Working with different industries to promote digital security is one of the things I’m passionate about.’

Finally, what do you think is most important when it comes to information security?

Remco van der Linden: ‘The most important thing is that we provide good support to entrepreneurs in making their businesses cyber resilient, without just ticking boxes. We really want to contribute to their success. “Not ticking boxes, but igniting sparks”, as we say in the industry.’

Remco van der Linden is Director of Technology & Market at Techniek Nederland. He is responsible for promoting innovation and market development in the technology sector. Since September 2023, he has also been Chairman of the Board of the Central Register of Technology, where he focuses on the digital presentation of craftsmanship and quality.

He also plays a key role in the implementation of the NIS2 legislation, which aims to improve cybersecurity in the sector. He emphasises the importance of collaboration and self-regulation to reduce the administrative burden on businesses and ensure the secure operation of technical systems.

Rick van der Gaag

Project Manager Schoonmakend Nederland

A practical and affordable solution for a healthy business

Rick van der Gaag is project manager for entrepreneurship at Schoonmakend Nederland, the trade organisation for the cleaning sector in the Netherlands. He supports cleaning companies in their operations and promotes entrepreneurship within the sector. He also advises on risk management and insurance to ensure business continuity. In addition, the industry has its own quality mark and, after a thorough analysis of its contents, is very enthusiastic about the NIS2 Quality Mark – a practical standard for safe operations within the supply chain.

What does your own quality mark entail?

Rick: ‘Our standard is called “Keurmerk Schoon”. This mark stands for the professionalism and financial reliability of cleaning and window-cleaning companies. It focuses primarily on compliance with the law, especially in administration and business operations.’

Can you explain this in more detail?

Rick: ‘Our mark, similar to the NIS2 Quality Mark, includes chain responsibility but in a very different area – specifically ethical and decent working practices. There are several criteria for assessment, such as paying taxes and premiums correctly, adhering to the collective labour agreement (CAO) and maintaining good governance. An independent certification body assesses this twice a year, once with a comprehensive audit and once with a mandatory audit.’

‘Cleaners work with a wide range of clients, including hotels, holiday parks, railway stations, public spaces and government buildings. Chain responsibility is crucial to ensure that people are treated fairly and that wages are paid correctly. In hotels, for example, staff should not be paid per room. Our label ensures that these kinds of misunderstandings are avoided.’

What is the general attitude towards quality labels and standards? Are people enthusiastic about them or is there initial resistance?

Rick: ‘There is definitely resistance because a standard should not add another layer of administration. The success of a label also depends on the extent to which customers demand it. Initially companies are enthusiastic, but after a few audits they start to weigh up the costs and benefits. Ensuring that members continue to embrace the label remains a point of attention.’

What is your view of the NIS2 Quality Mark for SMEs as a cyber security standard?

Rick: ‘At first, I was hesitant because cybersecurity often doesn’t directly relate to a company’s core activities. But as soon as you open the newspaper you read about hacking, and recently there’s been a lot of talk about NIS2 and cybersecurity. So it’s important to pay attention to that, because large companies are going to make requirements of their suppliers, including smaller companies.’

‘It’s important to find a very practical and affordable solution that doesn’t disrupt ongoing business operations, and with a lot of support for the company. That’s exactly what the NIS2 Quality Mark offers. The fact that 75 industries are already participating in Samen Digitaal Veilig (Together Digital Safe), and that together we are reaching 125,000 companies, makes me very optimistic.’

How are IT security and secure digital operations generally managed among your members?

Rick: ‘This varies greatly. Larger companies often have dedicated departments, while smaller companies pay less attention to it. It’s generally not the most popular topic of discussion among business owners.’

Do you think the NIS2 Quality Mark can ultimately help your members?

Rick: ‘I certainly think it can be a solution. It’s important to start now and take steps gradually so that you have everything in order later on. It is also a competitive advantage if you are prepared.’

What do you tell your members when there is potential resistance regarding cyber security and the upcoming NIS2 directive?

Rick: ‘Start today and take the necessary steps one step at a time. The things you need to do as a business in terms of secure operations make sense, and it’s better to start now than to be surprised by obligations later. Again, the standard gives entrepreneurs a head start over other companies and prevents a lot of aggravation and potential damage down the line.’

Jan Meijroos

Cybersecurity editor

The accessible language of the NIS2 quality mark according to cybersecurity editor Jan Meijroos

The digital world is constantly evolving, and with this change comes new challenges for businesses, especially when it comes to cybersecurity. For many SMEs and small businesses, cybersecurity is often an abstract concept that is difficult to grasp. Everyone understands the need to keep their house or car securely locked, but backing up data and encrypting backups… that’s not something everyone immediately recognises. As a journalist who writes extensively about cybersecurity and technology, I’ve noticed that many companies find cybersecurity and information security challenging. They understand the urgency but are often overwhelmed by the jargon. However, everyone will need to step up their game in the coming period.

Securing the entire supply chain

With the new European cyber law, NIS2, on the horizon, significant changes are coming for all companies in the Netherlands. Organisations that are crucial to society, the so-called NIS2 companies, will have to make extra efforts to protect their digital networks and systems from problems such as disruption or extortion. This also means working with their direct suppliers to secure the entire supply chain. This is where the NIS2 Quality Mark comes in, a certification specifically designed for the latter group.

The NIS2 Quality Mark is a ray of hope for many entrepreneurs who are suppliers to large and important companies. These smaller companies are often overwhelmed by complex regulations that require them to implement heavy, often incomprehensible measures. The result? Resistance to change. But this certification takes a different approach.

Understandable task, three levels

What makes the NIS2 Quality Mark so accessible is the plain language in which it is written. No complicated jargon, just clear, applicable guidelines. This allows entrepreneurs to know exactly what is expected of them without feeling overwhelmed.

In addition, the certification is divided into three levels: QM10, QM20 and QM30. These levels are tailored to the importance and size of the organisation, making it much easier to achieve certification. There’s no need to implement unnecessarily heavy measures; the lists are clear and straightforward, lowering the threshold to get started.

And that is crucial, because retaining large customers is vital for many small businesses. With the NIS2 Quality Mark, they can demonstrate that they have the necessary cyber security measures in place, building trust with their larger clients and keeping them ahead in a competitive market.

Retain valuable customers

In summary, the NIS2 Quality Mark provides an accessible, understandable and effective way for SMEs to get their cybersecurity house in order. Not only to comply with regulations, but also to retain their valuable customers and strengthen their position in the marketplace.

Kristel Houtappels

Communication Specialist & Cybersecurity Standard Expert

Making Technical Standards Understandable and Applicable for Business Owners

Kristel is a communication specialist and cybersecurity standard expert. For the NIS2 Quality Mark – consisting of three levels, namely NIS2-QM10, NIS2-QM20 and NIS2-QM30 – she rewrote technical and legal requirements associated with a cybersecurity certification into comprehensible language.

You have transformed the formal European directive texts of NIS2 into understandable measures, checklists and example documents. What was the biggest challenge for you in this process?

Kristel: ‘The biggest challenge lies in the combination of legal and technical jargon. Lawyers write in terms that are often complex from a legal context, and cybersecurity experts use technical language that isn’t readily accessible to a non-IT professional. My task is to translate these two worlds into something that business owners with little to no technical background can immediately work with. In doing so, I need to ensure that none of the legal or technical precision is lost, whilst writing it in such a way that business owners understand what they need to do without feeling overwhelmed.’

Many SME owners have outsourced their IT operations and may find it challenging to interpret these cybersecurity standards. How do you simplify the language without losing the essential legal and technical details needed for compliance?

Kristel: ‘The key is to convert technical details into specific, practical steps. Instead of saying that you “must implement vulnerability scanners”, I explain that you “need to ensure your systems are regularly checked for security risks, rather like checking your home alarm system”. I use everyday comparisons as much as possible and avoid technical language. It needs to be immediately clear to SMEs what they need to do, without getting lost in technical or legal terminology.’

You have worked with a team, including experts such as Cees van der Wens, the author of the well-known ISO 27001 handbook. How has this collaboration helped?

Kristel: ‘Working with experts like Cees has been invaluable because, from his experience, he can immediately identify what crucial elements are in a cybersecurity context. He knows precisely which technical measures are important, and that makes it easier for me to determine what absolutely must be included in the text and what we can describe in a more accessible way.’

Explanatory documents accompanying the measures help make abstract technical standards more comprehensible. Could you illustrate this by showing how a practical example might help a business owner?

Kristel: ‘Indeed, explanatory documents are incredibly valuable in making technical standards comprehensible and applicable for business owners. They translate abstract guidelines into clear, actionable steps. Consider, for instance, supply chain security. Many business owners recognise its importance, but how does one approach it in practice? In the explanatory documents, you’ll find a complete step-by-step guide on how to assess your suppliers’ security, which agreements you need to document, and how to continuously monitor the chain. There are also ready-to-use checklists with which you can promptly verify whether you have set everything up correctly.

Another example is an ICT continuity plan. Rather than having to devise everything yourself, you receive a detailed example plan in the document that you can adopt and adapt to your own business circumstances. These sorts of practical examples and readily usable tools help business owners to swiftly take the appropriate steps to secure their organisation without requiring complex technical knowledge.’

Once the texts were drafted in Dutch, they had to be translated into English. How does this bring new challenges, and how do you ensure that the nuances are preserved in both languages?

Kristel: ‘When translating to English, one must be particularly careful that the legal and technical details remain correct, whilst ensuring the language remains comprehensible. English, for instance, has more scope for technical terms that are understandable to a wider audience, but we want to ensure that the accessibility we’ve achieved in Dutch is maintained. It’s a matter of thorough proofreading and liaising with native speakers to ensure it’s correct in both languages.’

Now that the NIS2 standards are being implemented, how do you see these translations, as written in NIS2-QM10, NIS2-QM20 and NIS2-QM30, helping SMEs in their cybersecurity efforts?

Kristel: ‘I believe that SMEs, precisely because of these comprehensible translations, will be far less hesitant to approach cybersecurity. Where it was previously often perceived as something rather distant and complex, they now see that it involves practical, achievable measures that can genuinely help them operate more securely. This gives them the confidence that they can comply with legal requirements even without in-depth IT knowledge.’