“When IT comes to a standstill, so does logistics”: how Van Rooijen Logistics proves its supply chain security with the NIS2 Quality Mark

In the world of Van Rooijen Logistiek BV, nothing ever stops: lorries continuously travel across the Netherlands and Belgium. Goods are transported and customers depend on timely deliveries. That is precisely why a single cyberattack could bring the entire company, and the supply chain around it, to a halt. IT Manager Ruud Verkoeijen decided not to wait for something to go wrong and used the NIS2 Quality Mark to demonstrably raise the company’s digital resilience to the right level.

Ruud is IT Manager at Van Rooijen Logistiek BV, an international transport and logistics company with branches in Eindhoven and Turnhout. The company operates for major brands in food, non-food and pharmaceuticals, managing extensive storage and distribution flows. That is why digital security makes a major difference for Ruud: if IT stops, logistics stop.

“We manage IT with nine people in total,” he says. “That’s my team.” With that team, Ruud ensures that systems keep running and that the digital gate remains as tightly closed as possible to attackers. Thanks to Ruud’s efforts, Van Rooijen Logistiek BV recently obtained the NIS2 Quality Mark, an accessible certification for SMEs to show that they are compliant with NIS2 legislation.

A reliable partner for major NIS2 organisations

Ruud saw the threat landscape grow rapidly in recent years. Ransomware, phishing, supply chain attacks: what used to be exceptions has now become almost daily news. “If your IT isn’t in order, anything can happen,” he says. “And with us, the impact is immediate. If dozens of lorries stand still for two days, you’ve got a serious problem.”

The first wake-up call came when he heard about NIS2 through an IT supplier in Eindhoven. In a webinar, it became clear that large NIS2 organisations will soon start looking much more critically at their suppliers. They may no longer work with parties that pose an obvious risk, especially if those suppliers cannot demonstrate that their digital security is in order.

Ruud immediately recognised this as a risk for a logistics service provider like Van Rooijen. Large customers must be able to prove that their supply chain is secure. That includes carriers, storage partners and IT suppliers. As he puts it plainly: “If you can’t demonstrate anything, you may simply be excluded. We certainly don’t want Van Rooijen to be seen as the ‘weak link’.” And he also knows: the company cannot afford to lose major clients. That is a crucial part of his motivation.

He mentions three main reasons for pursuing the NIS2 Quality Mark:

  • Supply chain and customers: proving that Van Rooijen is a reliable and secure partner for major NIS2 organisations.

  • Legal obligation: complying with current and future, stricter requirements. “If you’re not compliant, you get a fine. Management is personally liable,” he explained to his board.

  • Internal conviction: his own sense of responsibility. “I simply knew we weren’t finished,” he says. “We had arranged a lot, but not everything was documented and demonstrable.”

That combination made the difference. When a Datect brochure about the NIS2 Quality Mark landed on his desk, everything fell into place. “I thought: this fits us,” he says. A clear goal (certification), at a level achievable for a family-owned business, and serious enough to convince customers and auditors.

If he had to pick one “initial reason,” he always returns to the same point: “If we don’t have things in order, a cyberattack could bring the company to a standstill.” From there, reputation, legislation and customer expectations followed naturally.

How Ruud experienced obtaining the NIS2 Quality Mark

Achieving the NIS2 Quality Mark sounds like a big job. Yet it wasn’t too bad, Ruud says. “We completed the process and obtained the certificate. It took us a year, but it was manageable alongside the day-to-day work.”

Support from the company’s management was essential. Sufficient budget was allocated for guidance and, where necessary, for investments in security solutions. Management is also part of the newly established Cyber Security Incident Response Team. At Van Rooijen, management and IT operate as one team in the fight against security threats.

Was it difficult to obtain the NIS2 Quality Mark? Yes and no. Substantively, it required attention to detail, but it wasn’t impossible. Many of the technical measures were already in place: back-up and restore processes, redundant environments, endpoint protection, monitoring. “A lot of the requirements cover things we were already doing. The main task is documenting it and testing it regularly.” As a result, the focus was on policy and structure:

  • Ruud wrote 15 to 20 policy documents covering all NIS2 topics.

  • Existing arrangements, such as password and back-up policies, were expanded and formally documented.

  • Fixed control moments were introduced, such as biannual back-up/restore tests with logbooks.

He calls the process pragmatic: “In many cases, I simply wrote down what we were already doing: this is my policy. Then Datect helped identify what was missing and where the gaps were.” The guidance was essential, he says. “My problem was: where do I start? Datect provided the framework: this is the Christmas tree, and these are the baubles you need to hang in it.”

The result is a set of documents valuable not only for the NIS2 Quality Mark, but also for other audits. “Soon I’ll have another financial audit in Eindhoven. Then I can say: question 1, this document; question 2, that document. It helps on multiple fronts.”

Reputation, major clients and avoiding a paper exercise

For a logistics company working for major food and other brands, continuity and reputation are everything. A major IT outage or hack affects not only operations but also client trust.

Van Rooijen Logistiek therefore sees the NIS2 Quality Mark as much more than a compliance checkbox. “You don’t want to do it just because the law says so,” Ruud explains. “You also don’t want to experience your systems going down as a company. And I certainly don’t want to experience that as the person ultimately responsible. You want to have a strong story for your customers. You can even use it in your sales pitch.”

When customers ask about digital security, he no longer needs to give a long explanation. He can show the quality mark, hand over the policy documents and clearly explain what Van Rooijen does regarding back-ups, awareness, supply chain security and monitoring. It avoids debate and builds trust.

For Ruud, it is also important that the quality mark does not become a “paper tiger.”
“It mustn’t become a document that ends up in a drawer,” he says. “You really have to check your back-ups, install patches and log that you’ve done so. You have to stay on top of it continuously.”

A feasible, valuable step for SMEs

Ruud is positive about the NIS2 Quality Mark as a tool for SMEs. He believes ISO 27001 is often too big a step for smaller companies, but sees QM20, the intermediate level of the quality mark, as a strong alternative. “This is the ideal step in between,” he says. “It’s achievable, but serious. You are forced to organise things properly, and you can demonstrate it.”

He hopes other SME entrepreneurs will take the same step: better to act now than to be surprised later by the demands of major clients or by an incident. Because one thing everyone wants to avoid, whether you are an IT manager or a business owner, is losing major customers because your digital security isn’t up to standard.