NIS2

Expert

Not all businesses are the same – it’s a good thing the NIS2 Quality Mark includes different risk levels

Hans ten Hove, Area Vice President for Continental Europe at Kaseya

Kaseya is a global provider of IT and security management solutions for Managed Service Providers (MSPs) and mid-sized businesses. The company offers an integrated platform that enables IT professionals to efficiently manage and secure their infrastructure. In June 2022, Kaseya acquired Datto, a provider of security and cloud-based software solutions developed specifically for MSPs. We speak with expert Hans ten Hove.

Prevention and recovery are the two key pillars of the (upcoming) NIS2 Directive. How important is it to clearly explain that?
Hans: “Extremely important. Many businesses still view cybersecurity as something like ‘I’ll just buy an antivirus package and then I’m safe’. But NIS2 is about a much broader approach:

Prevention – what must your organisation do to protect itself as effectively as possible?
Recovery – what happens if something does go wrong? Do you have an emergency plan? How quickly can you become operational again after a cyberattack?

The challenge with legislation is that it’s often imposed without making a clear and understandable translation for entrepreneurs. That’s why the NIS2 Quality Mark is such a valuable initiative. It helps businesses understand what they need to do and provides MSPs with a framework to guide their clients.”

How do you view the NIS2 Quality Mark from your professional perspective?
Hans: “Well, first of all, it didn’t exist yet, and I think it’s really essential. The legislation around NIS2 is quite abstract and doesn’t concretely spell out what entrepreneurs need to do or why. The NIS2 Quality Mark bridges that gap, and that’s critical.

Moreover, not all businesses are the same, and it’s a good thing the Quality Mark includes different levels. That makes it more accessible for SMEs and enables them to work together with their MSPs using a shared dashboard: where do we stand, what have we arranged, and what still needs attention? Such a reference framework is vital. Without frameworks like this, the implementation of and compliance with NIS2 will fall behind. So, I wholeheartedly support this initiative.”

The Quality Mark is written in plain, accessible language. How important is that?
Hans: “Extremely important. Not because entrepreneurs aren’t intelligent, but because cybersecurity is often explained in technical jargon that many business owners don’t understand. But ultimately, it’s not about the tech—it’s about the impact on your business. IT is no longer a separate silo within a company—it’s an integral part of business operations. That’s why we need to speak in business terms, not just technical specifications.”

Some describe the NIS2 Quality Mark as a ‘licence to operate’. Would you agree?
Hans: “Absolutely. More and more, larger companies are asking their suppliers how they have arranged their cybersecurity. Some SMEs think they don’t need to comply with NIS2, but that’s a misconception. Hackers don’t care about regulations—they look for vulnerable targets. And as a small business, you’re not only responsible for your own cybersecurity, but you’re also a potential weak link in the supply chain. If your company is attacked and a major client is impacted as a result, the consequences extend far beyond your own organisation. This isn’t a choice—it’s an obligation.”

What do you believe will determine the success of the NIS2 Quality Mark?
Hans: “The translation from risk assessment to concrete technical measures must be as clear as possible. NIS2, for instance, says you must assess vulnerabilities across people, processes, and technology. But what does that actually mean? What tools do you need? How far should you go?

The Quality Mark must give entrepreneurs clarity on the minimum level of security they need and what questions they should ask their MSPs. Without that practical guidance, companies might wrongly assume that antivirus software is enough, when in fact that’s nowhere near sufficient.”

So you’re essentially saying: cybersecurity is not just about technology, but also about people?
Hans: “Absolutely. The human factor is one of the biggest risks. It doesn’t matter how good your technical defences are—if an employee clicks on the wrong link or opens a phishing email, the damage can be enormous. That’s why cyber resilience training and simulations are essential. Every business owner should be addressing this, and MSPs should be offering this as standard to their clients. But it’s still happening far too infrequently.”
