The NIS2 Quality Mark provides a clear and achievable foundation

Julian van Sijp, Partner & co-founder Bluebird & Hawk

Bluebird & Hawk is a Dutch cybersecurity company specialising in information security, risk management, and security testing. They offer services such as quick scans, training, ISMS implementations, and penetration testing to help organisations strengthen their digital resilience. We speak with expert Julian van Sijp.

Could you introduce yourself?
Julian: “I’m Julian van Sijp, Managing Director of Bluebird & Hawk. I have a background in information security and have been working in this field for about ten years. Most of that time, I worked at De Nederlandsche Bank in Amsterdam.”

What roles did you have at De Nederlandsche Bank?
Julian: “I held various roles, including serving as an ambassador for the Netherlands, where I assisted central banks worldwide in improving their information security maturity. I was also a trainer in risk management for European central banks and worked on risk management for information security within De Nederlandsche Bank itself.”

How did Bluebird & Hawk come about?
Julian: “Together with Ewoud and Maurice, my current partners, we decided to start a new security consultancy firm focused primarily on information security and privacy.”

What types of companies do you serve?
Julian: “Our client base is very diverse, spanning government agencies, the financial sector, agriculture, healthcare, and more. We focus on tactical and strategic information security, looking at governance, organisational structure, and how companies implement security. Unlike companies with a purely technical focus, we help businesses with overarching strategic decisions: where to begin, what to prioritise, and how to align management with IT.”

So, you don’t provide 24/7 monitoring or incident response?
Julian: “No, we don’t offer 24/7 monitoring, specialised software, or incident response. Our role is at a different stage of the process—helping businesses make strategic and tactical decisions. For example, we assist in selecting the right type of monitoring or structuring an incident response plan that best fits the organisation.”

What is your view on the new Cybersecurity Act and the NIS2 Directive?
Julian: “There is a lot of confusion surrounding the terminology. Over the past two years, people have been bombarded with the term ‘NIS2.’ While the legislation is officially called NIS2 across Europe, in the Netherlands, it is implemented as the Cybersecurity Act. Essentially, it’s the Dutch version of the European directive.

Together with DTX, we’ve developed a toolkit to help businesses comply with NIS2 more efficiently. This toolkit includes both technical and governance-related components to accelerate compliance.”

Is this toolkit suitable for SMEs?
Julian: “For many SMEs, the current toolkit may be too extensive or even unnecessary. That’s why we are now collaborating with the NIS2 Quality Mark, which is specifically designed for businesses that don’t need to meet the highest levels of compliance. Together with DTX, we are adapting our toolkit to align with the Quality Mark’s requirements, making it more accessible for SMEs.”

Does this mean you are integrating the NIS2 Quality Mark into your toolkit?
Julian: “Yes, we are adopting the Quality Mark as a standard. Our toolkit is currently based on ISO 27001, Microsoft best practices, and the CIS baselines. Now, we are adding the Quality Mark’s baseline requirements, providing SMEs with a structured and achievable approach.”

What was your first impression of the NIS2 Quality Mark?
Julian: “What I find particularly strong about it is that it selects relevant security measures that smaller companies can implement. There are countless security measures available to reduce risks, but small businesses can’t do everything at once and often lack the resources. The Quality Mark provides a clear and manageable foundation.”

Why is this Quality Mark important for companies like Bluebird & Hawk?
Julian: “It gives us a clear standard to work with. Previously, we had to determine risks and security measures for each company individually. With the NIS2 Quality Mark, we can take a more structured approach, making the process more efficient.

Many SMEs don’t have the manpower to thoroughly assess all potential cybersecurity risks. The Quality Mark helps them navigate these challenges, and it allows us to provide practical and effective guidance.”

How was the process before the Quality Mark? Suppose a company had 15 employees—how would compliance work without it?
Julian: “Previously, we typically advised businesses to follow the ISO standard to some extent. This involved conducting risk assessments and implementing appropriate security measures. However, this approach was often too complex for smaller companies. They had to identify risks independently, or with our help, and then align them with NIS2.

For example, if a company supplied sterilised containers to a hospital, they would be considered a supplier to an essential organisation, meaning they had a duty of care to prevent cyber incidents from disrupting their services. Before, companies had to map out their risks from scratch. Now, they can start with the NIS2 Quality Mark, which not only requires risk assessment but also prescribes fundamental security measures. As a result, the remaining risks become much more manageable.”

Why is ISO certification difficult for smaller companies?
Julian: “Many small businesses lack the knowledge or resources to meet all ISO requirements.

• Certification takes time
• Audit and certification costs can be high
• Process-heavy frameworks may not fit small businesses
• Conducting a risk analysis is complex

To comply, many SMEs had to hire external consultants, which felt like an expensive and cumbersome process. As a result, cybersecurity was often pushed aside—considered a costly obligation rather than a necessity.”

How does the NIS2 Quality Mark improve this process?
Julian: “It gives businesses a clear roadmap: a practical guideline outlining the minimum security measures they need. They no longer have to figure everything out themselves, making compliance much more manageable, especially for SMEs. It doesn’t remove the need for risk assessment or ongoing improvements, but it does significantly raise the baseline security level within the SME sector. From there, companies can continue strengthening their cybersecurity step by step.”

The Quality Mark consists of three levels: QM10, QM20, and QM30. You focus on QM20 and QM30. Why not QM10?
Julian: “We believe QM10 might be too lightweight for our toolkit, but we are currently researching its potential value. If it proves beneficial, we may include it, but for now, our focus remains on QM20 and QM30.”

What do you see as the main benefit of NIS2 Quality Mark certification?
Julian: “Companies can have an audit performed and obtain an NIS2 Quality Mark certificate. Although the Quality Mark is currently used primarily in the Netherlands, it provides a way for businesses to demonstrate cybersecurity compliance to both national and international partners. It helps with accountability towards customers and suppliers, showing that an independent organisation has assessed and validated their cybersecurity practices.”