Frequently asked questions

This page provides answers to frequently asked questions about NIS2, certification, audits, and related topics. Can’t find your question? Please contact our support desk.

For companies

What is the NIS2 Quality Mark, and how can it help companies?

The NIS2 Quality Mark is the certificate that proves your organisation operates securely.

The NIS2 directive makes essential and important companies—known as NIS2 companies—responsible for the cybersecurity of their supply chain. This means they must require their direct suppliers, often SMEs, to demonstrate that they work securely. As a result, SMEs must provide verifiable proof (a certificate) of their security measures.

Why are NIS2 companies responsible for the cybersecurity of their suppliers?

Article 21.2d of the NIS2 directive states:
d) the security of the supply chain, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers;

The NIS2 directive specifies that essential and important companies—so-called NIS2 companies—are responsible for the cybersecurity of their supply chain wherever risks arise. This means they can require their direct suppliers to demonstrate that they operate securely.

How can suppliers demonstrate compliance with NIS2 requirements?

The NIS2 Quality Mark certificate serves as proof that your organization operates securely. The modular standards system has three levels (QM10, QM20, and QM30), allowing companies to implement the appropriate security measures that match their organization and risk profile.

Which companies are suppliers under the NIS2 directive, and who needs the NIS2 Quality Mark?

Many companies and organisations supply goods or services directly or indirectly to NIS2-obligated companies and may therefore be required to demonstrate that they operate securely. The NIS2 Quality Mark helps them meet these requirements.

Below is an overview of suppliers who may fall under NIS2:

  • ICT & Cybersecurity – IT service providers, managed service providers (MSPs), cloud providers, data centres, network companies, cybersecurity firms, software developers, SaaS providers, hosting providers, telecom companies, and IT audit firms.
  • Industry, Manufacturing & Infrastructure – Machine builders, industrial automation companies (OT/ICS), suppliers of production lines, suppliers of industrial components, parts suppliers, 3D printing companies, energy and water managers, smart technologies (IoT), factory automation specialists, and technical maintenance companies.
  • Food Industry & Supply Chain – Food production companies, suppliers of food processing machinery, packaging industry, cold transport companies, and warehouse management companies.
  • Transport & Logistics – Transport companies, logistics service providers, shipping companies, aviation suppliers, rail logistics, container terminals, and supply chain management companies.
  • Consultancy & Services – IT consultants, cybersecurity specialists, legal and compliance advisors, accountants, risk management agencies, and financial service providers.
  • Marketing & Communications – Marketing agencies, PR firms, web design and hosting companies, digital media agencies, and e-commerce platforms.
  • Construction & Architecture – Architectural firms, construction companies, engineering agencies, property management companies, suppliers of building materials, and installation companies.
  • Energy & Utilities – Energy suppliers, water companies, maintenance companies for critical infrastructure, and manufacturers of energy storage systems.

Companies that create digital, physical, or operational dependencies within the supply chain of a NIS2-obligated organisation must demonstrate secure operations in the event of a risk. With the NIS2 Quality Mark, they can easily meet this obligation.

Which NIS2 QM certificate should my company obtain?

The most commonly used certificate is the NIS2-QM10 Basic. The right certificate depends on the risk your company poses to your client. The greater the impact of your products or services on your client, the higher the risk you present, and the higher the standard you must achieve. For most SMEs, NIS2-QM10 is sufficient, but if a company has access to highly sensitive data or provides hard-to-replace products, a higher standard (such as QM20 or QM30) may be required.

How is the appropriate certification level determined?

The appropriate certification level depends on the risk your company poses to your customer. The greater the impact of your products or services on your customer, the higher the risk you represent, and the higher the standard you need to meet.

  • QM10 Basic – For SMEs with a limited risk who supply NIS2-obliged companies.
  • QM20 Substantial – For companies with elevated risks due to their role or access to sensitive data, such as ICT companies or businesses with OT or physical access.
  • QM30 High – For critical companies in the supply chain that pose a significant risk of disruption in the event of a cyber incident.

What are the risks for NIS2 companies and their suppliers?

NIS2 focuses on managing various types of risks that can impact the supply chain. Risks can relate to IT, digital communication, physical infrastructure, electronic data interchange (EDI), delivery systems, and products with operational technology (OT) software. Since NIS2 takes an “all hazards” approach, it includes not only IT risks but also other types of risks. Therefore, it is essential for companies within the supply chain to demonstrably have their cybersecurity in order.

What should I do if I am unsure about the correct certification level?

If you are unsure about which certification level (QM10, QM20, or QM30) to achieve, it is advisable to discuss this with your client. The client can assess the risks your company may pose. For further advice, you can also contact the NIS2 Quality Mark support desk.

For Auditors

What are the requirements to become an auditor for the NIS2 Quality Mark?

You must have experience in auditing. For the QM20 and QM30 levels, knowledge of ISO 27001 is required. The audits focus on three levels: QM10 (Basic), QM20 (Substantial), and QM30 (High). These form a ladder that allows companies to gradually improve their cybersecurity. Familiarity with SMEs is an important plus.

What type of audit is the NIS2 QM audit?

The NIS2 QM audit is a thorough and serious audit. Because the lower levels cover a more limited set of measures, those audits take less time than audits against the higher standards. The audit assesses whether the implemented measures are effectively applied. The goal is to audit companies carefully while simultaneously encouraging their growth towards better cybersecurity.

How does the training for auditors proceed?

You will attend a half-day training where you will learn to work with our risk-based approach, process-oriented auditing, and our reporting tool. You will practise conducting audits that both assess the company and encourage it to improve.

What kind of companies will I be auditing?

As an auditor, you will work with a diverse group of companies, ranging from small SMEs to large suppliers in critical sectors. These include IT service providers, manufacturing companies, logistics firms, installation companies, consultancy firms, and other suppliers to NIS2-obligated organizations.

Given that their knowledge and experience with cybersecurity can vary widely, you will tailor your approach to the specific context and needs of each company. For smaller companies, the focus is often on basic measures and raising awareness, while larger organizations are required to demonstrate more advanced security processes and compliance. An effective audit takes these differences into account and provides companies not only with an assessment but also valuable insights for further improvement.

How do I register as an auditor?

Audit organisations that wish to participate can fill out the contact form.

We will then get in touch with you. You will receive more information about the arrangements, methodology, training, and next steps.