NIS2 Quality Mark
The NIS2 Directive makes essential and important companies, also known as NIS2 companies, responsible for the cybersecurity of their supply chain. This means that they will require their direct suppliers, often SMEs, to demonstrate that they operate securely in a digital environment. SMEs will therefore need to provide evidence of their security measures.
The NIS2 Quality Mark certificate provides this proof. With a modular standard system consisting of three levels (QM10, QM20 and QM30), companies can implement the appropriate security measures tailored to their organisation and the associated risk.
NIS2-QM10
- Organisational control measures
- People-oriented management measures
- Physical management measures
- Technological management measures
NIS2-QM20
- Organisational control measures
- People-oriented management measures
- Physical management measures
- Technological management measures
- OT management measures
- IT management measures
NIS2-QM30
- Organisational control measures
- People-oriented management measures
- Physical management measures
- Technological management measures
- OT management measures
- IT management measures
Price for use of the standard by NIS2 companies and SMEs: € 0,-
If you provide GRC software or are an audit organization and wish to undertake commercial activities using the NIS2 Quality Mark, please get in touch.
What types of companies are suppliers under NIS2?
For which companies and organisations is it important to obtain the NIS2 QM? Which companies are considered to be suppliers? Examples include architectural firms, transport companies, logistics companies, car companies, service companies, consultants, marketing agencies, etc.
What about risks and which NIS2 QM certificate should I get?
If your company supplies to large organisations that supply to NIS2 companies, or if you supply directly to NIS2 companies, then NIS2-QM10 is the certification standard you need to demonstrate compliance with the required security standards. This is the standard for most companies operating in the supply chain.
NIS2 focuses on risk management. If a supplier is inadequately secured, this can pose a risk to the NIS2 companies they supply directly or indirectly. This can lead to vulnerabilities in IT, digital communications, physical infrastructure, electronic data interchange (EDI), delivery and ordering systems, and even in products that contain operational technology (OT) software. OT software controls machines whether they are connected to the Internet or not. Because NIS2 takes an “all hazards” approach, it considers different types of risk, not just those related to IT.
The main rule of thumb is that the greater the impact of your products or services on your customer, the greater the risk you pose and the higher the standard you need to achieve.
For most SMEs in the supply chain, the NIS2-QM10 certificate will be sufficient. So, do you supply to companies that supply to NIS2 companies, or directly to a NIS2 organisation? And are you not an IT or OT company? Then NIS2-QM10 is the minimum certification standard to demonstrate that your company has sufficient security measures in place.
If you think your company may be at a higher risk, for example because you have access to highly sensitive data, your product is an essential component for your customer, or your product is difficult to replace, then you should talk to your customer about a potentially higher certification standard. Not sure if you need a higher level of certification? Contact the Support Desk for advice.