NIS2 Quality Mark

The NIS2 Directive holds essential and important companies, also known as NIS2 companies, responsible for the cybersecurity of their supply chain. This means they will require their direct suppliers, often SMEs, to prove they are digitally secure. SMEs must therefore provide verifiable evidence of their security measures.
The NIS2 Quality Mark certificate is this evidence. With a modular standards system consisting of three levels (QM10, QM20, and QM30), companies can implement the appropriate security measures, tailored to their organisation and the associated risk.
Price for use of the standard by NIS2 companies and SMEs: € 0,-
If you provide GRC software or are an audit organization and wish to undertake commercial activities using the NIS2 Quality Mark, please get in touch.
Which companies are considered suppliers under NIS2?
Many companies and organisations supply directly or indirectly to NIS2-obliged companies and may therefore be required to demonstrate that they work securely. The NIS2 Quality Mark helps them meet these requirements.
Below is an overview of suppliers that may be subject to NIS2:
- ICT & Cybersecurity – IT service providers, managed service providers (MSPs), cloud providers, data centres, network companies, cybersecurity firms, software developers, SaaS providers, hosting providers, telecom companies, and IT audit firms.
- Industry, Manufacturing & Infrastructure – Machine manufacturers, industrial automation companies (OT/ICS), suppliers of production lines, suppliers of industrial components, parts suppliers, 3D printing companies, energy and water management providers, smart technologies (IoT), factory automation specialists, and technical maintenance companies.
- Food Industry & Supply Chain – Food production companies, suppliers of food processing machinery, packaging industry, cold transport companies, and warehouse management companies.
- Transport & Logistics – Transport companies, logistics service providers, shipping companies, aviation suppliers, railway logistics, container terminals, and supply chain management companies.
- Consultancy & Services – IT consultants, cybersecurity specialists, legal and compliance advisors, accountants, risk management agencies, and financial service providers.
- Marketing & Communications – Marketing agencies, PR firms, web design and hosting companies, digital media agencies, and e-commerce platforms.
- Construction & Architecture – Architectural firms, construction companies, engineering agencies, property management companies, suppliers of building materials, and installation companies.
- Energy & Utilities – Energy suppliers, water companies, critical infrastructure maintenance companies, and manufacturers of energy storage systems.
Companies that create digital, physical, or operational dependencies within the supply chain of a NIS2-obliged organisation must be able to demonstrate that they operate securely wherever such a dependency creates a risk. The NIS2 Quality Mark helps them meet this requirement easily.
There are many assets to be protected for NIS2 companies. Here is a list.
What about risks and which NIS2 QM certificate should I get?

If your company supplies to large organisations that supply to NIS2 companies, or if you supply directly to NIS2 companies, then NIS2-QM10 is the certification standard you need to demonstrate compliance with the required security standards. This is the standard for most companies operating in the supply chain.
NIS2 focuses on risk management. If a supplier is inadequately secured, this can pose a risk to the NIS2 companies they supply directly or indirectly. This can lead to vulnerabilities in IT, digital communications, physical infrastructure, electronic data interchange (EDI), delivery and ordering systems, and even in products that contain operational technology (OT) software. OT software controls machines whether they are connected to the Internet or not. Because NIS2 takes an “all hazards” approach, it considers different types of risk, not just those related to IT.
The main rule of thumb is that the greater the impact of your products or services on your customer, the greater the risk you pose and the higher the standard you need to achieve.
For most SMEs in the supply chain, the NIS2-QM10 certificate will be sufficient. So, do you supply to companies that supply to NIS2 companies, or directly to a NIS2 organisation? And are you not an IT or OT company? Then NIS2-QM10 is the minimum certification standard to demonstrate that your company has sufficient security measures in place.
If you think your company may be at a higher risk, for example because you have access to highly sensitive data, your product is an essential component for your customer, or your product is difficult to replace, then you should talk to your customer about a potentially higher certification standard. Not sure if you need a higher level of certification? Contact the Support Desk for advice.