News

Fendix kicks off NIS2 Quality Mark implementations

At Fendix, we have started the first processes for implementing the NIS2 Quality Mark. The NIS2 Quality Mark (QM) is a quality mark developed in response to the European NIS2 Directive. We sat down with our colleague Jelle, Senior Consultant at Fendix, to discuss how he experiences it.
This article was last updated on 9/10/2025

What is the NIS2 Quality Mark?

The NIS2 Directive emphasizes digital security and supply chain responsibility. Are you an NIS2 organization? Then not only must your organization be secure, but so must all organizations within your chain. The NIS2 Quality Mark allows suppliers of NIS2-compliant organizations to demonstrate that they have their cybersecurity in order.

 

The label works with three levels:

 

  • QM10 (Basic) - the basic measures for organizations with a lower risk profile
  • QM20 (Substantial) - for organizations with more risk, where Operational Technology (OT) is also included
  • QM30 (High) - the highest level, for organizations in critical chains or where the impact of incidents can be high

 

How does such an implementation go?

Jelle explained how we approach such a trajectory at Fendix. The process is very similar to an ISO 27001 trajectory, but with OT as an important addition to QM20 and QM30.

 

"We always start with a GAP analysis. With this we map out where the organization is now and where there are still gaps," says Jelle.

At the organization where Jelle now operates, an ISO 27001-certified ISMS had not yet been implemented. Someone was hired to set up all the documentation, while we use the GAP analysis to understand and prioritize the pain points.

 

"After the risk analysis is complete, we get to work drafting and implementing policies and measures. Think technical solutions, processes and clear responsibilities," Jelle indicates.

For example, according to the NIS2 Quality Mark High (30), organizations should:

  • use a procedure and checklist to ensure that employees and hired workers return company assets (such as laptops, phones, keycards and keys) after their employment contracts expire or are modified (1.8);
  • implement a procedure to ensure that access rights are properly granted, modified and removed (1.14);
  • ensure that employees and hired workers sign a confidentiality agreement, which stipulates that confidential information exchanged during the collaboration must not be disclosed to third parties (2.5);
  • record and analyze logs of relevant events (4.11);
  • based on a risk assessment, establish and apply rules that clarify in which cases stored and transmitted information should be secured with a specific form of cryptography (4.12).

 

OT components often require a lot of extra attention because those systems are directly intertwined with business processes. Another important component is awareness and support. After all, digital security is not just a matter of IT, but of the entire organization. "Employees need to know what their role is and why certain measures are necessary," Jelle says.

 

Another challenge

The Dutch implementation of the NIS2 Directive (the Cyber Security Act) has been delayed to Q2 of 2026, and many organizations are waiting as a result. "That's risky," Jelle believes. "That's not creating enough urgency among organizations quickly enough. The implementation of the law is going to happen anyway. Those who start with the Quality Mark now are ahead of the game and prevent the process from coming under time pressure later."

 

Why is this important?

An NIS2 Quality Mark shows that you are serious about digital security. Increasingly, customers, partners and regulators are demanding demonstrable assurance. Without a plan B or exit strategy, you are dependent, and if things go wrong, the consequences are not just technical, but operational and reputational.

The label therefore helps you get a step-by-step grip on that responsibility, with a level that suits your organization.

 

The first pathways have started

At Fendix, we have now begun the first NIS2 Quality Mark implementations. Our consultants guide organizations from GAP analysis to policy, implementation and maintenance. We see that even organizations without ISO 27001 certification can make great strides when the right tools are in place.

 

Want to know more?

Want to know which level (QM10, QM20 or QM30) suits your organization? Or where you are now and what it takes to get started? We would be happy to help you.

 

Feel free to contact us for a no-obligation consultation. Together we will see what the best approach is for your organization.

Mathijs Oppelaar
Operations Manager
085 773 60 05