Fendix launches NIS2 Supply Chain implementations

At Fendix, we have started the first processes for implementing the NIS2 Supply Chain certificate (formerly NIS2 Quality Mark). The NIS2 Supply Chain certificate (NIS2 SC) is a quality mark developed in response to the European NIS2 directive. We spoke with our colleague Jelle, Senior Consultant at Fendix, to discuss his experiences.
This article was last updated on January 7, 2026.

What is an NIS2 Supply Chain Certificate?

The NIS2 directive emphasizes digital security and chain responsibility. Are you an NIS2 organization? Then not only must your organization be secure, but so must all organizations within your chain. With the NIS2 Supply Chain certificate, suppliers of NIS2-compliant organizations can demonstrate that their cybersecurity is in order.

 

The quality mark has three levels:

 

  • SC10 (Basic) – basic measures for organizations with a lower risk profile
  • SC20 (Substantial) – for organizations with higher risks, where Operational Technology (OT) is also included
  • SC30 (High) – the highest level, for organizations in critical chains or where the impact of incidents can be significant

 

How does such an implementation go?

Jelle explained how we approach such a process at Fendix. The process is very similar to an ISO 27001 process, but with OT as an important addition to SC20 and SC30.

 

"We always start with a GAP analysis. With this we map out where the organization is now and where there are still gaps," says Jelle.

The organization where Jelle currently works had not yet implemented an ISO 27001-certified ISMS. Someone has been hired to set up all the documentation, while we are identifying and prioritizing the pain points based on the GAP analysis.

 

"After the risk analysis is complete, we get to work drafting and implementing policies and measures. Think technical solutions, processes and clear responsibilities," Jelle indicates.

According to the NIS2 Supply Chain High certificate (NIS2 SC 30), organizations must, for example:

 

  • use a procedure and checklist to ensure that employees and hired workers return company assets (such as laptops, phones, keycards and keys) after their employment contracts expire or are modified (1.8);
  • implement a procedure to ensure that access rights are properly granted, modified and removed (1.14);
  • ensure that employees and hired workers sign a confidentiality agreement, which stipulates that confidential information exchanged during the collaboration must not be disclosed to third parties (2.5);
  • record and analyze logs of relevant events (4.11);
  • based on a risk assessment, establish and apply rules that clarify in which cases stored and transmitted information should be secured with a specific form of cryptography (4.12).

 

OT components often require a lot of extra attention because those systems are directly intertwined with business processes. Another important component is awareness and support. After all, digital security is not just a matter of IT, but of the entire organization. "Employees need to know what their role is and why certain measures are necessary," Jelle says.

 

Another challenge

The implementation of the Dutch NIS2 directive (Cybersecurity Act) has been postponed until Q2 of 2026. Because the introduction of NIS2 has been delayed, many organizations are waiting to see what happens. "That's risky," says Jelle. "It means that organizations are not feeling the urgency quickly enough. The law will be implemented regardless. Those who start working on the NIS2 Supply Chain certificate now will be ahead of the game and avoid time pressure later on."

 

Why is this important?

An NIS2 Supply Chain certificate demonstrates that you take digital security seriously. Customers, partners, and regulators are increasingly demanding demonstrable security. Without a plan B or exit strategy, you are vulnerable, and if things go wrong, the consequences are not only technical but also operational and reputational.

The quality mark therefore helps you get a grip on that responsibility step by step, at a level that suits your organization.

 

The first pathways have started

At Fendix, we have now started the first NIS2 Supply Chain implementations. Our consultants guide organizations from GAP analysis to policy, implementation, and maintenance. We see that even organizations without ISO 27001 certification can make great strides when the right tools are available.

 

Want to know more?

Would you like to know which level (SC10, SC20, or SC30) suits your organization? Or where you currently stand and what is needed to get started? We are happy to help.

 

Feel free to contact us for a no-obligation consultation. Together we will see what the best approach is for your organization.

Mathijs Oppelaar
Operations Manager
085 773 60 05