
NIS2 Supply Chain: proof that your cybersecurity is in order

The NIS2 Directive requires organizations covered by this legislation to safeguard not only their own cybersecurity, but also that of their entire supply chain. This means that companies that supply to NIS2 organizations must be able to demonstrate that they operate securely in the digital domain. On October 10, 2024, the Quality Innovation Foundation therefore officially launched the NIS2 Supply Chain certificate (formerly the NIS2 Quality Mark) in Europe.
This article was last updated on January 7, 2026.

What is the NIS2 Supply Chain Certificate?

The NIS2 Supply Chain certificate is a quality mark that shows that your organization complies with the cybersecurity requirements of the NIS2 directive. This quality mark helps you demonstrate to customers and partners that you meet the required security standards. The system has three levels: SC10 (basic level), SC20 (substantial level), and SC30 (high level), so that organizations can take measures that are appropriate to their risks and business activities. The higher the level, the more requirements apply to your organization. As you can see in the table below, an ISO 27001 certificate is more than sufficient to comply with all levels of the NIS2 Supply Chain certificate (in the table, QM stands for the former Quality Mark levels and corresponds to SC).

1. Overview: NIS2 Supply Chain Certificate vs. ISO 27001

Why is the NIS2 Supply Chain certificate important?

NIS2 places the responsibility for supply chain security with NIS2 organizations. They must ensure that their suppliers also take the appropriate cybersecurity measures. For suppliers, this means that they must be able to prove that their security is in order. The NIS2 Supply Chain certificate offers this assurance and makes compliance with NIS2 demonstrable. The greater the impact of your services on customers, the more requirements you must meet.

The three levels of the NIS2 Supply Chain certificate

SC10 – Basic measures

This level focuses on fundamental security measures such as:

  • Cybersecurity policies with clear responsibilities.
  • Multi-factor authentication and strict access rights.
  • Incident management and monitoring.
  • Regular updates and malware protection.
  • Employee awareness and training.

Does your organization provide services to an NIS2 company, but are you not required to register yourself? In that case, SC10 is usually sufficient to demonstrate that you have the basics of cybersecurity in place. This applies to most SMEs. Download all the requirements within SC10 here.

SC20 – Comprehensive security

In addition to the SC10 requirements, additional measures apply, such as:

  • Classification of information and tighter data security.
  • Security requirements in contracts with vendors.
  • Stricter monitoring and control of user accounts.
  • Encryption and secure communication channels.
  • Regular internal audits on security measures.

Does your organization offer ICT or OT services? If so, your customer may require SC20 or even SC30. This depends on the risk and impact of your service on the availability, integrity, and confidentiality (AIC) of their systems. Download all SC20 requirements here.

SC30 – Advanced cybersecurity

The highest level with additional management measures such as:

  • Management and security of OT systems.
  • Strict requirements for cloud services and vendors.
  • Secure software development and application testing.
  • Procedures for digital forensic evidence.
  • Independent external security audits.

Does your organization fall directly under the NIS2 legislation and are you required to register? Then SC30 is the minimum requirement. Further certification, such as ISO 27001, NEN 7510, or IEC 62443, is strongly recommended on top of it. Download all SC30 requirements here.

How long does a certification audit take?

The table below shows how long a certification audit for the NIS2 Supply Chain certificate takes (in the table, QM stands for the former Quality Mark levels and corresponds to SC). Do you already have ISO 27001 or NEN 7510 certification? Then you will be exempt from the specific requirements that are already covered by those certifications.

The certificate is valid for 3 years and is issued by the Quality Innovation Foundation, which also publishes the certificate in a central register.

2. Summary: audit time in hours by organization

How do we help?

Would you like to know where your organization stands and what steps are needed to comply with the NIS2 or obtain the NIS2 Supply Chain certificate? We can help you with:

  • A gap analysis - An analysis with concrete recommendations for meeting the requirements.
  • Implementation guidance - Assistance in implementing the necessary measures and obtaining the quality mark.

Want instant insight into your cybersecurity status and be prepared for NIS2 requirements? Contact us without obligation and find out how we can help you. 🚀

Kilian Houthuijzen
Account Manager
085 773 60 05
