What is the NIS2 Quality Mark?
The NIS2 Quality Mark is a seal of approval that shows your organization meets the cybersecurity requirements of the NIS2 Directive. This mark helps you demonstrate to customers and partners that you meet the required security standards. The system has three levels: QM10 (basic level), QM20 (substantial level) and QM30 (high level), allowing organizations to take measures appropriate to their risks and business activities. The higher the level, the more requirements apply to your organization. As you can see from the table below, an ISO 27001 certificate is more than enough to meet all levels of the NIS2 Quality Mark.

Why is the NIS2 Quality Mark important?
NIS2 places the responsibility for supply chain security on NIS2 organizations. They must ensure that their suppliers also take appropriate cybersecurity measures. For suppliers, this means that they must be able to prove that their security is in order. The NIS2 Quality Mark provides this assurance and makes compliance with NIS2 demonstrable. The greater the impact of your services on customers, the more requirements there are to meet.
The three levels of the NIS2 Quality Mark
✅ QM10 - Basic measures
This level focuses on fundamental security measures such as:
- Cybersecurity policies with clear responsibilities.
- Multi-factor authentication and strict access rights.
- Incident management and monitoring.
- Regular updates and malware protection.
- Employee awareness and training.
Does your organization provide services to an NIS2 company, but you yourself are not required to register? Then QM10 is usually sufficient to demonstrate that you have the basics of cybersecurity in order. This applies to most SMEs. Download all the requirements within the QM10 here.
✅ QM20 - Comprehensive Security
In addition to the QM10 requirements, this level adds measures such as:
- Classification of information and tighter data security.
- Security requirements in contracts with vendors.
- Stricter monitoring and control of user accounts.
- Encryption and secure communication channels.
- Regular internal audits on security measures.
Does your organization provide ICT or OT services? If so, your customer may require QM20 or even QM30. This depends on the risk and impact of your service on the availability, integrity and confidentiality (CIA, abbreviated BIV in Dutch) of their systems. Download all the requirements within the QM20 here.
✅ QM30 - Advanced cybersecurity
The highest level, with additional management measures such as:
- Management and security of OT systems.
- Strict requirements for cloud services and vendors.
- Secure software development and application testing.
- Procedures for digital forensic evidence.
- Independent external security audits.
Does your organization fall directly under the NIS2 legislation and require registration? Then QM30 is required as a minimum. In addition, further certification, such as ISO 27001, NEN 7510 or IEC 62443, is strongly recommended. Download all the requirements within QM30 here.
How long does a certification audit take?
The table below shows how long a certification audit for the NIS2 Quality Mark takes. Do you already have an ISO 27001 or NEN 7510 certification? If so, you will be exempt from specific requirements already covered therein.
The certificate is valid for 3 years and is issued by the Quality Innovation Foundation, which also publishes the certificate in a central register.

How do we help?
Want to know where your organization stands and what steps are needed to comply with NIS2 or achieve the NIS2 Quality Mark? We help you with:
- A gap analysis - An analysis with concrete recommendations for meeting requirements.
- Implementation guidance - Assistance in implementing the necessary measures and achieving the seal of approval.
Want instant insight into your cybersecurity status and to be prepared for NIS2 requirements? Contact us without obligation and find out how we can help you. 🚀