The standard for a resilient chain

Why an NIS-2 Quality Mark
The NIS2 Directive holds essential and important entities, known as NIS2 companies, responsible for cybersecurity within their supply chains. They will therefore require their direct suppliers, often SMEs, to demonstrate digital security. This means that SMEs will have to provide concrete proof of the security measures they have taken. The NIS-2 Quality Mark is the way to demonstrate this.
What is the NIS-2 Quality Mark
The NIS-2 Quality Mark is a seal of approval that demonstrates that your company is digitally secure and meets the requirements of the NIS-2 directive. It is made up of a modular standards system with three levels: QM10, QM20 and QM30. Each level prescribes specific security measures tailored to the risks and needs of your organization.
Does your organization supply directly or indirectly to NIS2 companies? Then NIS2-QM10 is often the seal of approval you need to prove that you meet the required security standards. This is the standard for most companies in the supply chain.
The rule of thumb is simple: the greater the impact your products or services have on your customer, the greater the risk you pose, and the higher the standard you must achieve. With the NIS2 Quality Mark, you not only demonstrate compliance, you also strengthen confidence in your company.
What do QM10, QM20 and QM30 entail?
We can imagine you are now wondering: so what, specifically, do QM10, QM20 and QM30 entail? QM10 addresses organizational, people-oriented, physical and technological management measures. QM20 and QM30 expand this with OT management and IT management control measures, with QM30 adding further control measures on top of QM20. Below is a brief overview of the measures:
QM10 - Basic measures.
Under QM10, you must implement management measures, such as:
1️⃣ Cybersecurity Policy - Formally established policy with clear responsibilities.
2️⃣ Access Management - Multi-factor authentication (MFA) and strict access rights.
3️⃣ Incident Management - Procedures for detecting and reporting security incidents.
4️⃣ Device Security - Regular updates and malware protection.
5️⃣ Awareness & Training - Educate employees and administrators in cybersecurity.
Enhancements in QM20 compared to QM10
QM20 has more requirements, requiring you to implement additional control measures such as:
1️⃣ Classification of Information - Data Confidentiality and Protection Policy.
2️⃣ Supplier security - Cybersecurity requirements and agreements in contracts.
3️⃣ Control of user accounts - Stricter registration, monitoring and revocation of accounts.
4️⃣ Data transfer security - Encryption and secure communication channels.
5️⃣ Compliance monitoring - Regular internal reviews of security measures.
Enhancements in QM30 compared to QM20
The most comprehensive quality mark is QM30, which requires you to satisfy additional management measures such as:
1️⃣ Managing OT systems - Inventory, segmentation and patch management for operational technology.
2️⃣ Stricter cloud services control - Secure selection, monitoring and exit strategies for cloud providers.
3️⃣ Secure software development - Source code management and application security testing.
4️⃣ Digital forensic evidence - Procedures for collecting and securing incident data.
5️⃣ Independent security audits - External review of cybersecurity measures.
Want to know more about the quality marks? You can download the complete contents of the quality marks here.
Frequently Asked Questions

Why Fendix?
Getting started with the NIS-2 Quality Mark
Want to get started with the NIS-2 Quality Mark? We can help you in several ways, such as a GAP analysis that gives you insight into what you need to do before implementation, or a guided or de-risked implementation process.
We have already helped these organizations

Schedule a no-obligation consultation today
What to expect.