The standard for a resilient chain

Why obtain a NIS2 Supply Chain certificate?
The NIS2 Directive makes essential and important companies, known as NIS2 companies, responsible for cybersecurity within their supply chain. They will therefore require their direct suppliers, often SMEs, to demonstrate that their digital operations are secure. This means that SMEs must provide concrete evidence of the security measures they have taken. The NIS2 Supply Chain certificate (formerly NIS2 Quality Mark) is the best way to demonstrate this.
What is the NIS2 Supply Chain Certificate?
The NIS2 Supply Chain certificate is a quality mark that demonstrates that your company's digital operations are secure and that it complies with the requirements of the NIS2 Directive. It is structured as a modular system of standards with three levels: SC10, SC20, and SC30. Each level offers specific security measures tailored to the risks and needs of your organization.
Does your organization supply NIS2 companies directly or indirectly? If so, NIS2-SC10 is often the certification you need to prove that you meet the required security standards. This is the default standard for most companies in the supply chain.
The rule of thumb is simple: the greater the impact of your products or services on your customer, the greater the risk you pose, and the higher the standard you must meet. With the NIS2 Supply Chain certificate, you not only demonstrate compliance, but also strengthen trust in your company.
What do SC10, SC20, and SC30 mean?
You may now be wondering what exactly SC10, SC20, and SC30 entail. SC10 addresses organizational, people-oriented, physical, and technological control measures. Within SC20 and SC30, this is expanded with OT management and IT management control measures, with SC30 containing additional control measures compared to SC20. Below is a brief overview of the measures:
SC10 - Basic measures
Under SC10, you must implement control measures such as:
1️⃣ Cybersecurity Policy - Formally established policy with clear responsibilities.
2️⃣ Access Management - Multi-factor authentication (MFA) and strict access rights.
3️⃣ Incident Management - Procedures for detecting and reporting security incidents.
4️⃣ Device Security - Regular updates and malware protection.
5️⃣ Awareness & Training - Educate employees and administrators in cybersecurity.
Extensions in SC20 compared to SC10
SC20 has more requirements: you must implement additional control measures such as:
1️⃣ Classification of Information - Data Confidentiality and Protection Policy.
2️⃣ Supplier security - Cybersecurity requirements and agreements in contracts.
3️⃣ Control of user accounts - Stricter registration, monitoring and revocation of accounts.
4️⃣ Data transfer security - Encryption and secure communication channels.
5️⃣ Compliance monitoring - Regular internal reviews of security measures.
Extensions in SC30 compared to SC20
The most comprehensive certificate is SC30, which requires you to comply with additional control measures such as:
1️⃣ Managing OT systems - Inventory, segmentation and patch management for operational technology.
2️⃣ Stricter cloud services control - Secure selection, monitoring and exit strategies for cloud providers.
3️⃣ Secure software development - Source code management and application security testing.
4️⃣ Digital forensic evidence - Procedures for collecting and securing incident data.
5️⃣ Independent security audits - External review of cybersecurity measures.
Want to know more about the quality marks? You can download the complete contents of the quality marks here.
Why Fendix?
Getting started with the NIS2 Supply Chain Certificate
Would you like to get started with the NIS2 Supply Chain certificate? We can help you in several ways. For example, with a GAP analysis to gain insight into what you need to do prior to implementation, or with a guided or fully managed implementation process.