Fendix launches NIS2 Supply Chain implementations

At Fendix, we have taken the first steps in implementing the NIS2 Supply Chain Certificate (formerly NIS2 Quality Mark). The NIS2 Supply Chain Certificate (NIS2 SC) is a label developed in response to the European NIS2 Directive. We spoke to our colleague Jelle, Senior Consultant at Fendix, to discuss how he experiences it.

This article was last updated on 24.03.2026.
Written by Gijs Nabuurs, Information Security Consultant & Marketing Specialist

What is a NIS2 Supply Chain Certificate?

The NIS2 directive emphasizes digital safety and chain responsibility. Are you a NIS2 organization? Then not only your organization must be safe, but also all organizations within your chain. With the NIS2 Supply Chain Certificate the suppliers of organizations subject to NIS2 can demonstrate that they have their cybersecurity in order.

 

The label works with three levels:

 

  • SC10 (Basic) — the basic measures for organizations with a lower risk profile
  • SC20 (Substantial) — for organizations with more risks, including Operational Technology (OT)
  • SC30 (High) — the highest level, for organizations in critical chains or where the impact of incidents can be significant

 

How does such an implementation work?

Jelle explained how we approach such a process at Fendix. The process is very similar to an ISO 27001 process, but with OT as an important addition at the SC20 and SC30 levels.

 

“We always start with a GAP analysis. In doing so, we map out where the organization is now and where there are still gaps,” says Jelle.

At the organization where Jelle is currently active, no ISO 27001-certified ISMS had been implemented yet. Someone has been hired to set up all the documentation, while we clarify and prioritize the pain points from the GAP analysis.

 

“After the risk analysis has been completed, we will start drawing up and implementing policies and measures. Think of technical solutions, processes and clear responsibilities,” says Jelle.

For example, according to the NIS2 Supply Chain High Certificate (NIS2 SC 30), organizations must:

 

  • use a procedure and a checklist to ensure that employees and hired staff return business assets (such as laptops, phones, keycards and keys) after the expiration or modification of their employment contract (1.8);
  • implement a procedure to ensure that access rights are properly provided, modified and removed (1.14);
  • ensure that employees and contractors sign a confidentiality agreement, which states that confidential information exchanged during the collaboration may not be disclosed to third parties (2.5);
  • record and analyse relevant event logs (4.11);
  • establish and apply rules, based on a risk assessment, that clarify the cases in which stored and transmitted information must be protected with a specific form of cryptography (4.12).

 

OT components often require a lot of extra attention, because those systems are directly intertwined with business processes. In addition, awareness and support are an important part. After all, digital security is not just a matter of IT, but of the entire organization. “Employees need to know what their role is and why certain measures are necessary,” says Jelle.

 

Another challenge

The implementation of the Dutch NIS2 Directive (Cybersecurity Act) has been postponed to Q2 of 2026. Because the introduction of NIS2 has been delayed, many organizations are waiting. “That's risky,” says Jelle. “For example, there is not enough urgency among the organizations. The implementation of the law is going to happen anyway. Anyone who already starts with the NIS2 Supply Chain certificate is at the forefront and prevents the process from coming into time pressure.”

 

Why is this important?

A NIS2 Supply Chain certificate shows that you are serious about digital safety. Increasingly, customers, partners and supervisors are asking for demonstrable certainty. Without a plan B or exit strategy, you are dependent, and if things go wrong, the consequences are not only technical, but also operational and reputational.

The label therefore helps you to get a grip on that responsibility step-by-step, at a level that suits your organization.

 

The first processes have started

At Fendix, we have now started with the first NIS2 Supply Chain implementations. Our consultants guide organizations from GAP analysis to policy, implementation and maintenance. We see that organizations without ISO 27001 certification can also take big steps if the right tools are available.

 

Want to know more?

Do you want to know what level (SC10, SC20 or SC30) suits your organization? Or where you are now and what it takes to get started? We'd love to help you.

 

Feel free to contact us for an informal conversation. Together, we will look at the best approach for your organization.
