NIS2 Supply Chain

If, as a supplier, you want to be able to demonstrate that you work securely digitally, the NIS2 Supply Chain seal of approval is available.

DigiTrust is available as a selected specialist to audit and certify your organisation.

Assessing your information security management system is our core business. We have our own team of auditors, who look closely at the context of your organisation.

More than 600 organisations have already gone before you.


NIS2 Supply Chain hallmark certification

On 10 October 2024, the Quality Innovation Foundation, the holder of the NIS2 Quality Mark, launched the NIS2 Quality Mark Europe-wide. As of 06/01/2026, the NIS2 Quality Mark has been renamed NIS2 Supply Chain.

The NIS2 legislation states that essential and important companies, also known as NIS2 companies, are responsible for the cyber security of their supply chain. This means that they have to start requiring their direct suppliers, mostly SMEs, to be able to prove that they work securely digitally. An NIS2 Supply Chain hallmark certificate provides this proof.

In the Netherlands, the European NIS2 has been translated into the Cyber Beveiligingswet (CBW) as a replacement for the Wbni. Each country has thus made its own translation into its own local legislation, so each country has its own specific websites and information.

NIS2 organisations and their suppliers

NIS2 Supply Chain has 3 levels, tailored to the risk of the service provided.

  1. NIS2-SC10 (Basic)
  2. NIS2-SC20 (Substantial)
  3. NIS2-SC30 (High)
 
 
 
 

The different levels

Within the NIS2 Supply Chain, there are 3 levels. 

NIS2-SC10 Basic Level 

  • Organisational control measures
  • People-centred management measures
  • Physical management measures
  • Technological management measures

 

NIS2-SC20 Substantial Level

  • Organisational control measures
  • People-centred management measures
  • Physical management measures
  • Technological management measures
  • OT management measures
  • IT management measures

NIS2-SC30 High Level

  • Organisational control measures
  • People-centred management measures
  • Physical management measures
  • Technological management measures
  • OT management measures
  • IT management measures

 

More information on the NIS2 Supply Chain can be found at the website.

Which NIS2 Supply Chain is applicable to your organisation?

What type of organisation are you?

Many SME organisations provide services to so-called NIS2 companies. 
To determine whether or not you yourself are an NIS2 organisation, the NCSC has created a poster and an online NIS2 self-assessment test.
Organisations characterised as an NIS2 organisation are required to register with the NCSC.
 
Within the NIS2 legislation, a distinction is made between essential and important companies; these are also called NIS2 companies. These companies have to comply with NIS2 legislation themselves, and so does their supply chain.
The NIS2 Supply Chain seal of approval helps with this. 

Suppliers

NIS2 organisations must start requiring their suppliers, mostly SME organisations, to be able to demonstrate compliance with NIS2 legislation. Having an ISO27001 certificate is not enough for this purpose. The NIS2 Supply Chain hallmark certificate provides additional proof for this.

Supply Chain 10 (SC10) 

If your organisation is not subject to registration, but you provide services to an NIS2 organisation, your organisation must also comply with NIS2.
 
For most SME organisations, Supply Chain level 10 (SC10) will be sufficient to demonstrate that you have the basics in place.

Supply Chain 20 (SC20)

However, if your organisation provides ICT or OT services, your client may demand SC20 or even SC30. Of course, this strongly depends on the risk the client has regarding your service and the impact on availability, integrity and confidentiality:
  • Availability (is the system there or not)
  • Integrity (is the data in the systems correct)
  • Confidentiality (is it well regulated who may or may not see what)

Supply Chain 30 (SC30)

If your organisation falls directly under the NIS2 and you are therefore subject to registration, then the NIS2 Supply Chain level 30 will apply to your organisation at a minimum. Having an additional ISO27001/NEN7510/IEC 62443 certification issued under accreditation is highly recommended.

How long does a certification audit take?

A table is available, detailing how much audit time is required per standard for each type of organisation. Depending on your context, the audit time within the range may be lower or higher.

Note: if you already have an ISO27001/NEN7510 certification, you will be granted a waiver on specific requirements already covered within this certification. This therefore reduces the number of audit hours in the table above.

How do you apply for NIS2 Supply Chain hallmark certification?

If you believe you meet all the requirements of the NIS2 Supply Chain, DigiTrust is authorised to conduct an audit at your premises. Contact us to start this certification.

If the audit is completed positively by DigiTrust, the Quality Innovation Foundation will prepare and publish the certificate for you. A central register of these certificates will be kept.

The certificate is valid for 3 years.

Contact us for a no-obligation quote.
