What is the NIS2 Quality Mark?

The NIS2 directive brings stricter digital resilience requirements. But as an organisation, how do you know whether a supplier complies? For that, the NIS2 Quality Mark was developed: an independent standard that shows that an organisation is ready for the new European cybersecurity legislation.

What is the NIS2 guideline? 

The NIS2 (Network and Information Security Directive 2) is a European directive that will be transposed into Dutch law in Q4 2025. In the Netherlands, this will be the Cyber Security Act (CBW). The CBW requires thousands of companies in critical sectors - and their suppliers - to comply with specific information security, risk management, incident response and reporting requirements.

Why was the NIS2 Quality Mark developed? 

Organisations that fall under NIS2 themselves, known as NIS2 organisations, tend to work with IT, cloud or security providers. Under NIS2, the main responsibility for cyber security remains with the primary organisation, but it must also demonstrate that its suppliers follow safe working practices.

The NIS2 Quality Mark helps with this. It is externally verified proof that a supplier has taken the right measures to meet NIS2 obligations - without the client having to do the full assessment itself. 

What does the NIS2 Quality Mark test? 

The NIS2 Quality Mark is based on the principles of the NIS2 guideline and tests for, among other things: 

  • Information security policy and risk management 
  • Continuity, recovery plans and incident response 
  • Systems access and network segmentation 
  • Supplier management and supply chain responsibility 
  • Incident reporting requirements 

The assessment is carried out by an independent institution such as DigiTrust. Only a positive assessment allows the quality mark to be used. 

The website of the NIS2 Quality Mark (https://nis2qualitymark.eu/) lists several partners for implementation guidance and auditing.

3 different levels 

Within the NIS2 Quality Mark, there are 3 different levels. Depending on the service you provide as a supplier to an NIS2 responsible party and the associated risk, the right QM level can be chosen together with the client / the NIS2 responsible party.

  • QM10 = the basic requirements, mostly suitable for SME organisations
  • QM20 = requirements for suppliers whose service presents an increased risk to the NIS2 responsible party
  • QM30 = the highest level, suitable for higher-risk suppliers, but also for NIS2 responsible parties themselves

Who is the NIS2 Quality Mark relevant to? 

The NIS2 Quality Mark is primarily intended for NIS2 responsible parties and their suppliers. For these suppliers, the quality mark can be the distinctive proof that they are NIS2-compliant. 

Is the NIS2 Quality Mark mandatory? 

No, the NIS2 Quality Mark is not a legal requirement. The NIS2 legislation itself does impose obligations on the results, but not on how they are demonstrated. So the quality mark is voluntary, but it provides a standardised and objective way to demonstrate compliance. In addition, the quality mark is recognised by many industry associations. 

How does it differ from ISO 27001? 

ISO 27001 is an international standard for information security. The NIS2 Quality Mark, on the other hand, is specifically aimed at testing against the NIS2 guideline. The management measures within the NIS2 Quality Mark can be matched against the ISO 27001 management measures. However, within the NIS2 Quality Mark, the requirements for the control measures are broader.

Many organisations combine both. ISO 27001 can serve as the basis for structural information security, while the NIS2 Quality Mark helps demonstrate compliance with the specific requirements of the Cybersecurity Act (CBW).

What are the benefits of the NIS2 Quality Mark? 

  • ✔ Independent proof of NIS2 compliance 
  • ✔ Increases trust among clients 
  • ✔ Facilitates tendering and contracting 
  • ✔ Show that you take chain responsibility seriously 
  • ✔ Supports risk management and transparency 

How do you get the NIS2 Quality Mark? 

An organisation must first register with the NIS2 Quality Mark organisation (https://nis2qualitymark.eu/).

After the organisation has applied, DigiTrust can be contacted to conduct the audit. The NIS2 Quality Mark is issued on the basis of an independent review. DigiTrust carries out this assessment based on objective criteria derived from the NIS2 guideline. 

In case of a positive assessment, you will receive the quality mark for a period of 3 years, with the possibility of renewal upon reassessment. 

Need help with the review?

DigiTrust does not help you implement, but tests independently and expertly. Want to check whether your organisation or supplier qualifies? Contact us or take a look at the NIS2 Quality Mark page.
