More and more organisations are facing stricter requirements around information security. This is due to the NIS2 directive: European legislation that has now also been transposed into national law in the Netherlands. But as an organisation, how do you demonstrate that you comply with the requirements? And how do you know if your suppliers do? The NIS2 Quality Mark offers a solution for this. In this article, you will read what exactly this quality mark means, for whom it is relevant and what role DigiTrust plays in this as an independent certifying body.
What is the NIS2 directive?
The NIS2 Directive (Network and Information Security 2) is a European directive designed to strengthen digital resilience in the EU. Organisations covered by this directive must demonstrably take information security and risk management measures. Examples are companies in sectors such as healthcare, energy, transport, digital infrastructure and government.
The directive entered into force in January 2023 and has been transposed into Dutch law since October 2024 through an amendment to the Network and Information Systems Security Act (Wbni). The NIS2 directive entails obligations in the areas of:
- risk management measures;
- incident notification within 24 hours;
- supply chain responsibility;
- and heightened supervision.
How does the NIS2 Quality Mark work in practice?
The NIS2 Quality Mark is an objective assessment showing that an organisation is demonstrably working on digital resilience in line with the objectives of the NIS2 directive. It is not a legally required quality mark, but it is increasingly requested by supply chain partners, clients or regulators who want assurance about their suppliers' security measures.
The quality mark allows organisations to demonstrate that they take information security seriously and take appropriate measures. This applies not only to organisations directly covered by NIS2, but also to parties in their supply chain.
What is being assessed?
Assessment for the NIS2 Quality Mark is based on existing standards and frameworks, such as ISO/IEC 27001, NEN 7510 or ENSIA. The focus is on the elements that correspond to the requirements of the NIS2 directive, such as:
- risk assessment and management;
- security policy and awareness;
- supplier management;
- incident response and recovery;
- continuous improvement of security measures.
The quality mark is awarded after an independent assessment by a certifying body. The assessment is tailored to the nature of the organisation, the sector in which it operates and its risk profile.
What is DigiTrust's role?
DigiTrust is an independent certification body that assesses organisations for compliance with standards and quality criteria. For the NIS2 Quality Mark, DigiTrust likewise carries out the assessment in an objective, transparent and traceable manner.
Important to know: DigiTrust does not advise on the implementation of measures. This is in line with international standards for certification bodies, such as ISO/IEC 17021. DigiTrust only assesses whether the organisation meets the assessment criteria. This ensures the independence and integrity of the certification process.
Who is the NIS2 Quality Mark relevant to?
The quality mark is primarily relevant for organisations directly covered by the NIS2 directive. It is also relevant for suppliers and service providers that are part of the chain of these organisations. For example:
- IT service providers;
- software developers;
- hosting and cloud providers;
- healthcare providers;
- government suppliers.
The quality mark also offers added value for organisations that want to demonstrate their information security to clients or partners.
Frequently asked questions about the NIS2 Quality Mark
Is the NIS2 Quality Mark mandatory?
No, it is not a legal requirement. However, it may be required by clients or supply chain partners as proof of compliance with the NIS2 objectives.
What is the difference between NIS2 and ISO 27001?
NIS2 is a European directive, i.e. legislation, that sets cybersecurity requirements. ISO 27001 is an international standard for information security management systems. The NIS2 Quality Mark can use ISO 27001 as a basis for assessment.
Who may award the quality mark?
Only independent certification bodies such as DigiTrust are allowed to award the NIS2 Quality Mark after an objective assessment.
Does my organisation need to be NIS2 compliant?
It depends on the sector, size and role of your organisation. The updated legislation includes criteria for 'essential' and 'important' entities. Consult the government or your industry association for more information.
Conclusion
The NIS2 directive requires organisations to take information security and risk management seriously. The NIS2 Quality Mark helps to demonstrate this to customers, supply chain partners and regulators. DigiTrust assesses independently, without implementation advice, and does so according to internationally recognised standards.
Do you have questions about the quality mark or want to know what certification entails? DigiTrust will be happy to explain it to you clearly and objectively.