NIS2 Quality Mark: Demonstrable Cybersecurity Compliance

NIS2 certification is set to become an essential requirement for companies operating in critical supply chains or providing services to NIS2-regulated organizations. With the NIS2 Quality Mark, your organization demonstrates both cybersecurity resilience and compliance with the new legal obligations. As an independent certification body, Kiwa not only assures compliance with the directive but also strengthens trust among customers, partners and regulators.

To strengthen cybersecurity across Europe and prevent social and economic disruption caused by cyberattacks, the European Union has introduced the NIS2 Directive. This successor to the original NIS Directive (previously implemented in the Netherlands as the Wbni) has a broader scope and targets both essential and important entities.

Cybersecurity Act

In the Netherlands, the NIS2 Directive is being transposed into national law through the Cybersecurity Act (Cyberbeveiligingswet, or Cbw), which is expected to come into force in the third quarter of 2025. Although the Dutch Cybersecurity Act has not yet been passed, the government is already advising organizations to begin strengthening their cybersecurity strategies. Acting early will help prevent delays and ensure readiness for upcoming obligations.

NIS2 requirements for suppliers

A key aspect of the NIS2 legislation is that organizations are not only responsible for securing their own IT environment but also for the cybersecurity resilience of their suppliers and service providers, especially those who can directly affect the network and information systems of a NIS2-regulated organization.

Risk-based approach to cybersecurity

To help organizations demonstrate compliance with these new requirements, the NIS2 Quality Mark was developed by the Quality Innovation Foundation (Stichting Kwaliteitsinnovatie). Available for certification from 1 July 2025, the Quality Mark offers a clear, risk-based approach to cybersecurity. It is a practical tool for businesses to identify cyber risks, implement effective measures and raise employee awareness of digital threats. Kiwa is accredited to conduct audits under this quality framework, with a focus on QM20 and QM30 levels (see below).

Three levels of the NIS2 Quality Mark

Depending on your organization’s role and risk profile, three versions of the NIS2 Quality Mark are available. Kiwa certifies levels QM20 and QM30:

QM10 – Basic

Designed for SMEs with limited risk exposure that are indirectly connected to the supply chain of NIS2-regulated entities.

QM20 – Substantial

For suppliers that provide direct services to NIS2 entities and have access to sensitive systems or data.

QM30 – High

Intended for organizations playing a critical role in the supply chain, where disruption or failure could have major societal or economic consequences.

The certification process in 5 steps

Kiwa guides your organization through every step toward certification:

  1. Register at NIS2qualitymark.eu
     Sign up your organization on the official NIS2 Quality Mark platform.
  2. Prepare for the audit
     Collect relevant documentation and perform a risk assessment, either independently or with external support. All required guidelines are available at NIS2qualitymark.eu.
  3. Mandatory pre-audit webinar
     This interactive webinar helps identify gaps in your information security policy. Participation is required for certification and provides valuable insights and recommendations.
  4. Formal audit by Kiwa
     A certified Kiwa auditor visits your site, evaluates processes, interviews staff and verifies the implementation of cybersecurity measures.
  5. Awarding of the NIS2 Quality Mark certificate
     Kiwa’s certification board will review the audit results and issue formal approval. Upon successful assessment, you will receive the official certificate.

Why choose Kiwa for NIS2 Quality Mark certification?

  • Independent assessment by Kiwa
    Known for its expertise, integrity and impartial evaluations, Kiwa also offers pre-audit services, including a NIS2 GAP analysis.
  • Demonstrable compliance with NIS2 and the Dutch Cybersecurity Act
    The Quality Mark provides clear evidence for clients and regulators.
  • Enhanced trust in your organization
    Clients and partners see that you take cybersecurity seriously.
  • Improved management of cyber risks
    A systematic approach helps prevent incidents and limits damage in case of threats.
  • Competitive edge in the supply chain
    The NIS2 QM30 certificate in particular sends a strong signal to buyers who are required to vet their suppliers for cyber resilience.

Prepare with a pre-audit/GAP analysis

Are you planning to certify your organization according to a specific standard but unsure where to start? Or have you already implemented a management system in line with, for example, ISO 9001, ISO 27001, or ISO 14001, but you're uncertain if it fully meets the certification requirements? Discover more about our pre-audit/GAP analysis.
