Quickly achieve NIS2 compliance and increase cyber resilience!


 IRM360   NIS2-CSMS


The scalable software solution for SME suppliers aligned with the NIS2 Quality Mark seal of approval

Request an online demo here


Simple step-by-step implementation

With awareness E-Learnings and phishing simulations

Easy upgrade to an ISMS (ISO 27001)

Tailored to SMEs and the NIS2 Quality Mark and CyFun

NIS2 EU legislation

The NIS2 cybersecurity directive aims to improve the resilience of essential services in EU member states. Since 17 October 2024, this EU directive has been in place, and from 1 July 2025 it will be in force in the Netherlands as the Cyber Security Act (Cyberbeveiligingswet, Cbw). NIS2 applies to providers of ‘essential’ activities (essential entities) and providers of ‘important’ activities (important entities). Click here for the online self-assessment test to determine whether your organisation needs to comply with NIS2.

Essential NIS2 organisations must ensure appropriate security measures, report significant incidents promptly, take additional measures such as maintaining contingency plans, and regularly verify their security. Directors of these organisations who are or have been demonstrably negligent in taking cybersecurity measures may be held personally liable and may be (temporarily) removed from office.

Essential NIS2 organisations are also responsible for the security of their entire supply chain and can no longer delegate this responsibility to an (ICT) service provider.


NIS2 Compliance

for SME Suppliers

The NIS2 directive therefore affects the entire supply chain of essential and important entities. These organisations will impose requirements on their suppliers to minimise cyber risks. If you do business with one of these organisations, you must be able to demonstrate that you have your security affairs in order: NIS2 organisations must manage the risks posed by their suppliers and will therefore avoid doing business with suppliers that cannot demonstrate adequate security.

To demonstrate a level of information security, the international information security standard ISO 27001 is often used. An ISO 27001 certificate shows that the availability, integrity and confidentiality of sensitive information within your organisation are effectively and demonstrably protected. For small organisations, however, ISO 27001 certification is often too complex, labour-intensive and costly.

The NIS2 Quality Mark is an alternative for SMEs to demonstrate to essential and important clients that they have their cyber security affairs in order.

Read more about the NIS2 Quality Mark certification and how you can easily achieve it with the IRM360 NIS2 management system below.

for Essential and Important entities

Essential and important entities will mostly rely on ISO 27001 certification, or the related NEN 7510 (healthcare) or BIO (government), for the IT environment, plus additional frameworks such as IEC 62443 for the OT environment. IRM360 supports more than 40 frameworks in the ISMS, including IEC 62443, CIS Controls and CSIR.

The NIS2 Quality Mark can be added to our ISMS as a standard, with a mapping of each of the QM levels to ISO 27001, NEN 7510 or BIO, and the additional QM20 and QM30 measures for the OT environment. This lets you see your NIS2 compliance at a glance, largely reusing your existing ISO 27001, NEN 7510 or BIO compliance.

Read more about the ISMS here


The NIS2 Quality Mark

The NIS2 Quality Mark, which level suits me?

The NIS2 Quality Mark was developed as a cyber security standard for SMEs in the supply chain of essential and important NIS2 entities, and for companies for which ISO 27001 certification is still too big a step.

The quality mark has three levels. Your customers ultimately determine which level you need to achieve to continue doing business as a ‘safe’ supply chain partner. You can demonstrate this with one of these three Quality Mark levels:

  • QM10-Basic: This level aligns with what are considered basic cybersecurity hygiene measures.
  • QM20-Substantial: This level is intended for organisations providing ICT and/or OT services where the impact of an incident can be called moderate.
  • QM30-High: This level is aimed at suppliers providing ICT and/or OT services with a high risk to their customers' processes. An incident here has a significant impact on the customer.

The quality mark is not a replacement for ISO 27001, but it offers a demonstrable and certified level aligned with the requirements of NIS2 for organisations for which an ISO 27001 certificate is still a step too far. It is therefore especially relevant for SME suppliers in the NIS2 chain that do not provide IT or OT services. Some suppliers, especially IT and OT service providers, may still need ISO 27001 certification and in some cases additional ‘assurance’ statements or other certifications. Ultimately, your client determines which requirements you need to meet.

Click here for the QM10 requirements

Click here for the QM20 requirements

Click here for the QM30 requirements

Through an external audit, conducted by accredited NIS2 Quality Mark auditors, you can be assessed and obtain a QM certificate. The duration and depth of the audit depend on the chosen Quality Mark level. These audits focus on:

  • Technical measures, such as firewalls, intrusion detection systems and encryption.
  • Cybersecurity policies and procedures: these must be up to date, sufficient and in line with the requirements of NIS2.
  • Compliance with legal requirements, incident and risk management, and business continuity.
  • Staff awareness of cyber security.

NIS2-CSMS, the new IRM360 management system for SME entrepreneurs based on the Quality Mark

NIS2-CSMS

IRM360, which has specialised in risk and compliance management systems such as our ISMS (information security), PIMS (privacy management) and BCMS (business continuity) since 2017, has developed a dedicated software version for the Quality Mark: the NIS2-CSMS. This system is designed for organisations for which ISO 27001 is not yet required. The NIS2-CSMS is derived from our existing IRM360 ISMS solution, from which we have removed everything that is not needed to achieve the Quality Mark.

Simple and step-by-step approach

In the NIS2-CSMS, all three levels (QM10, QM20 and QM30) are available as standards, linked to our practical measure sets. You simply select the desired level, after which all required measures are activated in the system and prepared for you. With the templates provided, you can get started right away. In addition, a progress dashboard shows exactly how far along you are with the implementation.

Does your organisation want to grow towards ISO 27001 or other certifications, or are you already using an IRM360 ISMS solution? Then you can add the Quality Mark levels to your existing environment or upgrade from the NIS2-CSMS to a full ISMS. The system is fully scalable, and all entered data is retained.

E-Learnings & phishing simulations in the NIS2-CSMS

Phishing remains one of the biggest contributors to cyber incidents, such as ransomware and data breaches. Phishing attacks are becoming more sophisticated, partly due to the use of artificial intelligence (AI) and other technologies.

With the integrated E-Learning system in the NIS2-CSMS, you can easily make your employees aware of this. They can start training at any time. If you wish, each training can be completed with a test, giving you immediate insight into the risk awareness level of your employees.

With the integrated phishing simulations, you can easily simulate an attack and measure your organisation's cyber resilience.


The E-Learnings are tailored to the NIS2 aspects: physical, human, organisational and technical, with an additional focus on privacy. New training courses are regularly added on current topics. For instance, a training course on Artificial Intelligence (AI) has been added to our training offer, which addresses the opportunities and risks of working with AI.

The phishing simulations come with templates, so you can easily create a simulation tailored to your organisation.

All the advantages of the NIS2-CSMS management system at a glance

  • One stop shop, everything you need aligned with the NIS2 Quality Mark
  • Progress dashboards, you know exactly how far along you are
  • Ready-made measure templates for policies and procedures
  • Resource management
  • Incident management
  • Risk management
  • Integrated risk awareness E-Learnings and phishing simulations
  • Integrated supplier assessment system
  • Audit system with ready-to-use audit programmes for the Quality Mark levels
  • Task-driven (PDCA) and provided with e-mail notifications
  • Possibility for vulnerability analyses
  • No (hidden) Excel spreadsheets
  • Multi-factor authentication (MFA/2FA)
  • Easy to upgrade to the IRM360 ISMS, while retaining all entered data

Request an (online) demo

Start now with our step-by-step approach, supported by specialists:

Step 1, Start subscription

Subscribe to the NIS2-CSMS; we coordinate the configuration with you and you will have access within 48 hours.

Step 2, Online instruction

One-to-one online instruction via Teams, in which our software experts explain the basics of the NIS2-CSMS to you.

Step 3, System filling

You can now start populating the system (resources etc.) and tailoring the measure templates to your own organisation.

Step 4, Check

Together we check the system: does everything work as desired and expected? We then fill and set it up further together.

Step 5, Audit preparation

We prepare you for the external Quality Mark audit and, if required, help you choose the external audit party.

Step 6, The External Audit

We go through the system with the auditor, online, on-site, or a combination of both. On success, you receive a certificate!


NIS2-CSMS prices

Subscription types & prices
