Clarifying the confusion around ‘NIS2 certification’
A NIS2 certification does not currently exist. So how do you demonstrate that you are compliant? NIS2 consultant Niels van der Meij explains what you can do.
How do you demonstrate NIS2 compliance without ‘NIS2 certification’?
Clients regularly ask us whether there is an official ‘NIS2 certification’. The short answer is: no. The European NIS2 cybersecurity directive is a set of obligations, not a specific certification. This poses a practical problem: how do you demonstrate that your organization meets the requirements of NIS2 when there is no certificate to point to? In this article, our NIS2 consultant Niels van der Meij gives three concrete pieces of advice on how to deal with this.
NIS2: responsibility without certification
NIS2 is a European directive and not a certifiable standard like ISO 27001, for example, explains Niels van der Meij. ‘The purpose of the directive is to strengthen the security of networks and information systems in the EU. This means that organizations must adopt certain cyber security practices. In the Netherlands, NIS2 is enshrined in the Cyber Security Act (Cbw). But because there is no specific certification linked to NIS2, the question remains: how can organizations demonstrate their compliance?’ There are three ways to do this, says Van der Meij.
Niels van der Meij, NIS2 Consultant, Secura
NIS2 raises the bar for companies to ensure their cybersecurity. Certifications like ISO27001 help you meet this bar and demonstrate your compliance efforts.
1. Use existing standards as a foundation to demonstrate NIS2 compliance
Many companies are opting for existing certifications that help demonstrate their compliance with at least parts of NIS2, observes Van der Meij: ‘This is a logical step, because Article 23 of NIS2 refers to implementing national or international norms and standards to mitigate risks.’ Depending on their sector, organizations can draw on several certifications and frameworks, such as:
- ISO27001 for companies across most industries.
- IEC62443 for the industrial sector.
- BIO (Baseline Informatiebeveiliging Overheid, the Dutch government baseline for information security) for government bodies, such as municipalities.
- NEN7510 for the Dutch healthcare sector.
- NIST CSF, a framework rather than a certifiable standard, which can still structure and evidence a security program.
‘These standards often align closely with NIS2’s required duty of care,’ says Van der Meij, ‘and that helps underpin compliance efforts. Compliance with any of these standards is a major step towards full NIS2 compliance, and clients or suppliers will recognize this.’
2. Use a NIS2 quality mark to demonstrate compliance
For smaller companies, such as sole traders and SME organizations, it can be difficult to meet the demands of extensive certifications. ‘But it’s still important for these companies to demonstrate NIS2 compliance, especially if they are a supplier to a company covered by NIS2. Supplier risk management is an important part of NIS2. In that case, a quality mark can help,’ says Van der Meij.
There are several quality marks in circulation in the Netherlands. For example, the NIS2 Quality Mark, developed by Samen Digitaal Veilig. Van der Meij: ‘This mark confirms that an organization follows the basic requirements of NIS2. The NIS2 Quality Mark is a selection of standards from ISO27001 and includes aspects such as risk assessment, incident management and data protection.’
The NIS2 Quality Mark is intended primarily for small organizations for whom ISO27001 certification is (still) too big a step; it is not intended for larger organizations for whom full ISO27001 certification or similar is a realistic option. ‘We feel limited certification for small organizations is better than no certification at all.’
Niels van der Meij: ‘We fully support the NIS2 Quality Mark as a stepping stone for smaller organizations to start with a smaller scope. The NIS2 Quality Mark stimulates growing and expanding the scope yearly, which might enable certain companies to fully adopt the ISO27001 framework over time.’
Another Dutch NIS2 quality mark is CYRA (CYber RAting). It was developed for the high-tech sector and is therefore more suitable for larger companies.
3. Use NIS2 training certificates to demonstrate compliance
A third way to demonstrate NIS2 compliance, at least as far as NIS2’s training requirements are concerned, is training certificates: ‘According to NIS2, board members must have the necessary knowledge about cyber threats and how their organization deals with them. This means that board members must proactively be involved in cybersecurity risk management,’ says Van der Meij. ‘It is no longer enough to simply “approve” a policy; the board must be demonstrably involved in and aware of current risks and measures, and approve these measures.’
The simplest way to demonstrate that the board meets this obligation is through NIS2 training certificates. Several companies offer these, including Secura: ‘Our NIS2 Board Room Training allows board members to demonstrate that they meet their responsibilities under NIS2.’
Upon completion of the training, board members receive a certificate confirming that they have gained sufficient knowledge to effectively fulfill their role according to the NIS2 requirements. Van der Meij: ‘This certificate can be a valuable document in legal or audit processes, as it demonstrates that the organization is not only aware of the legal requirements, but is also actively investing in their directors' cybersecurity knowledge.’
An integrated approach to NIS2 compliance
Although a NIS2 certification itself does not exist, organizations looking to demonstrate their compliance have several options: existing certifications such as ISO27001 or NEN7510 go a long way; a quality mark such as the NIS2 Quality Mark can also help; and boardroom training certificates are a third way to evidence compliance, at least for the board-level training requirement.
The larger an organization, or the more critical its services and data processing activities, the greater the need to implement additional security measures to meet the NIS2 requirements.
‘In practice, NIS2 is not a “one-size-fits-all” solution,’ Van der Meij concludes. ‘Whether you are a large company, a supplier or a director, compliance with NIS2 requires constant attention and commitment. NIS2 as a regulation is new, but the topics mandated in NIS2 are, of course, not. Through our years of experience with cybersecurity in the areas of People, Process and Technology, we can also help your organization with our integrated approach and your roadmap to achieve NIS2 compliance.’
Secura is the cybersecurity division of Bureau Veritas, a company specialized in testing, inspection and certification. Bureau Veritas was founded in 1828, has over 80,000 employees and is active in 140 countries.