It’s totally outside of my comfort zone, but I created this for a customer — and it turned into something I think a lot of MSPs and Modern Workplace professionals can use.
The new NIS2 Directive reshapes how organizations in Europe — and their IT partners — approach cybersecurity and compliance. For MSPs and Modern Workplace professionals, this isn’t just a regulatory checkbox. It’s about proving that you run a secure, resilient, and trustworthy service environment.
The NIS2 Quality Mark framework makes that measurable through three progressive levels: QM10, QM20, and QM30.
Let’s break down what these levels mean, and how Microsoft’s security ecosystem can help you reach and demonstrate compliance.
The NIS2 Quality Mark provides a structured way to show that your organization meets the cybersecurity expectations of the NIS2 Directive.
It’s managed by independent certification bodies (like DigiTrust or Kiwa) and comes in three maturity levels:
Level | Target audience | Focus | Audit intensity |
---|---|---|---|
QM10 – Basic | Low-risk suppliers or subcontractors to NIS2 entities | Basic cyber hygiene and awareness | Light audit / self-assessment |
QM20 – Substantial | IT and managed service providers (MSPs) with access to customer environments | Advanced controls and incident response | Full third-party audit |
QM30 – High | Critical service providers and operators of essential infrastructure | Continuous monitoring, forensics, SOC integration | High audit frequency and evidence depth |
If you manage or secure Microsoft 365, Intune, or Azure environments for your customers, you’re part of their supply chain — and that makes you relevant to NIS2.
Your clients might soon ask:
Which Quality Mark level do you comply with — QM10, QM20, or QM30?
This means your own environment, tools, and governance must reflect the same standards you apply to your customers' environments.
Luckily, the Microsoft ecosystem provides almost everything needed to cover the technical part of NIS2 compliance.
Domain | QM10 | QM20 | QM30 |
---|---|---|---|
Identity & Access | Entra ID Basic + MFA + Conditional Access (P1) | Entra ID P2 (PIM, Identity Protection) | Full Zero Trust enforcement, JIT access, access reviews |
Endpoint Security | Defender for Endpoint Plan 1 | Defender for Endpoint Plan 2 (EDR, ASR rules) | Integration with SOC/Sentinel and threat hunting |
Email & Collaboration | Defender for Office 365 Plan 1 | Plan 2 + Safe Links/Attachments + auto response | Advanced hunting, SOC integration |
Data Protection | Purview DLP (basic) | Purview Info Protection + Endpoint DLP | Full Purview Suite + lifecycle and eDiscovery |
Monitoring & Detection | Basic logging via M365/Azure Monitor | Microsoft Sentinel (SIEM/SOAR) + Defender for Cloud | 24/7 SOC, threat intel integration, automation |
Network & Infra Security | Basic firewall/VPN | Azure Firewall + Bastion + Zero Trust segmentation | Advanced network protection & cross-tenant policies |
Continuity & Recovery | M365 backup / retention | Azure Backup + Site Recovery | Automated failover + DR drills |
Governance & Awareness | Security awareness + Intune compliance | RBAC, audit logging, policy enforcement | Full SOC governance, forensic logging, vendor management |
NIS2 Level | Recommended License | Key Capabilities |
---|---|---|
QM10 | 🟢 Microsoft 365 Business Premium (or M365 E3 + Add-ons) | Entra ID P1, Defender for Office P1, Intune, BitLocker, basic DLP |
QM20 | 🟡 Microsoft 365 E5 Security or full M365 E5 | Defender P2, Entra ID P2, Sentinel, Compliance Manager |
QM30 | 🔵 Microsoft 365 E5 + Sentinel (SOC/MSSP) + Defender for Cloud | 24/7 monitoring, advanced detection, compliance auditing, threat intel |
In short: M365 Business Premium → E5 Security → E5 + Sentinel mirrors the QM10 → QM20 → QM30 maturity journey.
Step | Goal | Microsoft Actions |
---|---|---|
1. Establish a baseline (QM10) | Implement security fundamentals | Enable MFA, Conditional Access, device compliance, Defender for Endpoint, backups |
2. Strengthen and monitor (QM20) | Professionalize security management | Deploy Sentinel, Defender for Cloud Apps, Purview DLP, PIM & Identity Protection |
3. Mature and automate (QM30) | Build a resilient, continuously monitored environment | 24/7 SOC, automation playbooks, threat intelligence, regular tabletop exercises |
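To make step 1 verifiable rather than a checkbox, here is an added read-only self-check (example code, not part of the original post) that queries a tenant with the Microsoft Graph PowerShell SDK for the identity and device items of the QM10 baseline: an enabled Conditional Access policy requiring MFA for all users, a policy blocking legacy authentication, and at least one Intune device compliance policy. It assumes the Microsoft.Graph module is installed and the signed-in account has the listed read scopes; Defender for Endpoint and backup coverage are not checked here.

```powershell
# Added example: QM10 baseline self-check (read-only) via Microsoft Graph PowerShell.
# Assumptions: Microsoft.Graph module installed; account consented to the scopes below.
Connect-MgGraph -Scopes "Policy.Read.All","DeviceManagementConfiguration.Read.All" -NoWelcome

$findings = [System.Collections.Generic.List[string]]::new()

# 1. Enabled Conditional Access policy that requires MFA for all users
$caPolicies = Get-MgIdentityConditionalAccessPolicy -All
$mfaForAll = $caPolicies | Where-Object {
    $_.State -eq 'enabled' -and
    $_.GrantControls.BuiltInControls -contains 'mfa' -and
    $_.Conditions.Users.IncludeUsers -contains 'All'
}
if (-not $mfaForAll) {
    $findings.Add("No enabled Conditional Access policy requires MFA for all users")
}

# 2. Enabled policy that blocks legacy authentication clients (they bypass MFA)
$legacyBlock = $caPolicies | Where-Object {
    $_.State -eq 'enabled' -and
    $_.GrantControls.BuiltInControls -contains 'block' -and
    $_.Conditions.ClientAppTypes -contains 'exchangeActiveSync' -and
    $_.Conditions.ClientAppTypes -contains 'other'
}
if (-not $legacyBlock) {
    $findings.Add("No enabled Conditional Access policy blocks legacy authentication")
}

# 3. At least one Intune device compliance policy (the 'device compliance' item in step 1)
$compliancePolicies = Get-MgDeviceManagementDeviceCompliancePolicy -All
if (-not $compliancePolicies) {
    $findings.Add("No Intune device compliance policy is defined")
}

# 4. Report gaps so they can be tracked as audit evidence
if ($findings.Count -eq 0) {
    Write-Host "QM10 baseline checks passed (MFA for all, legacy auth blocked, device compliance present)."
} else {
    Write-Host "QM10 baseline gaps found:"
    $findings | ForEach-Object { Write-Host " - $_" }
}
```

Run it against your own tenant first: the table above says the MSP's environment must meet the same bar as the customers' it manages.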
NIS2 Quality Marks offer a structured path to prove your cybersecurity maturity.
With the right Microsoft Security stack, you can cover 90% of the technical requirements — from basic cyber hygiene to full SOC-level resilience.
The remaining 10%?
That’s about governance, processes, and people — and that’s where MSPs make the difference.
If you’re an MSP or IT partner delivering Microsoft 365, Intune, or Azure services, start with your QM10 baseline and gradually build toward QM20.
Combine your operational excellence with Microsoft’s security stack, and you’ll be NIS2-ready long before the audits begin.
If you have any questions about NIS2, Microsoft Security, or how to prepare your organization for compliance — feel free to reach out to me on LinkedIn or via burgerhout.org/contact.
Always happy to share ideas, experiences, and lessons learned from the field.
That is it for now. Until next time. 👋
Original post: https://www.burgerhout.org/navigating-nis2-quality-marks-with-microsoft-security-from-qm10-to-qm30/