Navigating NIS2 Quality Marks with Microsoft Security: From QM10 to QM30

Jeroen Burgerhout

It’s totally outside of my comfort zone, but I created this for a customer — and it turned into something I think a lot of MSPs and Modern Workplace professionals can use.

The new NIS2 Directive reshapes how organizations in Europe — and their IT partners — approach cybersecurity and compliance. For MSPs and Modern Workplace professionals, this isn’t just a regulatory checkbox. It’s about proving that you run a secure, resilient, and trustworthy service environment.

The NIS2 Quality Mark framework makes that measurable through three progressive levels: QM10, QM20, and QM30.

Let’s break down what these levels mean, and how Microsoft’s security ecosystem can help you reach and demonstrate compliance.

What are the NIS2 Quality Marks?

The NIS2 Quality Mark provides a structured way to show that your organization meets the cybersecurity expectations of the NIS2 Directive.
It’s managed by independent certification bodies (like DigiTrust or Kiwa) and comes in three maturity levels:

| Level | Target audience | Focus | Audit intensity |
|---|---|---|---|
| QM10 – Basic | Low-risk suppliers or subcontractors to NIS2 entities | Basic cyber hygiene and awareness | Light audit / self-assessment |
| QM20 – Substantial | IT and managed service providers (MSPs) with access to customer environments | Advanced controls and incident response | Full third-party audit |
| QM30 – High | Critical service providers and operators of essential infrastructure | Continuous monitoring, forensics, SOC integration | High audit frequency and evidence depth |

Why this matters for MSPs

If you manage or secure Microsoft 365, Intune, or Azure environments for your customers, you’re part of their supply chain — and that makes you relevant to NIS2.

Your clients might soon ask:

Which Quality Mark level do you comply with — QM10, QM20, or QM30?

This means your own environment, tools, and governance must meet the same standards you apply to your customers' environments.
Luckily, the Microsoft ecosystem provides almost everything needed to cover the technical part of NIS2 compliance.

Mapping QM10–QM30 to Microsoft Security

| Domain | QM10 | QM20 | QM30 |
|---|---|---|---|
| Identity & Access | Entra ID Basic + MFA + Conditional Access (P1) | Entra ID P2 (PIM, Identity Protection) | Full Zero Trust enforcement, JIT access, access reviews |
| Endpoint Security | Defender for Endpoint Plan 1 | Defender for Endpoint Plan 2 (EDR, ASR rules) | Integration with SOC/Sentinel and threat hunting |
| Email & Collaboration | Defender for Office 365 Plan 1 | Plan 2 + Safe Links/Attachments + auto response | Advanced hunting, SOC integration |
| Data Protection | Purview DLP (basic) | Purview Info Protection + Endpoint DLP | Full Purview Suite + lifecycle and eDiscovery |
| Monitoring & Detection | Basic logging via M365/Azure Monitor | Microsoft Sentinel (SIEM/SOAR) + Defender for Cloud | 24/7 SOC, threat intel integration, automation |
| Network & Infra Security | Basic firewall/VPN | Azure Firewall + Bastion + Zero Trust segmentation | Advanced network protection & cross-tenant policies |
| Continuity & Recovery | M365 backup / retention | Azure Backup + Site Recovery | Automated failover + DR drills |
| Governance & Awareness | Security awareness + Intune compliance | RBAC, audit logging, policy enforcement | Full SOC governance, forensic logging, vendor mgmt. |

Microsoft Licensing Path

| NIS2 Level | Recommended License | Key Capabilities |
|---|---|---|
| QM10 🟢 | Microsoft 365 Business Premium (or M365 E3 + Add-ons) | Entra ID P1, Defender for Office P1, Intune, BitLocker, basic DLP |
| QM20 🟡 | Microsoft 365 E5 Security or full M365 E5 | Defender P2, Entra ID P2, Sentinel, Compliance Manager |
| QM30 🔵 | Microsoft 365 E5 + Sentinel (SOC/MSSP) + Defender for Cloud | 24/7 monitoring, advanced detection, compliance auditing, threat intel |

In short: M365 Business Premium → E5 Security → E5 + Sentinel mirrors the QM10 → QM20 → QM30 maturity journey.

The Modern Workplace Roadmap

| Step | Goal | Microsoft Actions |
|---|---|---|
| 1. Establish a baseline (QM10) | Implement security fundamentals | Enable MFA, Conditional Access, device compliance, Defender for Endpoint, backups |
| 2. Strengthen and monitor (QM20) | Professionalize security management | Deploy Sentinel, Defender for Cloud Apps, Purview DLP, PIM & Identity Protection |
| 3. Mature and automate (QM30) | Build a resilient, continuously monitored environment | 24/7 SOC, automation playbooks, threat intelligence, regular tabletop exercises |
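An auditor working through the QM10 step above will want evidence, not just a statement, that MFA is enforced through Conditional Access. The script below is an added example (it is not from the original post and not Microsoft's own tooling): it reads the tenant's Conditional Access policies through the Microsoft Graph PowerShell SDK, flags whether any enabled policy requires MFA for all users on all cloud apps, and writes a timestamped CSV that can be attached to the audit file. It assumes the Microsoft.Graph module is installed, that the signed-in account can consent to Policy.Read.All, and that the output path is a placeholder you adjust.

```powershell
# Added example, not part of the original post. Assumes the Microsoft.Graph
# PowerShell SDK (Install-Module Microsoft.Graph) and an account that can
# grant the Policy.Read.All scope. Output path below is a placeholder.

Connect-MgGraph -Scopes "Policy.Read.All"

# Pull every Conditional Access policy in the tenant, including disabled ones,
# so the evidence shows what exists as well as what is enforced.
$policies = Get-MgIdentityConditionalAccessPolicy -All

function Test-BaselineMfaPolicy {
    # A policy counts as the tenant-wide MFA baseline only if it is enabled
    # (report-only policies are NOT enforced), targets all users and all
    # cloud apps, and grants access only with the built-in "mfa" control.
    param([Parameter(Mandatory)] $Policy)
    $enabled  = $Policy.State -eq 'enabled'
    $allUsers = $Policy.Conditions.Users.IncludeUsers -contains 'All'
    $allApps  = $Policy.Conditions.Applications.IncludeApplications -contains 'All'
    $mfa      = $Policy.GrantControls.BuiltInControls -contains 'mfa'
    return ($enabled -and $allUsers -and $allApps -and $mfa)
}

# One row per policy; the exclusion counts matter because an "all users"
# policy with many exclusions is weaker than its name suggests.
$report = foreach ($p in $policies) {
    [pscustomobject]@{
        DisplayName    = $p.DisplayName
        State          = $p.State
        AllUsers       = $p.Conditions.Users.IncludeUsers -contains 'All'
        AllApps        = $p.Conditions.Applications.IncludeApplications -contains 'All'
        RequiresMfa    = $p.GrantControls.BuiltInControls -contains 'mfa'
        ExcludedUsers  = @($p.Conditions.Users.ExcludeUsers).Count
        ExcludedGroups = @($p.Conditions.Users.ExcludeGroups).Count
        IsMfaBaseline  = Test-BaselineMfaPolicy -Policy $p
    }
}

$report | Format-Table -AutoSize

# Timestamped CSV as audit evidence; adjust the folder for your evidence store.
$stamp = Get-Date -Format 'yyyyMMdd-HHmm'
$report | Export-Csv -Path ".\ca-mfa-evidence-$stamp.csv" -NoTypeInformation

if (-not ($report | Where-Object IsMfaBaseline)) {
    Write-Warning "No enabled Conditional Access policy requires MFA for all users on all cloud apps; the QM10 baseline is not evidenced."
}
```

Run it from an admin workstation with the Graph module installed. Two things are deliberate: report-only policies (state `enabledForReportingButNotEnforced`) are counted as not enforced, since they produce sign-in log entries but block nothing, and the exclusion counts are kept in the evidence because a break-glass exclusion of one or two accounts is expected while a large excluded group is a finding in its own right.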

Key takeaway

NIS2 Quality Marks offer a structured path to prove your cybersecurity maturity.

With the right Microsoft Security stack, you can cover 90% of the technical requirements — from basic cyber hygiene to full SOC-level resilience.

The remaining 10%?
That’s about governance, processes, and people — and that’s where MSPs make the difference.

Want to start mapping your NIS2 level?

If you’re an MSP or IT partner delivering Microsoft 365, Intune, or Azure services, start with your QM10 baseline and gradually build toward QM20.
Combine your operational excellence with Microsoft’s security stack, and you’ll be NIS2-ready long before the audits begin.

Questions or feedback?

If you have any questions about NIS2, Microsoft Security, or how to prepare your organization for compliance — feel free to reach out to me on LinkedIn or via burgerhout.org/contact.

Always happy to share ideas, experiences, and lessons learned from the field.

That is it for now. Until next time. 👋

Original Post https://www.burgerhout.org/navigating-nis2-quality-marks-with-microsoft-security-from-qm10-to-qm30/
