The security and continuity of the food supply chain remain a critical concern. With the cyber threat landscape rapidly expanding, notably due to new attack vectors leveraging Artificial Intelligence (AI), the need for robust cybersecurity governance is more pressing than ever.

The NIS 2 implementation status

Directive (EU) 2022/2555 (NIS 2) is a landmark piece of European Union legislation aimed at achieving a high common level of cybersecurity across the Union. Member States were required to transpose the Directive into national law by 17 October 2024.

Current status: The legal deadline for transposition has passed. Nineteen Member States have failed to meet this deadline and have yet to fully implement NIS 2 (see the latest status here: European Commission – NIS transposition).

Despite varying progress in national implementation, the requirements set out in NIS 2 are establishing the benchmark for cybersecurity in sectors deemed essential, including the food sector.

Key obligations and the risk-based approach

NIS 2 mandates that affected entities — which now explicitly include food production, processing, and distribution companies — must implement robust measures focusing on:

1. Mandatory risk management: Implementing effective, technical, and organisational risk management measures.
2. Incident reporting: Reporting significant cyber incidents to relevant national authorities.
3. Accountability: Establishing clear personal accountability for management regarding compliance with cybersecurity obligations.
4. Supply chain security: Prioritising the security of supplier and supply chain relationships, especially by regulating security requirements with providers during modernisation projects and the construction of new facilities.

Call to action: Proactive preparation is essential

While the NIS 2 Directive primarily addresses Member States' legislative obligations, companies in the food sector should not delay preparation until their national laws are fully enacted. The growing threat landscape, particularly the sophistication introduced by AI, demands immediate action.

An immediate and thorough risk analysis is crucial. This analysis must:

• Integrate new threats: Systematically identify and evaluate new and evolving threats, specifically those facilitated by AI, which can escalate the sophistication and speed of attacks.
• Assess impact: Define the potential consequences and cascading effects of these threats on operational technology (OT), supply chain integrity, and product safety.
• Determine proportional measures: Allow for the application of appropriate and proportionate security measures designed to effectively minimise the identified risks and ensure business continuity.

Proactive governance based on a solid risk analysis is the most effective strategy for mitigating the growing threat landscape and aligning with the principles of NIS 2.

Cybersecurity and product defence are increasingly recognised as interconnected pillars of risk management in the food sector. The IFS Product and Food Defence Guideline version 2 provides valuable insights on aligning these disciplines to safeguard operations and maintain consumer trust. Find the guideline here.

We encourage all food companies to assess their current cybersecurity maturity and risk posture now.

About the author

Dawid Stępień is an ISO 27001 Lead Auditor and Sales Expert with a strong background in certification and standards. He previously worked as a Product Manager in a certification body, focusing on quality management systems (IFS, BRCGS, ISO 22000, ISO 9001) within the food industry.

Today, he combines proven management practices with the dynamic world of cybersecurity, bridging two traditionally separate fields. Dawid is also an active voice in raising security standards and has notably contributed to the IFS Product and Food Safety Standard version 2 on cybersecurity.

He is a key part of the team at Dynacon, a manufacturer of network communication solutions, monitoring systems, cybersecurity tools, and information-visualisation technologies supporting business continuity and optimisation.