Annex II – Important Entity

NIS2 for Food Production and Distribution Companies

Food production, processing, and wholesale distribution are in scope under NIS2 Annex II. If your company has 50+ employees or exceeds 10M euros in revenue, this is your practical guide to what the BSIG requires.

Why Does NIS2 Apply to Food Companies?

Modern food production is deeply dependent on IT systems. ERP systems manage orders and invoicing. Production control systems (MES) schedule and monitor manufacturing lines. Cold chain monitoring systems track temperatures from production through delivery. Laboratory information systems manage quality testing. If ransomware takes out your ERP, you cannot ship. If your cold chain monitoring fails, you cannot prove product safety. That is why the EU classified food as a critical sector.

The EU placed food production, processing, and wholesale distribution under Annex II of the NIS2 Directive. Companies meeting the size threshold (50+ employees or over 10 million euros in annual revenue) are classified as 'wichtige Einrichtungen' (important entities) under Section 28(2) BSIG. This means the full set of NIS2 obligations applies: BSI registration, 10 cybersecurity risk management measures, incident reporting, supply chain security, and management liability.

Most food companies have not dealt with cybersecurity regulation before. Food safety regulations (HACCP, IFS, BRC) are familiar, but IT security obligations are new. The good news: if your company already runs a structured quality management system, many of the concepts transfer. Risk assessment, documentation, audits, corrective actions – the framework is similar, just applied to IT instead of production hygiene.

What Does a Food Company's Asset Inventory Look Like?

Every NIS2 entity must maintain an inventory of assets that support critical services. For a typical food production company with 100 to 200 employees, expect 10 to 15 grouped entries.

ERP and order management

The core business system handling customer orders, invoicing, procurement, and inventory management. Commonly SAP Business One, Microsoft Dynamics, proALPHA, or sector-specific solutions like CSB-System. Compromise of this system stops order processing, shipping, and billing. One asset entry.

Production control (MES)

Manufacturing Execution Systems that schedule production runs, track batch numbers, and monitor line output. Often connected to ERP for demand-driven production. May include PLCs and SCADA components on production lines. If this goes down, production stops or runs blind. Group per production facility.

Cold chain monitoring

Temperature and humidity monitoring systems for storage, transport, and retail display. These systems provide the continuous records required for HACCP compliance. Data loggers, sensors, and monitoring software – often cloud-based. Failure means you lose the proof chain for food safety. One grouped entry.

Logistics and delivery

Fleet management, route planning, delivery tracking, and warehouse management systems. May include handheld scanners for picking and loading. These systems ensure products move from production to customer. Disruption delays deliveries and can cause spoilage for temperature-sensitive products.

Laboratory information system (LIMS)

Systems managing quality testing – microbiological analysis, chemical testing, sensory evaluation. LIMS tracks samples, results, and release decisions. If your lab system is compromised, you cannot verify product safety and may need to halt shipments until manual verification is complete.

Endpoints and office IT

Laptops, desktops, and mobile devices used by office staff, quality managers, and logistics coordinators. Standard office applications, email, and document management. Grundschutz allows grouping: '50 standard Windows laptops' is one asset entry. Include network infrastructure (routers, switches, firewalls, Wi-Fi) as a separate grouped entry.

Where to Start – Priority Order for Food Companies

You do not need to do everything at once. This priority order reflects what creates the most compliance value per hour of effort.

1. Register with the BSI

Complete your Section 33 BSIG registration via muk.bsi.bund.de. This takes about 30 to 60 minutes and immediately puts you on record. The penalty for non-registration is up to 500,000 euros. If the deadline has passed, register immediately.

2. Build your asset inventory

List the systems that support your food production, quality assurance, and distribution operations. Use the six categories above as a starting point. For each asset, note what it does, who manages it, and what happens if it is unavailable for 24 hours. Pay special attention to systems that affect food safety – these have the highest regulatory impact.

3. Set up incident reporting

Define what a significant cybersecurity incident means for your company. A ransomware attack that stops production is clearly significant. A phishing email that was caught is not. Establish the reporting chain: who decides, who files the BSI report (24h/72h/1 month timelines), and how to reach them outside business hours.

4. Document supplier relationships

Food companies typically rely heavily on external IT – cloud-hosted ERP, cold chain monitoring SaaS, managed IT services. Document who these suppliers are, what access they have, and what security measures they commit to. Under Section 30(2)(4) BSIG, supply chain security is a mandatory measure. If your cloud ERP provider gets breached, it is your problem.

5. Review access controls

Audit who has access to your critical systems – especially ERP, production control, and cold chain monitoring. Implement multi-factor authentication on remote access and admin accounts. Remove accounts for former employees. Many food companies have shared passwords for production terminals – document this and plan to fix it.

What Makes Food Companies Different

Food companies sit at the intersection of IT security and food safety regulation. Your HACCP system, IFS or BRC certifications, and quality documentation already create a culture of documented processes, regular audits, and corrective actions. This is an advantage – the NIS2 framework uses very similar concepts. Risk assessment, control measures, monitoring, documentation, and periodic review are things your quality team already understands.

The unique risk for food companies is the connection between IT systems and food safety. If your cold chain monitoring system is compromised, you may not know whether products have been stored at safe temperatures. If your LIMS is manipulated, you may release unsafe products. If your ERP is down, you cannot trace a contaminated batch. These scenarios make IT security a food safety issue, not just an IT issue.

Most food companies outsource significant IT. Cloud-based ERP, SaaS cold chain monitoring, managed IT services – this is standard. Under NIS2, you own the accountability even when you outsource the operations. Your most important compliance activity is supplier management: documenting relationships, including security requirements in contracts, and verifying that suppliers maintain adequate security. Section 30 BSIG is clear – you cannot outsource responsibility.

Frequently Asked Questions

We already have IFS/BRC certification. Does that cover NIS2?

Not directly, but it gives you a significant head start. IFS and BRC require documented processes, risk assessments, corrective actions, and regular audits – the same framework NIS2 uses. What is missing is the IT-specific content: asset inventory of IT systems, cybersecurity risk assessment, incident reporting to the BSI, access control policies, and encryption documentation. Think of NIS2 as extending your quality management system to cover IT security.

Our production runs on older machines with Windows 7. Is that a problem?

Older operating systems on production equipment are common in food manufacturing and represent a real NIS2 risk. You do not necessarily need to replace the machines immediately, but you need to document the risk and implement compensating controls: network segmentation (isolate these machines from the internet and office network), restricted access, monitoring for unusual activity, and a plan for eventual upgrade or replacement. Document this in your risk assessment with a clear timeline.

Is our cold chain monitoring system an 'asset' under NIS2?

Yes, absolutely. Any system that supports the delivery of your critical services (food production and distribution) is an asset under NIS2. Cold chain monitoring is particularly important because it directly affects food safety. If the monitoring system fails or is compromised, you lose the ability to prove your products were stored safely. List it as an asset, assess the risks, and ensure your supplier (if it is cloud-based) meets adequate security standards.

How long does NIS2 compliance take for a food company our size?

For a 100 to 200 employee food production company starting from scratch, expect 3 to 6 months to reach a solid baseline. Companies with existing IFS/BRC certification can move faster because the process discipline already exists. The first month covers registration, asset inventory, and risk assessment. Months 2 and 3 cover incident process, access controls, and initial policies. Months 4 to 6 fill in supplier management, business continuity, and technical measures. After setup, ongoing effort is mainly annual reviews.

NIS2 Compliance for Food Companies – Structured and Practical

The platform walks you through every Section 30 BSIG requirement with guidance sized for food production operations: asset inventory templates, risk assessment workflows, supplier documentation, and incident reporting procedures.