EU updates cybersecurity regulations for supermarkets and suppliers

To help mitigate the risks of cyber threats to retailers and other industries, the EU has updated its cybersecurity regulation, Network and Information Security (NIS), to NIS2. This EU-wide initiative delivers the framework needed to build better cybersecurity structures across industries that provide essential functions. 

The food sector in the European Union is one of the largest and most important industries, covering every aspect from farming to food processing, packaging, transportation, and retail sales. NIS2 now categorizes the food sector as an “important entity that provides essential functions”, and this classification includes food retailers, processors, and producers.

Companies covered will have a duty of care and a duty to report. Duty of care includes a risk assessment and the resulting measures to be taken to keep services running as far as possible. Duty to report involves notifying the supervising authority within 24 hours of incidents that significantly disrupt, or could significantly disrupt, the provision of the essential services. Organisations covered by the NIS2 directive will be under supervision.

The NIS2 directive also encourages supply chain management as an essential component of cybersecurity. This will require food sector organizations to ensure that their suppliers and partners meet the same cybersecurity standards that they themselves are required to comply with.

The NIS2 directive will come into effect by mid-October 2024.