NIS2 for Food Manufacturers and Wholesale Distributors

TL;DR
  • Food production and distribution is listed in Annex I of the NIS2 Directive as part of the sector 'Production, processing and distribution of food.' Companies with 50 or more employees or 10 million EUR or more in revenue are affected.
  • Cold chain monitoring, ERP systems, and HACCP documentation are highly interconnected and form an attack surface that extends well beyond traditional office IT.
  • A failure of inventory management or cold chain monitoring can lead to product losses in the millions within a few hours and, in the worst case, pose a health risk to consumers.
  • Food manufacturers must integrate existing quality management systems (IFS, BRC, HACCP) with the ISMS to avoid duplication and leverage synergies.
  • A mid-market food manufacturer with 120 employees can achieve NIS2 compliance within 12 months by building on existing QM structures as the foundation.

Why the Food Industry Falls Under NIS2

Food is among the most fundamental goods of any society. When the supply of food is disrupted, it affects every single person. That is precisely why the European legislator classified the entire food chain in the NIS2 Directive as a sector of high criticality and included it in Annex I.

The classification covers the entire value chain: from production through processing and manufacturing to distribution in wholesale. The NIS2 implementation law (NIS2UmsuCG) adopts the EU requirements and defines the sector as "Production, processing and distribution of food." Specifically affected are:

  • Food manufacturers: Companies that produce, process, or preserve food, including dairies, meat processors, industrial bakeries, frozen food manufacturers, and beverage producers
  • Wholesale distributors: Companies that distribute and store food on a large scale, including central warehouses and logistics centers of the food retail trade
  • Primary producers: Agricultural operations that exceed a certain size and maintain direct supply relationships with the processing industry

The thresholds are the same as for all NIS2 sectors: at least 50 employees or at least 10 million EUR in annual revenue. In the food industry, this applies to a very large number of companies, since the sector is characterized by mid-market businesses that often employ between 80 and 500 people and generate revenues in the double-digit millions.

What surprises many companies in the sector: even if they do not consider themselves part of "critical infrastructure," they fall under NIS2. A meat processor with 150 employees and 40 million EUR in revenue may see itself as a normal mid-market company but is NIS2-obligated and must implement the corresponding measures.

The Special IT Landscape of the Food Industry

The food industry has undergone a profound digitalization over the past twenty years. What used to be manual processes is now highly automated and networked. This connectivity creates efficiency but also an attack surface with industry-specific characteristics.

Cold Chain Monitoring: When Temperature Becomes an IT Risk

Continuous cold chain monitoring is a legal obligation in the food industry. EU Regulation (EC) No. 852/2004 on food hygiene and the German Food Hygiene Regulation require temperature values to be documented along the entire supply chain. At many companies, this is now entirely digital.

A typical setup looks like this: IoT sensors in cold storage facilities, production halls, and transport vehicles capture temperatures in real time. This data is transmitted via a gateway to a central monitoring system that automatically alerts when threshold values are exceeded. The data is archived because it serves as evidence during HACCP audits and product recalls.

What happens in a cyberattack on this system?

  • Manipulated temperature data: If an attacker manipulates the sensor data, deviations go undetected. Cold storage facilities could be too warm without the system raising an alarm. The consequence: spoiled goods entering the market and endangering consumers.
  • Monitoring outage: Without a functioning temperature monitoring system, employees must check manually, which is simply not possible without gaps in large facilities with hundreds of cooling zones.
  • Loss of documentation: If the stored temperature data is encrypted by ransomware, the evidence of cold chain compliance is lost. This can lead to entire batches being preventively withdrawn from the market, even if the goods were actually stored correctly.

ERP and Inventory Management: The Heart of the Business

In the food industry, the ERP system is not just an accounting tool but controls the entire operational business. Typical ERP systems in the sector include SAP S/4HANA, Microsoft Dynamics 365, CSB-System (industry-specific for the food industry), or GUS-OS (specific to meat processing).

The ERP system manages:

  • Incoming goods inspection: Checking and releasing incoming raw materials
  • Batch traceability: Assigning raw materials to finished products to identify affected batches in case of a recall
  • Production planning: Controlling production lines, recipe management, material requirements planning
  • Warehouse logistics: Management of cold storage, FIFO/FEFO principles (First In, First Out / First Expired, First Out), order picking
  • Delivery planning: Route planning, delivery notes, freight documentation
  • Traceability: EU Regulation (EC) No. 178/2002 requires traceability "from farm to fork"

A failure of the ERP system in the food industry therefore has immediate and massive consequences. Within a few hours, no orders can be processed, no goods picked, and no deliveries dispatched. With perishable goods, the clock is ticking: fresh dairy products, meat, or prepared salads have shelf lives of days, not weeks.

HACCP Interfaces: Quality Assurance and IT Intertwined

The HACCP concept (Hazard Analysis and Critical Control Points) is mandatory for food manufacturers. It defines critical control points in production where potential hazards to food safety must be monitored.

In modern food production, these control points are digitally integrated:

  • Pasteurization temperatures are automatically captured and documented
  • Metal detectors on production lines report findings directly to the QM system
  • Cleaning protocols (CIP, Clean-in-Place) are digitally controlled and archived
  • Laboratory values (microbiology, sensory analysis, chemistry) flow from the LIMS (Laboratory Information Management System) into the ERP

These interfaces between production automation, quality assurance, and ERP are typical OT/IT transition points that deserve special attention in the NIS2 risk analysis. An attacker who gains access to HACCP-relevant systems could manipulate test results, which in the worst case means contaminated products pass through the production process.

Industry-Specific Risks

The risk landscape in the food industry differs from other sectors in several respects.

Time Pressure from Perishability

Food is perishable, and this fundamentally distinguishes the industry from the production of durable goods. A machine manufacturer can shut down operations for three days and work through the orders afterward. A manufacturer of fresh baked goods, dairy products, or meat products cannot. If production stops for one day, the goods become unsaleable.

For NIS2 implementation, this means: the Recovery Time Objectives (RTOs) for production-related systems must be extremely short. For the ERP system of a fresh logistics provider, 24 hours of downtime is often already too much. Recovery of critical systems must succeed within hours, not days.

Seasonal Fluctuations and Peak Periods

The food industry is subject to strong seasonal fluctuations. In the pre-Christmas period, before Easter, or during the grilling season, production and logistics run at full capacity. A cyberattack during such a peak period causes disproportionately high damage and hits a workforce already under time pressure that may be less vigilant toward phishing or social engineering.

Complex Supply Chains

The food industry is characterized by particularly complex and branched supply chains. A mid-market meat processor sources raw materials from dozens of farmers, spices from international suppliers, packaging materials from specialized manufacturers, and delivers to hundreds of retailers and gastronomy businesses. Each of these relationships is a potential entry point for attackers, and each requires data exchange that must be secured.

NIS2 explicitly requires the assessment and protection of supply chain security. For the food industry, this means a particular challenge because the number of business partners is typically very high.

Regulatory Overlaps

Food manufacturers are already subject to dense regulation that partially overlaps with NIS2 requirements:

| Regulation | Requirement | Overlap with NIS2 |
|---|---|---|
| EU Reg. 178/2002 | Traceability | Integrity and availability of traceability data |
| EU Reg. 852/2004 | Food hygiene, temperature monitoring | Protection of monitoring systems |
| IFS Food | Audited QM system | Management system structures usable for ISMS |
| BRC Global Standard | Food safety | Documentation requirements transferable |
| HACCP | Critical control points | Protection of CCP documentation and systems |
| GDPR | Protection of personal data (employees, customers) | Data protection as part of the ISMS |

The major advantage: companies that are already IFS or BRC certified have established management system structures, audit experience, and a documentation culture that can serve as a foundation for the ISMS.

Special NIS2 Requirements for the Food Industry

The ten minimum measures from Article 21 of the NIS2 Directive apply in full. Some of them require an industry-specific interpretation in the food industry.

Risk Analysis: Food Safety as a Dimension

In a traditional IT risk analysis, you assess risks based on confidentiality, integrity, and availability. In the food industry, a fourth dimension is added: food safety. An IT outage that merely causes productivity losses at an office services company can endanger consumer health at a food manufacturer.

Tools like ISMS Lite help conduct the industry-specific risk assessment in a structured manner and map the food safety dimension as a dedicated evaluation criterion. The risk analysis must therefore answer the following questions:

  • Which IT and OT systems are directly involved in ensuring food safety?
  • What happens if cold chain monitoring fails for four hours? What product volumes are affected?
  • Can HACCP control points be monitored manually during an IT outage?
  • How quickly can we switch to manual batch traceability during an ERP outage?

Network Segmentation: Separate Production and Office

The IT architecture of a food manufacturer typically encompasses three areas that must be separated through network segmentation:

Production network (OT): PLC controls for production lines, pasteurization systems, filling lines, packaging machines, CIP systems. These systems often run on proprietary operating systems and cannot be patched, or only with restrictions.

Monitoring and QM network: Temperature monitoring, HACCP data capture, LIMS, scales, and metal detectors. This network forms the bridge between OT and IT and must be controlled in both directions.

Office network (IT): ERP system, email, administrative applications, workstations. Standard IT security measures apply here.

Only defined data flows may pass between segments. Production controls must not be directly accessible from the office network, and temperature data flows to the ERP through defined interfaces and gateways, not through open network connections.

Supply Chain Security: Suppliers and EDI Connections

Electronic Data Interchange (EDI) is standard in the food industry. Orders, delivery notes, invoices, and quality certificates are exchanged automatically between business partners. These EDI connections are a potential entry point if not adequately secured.

NIS2 requires the assessment of supply chain security. In the food industry, this means specifically:

  • Secure EDI connections: Encryption, authentication, monitoring for unusual transaction patterns
  • Harden the supplier portal: If suppliers feed data through a web portal (quality certificates, analysis reports), this portal must be protected against unauthorized access
  • Assess critical suppliers: A security assessment should be in place for the 20 most important suppliers, covering at least basic IT security questions

Incident Response: Include Recall Management

A food manufacturer's incident response plan must go beyond pure IT recovery and include recall management. If a cyberattack has jeopardized the integrity of production data, the question arises: can we be certain that the products manufactured during this period are safe?

If this question cannot be answered with a clear yes, a product recall may need to be initiated. The incident response plan must therefore contain the following elements:

  • Integrity check of production data: How can we determine after an incident whether production data was manipulated?
  • Interface with the recall team: Who decides on a recall? What information does the QM team need?
  • Communication with authorities: In addition to the BSI notification (24 hours), a notification to the responsible food safety authority may be required if there is a health risk
  • Notification of trade partners: If a recall is imminent, wholesale and retail partners must be informed quickly

Practical Example: Food Manufacturer with 120 Employees

To make the NIS2 requirements tangible, let us look at a specific example.

Starting point:

FrischWerk GmbH (fictitious example) is a manufacturer of deli salads and fresh products based in North Rhine-Westphalia. 120 employees, 35 million EUR annual revenue. Products are delivered to four major retail chains, numerous regional retailers, and caterers. The company is IFS Food certified (Higher Level).

The IT and OT infrastructure:

  • ERP system: CSB-System (industry-specific, on-premise, two-server cluster)
  • Production control: Three production lines with PLC control (Siemens S7-1500), automated filling and packaging lines
  • Cold chain monitoring: 85 temperature sensors in three cold storage rooms, two deep-freeze storage rooms, and 12 refrigerated trucks, centrally monitored via a cloud system
  • LIMS: Laboratory information system for microbiological tests and sensory evaluations
  • Scales and metal detectors: At each production line, directly connected to the ERP
  • EDI connections: Automated data exchange with 35 business partners
  • Server infrastructure: 6 physical servers (ERP cluster, file server/AD, LIMS, backup, monitoring)
  • Workstations: 40 PCs (production, laboratory, administration, dispatch)
  • Cloud services: Microsoft 365, temperature monitoring (SaaS), GPS tracking of the truck fleet

IT is managed by an IT manager and two system administrators. An external IT services company handles network maintenance and second-level support. An ISMS does not exist, but the IFS QM system is well established and audited.

Phase 1: Inventory and Regulatory Classification (Months 1-2)

Applicability analysis: FrischWerk, with 120 employees and 35 million EUR revenue, falls under NIS2. Food manufacturing is listed in Annex I. Classification: important entity.

Regulatory inventory: In addition to NIS2, FrischWerk is subject to the following regulations: EU Reg. 178/2002 (traceability), EU Reg. 852/2004 (food hygiene), IFS Food 8 (certification), HACCP (mandatory), GDPR (employee and customer data), Packaging Act.

Appoint ISB: The IT manager takes on the ISB (Information Security Officer) role at 50 percent time allocation. Close cooperation with the QM manager is essential, as many NIS2-relevant systems are simultaneously IFS/HACCP-relevant.

Create asset inventory:

| Category | Count | Most Critical Asset |
|---|---|---|
| Production systems (OT) | 3 lines, 15 controllers | Main production line (60% of capacity) |
| Servers | 6 | ERP cluster (CSB-System) |
| Temperature sensors | 85 | Cold storage 1 (main finished product warehouse) |
| Workstations | 40 | Dispatch workstations (route planning) |
| EDI connections | 35 | Connection to REWE/EDEKA (70% of revenue) |
| Cloud services | 3 | Temperature monitoring (SaaS) |
| Laboratory equipment | 8 | Microbiology analysis instruments |

Notable finding: Cold chain monitoring runs through a cloud service operated by a startup with 25 employees. The SLA contains no explicit security requirements. This is a critical supplier risk that must be addressed as a priority.

Phase 2: Risk Analysis (Months 3-4)

The risk analysis considers not only IT risks but also the impact on food safety and traceability.

| Risk | Impact on Operations | Impact on Food Safety | Rating |
|---|---|---|---|
| Ransomware encrypts ERP | Production, logistics, and billing shut down | Batch traceability impossible | Critical |
| Manipulation of temperature data | Incorrect cold chain documentation | Spoiled goods reach the market | Critical |
| Production control failure | Production halt on all lines | Direct impact on supply security | Critical |
| Compromise of EDI connections | Incorrect orders, delivery notes | Wrong products to wrong recipients | High |
| LIMS outage | No laboratory releases, production backlog | Products without quality clearance | High |
| Manipulation of scales/metal detectors | Incorrect weights, missed foreign objects | Direct consumer endangerment | Critical |
| Cloud monitoring outage | No real-time temperature monitoring | Manual checks needed, gaps possible | High |

Identified as especially critical: The integrity of production and quality data. If an attacker manipulates laboratory results, temperature values, or metal detector logs, unsafe products can reach the market. This risk is treated with the highest priority.

Phase 3: Technical Measures (Months 5-8)

Network segmentation (Months 5-6):

The network is divided into four security zones:

  • Production zone: PLC controls, filling lines, packaging machines. Strictly isolated, communication only with the process control computer.
  • Monitoring zone: Temperature sensors, scales, metal detectors, LIMS. Controlled connections to the ERP and cloud monitoring.
  • Business zone: ERP, email, office applications, workstations.
  • DMZ: EDI gateway, supplier portal, web server.

The PLC controls on the production lines have no internet access and no direct access to the business network. Data flows between production and ERP run through defined interfaces and gateways.
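
To make the zone model concrete, here is an added example that is not from the original article and not FrischWerk's or any vendor's configuration. It maps firewall log entries to zones by address range and reports every accepted connection that the designed allow-list does not cover, which is how rule drift between the segmentation design and the running firewall shows up. The address plan, the port assignments per flow, the log format and the log lines are all constructed for the example.

```python
import ipaddress
import re
from typing import List, Tuple

# Constructed addressing plan for the four zones; anything outside is treated as "internet".
ZONE_NETWORKS = {
    "production": ipaddress.ip_network("10.10.0.0/16"),
    "monitoring": ipaddress.ip_network("10.20.0.0/16"),
    "business":   ipaddress.ip_network("10.30.0.0/16"),
    "dmz":        ipaddress.ip_network("192.168.100.0/24"),
}

# Designed allow-list: (source zone, destination zone, protocol, destination port).
# The ports are hypothetical service choices for this example; a real plan would
# take them from the interface documentation. Anything not listed is a violation.
ALLOWED_FLOWS = {
    ("production", "monitoring", "tcp", 4840),  # process control computer pushes OPC UA data to the historian
    ("monitoring", "business",   "tcp", 443),   # scale, metal detector and temperature results into the ERP interface
    ("monitoring", "internet",   "tcp", 443),   # temperature data to the cloud monitoring service (outbound only)
    ("business",   "dmz",        "tcp", 443),   # ERP talks to the EDI gateway
    ("dmz",        "internet",   "tcp", 443),   # EDI gateway exchanges AS4 messages with partners
    ("internet",   "dmz",        "tcp", 443),
    ("business",   "internet",   "tcp", 443),   # Microsoft 365 and other SaaS
}

# Constructed log format; adapt the pattern to the firewall actually in use.
LOG_RE = re.compile(r"(?P<action>ACCEPT|DROP) src=(?P<src>\S+) dst=(?P<dst>\S+) "
                    r"proto=(?P<proto>\w+) dport=(?P<dport>\d+)")


def zone_of(ip: str) -> str:
    """Map an address to its zone; unknown ranges count as internet."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONE_NETWORKS.items():
        if addr in net:
            return name
    return "internet"


def flow_allowed(src_ip: str, dst_ip: str, proto: str, dport: int) -> bool:
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src == dst:
        return True  # intra-zone traffic is governed by host policy, not by the segmentation rules
    return (src, dst, proto, dport) in ALLOWED_FLOWS


def audit_accept_log(lines) -> List[Tuple[str, str, str]]:
    """Return (source zone, destination zone, log line) for every ACCEPTed
    connection that the designed zone policy does not permit."""
    violations = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m or m["action"] != "ACCEPT":
            continue  # unparseable lines and DROPs are not drift: a DROP means the policy worked
        if not flow_allowed(m["src"], m["dst"], m["proto"], int(m["dport"])):
            violations.append((zone_of(m["src"]), zone_of(m["dst"]), line))
    return violations


def policy_invariants() -> dict:
    """Checks to run on the allow-list itself after every rule change."""
    return {
        "no rule into production from business, DMZ or internet": not any(
            d == "production" and s in {"business", "dmz", "internet"} for s, d, _, _ in ALLOWED_FLOWS),
        "production has no direct internet rule": not any(
            s == "production" and d == "internet" for s, d, _, _ in ALLOWED_FLOWS),
        "internet reaches neither business nor monitoring directly": not any(
            s == "internet" and d in {"business", "monitoring"} for s, d, _, _ in ALLOWED_FLOWS),
    }


# Constructed firewall log excerpt.
SAMPLE_LOG = [
    "2025-01-13T06:01:02Z ACCEPT src=10.10.3.21 dst=10.20.0.5 proto=tcp dport=4840",
    "2025-01-13T06:01:09Z ACCEPT src=10.30.7.44 dst=10.10.3.21 proto=tcp dport=102",      # office PC to a PLC
    "2025-01-13T06:02:15Z ACCEPT src=10.20.0.5 dst=203.0.113.10 proto=tcp dport=443",
    "2025-01-13T06:02:40Z DROP src=10.30.7.44 dst=10.10.3.22 proto=tcp dport=102",
    "2025-01-13T06:03:01Z ACCEPT src=192.168.100.10 dst=10.30.0.20 proto=tcp dport=445",  # DMZ host into business zone
    "2025-01-13T06:03:30Z ACCEPT src=10.30.7.44 dst=10.30.0.20 proto=tcp dport=445",
]

if __name__ == "__main__":
    for src_zone, dst_zone, line in audit_accept_log(SAMPLE_LOG):
        print(f"drift: {src_zone} -> {dst_zone}: {line}")
    print(policy_invariants())
```

Run the audit against the accept log after every firewall change; a reported line means the firewall permits a flow the segmentation design does not justify. Zone-level checks say nothing about what happens inside an allowed flow, so the gateway and interface hosts that sit on the permitted paths still need their own hardening and monitoring.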

Securing cold chain monitoring (Month 6):

For the cloud-based temperature monitoring, the following measures are implemented:

  • Contract amendment with the cloud provider: SLA expanded to include availability (99.5%), data backup, and incident notification
  • Local backup: All temperature data is additionally stored locally, so the documentation obligation is met during a cloud outage
  • Integrity protection: Temperature data is provided with a hash value to make subsequent manipulation detectable
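
The integrity protection listed above deserves one design note, shown here as an added example that is not code from the original article or from any monitoring vendor. A plain hash stored beside each record can simply be recomputed by whoever edits the record, so the tag in this example is an HMAC-SHA256 under a key that only the writing gateway holds, and every record also commits to the previous record's tag, which turns the archive into a chain. The key, the sensor id and the readings are constructed.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import List, Optional

# Hypothetical key held only by the on-site gateway that writes the archive.
# Constructed for this example; a real deployment keeps it in an HSM or key vault.
GATEWAY_KEY = b"constructed-demo-key-not-for-production"


@dataclass
class Reading:
    sensor_id: str
    timestamp: str        # ISO 8601 as emitted by the gateway (constructed values below)
    temperature_c: float
    prev_tag: str         # tag of the preceding record, "" for the first record
    tag: str = ""         # HMAC-SHA256 over this record, including prev_tag


def _canonical(r: Reading) -> bytes:
    # Stable serialisation so writer and verifier authenticate identical bytes.
    return json.dumps(
        {"sensor_id": r.sensor_id, "timestamp": r.timestamp,
         "temperature_c": r.temperature_c, "prev_tag": r.prev_tag},
        sort_keys=True, separators=(",", ":"),
    ).encode()


def append_reading(log: List[Reading], sensor_id: str, timestamp: str,
                   temperature_c: float, key: bytes = GATEWAY_KEY) -> Reading:
    """Append one reading, chaining it to the previous record's tag."""
    prev_tag = log[-1].tag if log else ""
    r = Reading(sensor_id, timestamp, temperature_c, prev_tag)
    r.tag = hmac.new(key, _canonical(r), hashlib.sha256).hexdigest()
    log.append(r)
    return r


def verify_log(log: List[Reading], key: bytes = GATEWAY_KEY,
               anchored_head: Optional[str] = None) -> int:
    """Return -1 if the chain is intact, else the index of the first bad record.

    Edited values fail the tag check, deleted or reordered records fail the
    prev_tag check, and if the newest tag was anchored elsewhere, a truncated
    tail is reported as len(log)."""
    expected_prev = ""
    for i, r in enumerate(log):
        if r.prev_tag != expected_prev:
            return i
        good = hmac.new(key, _canonical(r), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(good, r.tag):
            return i
        expected_prev = r.tag
    if anchored_head is not None and expected_prev != anchored_head:
        return len(log)
    return -1


def build_sample_log() -> List[Reading]:
    # Constructed readings from one cold-room sensor, including a 7.9 C excursion.
    log: List[Reading] = []
    append_reading(log, "CS1-07", "2025-01-13T06:00:00Z", 2.4)
    append_reading(log, "CS1-07", "2025-01-13T06:15:00Z", 2.6)
    append_reading(log, "CS1-07", "2025-01-13T06:30:00Z", 7.9)
    append_reading(log, "CS1-07", "2025-01-13T06:45:00Z", 3.1)
    return log


def edited_value_detected() -> int:
    """Someone with write access to the archive 'corrects' the excursion."""
    log = build_sample_log()
    log[2].temperature_c = 2.8
    return verify_log(log)  # 2: that record's tag no longer matches


def deleted_record_detected() -> int:
    """The excursion record is removed outright."""
    log = build_sample_log()
    del log[2]
    return verify_log(log)  # 2: the following record's prev_tag points at the missing one


def truncated_tail_detected() -> int:
    """The newest records are dropped; only an anchored head tag reveals this."""
    log = build_sample_log()
    head = log[-1].tag  # in practice copied to the daily local backup
    del log[-1]
    return verify_log(log, anchored_head=head)  # 3 == len(log)


if __name__ == "__main__":
    print("intact:", verify_log(build_sample_log()))
    print("edited:", edited_value_detected())
    print("deleted:", deleted_record_detected())
    print("truncated:", truncated_tail_detected())
```

The verifier catches edited values, deleted or reordered records and, once the newest tag is copied somewhere the archive writer cannot reach (the daily local backup is the natural place), truncation of the tail. This makes manipulation detectable after the fact during an audit or a recall investigation; it does not prevent it, so the archive still needs access control and the gateway key must never sit on the same host as the data.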

MFA and access control (Months 6-7):

Multi-factor authentication is introduced for all external access (VPN, cloud services, EDI portal administration) and for all privileged accounts. For production workstations in the clean room area where gloves are worn, chip card-based authentication is implemented.

EDI hardening (Month 7):

EDI connections are migrated to current encryption standards (TLS 1.3 or AS4). For automated processing of incoming EDI messages, a plausibility check is implemented that flags unusual order quantities or unknown article numbers.
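
An added example of the plausibility check just described; it is not CSB-System's or the EDI provider's code and not from the original article. Each inbound order line is tested against the article master and against the ordering partner's own history, and any line with a finding is held for manual review instead of flowing into production planning. The article numbers, partner ids and order history are constructed.

```python
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class OrderLine:
    partner_id: str   # EDI trading partner (hypothetical ids)
    article_no: str   # article number as sent by the partner
    quantity: int     # ordered units


# Constructed article master; any number not listed is unknown to the ERP.
ARTICLE_MASTER: Dict[str, str] = {
    "4001001": "Potato salad 1 kg",
    "4001002": "Coleslaw 500 g",
    "4001003": "Egg salad 250 g",
}

# Constructed order history per (partner, article): quantities of recent orders.
HISTORY: Dict[Tuple[str, str], List[int]] = {
    ("P-RETAIL-A", "4001001"): [1200, 1150, 1300, 1250, 1180],
    ("P-RETAIL-A", "4001002"): [800, 820, 790, 810, 805],
    ("P-RETAIL-B", "4001001"): [600, 620, 580, 610],
}


def check_line(line: OrderLine, master=ARTICLE_MASTER, history=HISTORY,
               z_limit: float = 3.0, factor_limit: float = 3.0) -> List[str]:
    """Return findings for one order line; an empty list means the line is plausible."""
    findings: List[str] = []
    if line.article_no not in master:
        findings.append(f"unknown article {line.article_no}")
    if line.quantity <= 0:
        findings.append(f"non-positive quantity {line.quantity}")
    past = history.get((line.partner_id, line.article_no))
    if past is None:
        findings.append(f"no order history for {line.partner_id}/{line.article_no}")
    elif line.quantity > 0:
        avg, sd = mean(past), pstdev(past)
        # Two independent tests: a z-score against the partner's own history, and a
        # hard multiple of the mean that still fires when the history has almost no variance.
        if sd > 0 and abs(line.quantity - avg) / sd > z_limit:
            findings.append(
                f"quantity {line.quantity} deviates from partner history (mean {avg:.0f}, sd {sd:.0f})")
        if line.quantity > factor_limit * avg:
            findings.append(f"quantity {line.quantity} exceeds {factor_limit:g}x the historical mean")
    return findings


def triage(lines: List[OrderLine]):
    """Split an inbound message into lines cleared for automatic processing
    and lines held for manual review, each paired with its findings."""
    auto, hold = [], []
    for ln in lines:
        f = check_line(ln)
        (hold if f else auto).append((ln, f))
    return auto, hold


# Constructed inbound order message.
SAMPLE_MESSAGE = [
    OrderLine("P-RETAIL-A", "4001001", 1220),  # within the usual range
    OrderLine("P-RETAIL-A", "4001002", 8000),  # ten-fold quantity: typo or manipulated message
    OrderLine("P-RETAIL-A", "4001999", 50),    # article number not in the master
    OrderLine("P-RETAIL-B", "4001003", 300),   # first order of this article by this partner
]

if __name__ == "__main__":
    cleared, held = triage(SAMPLE_MESSAGE)
    print(f"{len(cleared)} line(s) cleared, {len(held)} held for review")
    for ln, findings in held:
        print(ln, "->", "; ".join(findings))
```

The three kinds of finding deserve different handling: an unknown article number is usually a master-data problem, a partner's first order of an article is normal business, and a quantity far outside the partner's history is where a typo, a fault in the partner's system or a manipulated message would surface. Routing each kind to the right team (master data, sales, IT security) keeps the hold queue from becoming a bottleneck during peak periods.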

Backup and recovery (Months 7-8):

The backup strategy is expanded to include:

  • ERP: RTO 4 hours, daily backup, weekly offline backup
  • Production control: Backup of all PLC programs and configurations, quarterly
  • Temperature data: Daily local backup in addition to cloud backup
  • LIMS: Daily backup, RTO 8 hours

Phase 4: Organizational Measures (Months 8-10)

Integration of ISMS and IFS QM system:

FrischWerk uses the existing IFS structure as the foundation for the ISMS — in ISMS Lite, the IFS document structure and ISMS controls can be managed in parallel, avoiding duplication. Specifically, this means:

  • The IFS document structure is extended with ISMS documents rather than building a parallel system
  • Existing IFS procedures (corrective actions, internal audits, management review) are supplemented with IT security aspects
  • HACCP control points that are monitored by IT systems receive their own risk assessment in the ISMS
  • The annual IFS audit and the internal ISMS audit are coordinated to avoid double burden

Training program:

  • All employees: 30-minute online module on cyber hygiene, integrated into the annual mandatory training (which already takes place for hygiene, occupational safety, and HACCP)
  • Production staff: Additional training on recognizing and reporting unusual system behavior on production lines
  • IT team and QM management: Deeper training on OT security, incident response, and the interplay of NIS2 and IFS
  • Executive management: NIS2 obligations, personal liability, risk acceptance approval

Supplier assessment:

| Supplier | Special Requirements |
|---|---|
| Cloud temperature monitoring (SaaS) | Availability, data backup, incident notification, data deletion |
| CSB-System (ERP vendor) | Patch cycles, security response times, remote access |
| Siemens (PLC controls) | Firmware updates, security advisories, lifecycle planning |
| External IT services company | NIS2 clauses in contract, security certification |
| EDI service provider | Encryption, access controls, monitoring |
| Microsoft (M365) | Compliance documentation available (SOC 2, ISO 27001) |

Business continuity plan:

| System | RTO | Manual Procedure |
|---|---|---|
| ERP (CSB) | 4 hours (cluster failover) / 12 hours (backup restore) | Create delivery notes manually, batch traceability via paper logs |
| Production control | System-dependent (1-4 hours) | Manual control partially possible for 2 of 3 lines |
| Temperature monitoring | 1 hour (local backup), 8 hours (cloud restore) | Manual temperature readings every 2 hours |
| LIMS | 8 hours | Document laboratory results on paper, manual release by QM management |

The plan is tested in a tabletop exercise. Scenario: ransomware attack on Monday morning, ERP unavailable, 8 truck routes must be dispatched manually, 40 tons of finished products in cold storage awaiting delivery. Result: manual dispatch works for one day, but paper-based batch traceability is error-prone. Consequence: pre-printed forms for emergency batch documentation are created and placed in the production area.

Phase 5: Audit and Continuous Improvement (Months 10-12)

Internal audit: Systematic review of all NIS2 minimum measures, cross-referenced with IFS requirements.

Audit findings:

  1. The PLC controls on the oldest production line (built 2014) run on an unsupported firmware version. Compensating measure: maximum network isolation. Medium-term: request budget for a controls upgrade.
  2. Three EDI connections to smaller suppliers still run over unencrypted FTP. Corrective action: migration to SFTP/AS4 within three months.
  3. The emergency procedure for manual temperature monitoring has not yet been practiced with all warehouse staff. Corrective action: schedule exercise for next quarter.

Management review: Executive management approves the residual risk catalog, the budget for the following year (priorities: production line 1 controls upgrade, expansion of OT monitoring), and the training plan.

Budget Overview

| Item | One-time (Year 1) | Annual (from Year 2) |
|---|---|---|
| External consulting (ISMS setup) | 25,000-35,000 EUR | 8,000-12,000 EUR |
| Network segmentation (hardware + configuration) | 12,000-20,000 EUR | 2,000-3,000 EUR |
| Backup expansion (offline backup, temperature backup) | 5,000-8,000 EUR | 1,500-2,500 EUR |
| MFA and access control | 3,000-5,000 EUR | 2,000-3,000 EUR |
| EDI hardening | 5,000-8,000 EUR | 1,000-2,000 EUR |
| Training | 4,000-6,000 EUR | 3,000-4,000 EUR |
| ISB time allocation (internal, 50%) | 30,000-35,000 EUR | 30,000-35,000 EUR |
| Total | 84,000-117,000 EUR | 47,500-61,500 EUR |

Not included are the costs for upgrading the oldest production control system, as these are mapped as investments in the regular capital expenditure budget. To keep tool costs manageable: ISMS Lite offers the full feature set from 500 EUR per year or as a one-time purchase for 2,500 EUR, with no seat licenses or hidden costs.

What You Should Do Now

If you are in food manufacturing or food wholesale and need to implement NIS2, the following first steps make sense:

  1. Use existing QM structures as a foundation. If you operate IFS, BRC, or another audited QM system, you already have a management system structure that you can use for the ISMS. You do not need to reinvent the wheel but rather extend the existing system.

  2. Inventory cold chain monitoring and HACCP interfaces. These systems are the link between IT security and food safety. Create a complete overview of which IT systems are involved in monitoring critical control points.

  3. Assess EDI connections and supplier dependencies. Supply chains in the food industry are particularly complex. Start with the 10 to 20 highest-revenue business partners and check how electronic communication is secured.

  4. Plan recovery times realistically. Perishable goods do not wait. Ensure that recovery times for production-related systems are compatible with the shelf life of your products. A three-day ERP outage is manageable for a frozen food manufacturer but not for a fresh product producer.

The food industry brings a decisive advantage to NIS2 implementation: an established culture of documentation, risk management, and external auditing. Anyone who already successfully passes IFS or BRC audits has the methodological tools to build an ISMS as well. It is about transferring this existing competence to IT security and connecting both worlds into an integrated system.

Further Reading

NIS2 compliance for the food industry

ISMS Lite covers all NIS2 requirements for food manufacturers and wholesale distributors. Risk management, measure tracking, and audit trail, designed for companies with complex supply chains. Self-hosted, deployed in 5 minutes.