- Postal and courier services are listed in NIS2 Annex I as part of the 'Postal and courier services' sector and qualify as essential entities subject to the strictest requirements.
- The CEP industry (courier, express, parcel) is highly digitalized: tracking systems, automated sorting centers, route optimization, and parcel lockers form an end-to-end digital process chain.
- A logistics IT outage has immediate consequences: parcels cannot be sorted, routed, or delivered. For a large CEP provider, this affects hundreds of thousands of shipments per day.
- Parcel lockers and parcel stations are IoT devices in public spaces, posing special requirements for physical security and network connectivity.
- A regional CEP provider with 110 employees can achieve NIS2 compliance within 12 months, with securing mobile devices and the tracking infrastructure presenting the biggest challenges.
Why Postal and Courier Services Fall Under NIS2
The delivery of letters and parcels is a service deeply embedded in economic and social life. Businesses depend on the reliable shipment of goods, documents, and spare parts. Consumers expect their online orders to arrive on time. Government agencies send official notices, courts dispatch legally binding documents with filing deadlines. If postal and parcel logistics fail for several days, supply chains stall and legal deadlines are missed.
The European legislator has therefore included postal and courier services in Annex I of the NIS2 Directive as a sector of high criticality. This is an upgrade from the draft, which initially placed the sector in Annex II ("other critical sectors"). The final classification under Annex I means: affected companies qualify as essential entities and are subject to proactive BSI supervision, the highest fines, and full reporting obligations.
Specifically affected are:
- Postal service providers: Companies providing postal services within the meaning of the Postal Services Directive, including letter mail, parcel post, and express post
- Courier and express services: CEP providers (courier, express, parcel) that commercially transport shipments
- Logistics providers in the parcel sector: Operators of sorting centers, transshipment points, and delivery networks
The thresholds are the familiar ones: at least 50 employees or at least 10 million euros in annual revenue. In the CEP industry, a great many companies exceed these thresholds. Beyond the major players (DHL, Hermes, DPD, GLS, UPS, FedEx), numerous regional CEP providers, specialty shippers, and same-day delivery services are affected.
Special Consideration: Subcontractors and Franchise Models
The CEP industry works extensively with subcontractors. The large parcel services operate their sorting centers themselves but frequently outsource last-mile delivery to subcontractors. These subcontractors are often small companies with 10 to 30 employees that do not meet the NIS2 thresholds themselves.
However, this does not release the principal from their responsibility. NIS2 requires the assessment of supply chain security, and subcontractors who access the principal's IT systems (tracking apps, scanners, route planning) are part of this supply chain. The CEP provider must ensure that its subcontractors' devices and access meet the security requirements.
The Digital Process Chain of the CEP Industry
The CEP industry is one of the most highly digitalized sectors. From the moment a parcel is handed in until delivery, every shipment is tracked and controlled through a chain of IT systems.
Tracking: The Nervous System of Parcel Logistics
The tracking system is the central IT system of a CEP provider. It captures the status of every shipment at every point in the logistics chain:
- Handover: Parcel is handed in, barcode or QR code scanned, shipment data created in the system
- Sorting: At the sorting center, every shipment is scanned and automatically sorted to the correct route/tour
- Transport: Scans are captured during loading and unloading
- Delivery: The delivery driver scans the parcel at delivery, captures a signature or photo as proof of delivery
- Customer information: Recipients and senders can track the status in real-time via web and app
The tracking system of a mid-sized CEP provider processes hundreds of thousands of scan events per day. An outage means: parcels cannot be sorted (automatic sorting is based on barcode scanning), delivery drivers do not know which parcels are on their route, and customers see no status information. The entire logistics chain grinds to a halt.
Sorting Centers: Highly Automated OT Environments
Modern sorting centers are highly automated facilities where parcels travel on conveyor belts at speeds of up to 2 meters per second, are automatically scanned, weighed, measured, and sorted to the correct output chute.
The control of these facilities is an OT environment:
- Conveyor control: PLC controls for conveyor belts, switches, chutes
- Scanner infrastructure: Barcode and OCR scanners at every sorting point
- Weighing and volume measurement: Automatic weight and dimension capture for freight billing
- Sorting logic: Software that decides which output chute a parcel is sorted to based on shipment data
- Control room system: Monitoring and control of the entire facility by operators
A cyberattack on the sorting facility can paralyze the entire parcel distribution. If the sorting logic is manipulated, parcels end up on the wrong routes. If the conveyor system fails, parcels must be sorted manually, which is not realistic at volumes of 50,000 to 200,000 parcels per day.
Route Optimization and Tour Planning
Tour planning optimizes delivery routes considering addresses, time windows (requested delivery times), vehicle capacities, traffic conditions, and delivery priorities (express before standard). Modern systems use machine learning to calculate the most efficient routes from historical data.
For last-mile delivery, tour planning is business-critical: a delivery driver delivering 150 to 200 parcels per day needs an optimized route to manage the workload. Without tour planning, drivers take inefficient routes, the delivery rate drops, and personnel costs rise.
Parcel Lockers and Parcel Stations
Parcel lockers (Packstationen, parcel shops with self-service terminals) are a growing channel in the CEP industry. DHL alone operates over 12,000 Packstationen in Germany. Hermes, DPD, and other providers are following suit.
Parcel lockers are IoT devices in public spaces and pose special security requirements:
- Physical exposure: The devices are located in publicly accessible places (supermarkets, train stations, streets) and are thus exposed to physical attacks
- Network connectivity: Each parcel locker is connected to central IT via mobile or fixed-line networks
- Authentication: Customers authenticate via app, TAN, or card. Vulnerabilities in authentication can allow unauthorized persons to remove parcels
- Firmware updates: Thousands of devices must be centrally updated without a technician being on-site
- Payment functions: Some parcel lockers offer franking and payment, processing PCI-DSS-relevant data
Mobile Devices: Thousands of Scanners in the Field
Delivery drivers and couriers are equipped with mobile devices (handheld scanners, smartphones with scanner apps) used for parcel tracking, navigation, delivery confirmation, and customer communication.
The challenge: a CEP provider with 500 delivery drivers has 500 mobile devices in the field, performing thousands of transactions daily. These devices are the most frequent point of contact between the company's IT and the outside world. They are transported in vehicles, used in all weather conditions, and regularly lost or damaged.
Industry-Specific Risks
Time-Critical Operations
The CEP industry operates with extremely tight time windows. Parcels arriving at the sorting center by 6 PM must be on delivery vehicles the next morning. Express shipments have even tighter deadlines. A six-hour IT outage at the sorting center means an entire day's shipments are delayed.
Recovery Time Objectives in the CEP industry must be extremely short: RTOs of under four hours are typical for the tracking system and sorting facility, and under two hours for tour planning (before tour start in the morning).
Seasonal Peak Loads
The CEP industry has extreme seasonal fluctuations. During the pre-Christmas season (November/December), volumes double or triple. Black Friday and Cyber Monday create peak loads that push sorting centers to their capacity limits. A cyberattack during this peak period would have devastating effects, and it is no coincidence that attackers preferentially choose times when the victim is most vulnerable.
Data Protection: Millions of Recipient Records
CEP providers process millions of personal data records under the DSGVO (GDPR): names, addresses, phone numbers, and sometimes also the contents of the shipment (product description in customs procedures). A data leak has GDPR implications and can cause significant reputational damage.
Dependency on Subcontractors
As already mentioned, the CEP industry works extensively with subcontractors. These subcontractors use the principal's IT systems (scanners, apps, tour planning) but often lack their own IT security culture. A compromised subcontractor device can become a gateway into the overall system.
Specific NIS2 Requirements for the CEP Industry
Risk Analysis: The Logistics Chain as the Assessment Object
The risk analysis must cover the entire logistics chain from parcel intake to delivery, with an ISMS tool like ISMS Lite mapping the dependencies between tracking, sorting, and tour planning as linked assets. It is important not only to examine individual IT systems but to understand the dependencies between them. The tracking system, sorting facility, and tour planning are not isolated applications but form a process chain where the failure of one link disrupts the entire chain.
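One way to make the dependency argument concrete is a small asset dependency model. The following is an added illustration, not code from the page or from any ISMS product: the asset names, the dependency edges and the process list are constructed to follow the tracking / sorting / tour-planning chain described above. Given such a model, the outage impact of a single asset and the single points of failure of the whole chain can be computed rather than guessed.

```python
from collections import deque

# Constructed sample inventory: asset -> assets it depends on.
# The edges mirror the chain described in the text (tracking feeds sorting,
# tour planning and the mobile devices); they are assumptions for this example.
DEPENDS_ON = {
    "tracking_saas": set(),
    "scanner_server": set(),
    "sorting_control_pc": {"tracking_saas", "scanner_server"},
    "plc_conveyor": {"sorting_control_pc"},
    "tour_planning": {"tracking_saas"},
    "handheld_scanners": {"tracking_saas", "tour_planning"},
    "parcel_lockers": {"tracking_saas"},
}

# Business process -> assets it needs directly (constructed).
PROCESSES = {
    "sorting": {"plc_conveyor"},
    "delivery": {"handheld_scanners"},
    "customer_status": {"tracking_saas"},
    "locker_pickup": {"parcel_lockers"},
}


def dependents_of(asset):
    """Every asset that transitively depends on `asset`, including the asset itself."""
    reverse = {a: set() for a in DEPENDS_ON}
    for a, deps in DEPENDS_ON.items():
        for d in deps:
            reverse[d].add(a)
    seen, queue = {asset}, deque([asset])
    while queue:
        current = queue.popleft()
        for nxt in reverse[current]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def impacted_processes(asset):
    """Business processes that stop when `asset` fails (sorted for stable output)."""
    failed = dependents_of(asset)
    return sorted(p for p, needs in PROCESSES.items() if needs & failed)


def single_points_of_failure():
    """Assets whose outage disrupts every modelled process."""
    return sorted(a for a in DEPENDS_ON if len(impacted_processes(a)) == len(PROCESSES))


if __name__ == "__main__":
    for asset in DEPENDS_ON:
        print(f"{asset:20s} -> {impacted_processes(asset)}")
    print("single points of failure:", single_points_of_failure())
```

In this constructed model the tracking SaaS is the only asset whose failure stops every process, which is the same conclusion the risk analysis below reaches for the fictitious ParcelExpress; a real inventory would be exported from the ISMS tool rather than typed in.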
Securing Sorting Centers
Sorting centers are OT environments and must be treated accordingly:
- Network segmentation: The facility control (PLCs, conveyor technology) must be separated from the office network and the internet
- Access control: Only authorized personnel may access the sorting logic. Changes to the sorting configuration are subject to a change management process
- Monitoring: Anomaly detection for communication between scanner infrastructure, sorting logic, and conveyor technology
- Redundancy: Critical components (control computers, scanner servers) must be designed with redundancy
Mobile Device Security at Scale
Securing hundreds or thousands of mobile devices requires comprehensive mobile device management:
- Central management: All devices are managed, configured, and monitored via an MDM system
- App whitelisting: Only approved apps may be installed. The scanner app and navigation app are centrally deployed.
- Device encryption and PIN requirement: Standard practice, but not consistently enforced at many CEP providers in practice
- Remote wipe: Lost or stolen devices are immediately locked and wiped remotely
- Subcontractor devices: If subcontractors use their own devices (BYOD), these must meet the same security standards. Containerization of enterprise apps is the typical approach.
Parcel Locker Security
Securing parcel lockers requires an IoT security approach:
- Hardened firmware: Firmware must be protected against physical tampering (Secure Boot, signed firmware)
- Encrypted communication: The connection between parcel locker and headquarters must be encrypted (VPN or TLS)
- Central patch management: Firmware updates must be deployable centrally without physical access to each device
- Physical hardening: Protection against physical tampering (tamper detection, secure enclosures for control electronics)
- Monitoring: Each parcel locker reports its status to headquarters regularly. Missing reports or unusual communication patterns trigger alerts.
Practical Example: Regional CEP Provider with 110 Employees
Starting position:
ParcelExpress GmbH (fictitious example) is a regional CEP provider based in North Rhine-Westphalia with 110 employees and 28 million euros in annual revenue. The company operates a sorting center, three delivery depots, and a fleet of 65 delivery vehicles. Its customers are online retailers, industrial companies, and private individuals in a catchment area of approximately 2 million inhabitants. Additionally, ParcelExpress operates 45 parcel lockers at supermarkets and train stations.
The IT infrastructure:
- Tracking system: Industry solution (logistics SaaS), processing an average of 35,000 shipments per day
- Sorting facility: Semi-automated system with conveyor technology, 12 scanner stations, PLC-controlled switches and chutes
- Tour planning: Module of the tracking solution, planning 65 delivery tours daily
- Mobile devices: 80 handheld scanners (Zebra TC series) for delivery drivers and warehouse personnel
- Parcel lockers: 45 lockers with mobile connectivity, proprietary manufacturer firmware
- ERP system: Navision/Business Central (Cloud), billing, human resources, finance
- Server infrastructure: 3 on-premises physical servers (sorting facility control, file server/AD, local backup server), tracking and ERP in the cloud
- Workstations: 25 PCs (sorting center, depots, administration)
- Subcontractors: 15 subcontractors with a total of 40 delivery drivers using their own smartphones with the ParcelExpress app
IT is managed by an IT manager and a system administrator. The cloud-based tracking system is maintained by the SaaS provider. The sorting facility is maintained by a plant manufacturer (maintenance contract with remote maintenance). No ISMS exists.
Phase 1: Inventory and Regulatory Classification (Months 1-2)
Applicability analysis: ParcelExpress falls under NIS2 with 110 employees and 28 million euros in revenue. Postal and courier services are listed in Annex I. Classification: essential entity. This means proactive BSI supervision and the highest fine category.
Regulatory inventory: In addition to NIS2, ParcelExpress is subject to the following regulations: Postal Act (PostG, if licensed postal services are provided), GDPR (recipient and sender data), Regulations on the Carriage of Dangerous Goods by Road (ADR, for dangerous goods transport), Working Hours Act (Driving Personnel Act).
Appoint CISO: The IT manager takes on the CISO role at 40 percent time allocation. Given the classification as an essential entity, an external consultant is additionally engaged for the initial ISMS implementation.
Create asset inventory:
| Category | Count | Most Critical Asset |
|---|---|---|
| Tracking system (SaaS) | 1 | Shipment tracking and sorting control |
| Sorting facility (OT) | 1 facility, 12 scanners, 8 PLCs | Sorting control computer |
| Mobile devices (handheld scanners) | 80 | Delivery driver scanners (proof of delivery) |
| Parcel lockers | 45 | Lockers at high-traffic locations |
| Subcontractor devices | 40 | Smartphones with ParcelExpress app |
| On-premises servers | 3 | Sorting facility server |
| Cloud services | 2 | Tracking (SaaS), ERP (Business Central) |
Key finding: The 40 smartphones of subcontractor delivery drivers are not centrally managed. The ParcelExpress app runs on personal devices without encryption, PIN enforcement, or MDM control. This is a critical risk because the app provides access to shipment data (names, addresses) and delivery confirmation.
Phase 2: Risk Analysis (Months 3-4)
| Risk | Impact on Operations | Impact on Customers | Rating |
|---|---|---|---|
| Tracking system outage (SaaS) | No sorting, no delivery, no status info | 35,000 shipments per day delayed | Critical |
| Ransomware on local server (sorting facility) | Sorting center stands still | Shipments back up | Critical |
| Compromise of subcontractor devices | Access to shipment data, forged delivery receipts | Data breach, parcel loss | High |
| Manipulation of tour planning | Wrong routes, parcels not delivered | Delivery failures across entire districts | High |
| Cyberattack on parcel lockers | Lockers unusable, unauthorized parcel removal | Customers cannot pick up parcels | High |
| Recipient data leak | GDPR reporting obligation, reputational damage | Data breach affecting millions of recipients | High |
| Sorting facility failure (OT) | Manual sorting not feasible at this volume | Multi-day delays | Critical |
Identified as particularly critical: The dependency on the cloud-based tracking system. If the SaaS provider fails or is compromised, ParcelExpress has no local fallback option. This supplier must be evaluated as a priority.
Phase 3: Technical Measures (Months 5-8)
Bring subcontractor devices under control (Month 5, highest priority):
A containerization solution is implemented for the subcontractor delivery drivers' smartphones (Microsoft Intune App Protection Policies or comparable). The ParcelExpress app runs in a protected container isolated from the personal portion of the device. The container is encrypted, requires a PIN, and can be remotely wiped upon contract termination or device loss.
Additionally, an IT security clause is included in subcontractor contracts: devices must have a current operating system, PIN lock must be enabled, and installation of the containerization solution is a prerequisite for access to the ParcelExpress app.
MDM for company-owned devices (Months 5-6):
All 80 Zebra handheld scanners are enrolled in an MDM system. Central configuration, app whitelisting, firmware updates, remote wipe. The scanners are configured to automatically lock when not in use and can only be unlocked with a PIN.
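The two device policies just described (the contract clause for subcontractor smartphones and the MDM baseline for company-owned scanners) can be expressed as a single compliance gate that decides whether a device may reach the shipment app. The code below is an added example, not ParcelExpress's or any MDM vendor's logic; the minimum OS versions, the approved app identifiers and the sample device postures are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed policy values; a real deployment would read these from the
# MDM / app-protection configuration and the subcontractor contract clause.
MIN_OS = {"android": (13, 0), "ios": (16, 0)}
APPROVED_SCANNER_APPS = {"de.parcelexpress.scanner", "de.parcelexpress.navigation", "mdm.agent"}


@dataclass
class Posture:
    device_id: str
    owner: str                  # "company" (handheld scanner) or "subcontractor" (BYOD phone)
    platform: str
    os_version: tuple
    pin_enabled: bool
    encrypted: bool
    mdm_enrolled: bool
    container_installed: bool
    installed_apps: set = field(default_factory=set)


def evaluate(p):
    """Return ("ALLOW" | "DENY", reasons) for access to the shipment app."""
    reasons = []
    # Unknown platforms fall below any sensible minimum and are denied.
    if p.os_version < MIN_OS.get(p.platform, (999,)):
        reasons.append("OS version below minimum")
    if not p.pin_enabled:
        reasons.append("PIN lock disabled")
    if p.owner == "subcontractor":
        # BYOD: the app may only run inside the managed container.
        if not p.container_installed:
            reasons.append("app container not installed")
    else:
        # Company-owned: full MDM control, encryption and app whitelisting.
        if not p.mdm_enrolled:
            reasons.append("not enrolled in MDM")
        if not p.encrypted:
            reasons.append("storage not encrypted")
        extra = sorted(p.installed_apps - APPROVED_SCANNER_APPS)
        if extra:
            reasons.append("unapproved apps: " + ", ".join(extra))
    return ("ALLOW" if not reasons else "DENY", reasons)


# Constructed sample postures (not real devices).
DEVICES = [
    Posture("SUB-07", "subcontractor", "android", (14, 0), True, True, False, True),
    Posture("SUB-12", "subcontractor", "android", (11, 0), False, False, False, False),
    Posture("ZEB-002", "company", "android", (13, 0), True, True, True, False,
            {"de.parcelexpress.scanner", "mdm.agent"}),
    Posture("ZEB-031", "company", "android", (13, 0), True, True, True, False,
            {"de.parcelexpress.scanner", "mdm.agent", "com.example.video"}),
]


def audit(devices):
    """Map device id -> (verdict, reasons) for a fleet of postures."""
    return {d.device_id: evaluate(d) for d in devices}


if __name__ == "__main__":
    for device_id, (verdict, reasons) in audit(DEVICES).items():
        print(device_id, verdict, "; ".join(reasons))
```

The point of returning every failed check rather than the first one is operational: the subcontractor receives a complete list of what to fix before the access deadline, and the audit in Phase 5 can count which conditions are most often unmet.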
Segment the sorting facility (Months 6-7):
- The sorting facility (PLC controls, sorting control computer, scanner server) is placed in its own network segment
- The plant manufacturer's remote maintenance access is moved to a jump host in the DMZ (activated only when needed, with session recording)
- The connection between sorting control computer and tracking system (cloud) runs over a dedicated, encrypted connection
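The segmentation plan above (and the anomaly-monitoring requirement in the "Securing Sorting Centers" section) only helps if something checks that observed traffic actually matches it. The following is an added example, not the page's or the plant manufacturer's code: a small allow-list checker run over constructed flow records. The segment addresses, the cloud endpoint, the maintenance port on the jump host and the sample flow lines are all assumptions for illustration.

```python
import ipaddress

# Constructed segment plan; the addresses are illustrative, not the page's network.
SEGMENTS = {
    "OT_SORTING": ipaddress.ip_network("10.10.0.0/24"),  # PLCs, sorting control PC, scanner server
    "OFFICE": ipaddress.ip_network("10.20.0.0/24"),
    "DMZ_JUMP": ipaddress.ip_network("10.30.0.0/28"),    # jump host for vendor remote maintenance
}
TRACKING_CLOUD = ipaddress.ip_address("203.0.113.10")    # stands in for the tracking SaaS endpoint

# Flows the segmentation plan expects: (source segment, destination segment, destination port).
ALLOWED = {
    ("OT_SORTING", "TRACKING_CLOUD", 443),  # dedicated TLS connection to the tracking system
    ("DMZ_JUMP", "OT_SORTING", 3389),       # vendor session via the jump host (assumed protocol)
}


def segment_of(ip):
    addr = ipaddress.ip_address(ip)
    if addr == TRACKING_CLOUD:
        return "TRACKING_CLOUD"
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "EXTERNAL"


def evaluate_flow(line, maintenance_open):
    """Classify one constructed 'timestamp src dst dport' record."""
    _ts, src, dst, dport = line.split()
    key = (segment_of(src), segment_of(dst), int(dport))
    if key in ALLOWED:
        # Jump-host access is only legitimate while a maintenance window is approved.
        if key[0] == "DMZ_JUMP" and not maintenance_open:
            return "ALERT", "jump-host session outside an approved maintenance window"
        return "OK", "matches segmentation plan"
    if key[1] == "OT_SORTING":
        return "ALERT", f"unexpected access into OT from {key[0]} on port {key[2]}"
    if key[0] == "OT_SORTING":
        return "ALERT", f"OT host talking to {key[1]} on port {key[2]}"
    return "IGNORE", "not an OT flow"


# Constructed sample flows: "timestamp src dst dport".
SAMPLE_FLOWS = [
    "2024-11-29T14:02:11 10.10.0.5 203.0.113.10 443",   # sorting PC -> tracking cloud: expected
    "2024-11-29T14:02:15 10.20.0.44 10.10.0.5 445",     # office PC -> OT over SMB: not allowed
    "2024-11-29T14:03:02 10.30.0.2 10.10.0.5 3389",     # jump host -> OT: depends on window
    "2024-11-29T14:03:40 10.10.0.7 198.51.100.23 80",   # OT host -> internet: not allowed
    "2024-11-29T14:04:00 10.20.0.12 203.0.113.10 443",  # office -> cloud: outside OT scope
]


def ot_alerts(lines, maintenance_open=False):
    """Return one line per flow that violates the plan."""
    alerts = []
    for line in lines:
        verdict, reason = evaluate_flow(line, maintenance_open)
        if verdict == "ALERT":
            _ts, src, dst, dport = line.split()
            alerts.append(f"{src}->{dst}:{dport} {reason}")
    return alerts


if __name__ == "__main__":
    for alert in ot_alerts(SAMPLE_FLOWS, maintenance_open=False):
        print(alert)
```

The maintenance-window flag is the part worth copying: activating remote maintenance "only when needed" is a control, but the detection side needs to know when "needed" is, otherwise a vendor session at 3 AM looks identical to an approved one.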
Parcel locker security (Month 7):
- Collaboration with the locker manufacturer: firmware update to the latest version, activation of Secure Boot
- VPN tunnel between each parcel locker and headquarters
- Monitoring: each locker reports its status every 5 minutes. Missing reports trigger an alarm
- Physical security: inspection of enclosures for signs of tampering, tamper switches where technically feasible
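The locker monitoring described here and in the "Parcel Locker Security" section above (a status report every 5 minutes, alerts on missing reports and unusual patterns) comes down to a heartbeat check over the incoming reports. Below is an added example, not the manufacturer's or ParcelExpress's monitoring: the report format, the locker inventory, the expected firmware version and the one-minute grace period are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# Assumptions for this illustration: lockers report every five minutes (as in the
# plan above), one minute of grace before a report counts as missing, and a
# current firmware version agreed with the manufacturer.
INTERVAL = timedelta(minutes=5)
GRACE = timedelta(minutes=1)
EXPECTED_FIRMWARE = "2.4.1"
KNOWN_LOCKERS = {"L-001", "L-002", "L-003", "L-004"}
NOW = datetime(2024, 11, 29, 14, 6, tzinfo=timezone.utc)  # evaluation time for the sample

# Constructed status reports: "locker_id,timestamp,firmware,tamper_flag".
REPORTS = [
    "L-001,2024-11-29T14:00:02Z,2.4.1,0",
    "L-001,2024-11-29T14:05:01Z,2.4.1,0",
    "L-002,2024-11-29T14:00:10Z,2.3.0,0",   # still on older firmware
    "L-002,2024-11-29T14:05:12Z,2.3.0,0",
    "L-003,2024-11-29T13:55:40Z,2.4.1,0",   # stopped reporting
    "L-004,2024-11-29T14:04:58Z,2.4.1,1",   # tamper switch fired
    "L-099,2024-11-29T14:05:00Z,2.4.1,0",   # id not in the inventory
]


def parse_report(line):
    locker_id, ts, firmware, tamper = line.strip().split(",")
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return locker_id, when, firmware, tamper == "1"


def check_lockers(lines, now):
    """Return {locker_id: [reasons]} for every locker that needs attention."""
    last_seen, firmware, findings = {}, {}, {}

    def flag(locker_id, reason):
        findings.setdefault(locker_id, [])
        if reason not in findings[locker_id]:
            findings[locker_id].append(reason)

    for line in lines:
        locker_id, when, fw, tamper = parse_report(line)
        if locker_id not in KNOWN_LOCKERS:
            # A report from an id we never deployed is itself an anomaly.
            flag(locker_id, "report from unknown locker id")
            continue
        if tamper:
            flag(locker_id, "tamper switch triggered")
        if locker_id not in last_seen or when > last_seen[locker_id]:
            last_seen[locker_id], firmware[locker_id] = when, fw

    for locker_id in sorted(KNOWN_LOCKERS):
        if locker_id not in last_seen:
            flag(locker_id, "no report received")
            continue
        age = now - last_seen[locker_id]
        if age > INTERVAL + GRACE:
            flag(locker_id, f"last report {int(age.total_seconds())}s ago")
        if firmware[locker_id] != EXPECTED_FIRMWARE:
            flag(locker_id, f"firmware {firmware[locker_id]} (expected {EXPECTED_FIRMWARE})")
    return findings


if __name__ == "__main__":
    for locker_id, reasons in check_lockers(REPORTS, NOW).items():
        print(locker_id, "->", "; ".join(reasons))
```

The firmware check is what turns the Phase 5 audit finding (lockers still on an older version) into a standing alert rather than a once-a-year discovery; the unknown-id check catches a device that was never inventoried, which is a common gap when lockers are swapped by field technicians.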
Reduce cloud dependency (Months 7-8):
A contingency process is implemented for tracking system outages:
- The next day's tour data is stored locally as an export each evening. In case of a cloud outage, delivery drivers can operate with this data.
- The sorting facility receives a local fallback configuration enabling simplified sorting by postal code when the cloud connection is lost
- Scan data is cached locally on handheld scanners and synchronized when the connection is restored
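The two fallback mechanisms in this list that depend on device logic, the local scan cache with later synchronization and the postal-code sorting when the cloud decision is unavailable, are shown below as an added example. It is not ParcelExpress's or the SaaS provider's code: the event format, the fake backend, the postal-code-to-chute table and the shipment ids are constructed assumptions.

```python
import json
import uuid
from collections import deque


class ScanCache:
    """Store-and-forward queue on a handheld scanner (constructed illustration)."""

    def __init__(self):
        self.pending = deque()

    def record(self, shipment_id, status, ts):
        # Every event carries its own id so the backend can de-duplicate replays.
        event = {"event_id": str(uuid.uuid4()), "shipment": shipment_id,
                 "status": status, "ts": ts}
        self.pending.append(event)
        return event["event_id"]

    def sync(self, send):
        """Flush in order; stop at the first failure and keep the rest queued."""
        delivered = 0
        while self.pending:
            try:
                send(json.dumps(self.pending[0]))
            except ConnectionError:
                break
            self.pending.popleft()
            delivered += 1
        return delivered


class FakeTrackingBackend:
    """Stand-in for the tracking SaaS; toggle `online` to simulate an outage."""

    def __init__(self):
        self.online = False
        self.events = {}

    def send(self, payload):
        if not self.online:
            raise ConnectionError("tracking system unreachable")
        event = json.loads(payload)
        self.events[event["event_id"]] = event   # idempotent on event id


# Constructed fallback table: leading two digits of a postal code -> chute/route.
FALLBACK_CHUTES = {"40": "DEPOT_NORTH", "41": "DEPOT_NORTH", "44": "DEPOT_EAST",
                   "45": "DEPOT_EAST", "50": "DEPOT_SOUTH", "51": "DEPOT_SOUTH"}


def fallback_chute(postal_code):
    """Simplified postal-code sorting; anything unparseable goes to a manual chute."""
    pc = postal_code.strip()
    if len(pc) != 5 or not pc.isdigit():
        return "MANUAL_REVIEW"
    return FALLBACK_CHUTES.get(pc[:2], "MANUAL_REVIEW")


def sort_shipment(shipment, cloud_lookup):
    """Prefer the tracking system's decision; fall back to postal-code sorting on outage."""
    try:
        return cloud_lookup(shipment["id"]), "cloud"
    except ConnectionError:
        return fallback_chute(shipment["postal_code"]), "fallback"


def demo_outage_and_recovery():
    """One outage cycle: (sent while offline, queued, sent after recovery, stored, left over)."""
    cache, backend = ScanCache(), FakeTrackingBackend()
    for i, sid in enumerate(["PX100", "PX101", "PX102"]):
        cache.record(sid, "DELIVERED", f"2024-11-29T14:0{i}:00Z")
    sent_offline = cache.sync(backend.send)      # backend offline: nothing leaves the device
    queued = len(cache.pending)
    backend.online = True
    sent_after = cache.sync(backend.send)
    return sent_offline, queued, sent_after, len(backend.events), len(cache.pending)


if __name__ == "__main__":
    print(demo_outage_and_recovery())
    print(sort_shipment({"id": "PX200", "postal_code": "44135"}, FakeTrackingBackend().send))
```

Two design choices matter for the tabletop scenario later in the text: events are never dropped on a failed send, so a scanner that loses connectivity mid-tour still produces complete proofs of delivery, and the fallback table must be kept current, which is exactly the quarterly test the exercise identifies.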
MFA (Month 8):
Multi-factor authentication for all access points: VPN, cloud services (tracking, ERP), administrator access, sorting facility control room.
Phase 4: Organizational Measures (Months 8-10)
Training program:
- All employees: 30-minute online module on cyber hygiene
- Delivery drivers: short training (15 minutes, during the driver briefing) on secure use of handheld scanners, reporting loss, recognizing suspicious situations at parcel lockers
- Subcontractor delivery drivers: mandatory briefing at contract start, annual refresher
- Sorting center personnel: in-depth training on recognizing unusual facility conditions
- Management: NIS2 obligations, personal liability, proactive BSI supervision
Supplier assessment (particularly critical):
| Supplier | Special Requirements |
|---|---|
| Tracking system (SaaS provider) | Availability (SLA 99.9%), data backup, incident notification, tenant separation, exit strategy |
| Parcel locker manufacturer | Firmware security, patch cycles, Secure Boot, tamper detection |
| Sorting facility manufacturer | Remote maintenance security, PLC firmware updates, lifecycle planning |
| Microsoft (Business Central, Intune) | SOC 2 / ISO 27001 certification available |
| Subcontractors (15) | IT security clause in contract, device standards, containerization |
Business continuity plan:
| System | RTO | Emergency Procedure |
|---|---|---|
| Tracking system (SaaS) | Provider-dependent; local fallback: 2 hours | Tour data export from the evening before, local sorting by postal code |
| Sorting facility | 4 hours | Manual sorting (only at reduced volume < 5,000 shipments) |
| Tour planning | 2 hours | Run previous day's tours, manual adjustments by phone |
| Handheld scanners | Immediate (local cache) | Store scan data locally, sync on connection restore |
| Parcel lockers | 8 hours | Lock affected locations, redirect customers to depot via SMS |
Tabletop exercise scenario: On Black Friday at 2 PM, the tracking system goes down (the SaaS provider has suffered a ransomware attack). 25,000 parcels are backed up at the sorting center. 65 delivery drivers are on the road, and their scanners show no new data. 45 parcel lockers are still operating with the last known data state.
Result: Delivery drivers can complete their current tours using the local cache. The evening sort for the next day switches to the local fallback configuration (postal code-based). The delivery rate drops to 70 percent, but operations are maintained.
Improvement potential: The local fallback sorting must be tested regularly (quarterly) to ensure the postal code assignments are current.
Phase 5: Audit and Continuous Improvement (Months 10-12)
Internal audit:
Findings:
- 8 of 45 parcel lockers are still running an older firmware version because the manufacturer has delayed the update for this model. Compensating measure: These 8 lockers are monitored more closely. Escalation to the manufacturer with a deadline.
- Containerization on subcontractor devices has been implemented by 12 of 15 subcontractors. Three subcontractors are resisting. Corrective action: Set a deadline; if not met, revoke app access.
- The emergency tour data export is automatically created every evening, but the restore has not yet been tested. Corrective action: Schedule a quarterly restore test.
BSI registration: ParcelExpress registers with the BSI as an essential entity in the postal and courier services sector.
Management review: Management approves the residual risk catalog, the budget for the following year (focus: renewal of older parcel locker models, expansion of the local fallback system), and the training plan.
Budget Overview
| Item | One-time (Year 1) | Annual (from Year 2) |
|---|---|---|
| External consulting (ISMS setup) | 30,000-40,000 EUR | 10,000-15,000 EUR |
| MDM and containerization | 8,000-12,000 EUR | 4,000-6,000 EUR |
| Network segmentation sorting facility | 10,000-15,000 EUR | 2,000-3,000 EUR |
| Parcel locker hardening | 12,000-18,000 EUR | 3,000-5,000 EUR |
| Cloud fallback system | 8,000-12,000 EUR | 2,000-3,000 EUR |
| MFA and access control | 3,000-5,000 EUR | 2,000-3,000 EUR |
| Training | 5,000-8,000 EUR | 3,000-5,000 EUR |
| CISO time allocation (internal, 40%) | 25,000-30,000 EUR | 25,000-30,000 EUR |
| Total | 101,000-140,000 EUR | 51,000-70,000 EUR |
To keep tool costs manageable: ISMS Lite offers the complete feature set from 500 euros per year or as a one-time purchase for 2,500 euros, with no seat licenses or hidden costs.
What You Should Do Now
If you operate a postal or courier service and need to implement NIS2, the following first steps are crucial:
- Assess cloud dependencies. If your tracking system runs as a SaaS solution, you depend on the availability and security of this provider. Review the SLAs, request security certifications, and plan a local fallback.
- Bring mobile devices and subcontractor devices under control. Every scanner and smartphone accessing your systems is a potential entry point. MDM and containerization are not optional extras but fundamental prerequisites.
- Treat the sorting center as an OT environment. The sorting facility is not a simple machine but a networked OT system. Network segmentation and controlled remote maintenance are the most important protective measures.
- Take the classification seriously. As an essential entity, you are subject to proactive BSI supervision. The BSI can request evidence at any time. A paper-only ISMS will not suffice: it must be lived.
The CEP industry moves millions of parcels and letters every day, and behind every shipment is a recipient waiting for delivery. Digitalization made this logistics performance possible in the first place, but it also created a dependency on IT systems that makes the entire industry vulnerable. NIS2 is the regulatory framework addressing this vulnerability. Those who take the requirements seriously and invest in the security of their logistics IT protect not only themselves but the reliability of a service that both business and society depend on.
