The use of online marketplaces, automated storage systems and digital payment systems has made retail more efficient, but also more exposed to cyber-attacks. Against this background, the EU NIS2 Directive is becoming increasingly important for retailers.

NIS2 Directive – the current status

The NIS2 Directive has the overarching objective of establishing a uniform minimum standard for information security within various sectors and industries in the EU. In particular, there are to be stricter security measures and better collaboration on the European level.

In Germany, there is still no final national transposing law that gives the NIS2 Directive binding effect. However, the current bill for the NIS2 Implementation Act (NIS2UmsuCG) is expected to be passed by March 2025. This leaves companies only a limited amount of time to prepare for the coming provisions. The new rules are likely to affect, in particular, retail companies that:

  • process large amounts of customer data
  • use digital payment systems or 
  • are heavily involved in interconnected supply chains.

NIS2 requirements in the retail sector

The new rules present considerable hurdles for many businesses. The greatest challenge in the retail sector is likely to be complex supply chains, which often include external IT service providers, logistics companies and other partners. The IT and cyber-security standards of these partners affect the entire ecosystem: a security incident at a single external member of the chain can have serious consequences for the company's whole organisation. At the same time, the pressure is rising to safeguard customers' digital data, which are increasingly a target, and to comply with the NIS2 rules on time, that is, by the date the national transposing law comes into force, which the current bill targets for March 2025.

The additional regulatory burden that NIS2 brings with it obliges companies not only to prevent security incidents, but also to document them properly. Significant incidents must also be reported to the responsible authorities; the Directive itself prescribes an early warning within 24 hours, an incident notification within 72 hours and a final report within one month. Furthermore, companies must review and update their IT security measures regularly. This can be a heavy burden, especially for mid-market or regional retailers, who often lack the necessary resources or know-how. On top of this, existing IT systems and measures frequently do not meet the security requirements laid down by NIS2, which can make additional investment necessary.

Solutions and outlook for the retail sector

Despite these challenges, the implementation of NIS2 also offers retail potential and opportunities. The first step for a company is to conduct a comprehensive risk analysis. This identifies IT assets on a risk basis and exposes vulnerabilities in the company's IT infrastructure. Based on the results, targeted steps can then be taken to close security gaps and comply with the relevant requirements of the NIS2 Directive. Clear strategies for responding to security incidents are equally indispensable: contingency plans, reporting processes and a structured incident-handling procedure can be decisive in limiting the effects of a cyber-attack.

Working closely with experienced IT security experts can help implement the requirements efficiently. External partners often bring the expertise needed both to examine existing systems and to optimise processes.

Businesses that address the requirements early not only mitigate risks but also gain an advantage over the competition. A robust cyber-security strategy not only strengthens resilience against attacks but also builds trust with customers and partners. NIS2 has not yet been finally transposed into German law. Nevertheless, companies should act now, because the current bill provides no transition period for implementing the NIS2 measures: the requirements must already be in place by the time the national NIS2UmsuCG comes into force. Using the remaining time to prepare as well as possible is therefore important.

Our expertise gained from a variety of NIS2 projects can help you implement the requirements efficiently and for the long term. Contact us to develop a customised cyber-security strategy for your company together.

The article was written by our expert Jonas Neurath.