
NIS 2, cybersecurity in the supply chain: for whom it is mandatory and what companies must do

Author: Monika Kulej
It is no coincidence that a new directive, NIS2, has been issued at the European level: it is a fundamental step forward in improving cybersecurity in some key sectors, and EU companies will have to take the necessary steps to comply.

Digital transformation is rapidly changing manufacturing and distribution processes, bringing new innovations to the logistics and supply chain landscape as well, but it also brings with it new risks related to cybersecurity. Managing one's data securely and protecting one's operations from cyber risks therefore becomes a crucial aspect for the future of every company.


As a cloud solutions tech company, we take cybersecurity very seriously and know that managing cybersecurity risks requires constant vigilance to ensure that every process adequately addresses potential threats.

So we want to provide guidance on the obligations introduced by the new directive, the sectors involved, and what companies need to do to comply with the deadlines.

What is the NIS2 Directive: scope and objectives

The Network and Information Security (NIS2) Directive is an update of the previous NIS Directive (2016/1148), introduced by the European Union to improve the network and information security of a wide range of sectors considered critical: they provide essential services, and their cyber resilience is essential to avoid disruptions that could have serious economic and social impacts.

The main objective of NIS2 is to strengthen the resilience of the digital infrastructure of companies operating within the European Union, including not only large companies but also smaller organizations that provide essential and critical services.

To this end, the directive aims to create a common strategy among member states to raise cybersecurity levels, tighten security requirements and ensure a faster and more coordinated response to cyber attacks, which have become increasingly sophisticated.

Under the NIS2 Directive, companies must implement more advanced cybersecurity measures to protect sensitive data and critical information systems, thereby reducing the risk of operational disruptions caused by cyber attacks. The new rules also require greater collaboration between member states and the strengthening of cooperation between public and private entities.

When does the NIS2 directive take effect across the EU?

The NIS2 Directive, adopted by the European Union in 2022, requires all member states to transpose it into national law by October 18, 2024. Across the EU, including in Italy, Spain and Poland, the directive is set to come into force by this deadline, with exact dates depending on each country’s legislative process.

Italy has already approved Legislative Decree 138/2024, published on October 1, 2024, with provisions coming into effect on October 16, 2024. Poland, like other EU countries, is also progressing with its regulatory framework to meet the EU’s deadline.

Countries such as Germany and France have started implementing the directive, while Spain and the Netherlands are in the final stages of preparing their national laws. 

Each member state must ensure the directive is reflected in its legal framework, and companies across these regions need to stay informed on national updates to be compliant by the October 18, 2024 deadline.


Which companies are affected by the NIS2 Directive

The NIS2 Directive has a broad scope of application and covers sectors considered essential to the economy and society. Sectors include energy, transportation, finance, healthcare, food, manufacturing, as well as digital service and infrastructure providers, waste management, chemicals, water supply, and postal services, as these are industries that play a crucial role in ensuring the continuity of supplies and services. Let’s look at some of them in more detail.

Transportation Sector

  • Companies that provide freight and passenger transport services (rail, air, sea and road).
  • Logistics companies that manage supply and distribution chains, including ports and airports.
  • Providers of information systems for transportation and traffic management, such as vehicle tracking and route optimization.

The transportation sector is one of the strategic areas NIS2 focuses on. With the increasing digitalization of logistics processes, the security of shipping and transportation management data has become critical. Transportation companies must ensure the protection of sensitive information and of the systems that manage transportation operations.

Manufacturing sector 

  • Companies that produce chemicals, machinery and industrial equipment.
  • Industries that supply key materials and components for other industries (such as steel and finished products that support essential infrastructure).
  • Industries that make use of IoT technologies for production and supply chain monitoring.

Manufacturing companies, especially those engaged in automated and digitalized production, must also comply with NIS2. Disruptions in production caused by cyber attacks can result in huge economic losses and impacts on the global supply chain. Industries with production systems based on IoT and other advanced technologies must implement cybersecurity standards to mitigate risks.

Food sector 

  • Companies involved in the production, processing, and distribution of food and beverages.
  • Large food distribution chains and retail platforms.
  • Providers of food supply chain management technologies (e.g., food tracking platforms).

Companies involved in the production, processing, distribution, and logistics of food products are among the main NIS2 stakeholders. This sector is increasingly dependent on digital infrastructure for supply chain management and logistics, and cybersecurity becomes critical to protect the quality and safety of food products.


The obligations imposed by the regulations

To take the industries mentioned above as an example, companies operating in the food and manufacturing sectors will need to ensure that their transportation providers also meet the security standards under NIS2, taking appropriate measures to secure transportation management and protect the integrity of the supply chain.

Companies subject to NIS2 will have to conduct periodic cybersecurity risk assessments and implement measures and strategies to mitigate the vulnerabilities they identify. They will also be required to report significant security incidents quickly to the relevant authorities.

With regard to supply chain security, for example, the obligations companies will be required to observe can be summarized in three points:

  • Risk assessment: Companies must assess cybersecurity risks not only for their own internal systems, but also for those of critical suppliers within their supply chain. This includes external partners and third-party vendors that handle sensitive data or provide services critical to business operations.
  • Supplier controls: Strict criteria for supplier selection must be implemented, with contracts that include cybersecurity measures. Companies must continuously monitor the security of their suppliers to prevent vulnerabilities throughout the supply chain.
  • Traceability: Companies must provide greater transparency on information flows, ensuring that every element of the chain is monitorable and traceable to prevent fraud, disruptions or cyber attacks along the supply chain.

What companies must do to comply with the NIS2 Directive 

To comply with the NIS2 Directive, companies must take a number of measures to improve the security of their digital infrastructure, the main ones of which we summarize below:

  • Risk assessment: companies must conduct a comprehensive cyber risk assessment and identify critical vulnerabilities in their IT and OT (Operational Technology) systems.
  • Implementation of security measures: they must take technical and organizational measures to mitigate the identified risks, such as advanced firewalls, intrusion detection systems, data encryption and regular backups.
  • Business continuity plans: develop contingency plans to ensure business continuity in the event of a cyber attack.
  • Staff training: staff must be trained and made aware of cybersecurity, with a focus on industry-specific risks.
  • Cooperation and reporting: companies must cooperate with relevant authorities and promptly report any cybersecurity incidents, with a requirement to report serious breaches within 24 hours.

Consequences and penalties for non-compliance with the NIS2 Directive

Companies that fail to comply with the NIS2 Directive risk serious consequences, including severe economic penalties and reputational damage. Fines for noncompliance can be up to 2 percent of the company’s annual global turnover or 10 million euros, whichever is greater. In addition, Article 38 allows authorities to temporarily suspend certificates or authorizations if an organization fails to comply, or to declare members of governing bodies unable to perform management functions until the necessary measures are implemented.

Of course, beyond penalties, the potentially most damaging consequence of noncompliance with cybersecurity regulations is precisely the increased vulnerability of companies to operational risks, such as disruptions in production, loss of data or other damages that could jeopardize their competitive position in the market.


Benefits of an ISO 27001-certified platform such as CargoON

Implementing an ISO 27001-certified digital platform such as CargoON offers companies the dual benefit of improving both operational efficiency and security. In fact, ISO 27001 certification ensures that the platform meets international standards for information security management, mitigating the risks mentioned above.

1. Advanced data security

ISO 27001 certification ensures that companies adopt secure information management practices such as encryption, multifactor authentication and continuous monitoring. This is critical for protecting sensitive supply chain-related data and preventing ransomware attacks or the theft of data belonging to the company or its customers. As freight tech experts, both CargoON and the Trans.eu Group, of which we are a part, are committed to providing cutting-edge technology solutions to innovate transportation and supply chain management, so a focus on cybersecurity is part of our DNA: Trans.eu Group has been ISO 27001 certified since 2016.

2. Efficient supply chain management

The digital transition is now a sine qua non for maintaining competitiveness in an increasingly technology-driven future. With a cloud-based platform like CargoON, companies can manage their logistics and procurement operations more efficiently through automation, process optimization, and end-to-end digitization. This also brings considerable indirect benefits in terms of time and cost savings. For example, with tools such as Dock Scheduler, companies can reduce vehicle waiting times by up to 70 percent, improving operations management in warehouses and reducing overtime costs or demurrage fees.

3. Traceability and regulatory compliance

For food companies, as well as other industries, a major challenge is to ensure traceability of products throughout the supply chain. A platform like CargoON helps digitalize the entire process, facilitating secure storage and immediate accessibility to all relevant information.

4. Risk management and business continuity

Risk management is something that should never be underestimated. Companies that still rely on manual, non-digitized systems may be more exposed to the risk of data loss, which could cause disruptions in services. Those that decide to develop proprietary digital solutions, on the other hand, will have to shoulder the task of maintaining the security and proper functioning of the technology, with periodic updates of systems and protocols. By choosing a platform such as CargoON, companies are freed from the worry of keeping the technology in use compliant with the required standards, benefit from a higher level of digitization of their processes, and can count on an ISO 27001-certified partner to reduce cyber risks.

5. Real-time monitoring

Having visibility into the status of transportation and logistics operations is essential to take timely corrective action when delays or problems occur. With CargoON, you can achieve end-to-end supply chain digitalization for more accurate monitoring and also offer greater transparency on the status of goods to your customers and partners.

6. Integration with existing systems

CargoON is designed to easily integrate with ERP and other systems in use for supply chain, transportation and warehouse management, providing a scalable solution that requires extremely short implementation times and minimal investment in technology infrastructure. This facilitates a smooth transition to digitalization while improving efficiency.

The importance of cybersecurity in digitalized processes

Digitalization has now revolutionized the way we do business: it has brought incredible benefits, but it also brings new risks related to cybersecurity. The future of companies depends on their ability to securely manage their data and operations, turning the challenges of digitization into opportunities for growth and competitiveness.

Supply chain management is certainly one of the most critical aspects for companies, especially with reference to the food, manufacturing and transportation sectors. With the digitization of transportation processes, cybersecurity of the platforms that manage these operations becomes essential to reduce the risks associated with cyber attacks.

Choosing to implement digital platforms with accredited partners such as CargoON is a key step in mitigating these risks and ensuring that critical processes are protected from potential cyber threats.
