A number of representative groups for the food retail and distribution sector have called on the EU to exempt medium-sized businesses from potentially costly cybersecurity obligations outlined in the proposed NIS 2 Directive.
The European Commission proposal for a NIS 2 Directive widens the scope of the existing Directive to cover all large and medium sized enterprises in selected critical/essential sectors.
The new scope would include food distribution, with the objective of avoiding food shortages in case of a cyberattack.
'Not Proportionate To The Risks'
Groups including EuroCommerce, Independent Retail Europe, SMEunited, HOTREC and Serving Europe have said that the extension of the scope to all medium sized food distribution businesses is not proportionate to the risks and leads to very high un-necessary compliance costs.
'The impact would be particularly high, as food distribution SMEs are characterised by very low-profit margins, and a significant number (e.g. hospitality, wholesale, etc.) are still struggling to recover from the COVID-19 crisis,' the groups said in a joint statement.
The groups argue that NIS 2 should only cover food distribution companies of systemic relevance, where a cyberattack would create a critical threat to ensuring consumers have access to food supply.
Food Production Process
With this in mind, medium sized food distribution firms, including retailers, restaurants, and so forth, would not be considered critical in this sense – if a cyberattack occurred, the food production process would not be affected.
The groups are calling on EU institutions to amend the scope of application of the NIS 2 proposal for the food distribution sector and ensure that:
- Either medium sized food distribution companies are exempt from NIS 2; or
- It exclusively covers businesses supplying more than 0.5% of the population of a given Member State- reflecting their importance to the food supply of Member States.
Retailer Coop Sweden saw its checkout systems disabled following a cyber attack during the summer, while Spanish beer maker Damm was forced to halt output in Barcelona following a similar attack earlier this month.