NIS2 puts food supply under digital pressure

With the introduction of NIS2, companies in the food supply chain will face far-reaching requirements in the field of cybersecurity and (ICT) supply chain responsibility. We spoke with Richard van Buuren of the Netherlands Food and Consumer Product Safety Authority (NVWA), who, as programme manager, is responsible for setting up supervision of cybersecurity in the food supply chain.
With the introduction of the NIS2 Directive, cybersecurity is shifting from a technical precondition to a core responsibility for companies in the food supply chain. What was long seen as an ICT issue is increasingly becoming directly linked to security of supply, international trade and societal stability. According to Richard van Buuren, this is due to a fundamentally changed threat landscape. “Disruption of society can just as easily occur via the food supply chain as via energy or telecoms. The disruptor looks for the weakest link.”
The consequences are far from theoretical. “A cyberattack can shut down factories, send employees home and cause billions in damage.” This was demonstrated by a cyberattack at the end of 2025 in the automotive industry, when factories of Jaguar Land Rover were forced to halt operations for months and losses rose to nearly £2 billion. The impact extended far beyond a single location: international production chains were affected across Europe, China, India and Brazil, with far-reaching financial and personnel consequences that will affect the company for years to come.
Fragmented landscape
The Netherlands has chosen – like a number of other EU countries – not to centralise supervision with, for example, the National Cyber Security Centre, but to assign it to existing sectoral regulators. This means that the Netherlands Food and Consumer Product Safety Authority will be responsible for the food security chain, a domain in which cybersecurity is a new field requiring new specialist expertise that still needs to be developed. At the same time, decentralised supervision requires intensive cooperation with other regulators, as companies may fall under multiple supervisory authorities. This also means that, as joint regulators, close collaboration is required in areas such as risk prioritisation, sectoral analyses, joint inspections and the development of a common enforcement policy.
Supply chain responsibility
However, the impact of NIS2 extends beyond supervision alone. According to Richard, the greatest challenge lies with companies themselves. Companies have a “duty of care” and are therefore responsible for safeguarding their entire ICT chain. This includes not only their own systems, but also their connections with the systems of their suppliers – even if those suppliers are based in Brazil or China.
For the food sector, including importers of oils, fats and grains with highly international and complex supply chains, NIS2 represents a fundamental change. Companies must not only have their own systems in order, but also gain insight into the cybersecurity of their direct partners worldwide. This makes the challenge not only technical, but also significantly more complex from an organisational and strategic perspective.
Important or essential
Not all companies will face the same level of supervision. Under NIS2, a distinction is made between ‘important’ and ‘essential’ entities. For the majority of companies – the important entities – a reactive approach applies: supervision mainly takes place during or after incidents, or when there are signals of increased risk. In addition to this group, there is a smaller group of companies designated as ‘essential’ through the Wwke (the Dutch implementation of the CER) by the Ministry (LVVN), based on a criticality assessment. These essential entities are subject to proactive supervision and are actively audited for compliance with NIS2 and CER (NL: Cbw and Wwke). This means that, in addition to food safety requirements, they are also assessed on cyber and physical resilience (food security). Companies designated as ‘essential’ are given ten months after designation to implement the requirements.
Registration is only the first step
With the introduction of NIS2, companies will first face a registration requirement. However, this obligation does not mean that an organisation immediately complies with all requirements. It is essentially a first administrative step, intended to indicate that a company recognises that it falls under the Cbw. This registration is done with the NCSC, and through a link with the NCSC the supervisory authority also receives this information.
Support first, enforcement second
While supervision is inevitable, the Netherlands Food and Consumer Product Safety Authority emphasises that enforcement is not the starting point. The NVWA will not begin with fines, but will first support, advise and help build capabilities. However, if a company indicates that it is not interested, the NVWA will take a different approach. The initial focus is therefore on strengthening the resilience of companies, while also assessing their willingness to take action.
Standards help but offer no guarantee
Many companies seek guidance in existing standards and certifications. While these can certainly help in structuring and safeguarding processes, they never offer complete certainty, according to Richard. “In principle, you can certify everything. But if your process is weak, you certify a weak process.” Compliance with standards and certification is certainly taken into account in supervision, but the actual implementation and effectiveness in daily practice are what ultimately matter.
Old systems create new risks
According to Richard, a significant part of the risk lies not in new technologies, but in existing systems. Many systems installed over past decades now form relatively easy entry points for hackers. Examples include installations originally designed and encrypted for remote operation via simple routers with SIM cards, which today are insufficiently secured and relatively easy to compromise.
From obligation to resilience
NIS2 is often seen as a new obligation, but according to Richard, its core lies elsewhere. The aim is not to punish companies, but to strengthen the digital resilience of companies and sectors as a whole. For companies in the food supply chain, this means that cybersecurity must become a structural part of business operations – not as a standalone ICT issue, but as an integral component of continuity, risk management and strategic positioning.
Where to start as a company?
For companies at an early stage, the first step is insight: understanding which systems are in use, where the risks lie and which parties are part of the (ICT) chain. From there, further steps can be taken, for example with the help of existing standards and guidelines. Public sources, such as those of the Nationaal Cyber Security Centrum, provide practical guidance. The introduction of NIS2 therefore does not mark an end point, but the beginning of a process in which cybersecurity becomes a fixed component within the sector.
MVO will actively support its members in this process. In cooperation with the NVWA, and with contributions from the cyber and physical resilience team, a session will be organised to help companies comply with NIS2/Cbw and to provide practical guidance for implementation. More information about this session will follow shortly.
If you have specific questions or topics you would like to see addressed during this session, please contact Felix Puts.