Joint food distribution industry statement from Independant Retail Europe, SME United, HOTREC, EuroCommerce & Serving Europe

Food distribution sector calls on EU to exempt medium sized businesses from costly NIS 2 cybersecurity obligations

The Commission proposal for a NIS 2 Directive would expand the scope of cybersecurity obligations to all medium sized enterprises in the food distribution sector. Such a wide scope would entail massive compliance costs for these companies, even though they are not ‘critical’ (in the sense of the Directive) for local food supply. The signatories of this statement call on EU institutions to exempt from the NIS 2 Directive all medium sized food distribution companies, or ensure that only such companies supplying a critical share of the population be covered.

The European Commission proposal for a NIS 2 Directive widens the scope of the existing Directive to cover all large and medium sized enterprises in selected critical/essential sectors. The new scope would include food distribution, with the objective of avoiding food shortages in case of a cyberattack.

The signatories of this statement, representing SMEs in the food distribution sector at large (e.g. retailers, local food shops, restaurant services, wholesalers, etc.), warn that the extension of the scope to all medium sized food distribution businesses is not proportionate to the risks and leads to very high un-necessary compliance costs[1]. The impact would be particularly high, as food distribution SMEs are characterised by very low-profit margins, and a significant number (e.g. hospitality, wholesale, etc.) are still struggling to recover from the COVID-19 crisis.

To ensure the resilience of critical supply chains in case of a cyberattack, NIS 2 should only cover food distribution companies of systemic relevance, meaning entities for which a cyberattack would create a critical threat to the food supply of populations. Individually, medium sized food distribution (retailers, restaurants, etc.) companies are not critical in this sense: they only represent a small share of the food distribution market, while there are always may local convenient alternatives available to consumers, even if a cybersecurity incident hit a specific SME. Also, although some medium-sized food businesses (e.g. bakeries, butchers, etc.) are essential in the context of regional food production, they are not critical with regards to the network of the entire food supply chain. In the case of a cybersecurity attack, the food production process would not be affected.

Therefore, we call on EU institutions to amend the scope of application of the NIS 2 proposal for the food distribution sector and ensure that:

either medium sized food distribution companies are exempt from NIS 2; or
it exclusively covers businesses supplying more than 0,5% of the population of a given Member State- reflecting their importance to the food supply of Member States.

[1] As reported in the European Commission's impact assessment (p 70-80).