The NIS2 Directive marks a turning point in the way companies must manage digital risk. Although the NIS2 Directive has yet to be transposed into Spanish law (only Spain and Greece have not done so yet), it will have a direct impact on the agri-food sector, affecting a significant number of organizations that will need to increase their level of cybersecurity vigilance.
Cybersecurity in the agri-food sector is no longer just a technical issue. Today, it directly impacts critical aspects such as production, traceability, and food safety—key factors in ensuring business continuity.
But what does NIS2 really mean for an agri-food company? And why should it start preparing now?
What is the NIS2 Directive?
NIS2 is the European regulation that establishes a common framework to strengthen cybersecurity for entities deemed essential and important. Its goal is to improve resilience against incidents that could affect operations, security, or business continuity.
Cybersecurity requirements under the NIS2 Directive
To comply with the NIS2 Directive, companies must implement a set of technical and organizational measures aimed at managing digital risk.
The main requirements include:
- Cybersecurity Risk Management
- Technical and organizational security measures
- Security Incident Notification
- Oversight by the authorities
- Direct responsibility of the management body
In addition, the directive significantly expands the number of companies affected in Europe, including sectors such as agri-food, water, energy, and transportation.
Which companies are affected by the NIS2 Directive?

The NIS2 Directive applies to companies considered essential or important within critical sectors.
In the case of the agri-food sector, this includes organizations that:
- Have more than 50 employees
- Have a turnover of more than 10 million euros
- Are part of the food supply chain
This means that many companies that were not previously subject to these requirements will now fall under the scope of the regulations.
Why is the agri-food sector included in NIS2?
The agri-food sector is critical because of its direct impact on society and the supply chain.
An incident can affect:
- Food supply
- Food security
- Supply chain stability
- Consumer confidence
In addition, the digitization of production processes has increased exposure to risk, particularly in control, automation, and traceability systems.
How the NIS2 Directive Affects the Agri-Food Sector
The impact of the NIS2 Directive on the agri-food sector goes beyond regulatory compliance. It represents a shift in how cybersecurity is managed within the company.
On the one hand, it expands the number of organizations affected. On the other hand, it introduces a strategic approach in which cybersecurity becomes an integral part of overall business management.
This means that key processes such as production, traceability, and process control are directly linked to digital risk.
The Role of Management in NIS2
One of the most significant changes in the NIS2 Directive is the direct involvement of senior management. Digital risk management is no longer the sole responsibility of the technical department but becomes part of the CEO’s and the executive committee’s responsibilities.
This implies:
- Monitoring cybersecurity risks
- Making strategic decisions
- Allocating resources
- Integrating cybersecurity into business management
In the agri-food sector, this responsibility is particularly critical given its impact on food safety and business continuity.
Key gaps in the sector: the challenge of OT environments

The agri-food sector shows varying levels of readiness for NIS2.
Although many companies have systems and controls in place, in many cases there is no structured approach to digital risk management.
This gap is particularly evident in operational technology (OT) environments, where:
- The systems were not designed with cybersecurity in mind
- There is a high degree of interconnection
- Integration with overall risk management is limited
This increases exposure in critical areas such as traceability, process control, and operational continuity.
Consequences of a cybersecurity incident
A cybersecurity incident in the agri-food sector can have a direct impact on:
- Production
- Traceability
- Food security
- Business continuity
- Reputation
In an environment where trust is key, these risks take on a strategic dimension.
The NIS2 Directive in Spain: Current Status
Currently, the NIS2 Directive has not yet been fully transposed into Spanish law. However, this does not mean that companies should not take action now, as it is already the benchmark for cybersecurity compliance in most European countries.
NIS2 sets the regulatory framework toward which Spanish regulations will evolve, so preparing in advance is key to reducing risks and facilitating future adaptation. Furthermore, many of its requirements are aligned with frameworks such as the National Security Scheme or the ISO/IEC 27001 standard.
How to Prepare for NIS2
Companies in the agri-food sector can start preparing today by taking a step-by-step approach:
- Cybersecurity Maturity Assessment (Gap Analysis)
- Identification of risks and vulnerabilities
- Implementation of frameworks such as ENS or ISO 27001
- Integrating Cybersecurity into Business Strategy
- Definition of a phased adaptation plan
The goal is not only to stay ahead of future regulations, but also to strengthen the organization's resilience.
A new landscape for the agri-food sector
The NIS2 Directive is not just a regulation; it reflects the new environment in which companies operate.
In the agri-food sector, where production, traceability, and food safety are critical, digital risk management has become a strategic priority. By staying ahead of the curve, organizations can mitigate risks, improve operational resilience, and better prepare for future requirements.
If you want to understand how NIS2 affects your company and what steps management can take, visit ACERTA, where we’ll be addressing this topic alongside cybersecurity experts in a webinar specifically designed for the agri-food sector.
If you'd like to assess your readiness for NIS2, you can contact our team to assess your current situation.
Frequently Asked Questions
- Currently, the NIS2 Directive has not yet been fully transposed into Spanish law. However, it sets out the regulatory framework toward which the legislation will evolve, so companies should begin preparing now.
- The NIS2 Directive applies to companies considered essential or important within critical sectors. In the agri-food sector, this includes organizations with more than 50 employees, or with a turnover of more than 10 million euros, or that are part of the food supply chain.
- The directive has a direct impact on key processes such as production, process control, traceability, and food safety, and it also involves senior management in digital risk management and strategic decision-making.
- The NIS2 Directive addresses risks related to cybersecurity incidents that can affect production, traceability, food safety, and business continuity, as well as supply chain stability and consumer confidence.
