When is a meat processing company subject to NIS2?

Meat processing companies fall under NIS2 Annex II No. 5 once they meet an industrial processing structure and the size threshold of 50 employees or 10 million Euro annual turnover (SME Recommendation 2003/361/EC Art. 2). Industrial processing applies when using automated cutting lines, central refrigeration management systems, or HACCP-linked IT systems. Traditional local butcheries without supra-regional production are generally not covered.

When does a meat processor become a KRITIS operator?

KRITIS under BSI-KritisV § 4 Annex 3 applies in the food sector from an annual processing volume of 434,500 tonnes. In Germany this threshold is achievable only by a few large operators (e.g. Tönnies, Westfleisch). Below this threshold only NIS2 obligations apply, not the additional KRITIS requirements such as 24/7 contact point and mandatory certifications.

What fines apply for NIS2 violations in meat processing?

§ 65 BSIG-neu provides for Important Entities (medium operations) fines of up to 10 million Euro or 2 percent of global annual revenue. Essential Entities (large operations) face up to 10 million Euro or 2 percent of group turnover. In addition, personal liability of management may apply under § 38 BSIG-neu.

How do NIS2 supply-chain obligations affect meat producers?

§ 30 Para. 2 No. 4 BSIG-neu requires security across the entire supply chain. For meat operators this means: security requirements for slaughterhouse management software, cold-chain systems, ERP providers, and logistics partners. Contracts with these partners must include cybersecurity clauses, and critical suppliers must be audited regularly.

Must meat processors protect HACCP systems in an NIS2-compliant way?

Yes. HACCP-linked production control systems qualify as critical OT/IT infrastructure under § 30 BSIG-neu. Protection obligations include network segmentation between OT and IT, patch management for PLCs and control computers, and backup concepts for HACCP log data. Cyberattacks on these systems trigger a 24-hour initial reporting obligation under § 32 BSIG-neu.

When must a meat processing company register with the BSI?

The registration obligation under § 33 BSIG-neu arises within three months of determining NIS2 applicability. The decisive point in time is when all criteria (sector, size, production structure) are met. Registration is via the electronic BSI reporting portal, providing entity category, sector, and designated contact point.

Are managing directors in meat processing personally liable under NIS2?

§ 38 BSIG-neu explicitly requires management to approve, supervise, and train on cybersecurity measures. Violations of these organizational obligations can result in personal liability. Recommended practice: annual management resolution on risk management measures, documented training participation, and an internal compliance audit.

Industry-specific Self-Check

Is my meat operation affected by NIS2?

Butcher shops, chains, cutting operations - generic checkers miss the gray zone. This calculator doesn't.

Step 1 / 2

Production and distribution structure

NIS2 targets 'industrial production' — an EU term, not the craft registry. Check what applies to your operation.

Central meat processing supplies multiple retail outletsOne production site supplies 2+ stores, delivery services, marketsAutomated slaughter, cutting, or processing linesCutting facilities, sausage lines, automated packaging, cold storesSupply to external B2B customersSupermarkets, restaurants, canteens, other butchers, wholesale, hospitalsAnnual production above 1,000 tonnes of meat/sausage productsIndicator of a production scale beyond a classic artisanal butcher

Step 2 / 2

Company size

Meat Processing: The Complete NIS2 Guide

Meat processing companies are in scope under NIS2 Annex II No. 5 as food manufacturers as soon as they exceed 50 employees or EUR 10 million in annual revenue. Because slaughter lines, cutting operations, and cold chain logistics are so tightly IT-dependent, NIS2 compliance here is not a bureaucratic exercise - it is critical operational safety. This guide is written for operations managers, managing directors, and IT managers in the meat industry.

Who is affected?

Slaughterhouses and meat processors fall under NIS2 Annex II No. 5 (Food, NACE C.10.1) when they exceed the SME thresholds from EU Recommendation 2003/361/EC Art. 2: at least 50 employees or at least EUR 10 million in annual revenue.

Large slaughterhouses with more than 250 employees and over EUR 50 million in revenue are Essential Entities under Annex I if they reach the KRITIS threshold under BSI-KritisV. For slaughter animals, this is approximately 1.5 million cattle equivalents per year; exact values are set out in BSI-KritisV Annex 6.

A facility with 150 employees, a deboning line, and its own distribution to food retailers exceeds the NIS2 threshold and is an Important Entity.

Obligations under § 30 BSIG-new

§ 30 BSIG-new lists seven obligation categories that in meat processing are heavily shaped by OT/IT overlaps:

Risk analysis and management: Slaughter line controls, cold storage monitoring, cutting band automation, and logistics IT must all be included in the risk assessment.
Incident handling: A failure of the stunning equipment control system or a cold storage alarm is an incident under NIS2. Reporting and escalation paths must be clearly defined.
Business continuity: Meat processing is time-critical - a production stoppage of more than a few hours means spoilage. A detailed BCP with alternative processes and communication plans is mandatory.
Supply chain security: Suppliers of animal transport IT, slaughter technology, MES, and ERP must provide security certifications. § 30 Para. 2 No. 4 BSIG-new requires contractual clauses.
Access control and MFA: Access to production systems and company IT must be secured by MFA. Remote maintenance access from equipment manufacturers must be specifically secured.
Encryption: Supplier and customer data, slaughter records, and traceability data must be stored encrypted.
Training and awareness: Shift supervisors, IT staff, and administrative personnel must receive regular cybersecurity awareness training.

Deadlines and reporting obligations

BSI registration under § 33 BSIG-new: within three months. For security incidents, § 32 BSIG-new applies: initial report within 24 hours, full report within 72 hours, final report within 30 days.

A ransomware attack on slaughter line controls that interrupts production for more than 12 hours is a reportable significant incident. A cold storage failure caused by a cyberattack also falls under this obligation if it affects food safety.

Fines and personal liability

Important Entity (Annex II): up to EUR 7 million or 1.4% of turnover. Essential Entity (Annex I): up to EUR 10 million or 2% of turnover.

§ 38 BSIG-new: managing directors are personally liable for the negligent failure to implement NIS2 measures. Combined with potential product liability claims for spoiled food (e.g., from a failed cold chain), the consequences can be existential.

Slaughter and cutting lines: why IT resilience is so critical

Meat processing is more threatened by IT failures than almost any other food sector: processes are time-bound (hygiene, cold chain), highly automated, and poorly prepared for manual fallbacks.

An example: JBS, the world's largest meat processor, paid USD 11 million in ransom after a 2021 ransomware attack. In Germany, such attacks also affect mid-sized operations. A cutting line failure lasting 8 hours means: perishable semi-finished product, delivery obligation breaches toward retail customers, and possible recall actions if temperature deviations occur.

What NIS2 concretely requires: network segmentation so that an office IT attack cannot reach production systems; regular backups of production configurations; tested recovery procedures for slaughter line software; and a clear escalation protocol for incidents.

First steps

Check your headcount and revenue against the SME thresholds.
Map all networked systems: slaughter line controls, cutting band, cold storage monitoring, MES, ERP, traceability software.
Analyze remote maintenance access points from equipment manufacturers (e.g., Henny Penny, Stork).
Ensure OT networks are separated from the office network.
Create a contingency plan specifically for IT failure during live production.
Document supplier contracts with respect to § 30 Para. 2 No. 4 BSIG-new.
Register with the BSI.

Common pitfalls

IT failure planning ignores production timing: A contingency plan that does not account for what happens after 4 hours of stoppage with semi-finished product on the line is incomplete.

Traceability systems not classified as critical: Quality assurance systems and origin records are regulatorily critical. Their failure is reportable.

Slaughter operation and processing assessed separately: If slaughter and deboning run in the same company but on different IT systems, both must be included in the overall risk assessment.

Cold chain monitoring not recognized as an IT security issue: Sensor infrastructure for temperature is IT. Its failure is a security incident with food law consequences.

Use the industry-specific NIS2 calculator for meat processing to determine your obligations.

Authored by

Julian Köhn

Founder & CEO, Kopexa

Julian Köhn is Founder and CEO of Kopexa. He has been building security and compliance solutions for European mid-market companies for over 10 years. Focus areas: NIS2, ISO 27001, GDPR, TISAX. Kopexa was founded to make GRC transparent and self-service for SMEs.

LinkedIn View profile

Reviewed by

Kopexa GRC Team

Subject Matter Experts — NIS2, ISO 27001, KRITIS

The Kopexa GRC Team consists of security and compliance experts certified in ISO 27001, CISA, CRISC. The team develops framework mappings and validates content on NIS2, KRITIS, and industry-specific requirements.

Last updated: 2026-04-17

Frequently asked questions

Industry-specific answers on NIS2 obligations, thresholds, and sanctions.

Is my meat operation affected by NIS2?

Meat Processing: The Complete NIS2 Guide

Who is affected?

Obligations under § 30 BSIG-new

Deadlines and reporting obligations

Fines and personal liability

Slaughter and cutting lines: why IT resilience is so critical

First steps

Common pitfalls

Frequently asked questions

01When is a meat processing company subject to NIS2?

02When does a meat processor become a KRITIS operator?

03What fines apply for NIS2 violations in meat processing?

04How do NIS2 supply-chain obligations affect meat producers?

05Must meat processors protect HACCP systems in an NIS2-compliant way?

06When must a meat processing company register with the BSI?

07Are managing directors in meat processing personally liable under NIS2?