Dairy: The Complete NIS2 Guide

Dairies with more than 50 employees or EUR 10 million in annual revenue must be classified as Important Entities under NIS2 Annex II No. 5 (Food). The particular challenge for dairies is their dependency on cold chain management and raw milk logistics: an IT failure in these processes can lead to production stoppage and spoiled product within hours. This guide is written for operations managers and managing directors in the dairy industry.

Who is affected?

Dairies and milk processors fall under NIS2 Annex II No. 5 (NACE C.10.5 Dairy Processing) when they exceed the SME thresholds: at least 50 employees or at least EUR 10 million in annual revenue (EU Recommendation 2003/361/EC Art. 2).

Large dairies with national supply functions - for example, those processing more than 434,500 t/a of dairy products in grain equivalents - are Essential Entities under NIS2 Annex I (KRITIS threshold per BSI-KritisV Annex 6).

A regional dairy with 80 employees, its own pasteurization plant, and daily delivery to supermarkets and schools exceeds the NIS2 threshold and is an Important Entity.

Obligations under § 30 BSIG-new

The seven obligation categories of § 30 BSIG-new are particularly demanding for dairies because of cold chain and food safety requirements:

  1. Risk analysis and management: Pasteurization controls, cold storage management, tank farm IT, and logistics controls for milk tankers must all be assessed.
  2. Incident handling: A temperature deviation alarm caused by a cyberattack on the cold monitoring system is a reportable incident. Your process must clearly reflect this.
  3. Business continuity: Dairy processes run 24/7 and are highly time-critical. A BCP must include manual monitoring fallbacks and communication plans for suppliers and customers.
  4. Supply chain security: Milk supplier IT (routing systems for tankers), packaging suppliers, and laboratory software providers must be assessed for security standards.
  5. Access control and MFA: Access to production IT and business applications requires MFA. This especially applies to remote maintenance of laboratory systems and pasteurization equipment.
  6. Encryption: Customer data, supplier data, and production logs (pasteurization records for food authorities) must be stored encrypted.
  7. Training and awareness: Shift supervisors, quality assurance, and IT staff must receive regular cybersecurity training.

Deadlines and reporting obligations

Registration with the BSI under § 33 BSIG-new is due within three months of becoming aware of your obligation. Security incidents under § 32 BSIG-new must be reported in stages: initial report within 24 hours, full report within 72 hours, final report within 30 days.

A cyberattack that disables cold monitoring and stops the pasteurization plant must be reported within 24 hours. The financial damage from spoiled raw material makes fast action and documentation mandatory.

Fines and personal liability

Important Entity (Annex II): up to EUR 7 million or 1.4% of turnover. Essential Entity (Annex I): up to EUR 10 million or 2% of turnover.

§ 38 BSIG-new establishes personal liability for management. For dairies this is especially relevant because a security incident involving a cold chain interruption can trigger NIS2 fines, food law sanctions, and civil liability claims at the same time.

Cold chain and raw milk logistics as IT-dependent critical processes

Milk supply from intake to delivery depends entirely on IT: tanker routes are dispatched by software, raw milk intake and quality testing are IT-supported, pasteurization temperatures are automatically logged, and cold storage temperatures are remotely monitored.

A concrete risk scenario: a phishing attack on a dispatcher gives the attacker a foothold in the ERP. From there, the attacker reaches the cold storage management software and raises the temperature thresholds so that alarms are suppressed - and raw milk begins to spoil. The company only notices at the next quality scan. Damage: spoiled raw material, production stoppage, product recall.

For this scenario, § 30 BSIG-new calls for separate network segments for cold monitoring and office IT, automatic backup alarms through redundant channels (e.g., an SMS gateway as fallback), and regular tests of the alerting systems.
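As an added illustration of the controls just named (example code written for this page, not part of the original guide or any Kopexa product), the following Python sketch is an independent cold-chain watchdog: it keeps its own baseline of temperature limits outside the monitoring system, flags live thresholds that have been raised or removed (which is how alarms get suppressed), re-evaluates raw readings against the baseline rather than trusting the primary alarm state, and escalates through a fallback channel when the primary channel does not acknowledge. Sensor names, limits and readings are constructed sample data; `send_primary` and `send_fallback` are assumed callbacks that return True on acknowledgement.

```python
# Added example: independent cold-chain watchdog (constructed sample data).
from dataclasses import dataclass

# Protected baseline: maximum allowed temperature (degrees C) per cold store,
# stored on the separated alerting segment, not in the monitoring system.
BASELINE_MAX_C = {"raw-milk-silo-1": 6.0, "cold-store-A": 4.0}


@dataclass
class Finding:
    sensor: str
    kind: str      # "threshold_tampered" or "over_temperature"
    detail: str


def check(live_thresholds, readings):
    """Compare live thresholds to the baseline and re-check raw readings."""
    findings = []
    for sensor, base in BASELINE_MAX_C.items():
        live = live_thresholds.get(sensor)
        # A raised or missing threshold would silence the primary alarm.
        if live is None or live > base:
            findings.append(Finding(sensor, "threshold_tampered",
                                    f"live={live} baseline={base}"))
        # Evaluate readings against the baseline, never the live value.
        for temp in readings.get(sensor, []):
            if temp > base:
                findings.append(Finding(sensor, "over_temperature",
                                        f"{temp:.1f}C > {base:.1f}C"))
    return findings


def escalate(findings, send_primary, send_fallback):
    """Alert via the primary channel; fall back if it does not acknowledge."""
    if not findings:
        return "none"
    msg = "; ".join(f"{f.sensor}:{f.kind}({f.detail})" for f in findings)
    if send_primary(msg):
        return "primary"
    send_fallback(msg)      # e.g. SMS gateway on an independent path
    return "fallback"


if __name__ == "__main__":
    # Constructed scenario: the silo limit was raised to 12 C and the
    # cold-store-A limit deleted, so the primary system stays quiet.
    live = {"raw-milk-silo-1": 12.0}
    readings = {"raw-milk-silo-1": [5.5, 7.2, 8.1], "cold-store-A": [3.8]}
    found = check(live, readings)
    for f in found:
        print(f)
    print(escalate(found, lambda m: False, lambda m: print("SMS:", m)))
```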

First steps

  1. Clarify headcount and revenue. Over 50 employees or EUR 10 million means: Important Entity.
  2. Inventory all IT systems related to the cold chain: cold storage management, tanker dispatch, pasteurization controls, laboratory software.
  3. Identify all remote maintenance access points (equipment manufacturers, software providers).
  4. Review network segmentation: are cold monitoring systems separated from the office IT network?
  5. Create a contingency plan for IT failure during 24/7 production.
  6. Review supplier contracts for security requirements under § 30 Para. 2 No. 4 BSIG-new.
  7. Register with the BSI once the portal is available.

Common pitfalls

Cold monitoring not captured as an IT system: Temperature sensors and their management software are IT in the NIS2 sense and must be included in the security architecture.

Raw milk dispatch software is underestimated: A failure of tanker route planning software can cause a raw milk intake crisis within hours.

Food safety logs not recognized as sensitive: Pasteurization records are legally required. Their manipulation or loss is a significant security incident.

BCP does not account for dairy process timing: A contingency plan designed for 48-hour response times does not help with a 4-hour cold chain problem involving fresh whole milk.

Authored by

Julian Köhn

Founder & CEO, Kopexa

Julian Köhn is Founder and CEO of Kopexa. He has been building security and compliance solutions for European mid-market companies for over 10 years. Focus areas: NIS2, ISO 27001, GDPR, TISAX. Kopexa was founded to make GRC transparent and self-service for SMEs.

Reviewed by

Kopexa GRC Team

Subject Matter Experts — NIS2, ISO 27001, KRITIS

The Kopexa GRC Team consists of security and compliance experts certified in ISO 27001, CISA, CRISC. The team develops framework mappings and validates content on NIS2, KRITIS, and industry-specific requirements.

Last updated: 2026-04-17
