When is a frozen food manufacturer subject to NIS2?

Frozen food manufacturers fall under NIS2 Annex II No. 5 once industrial production structure and medium-enterprise size per SME Recommendation 2003/361/EC Art. 2 are present. A company is industrial when it operates automated freezing lines, HACCP-linked IT systems, and regularly supplies food retail or large kitchens on a B2B basis. The size threshold is 50 employees or 10 million Euro annual turnover.

What role does the cold chain play for NIS2 obligations in frozen food?

Cold-chain control systems qualify as critical OT infrastructure under § 30 BSIG-neu. Failure of freezing controls or temperature monitoring systems can create an immediate food safety hazard and thus constitutes a reportable significant incident under § 32 BSIG-neu. Operators must maintain backup systems, redundancies, and incident response plans for cooling failures.

What is the difference between NIS2 and KRITIS for frozen food producers?

NIS2 Annex II No. 5 covers medium and large frozen food manufacturers. KRITIS under BSI-KritisV § 4 Annex 3 only applies from annual production of 434,500 tonnes in the food sector, which in practice affects only a few large groups. Below this threshold frozen food producers are subject to NIS2 only.

What fines do frozen food manufacturers face for NIS2 violations?

§ 65 BSIG-neu provides fines up to 10 million Euro or 2 percent of global annual revenue for Important Entities (medium operations). Essential Entities (large operations) are measured by the same ceilings. In addition, personal management liability under § 38 BSIG-neu applies.

When must frozen food manufacturers register with the BSI?

Under § 33 BSIG-neu, registration must be completed within three months of determining NIS2 applicability. Registration includes sector classification (food production), entity category (Important or Essential Entity), and a 24/7 reachable contact point.

What do NIS2 supply-chain obligations mean for the frozen food industry?

§ 30 Para. 2 No. 4 BSIG-neu requires frozen food manufacturers to impose cybersecurity requirements on suppliers. Critical are providers of freezing plant controls, ERP systems, logistics platforms, and packaging automation. Supply contracts should include security requirements and audit rights; critical suppliers should be assessed annually.

Are managing directors of frozen food companies personally liable under NIS2?

§ 38 BSIG-neu requires management to approve, supervise, and train on risk management measures. Culpable breach creates personal liability. An annual management resolution on NIS2 measures with audit-proof documentation is recommended.

Industry-specific Self-Check

Is my frozen-food operation affected by NIS2?

Frozen pizza, frozen meat, frozen vegetables, frozen deli - clear sector, clear thresholds. This calculator checks both.

Step 1 / 2

Production and distribution structure

NIS2 targets 'industrial production' — an EU term, not the craft registry. Check what applies to your operation.

Central frozen-food production supplies multiple customersOne production site supplies retail, foodservice, other customersAutomated blast freezers and packagingContinuous freezing tunnels, packaging lines, fully automated cold chainsSupply to external B2B customersFood retail, restaurants, institutional catering, exportAnnual production above 1,000 tonnes of frozen productsIndicator of industrial frozen-food production scale

Step 2 / 2

Company size

Frozen Food: The Complete NIS2 Guide

Frozen food manufacturers and distributors are in scope under NIS2 Annex II No. 5 (Food) when they exceed 50 employees or EUR 10 million in annual revenue. The entire value chain in the frozen food sector depends on IT: from production controls to cold chain monitoring. An IT failure can lead to millions in damages from spoiled goods within hours. This guide is written for operations managers and IT managers in the frozen food sector.

Who is affected?

Frozen food manufacturers (NACE C.10.8 Other Food Products) and cold chain logistics providers fall under NIS2 Annex II No. 5 when they exceed the SME thresholds: at least 50 employees or at least EUR 10 million in annual revenue (EU Recommendation 2003/361/EC Art. 2).

National or European frozen food providers that exceed the KRITIS threshold under BSI-KritisV for food supply are Essential Entities under Annex I.

A frozen food manufacturer with 100 employees, a fully automated blast freezing system, and its own refrigerated vehicle fleet exceeds the NIS2 thresholds and is an Important Entity.

Obligations under § 30 BSIG-new

§ 30 BSIG-new lists seven obligation areas that for frozen food operations are particularly shaped by dependency on cold chain monitoring:

Risk analysis and management: Production controls, blast freezing equipment, frozen storage management, and refrigerated vehicle telematics must be included in the risk analysis.
Incident handling: A temperature deviation event caused by IT failure is a potentially reportable incident requiring immediate response.
Business continuity: A BCP must cover the "worst case cold chain failure" scenario: what happens if cold monitoring fails at 2am?
Supply chain security: Raw material suppliers, packaging suppliers, and telematics providers for refrigerated vehicles must be reviewed for security standards.
Access control and MFA: Access to monitoring platforms and production systems must be protected by MFA. Remote alarms and management dashboards require special attention.
Encryption: Cold chain records (legally required under EU Food Hygiene Regulation), customer data, and production data must be encrypted.
Training and awareness: Shift supervisors, logistics dispatchers, and IT staff must receive regular cybersecurity training.

Deadlines and reporting obligations

BSI registration under § 33 BSIG-new within three months. For security incidents under § 32 BSIG-new: initial report within 24 hours, full report within 72 hours, final report within 30 days.

A cyberattack that disables the central cold chain monitoring for several hours and thereby endangers significant stored inventory is a reportable significant incident. Even a pure IT incident without proven product damage is reportable if supply security is impaired.

Fines and personal liability

Important Entity (Annex II): up to EUR 7 million or 1.4% of turnover. Essential Entity (Annex I): up to EUR 10 million or 2% of turnover.

§ 38 BSIG-new: personal liability for management. In the frozen food sector, this must be taken especially seriously because an IT-related cold chain failure can trigger not only NIS2 fines but also food law sanctions and substantial insurance claims simultaneously.

Cold chain monitoring as an NIS2-critical process: securing sensor infrastructure

Cold chain monitoring in frozen food operations is entirely IT-dependent: temperature sensors in storage cells, blast freeze tunnels, and refrigerated vehicles transmit data in real time to central management platforms. These platforms control alerts, maintenance tasks, and quality records.

The risk scenario: an attacker compromises the monitoring platform through a stolen login credential. He manipulates alarm thresholds or suppresses notifications. Cold storage cells rise to critical temperatures - without triggering any alarm. When this is noticed 6 hours later, an entire frozen storage facility is destroyed.

What § 30 BSIG-new specifically requires: redundant alarm paths (SMS + app + physical on-site alarm), no single-cloud dependency for critical alerts, strong authentication for monitoring platforms, and regular alarm tests. The sensor infrastructure itself must be included in the network security architecture.

First steps

Check headcount and revenue against the SME thresholds.
Inventory all systems connected to the cold chain: temperature sensors, monitoring platform, refrigerated vehicle telematics, warehouse management system.
Check: are there redundant alarm paths for temperature deviations? Are they tested?
Identify all external access points (monitoring platform providers, maintenance access).
Create a contingency plan for cold chain monitoring failure at 3am.
Review supplier contracts (sensor manufacturers, telematics providers) for security clauses.
Register with the BSI.

Common pitfalls

Monitoring platform without MFA: Many frozen food operations use cloud-based monitoring platforms with simple password login. This is not sufficient under NIS2.

No redundant alarm path: If temperature alarms are only delivered through the cloud platform and that platform fails, there are no alarms at all. This is a critical single point of failure.

Cold chain documentation not recognized as an IT security objective: EU Food Hygiene Regulation 852/2004 requires temperature records. Their loss through an IT attack is a food law compliance issue.

Vehicle telematics not included in risk analysis: Refrigerated vehicle telematics often connect via public mobile networks. Attacks over these connections are realistic and must be assessed.

Use the industry-specific NIS2 calculator for frozen food to determine your obligations.

Authored by

Julian Köhn

Founder & CEO, Kopexa

Julian Köhn is Founder and CEO of Kopexa. He has been building security and compliance solutions for European mid-market companies for over 10 years. Focus areas: NIS2, ISO 27001, GDPR, TISAX. Kopexa was founded to make GRC transparent and self-service for SMEs.

LinkedIn View profile

Reviewed by

Kopexa GRC Team

Subject Matter Experts — NIS2, ISO 27001, KRITIS

The Kopexa GRC Team consists of security and compliance experts certified in ISO 27001, CISA, CRISC. The team develops framework mappings and validates content on NIS2, KRITIS, and industry-specific requirements.

Last updated: 2026-04-17

Frequently asked questions

Industry-specific answers on NIS2 obligations, thresholds, and sanctions.

Is my frozen-food operation affected by NIS2?

Frozen Food: The Complete NIS2 Guide

Who is affected?

Obligations under § 30 BSIG-new

Deadlines and reporting obligations

Fines and personal liability

Cold chain monitoring as an NIS2-critical process: securing sensor infrastructure

First steps

Common pitfalls

Frequently asked questions

01When is a frozen food manufacturer subject to NIS2?

02What role does the cold chain play for NIS2 obligations in frozen food?

03What is the difference between NIS2 and KRITIS for frozen food producers?

04What fines do frozen food manufacturers face for NIS2 violations?

05When must frozen food manufacturers register with the BSI?

06What do NIS2 supply-chain obligations mean for the frozen food industry?

07Are managing directors of frozen food companies personally liable under NIS2?