How to Bring a Multi-Site Food Operation into NIS2 Compliance: ERP, SCADA, and Cold Chain Under Annex II

On 30 May 2021, JBS executives received the message that every food company CISO dreads: ransomware had encrypted critical systems across operations in the United States, Canada, and Australia. By dawn, all nine U.S. beef slaughterhouses had gone offline. Forty-seven Australian processing sites halted. The U.S. Department of Agriculture could not report wholesale meat prices. JBS paid USD 11 million in Bitcoin to the REvil criminal group to recover its systems. [2]

What made the attack so effective was not sophisticated operational technology intrusion. REvil encrypted JBS’s corporate IT and production scheduling systems — and production stopped because the ERP layer that coordinates line scheduling, order fulfilment, and supply chain logistics had been disabled. No SCADA terminal was touched directly. The mechanism — IT compromise cascading to production shutdown — is precisely what NIS2 Annex II, Section 7 is designed to address.

Since October 2024, medium and large food operators — industrial processors, wholesale distributors, and cold chain operators — are Important Entities under NIS2 and must implement Article 21 security measures across their networks. This guide explains what that means for the three attack surfaces specific to food operations: ERP systems, SCADA and industrial control systems, and cold chain temperature monitoring infrastructure. It also provides a practical framework for scoping compliance across multi-site operations.

For a foundation on the EU-wide directive, see What Is the NIS2 Directive?.

Who Does Annex II Section 7 Actually Cover?

The short answer: industrial food processors and wholesale food distributors with at least 50 employees or more than €10 million in annual turnover.

Annex II Section 7 covers “food production, processing and distribution,” defined by reference to Article 3(2) of Regulation (EC) No 178/2002 — the EU’s foundational food law. The operative scope, as confirmed by the Finnish Food Authority — acting as the national supervisory body for food-sector NIS2 compliance — is “wholesale distribution and industrial production and processing.” [3]

In scope: industrial meat, poultry, dairy, seafood, and bakery manufacturers; beverage producers (breweries, soft drink manufacturers); frozen food and ambient food processors; national and regional wholesale food distributors; cold storage hubs operating at industrial scale.

Explicitly outside scope: primary agricultural producers (farms, fishing vessels, orchards); feed producers; retail trade (supermarkets, food service, restaurants); storage and transport operators unless separately designated under the CER Directive; food contact material manufacturers.

The exclusion of primary production holds even where a farming cooperative undertakes limited on-site processing. The Finnish Food Authority confirms the threshold is industrial scale — a cooperative pressing its own apples in small volumes does not meet this standard unless it independently exceeds the size thresholds and operates at an industrial level.

| Classification | Employees | Annual Turnover | Balance Sheet Total |
|---|---|---|---|
| Medium entity (minimum threshold) | 50 or more | More than €10 million | More than €10 million |
| Large entity | 250 or more | More than €50 million | More than €43 million |

Medium entities meeting either the employee or financial threshold are Important Entities. Large entities may be designated Essential Entities by member states, which triggers proactive supervisory audits in addition to reactive investigation after incidents.

Scope decision tree:

  1. Does your business conduct industrial food processing or wholesale food distribution? → No: out of scope. Yes: continue.
  2. Does it employ 50 or more people, or turn over more than €10 million per year? → No: generally exempt. Yes: continue.
  3. You are an Important Entity under NIS2 Annex II. Register with your national competent authority and implement Article 21 measures.

Group-structure note: size thresholds are assessed accounting for linked and partner enterprises. A subsidiary that is individually small may still be in scope if its parent group exceeds the thresholds. Verify with legal counsel if your company is part of a larger group.

The Three Attack Surfaces of a Food Operation

Most food businesses think about cybersecurity in terms of IT: email, office systems, the corporate network. NIS2 Article 21 requires an all-hazards approach covering every network and information system used to deliver your operation. For a food company, that means three functionally distinct attack surfaces — each with a different threat profile, attack vector, and consequence profile — that must be risk-assessed separately.

Attack Surface 1: ERP Systems

The JBS attack on 30 May 2021 is the template for ERP risk in food manufacturing. REvil encrypted JBS’s corporate IT and production scheduling systems. No SCADA terminal was targeted directly. Production stopped because the ERP layer — coordinating line scheduling, order fulfilment, and supply chain logistics — had been disabled. Operations halted at 47 Australian processing sites and nine U.S. facilities, representing approximately 20% of U.S. beef-processing capacity. The U.S. Department of Agriculture was unable to publish wholesale meat prices on 1 June. JBS paid USD 11 million in Bitcoin. [2]

The IT-to-production cascade is the central ERP risk under NIS2. Article 21(2)(a) requires that your risk analysis explicitly classify ERP as a production-critical system and document the dependency chain between IT availability and production continuity. Treating ERP as a finance system outside the scope of operational risk assessment is no longer a defensible position.

Attack Surface 2: SCADA and Industrial Control Systems

Modern food processing is automated. Mixing ratios, cooking temperatures, packaging weights, and conveyor speeds are controlled by PLCs and monitored through SCADA historian software. Attackers are no longer limited to IT entry points. In August 2024, RansomHub took direct control of a Spanish meat processing plant’s SCADA system — not an IT server, but the operational technology controlling the production line. Earlier in 2024, Stormous ransomware halted all Belgian and U.S. operations at Duvel Moortgat Brewery simultaneously; when the company refused to pay, attackers publicly released a terabyte of operational data. [7]

The scale of the threat is accelerating. Manufacturing absorbed 1,466 ransomware attacks in 2025 — a 56% increase from 2024 — with supply chain attacks in the sector nearly doubling over the same period. Across Europe, 80% of manufacturers continue to operate critical OT systems with known, unpatched vulnerabilities. [4]

The structural problem: SCADA platforms in food processing are routinely 10–20 years old, designed for reliability and real-time control, not adversarial environments. Many run on end-of-life operating systems without encryption or robust authentication. An additional factor that makes food an attractive target: processors cannot tolerate production downtime. Perishable products, live schedules, and customer commitments mean a 48-hour shutdown is economically catastrophic — which increases the probability of ransom payment and makes food operations preferred targets for ransomware operators.

Attack Surface 3: Cold Chain Temperature Monitoring

Cold chain operators add a third distinct attack surface: temperature monitoring systems — IoT sensors, gateway devices, cloud dashboards, and alarm relays — that are increasingly internet-connected and inadequately secured. A compromise of cold chain monitoring does not always look like ransomware on a server. It can mean silently manipulating temperature sensor readings so that a storage excursion goes undetected until product quality is compromised — and, in a regulatory context, until a food safety audit finds records that do not match actual conditions.

The 2023 Swiss farm incident illustrates the safety dimension: a ransomware attack disabled a herd monitoring system, resulting in the deaths of cattle before the operator recognised the system had been compromised. [8] For cold chain food operators, the risk extends beyond data loss to product integrity, food safety liability, and regulatory exposure — a scope that standard IT incident response procedures rarely address.

Food operators face three distinct attack surfaces under NIS2 Article 21: corporate ERP systems (JBS 2021 template), SCADA production line controls, and cold chain IoT monitoring — each requiring a separate risk assessment boundary.

How Article 21 Applies Specifically to Food Operations

Article 21(2) lists ten categories of security measures (sub-clauses a through j) that Important Entities must implement using a proportionate, all-hazards approach. Most NIS2 guidance presents these as a generic checklist. Below is how each relevant clause maps to the operational reality of a food business — tied to specific systems rather than abstract obligations. For the full directive text, see our NIS2 directive overview.

Art. 21(2)(a) — Risk Analysis: Use a Three-Boundary Approach

A food-sector risk assessment that treats the corporate network, SCADA systems, and cold chain IoT as a single environment will miss the critical cross-boundary risk pathways. Conduct separate risk assessments for three system boundaries:

  • IT boundary: corporate network, ERP instances, email, finance and HR systems
  • OT boundary: PLCs, SCADA historians, HMIs per production site
  • Cold chain boundary: IoT sensors, gateway devices, logistics monitoring platforms

Each boundary requires its own threat scenarios, likelihood ratings, and business impact assessments. The JBS attack pattern — IT compromise leading to ERP encryption leading to production shutdown — is a cross-boundary risk that must be documented in your risk register, not assumed away. See our NIS2 risk assessment guide for a structured framework covering all three boundaries.

Art. 21(2)(b) — Incident Handling: Define Your Significant Incident Threshold Before an Incident Occurs

The 24-hour early warning obligation begins when you “become aware” of a significant incident. For food operators, the following qualify as significant incident triggers and should be documented in advance:

  • production halted at a major facility for more than eight hours due to a cyber cause;
  • ERP systems offline, preventing order processing or customer distribution;
  • cold chain integrity compromised across a monitored distribution zone;
  • SCADA systems inaccessible or behaving anomalously at any production site.

Pre-draft notification templates for your national competent authority — with contact details, required data fields, and early warning text pre-populated — before any incident occurs. That one document is the highest-value single preparation step for incident handling compliance.
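As an added illustration (not code from the article or any regulator), the trigger list above and the 24h/72h notification timeline from the responsibility matrix later in this guide, encoded so the thresholds and the regulatory clock are fixed before an incident rather than argued about during one. Site names, timestamps and the "ERP"/"SCADA"/"COLD_CHAIN" labels are constructed; the early-warning template carries only the fields the guide names, with placeholders for the rest.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Thresholds from the Art. 21(2)(b) section above and the 24h/72h timeline
# in the guide's responsibility matrix.
PRODUCTION_HALT_HOURS = 8
EARLY_WARNING = timedelta(hours=24)
INCIDENT_NOTIFICATION = timedelta(hours=72)

@dataclass
class CyberEvent:
    site: str
    system: str                 # "ERP", "SCADA" or "COLD_CHAIN" (labels are constructed)
    aware_at: datetime          # moment the operator "became aware" (tz-aware)
    cyber_cause: bool = False
    production_halt_hours: float = 0.0
    orders_blocked: bool = False              # ERP offline, no order processing
    cold_chain_zone_compromised: bool = False
    scada_inaccessible_or_anomalous: bool = False

def significant_triggers(ev):
    """Return the pre-defined triggers the event meets; empty list = not significant."""
    hits = []
    if ev.cyber_cause and ev.production_halt_hours > PRODUCTION_HALT_HOURS:
        hits.append("production halted >8h at a facility, cyber cause")
    if ev.system == "ERP" and ev.orders_blocked:
        hits.append("ERP offline, order processing/distribution blocked")
    if ev.cold_chain_zone_compromised:
        hits.append("cold chain integrity compromised across a monitored zone")
    if ev.system == "SCADA" and ev.scada_inaccessible_or_anomalous:
        hits.append("SCADA inaccessible or anomalous at a production site")
    return hits

def notification_deadlines(aware_at):
    """The regulatory clock starts at awareness; deadlines returned as ISO timestamps."""
    return {"early_warning_by": (aware_at + EARLY_WARNING).isoformat(),
            "incident_notification_by": (aware_at + INCIDENT_NOTIFICATION).isoformat()}

def assess(ev):
    hits = significant_triggers(ev)
    result = {"site": ev.site, "significant": bool(hits), "triggers": hits}
    if hits:
        result["deadlines"] = notification_deadlines(ev.aware_at)
    return result

def early_warning_draft(ev, authority="<national competent authority contact>"):
    """Pre-populated early-warning text; '<...>' fields are completed at incident time."""
    a = assess(ev)
    if not a["significant"]:
        return None
    return (f"To: {authority}\nSubject: NIS2 early warning - {ev.site}\n"
            f"Aware since: {ev.aware_at.isoformat()}\nAffected system: {ev.system}\n"
            f"Triggers met: {'; '.join(a['triggers'])}\n"
            f"Early warning due by: {a['deadlines']['early_warning_by']}\n"
            f"Current impact summary: <to be completed>\n")

# Constructed sample events (hypothetical sites and timestamps).
JBS_STYLE_EVENT = CyberEvent("Plant-North", "ERP",
                             datetime(2021, 5, 30, 22, 0, tzinfo=timezone.utc),
                             cyber_cause=True, production_halt_hours=10, orders_blocked=True)
PLANNED_OUTAGE = CyberEvent("Plant-South", "SCADA",
                            datetime(2021, 5, 30, 22, 0, tzinfo=timezone.utc),
                            cyber_cause=False, production_halt_hours=12)
```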

Art. 21(2)(c) — Business Continuity: Production Line RTOs Are Not IT RTOs

This is the clause food companies most consistently under-implement. IT business continuity means restoring servers from backup — achievable in 24–48 hours with good preparation. Restoring safe production after a SCADA compromise is a different process: physical inspection of PLC configurations, reloading firmware from verified (not compromised) backups, and running safety diagnostic tests before lines restart. That process can take 5–10 days even with experienced OT teams.

If your continuity plan defines a single recovery time objective of 48 hours for all systems, you have a documentation gap. Define per-site production line RTOs separately from IT RTOs, with specific recovery steps and a named person authorised to approve production restart after a cyber event. See our business continuity guide for a framework that explicitly covers operational technology recovery planning.

Art. 21(2)(d) — Supply Chain Security: Supplier Concentration Is a Risk That Must Be Documented

One-third of cyber incidents in the food sector begin with a non-primary supplier — a packaging provider, ingredient supplier, or logistics partner whose systems connect to yours. [5] Article 21(2)(d) requires assessment of cybersecurity risks in all significant supplier relationships, and Article 21(3) requires consideration of supplier vulnerabilities specifically.

Supplier concentration is a distinct and underappreciated dimension: if your cold chain logistics provider, sole-source ERP vendor, or a critical ingredient supplier has a poor security posture and you have no practical alternative, that concentration is a residual risk that must be formally documented and accepted at management level. Article 21 does not require zero supply chain risk — it requires that you have assessed the risk, implemented proportionate controls, and acknowledged the residual exposure in writing.

Art. 21(2)(i) and (j) — Access Control and Multi-Factor Authentication

Every connected device — ERP terminals, SCADA HMIs, cold chain gateways, tablets on the production floor — must be in a live asset inventory with an assigned owner and documented patch cycle. OT assets are routinely absent from IT asset registers in food facilities. Correcting this gap is typically the highest-effort, highest-value starting point for food operators beginning an NIS2 programme, and it is the foundation on which every other access control relies.

MFA is mandatory for ERP administrator accounts without exception. For SCADA HMI accounts, older interfaces often cannot support modern MFA mechanisms. Proportionality applies: if MFA cannot be deployed on a specific system, document why, specify compensating controls — dedicated OT network segment, physical access restriction, badge-authenticated operator sessions — and formally log the residual risk with management acknowledgement.

| Art. 21 Clause | Food System | Specific Control | Effort |
|---|---|---|---|
| (a) Risk analysis | ERP + OT + Cold chain | Three-boundary risk register with cross-boundary dependencies mapped | High |
| (b) Incident handling | All systems | Significant incident threshold table + pre-drafted notification templates | Medium |
| (c) Business continuity | Production lines | Per-site SCADA recovery procedures with production-specific RTOs | High |
| (d) Supply chain | ERP vendors, 3PLs, ingredient suppliers | Annual cyber posture assessments; supplier concentration risk documented | Medium |
| (e) Vulnerability handling | SCADA/PLCs | OT patch schedule with compensating controls for legacy end-of-life systems | High |
| (i) Access control | ERP + OT + IoT | Live asset inventory covering all OT and cold chain devices | Medium |
| (j) MFA | ERP administrators; SCADA HMIs | MFA mandatory (ERP); documented compensating controls (legacy HMIs) | Low–High |

Scoping Article 21 for a Multi-Site Food Producer

A single-site bakery with 60 employees and a 12-country meat processor face the same legislative framework. Multi-site food producers need a scoping approach that handles decentralised OT networks while maintaining a coherent Group-level compliance programme.

The architectural challenge: a typical large food producer has a central ERP system serving all sites, site-specific SCADA networks that do not communicate directly with each other, a corporate WAN linking all facilities, and cold chain logistics managed partly internally and partly through contracted 3PLs. Each SCADA network is a separate OT boundary — but if multiple sites connect to a shared SCADA historian server or central remote monitoring platform, that platform becomes a high-priority cross-site attack path requiring its own security architecture and controls.

Five-step scoping framework:

  1. Map system boundaries per site. For each facility: identify which ERP modules run locally vs. centrally hosted; which SCADA systems are present and how they connect to the corporate WAN; which cold chain assets connect to a central monitoring platform shared across sites.
  2. Rank sites by materiality. A significant incident at your largest plant — by production volume, revenue, or headcount — has a different regulatory impact profile than the same event at a small regional depot. Define Group-level escalation triggers per site before an incident occurs.
  3. Identify IT/OT segmentation gaps. At each site, document whether the OT network is logically separated from corporate IT. Flat networks — where engineering workstations share subnets with office computers — are the most common gap found in food sector OT security audits.
  4. Assess third-party cold chain providers. If a 3PL manages cold chain temperature monitoring under a service contract, assess their security posture under Article 21(2)(d). Request incident response procedures, access control policies, and their NIS2 or equivalent compliance documentation.
  5. Set per-site significant incident thresholds. A production halt at an 800-person flagship plant has different materiality than the same event at a 55-person distribution centre. Define site-specific triggers for escalation to Group-level incident management and regulatory notification.

| Function | CISO / IT | OT Engineering | Operations | Legal / Compliance |
|---|---|---|---|---|
| Three-boundary risk assessment | Lead | Input | Review | Sign-off |
| SCADA asset inventory | Coordinate | Lead | | |
| Cold chain provider audit | Lead | Input | Coordinate | Review |
| Supplier assessment (Art. 21(d)) | Lead | Input | Coordinate | Review |
| Incident notification (24h/72h) | Coordinate | Input | Lead | |
| Production BC/DR plan | Coordinate | Lead | Review | |
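As an added example (not from the article or any vendor tool) of steps 1 and 3 of the scoping framework above, together with the live asset inventory required under Art. 21(2)(i): a script that takes a multi-site inventory and reports, per site, subnets where IT devices share space with OT or cold chain devices, platforms reachable from more than one site, and devices with no assigned owner. The sites, hostnames, addresses, owners and platform names are constructed, and the /24 subnet size is an assumption; the flat-network check is extended to the cold chain boundary, not only OT.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Asset:
    site: str
    name: str
    boundary: str       # "IT", "OT" or "COLD_CHAIN"
    ip: str
    owner: str = ""     # assigned owner; empty = inventory gap under Art. 21(2)(i)
    platform: str = ""  # shared service the device reports to (ERP, historian, cloud dashboard)

# Constructed sample inventory: hypothetical sites, hostnames, addresses, owners, platforms.
INVENTORY = [
    Asset("Plant-A", "erp-client-01", "IT", "10.10.1.20", "IT Ops", "ERP-central"),
    Asset("Plant-A", "eng-ws-01", "OT", "10.10.1.40", "", "Historian-central"),  # OT on office subnet, no owner
    Asset("Plant-A", "plc-mixer-1", "OT", "10.10.50.5", "OT Eng", "Historian-central"),
    Asset("Plant-B", "office-pc-07", "IT", "10.20.1.33", "IT Ops", "ERP-central"),
    Asset("Plant-B", "hmi-line-2", "OT", "10.20.50.9", "OT Eng", "Historian-central"),
    Asset("Plant-B", "cold-gw-01", "COLD_CHAIN", "10.20.60.2", "3PL Frost", "ColdWatch-cloud"),
    Asset("Depot-C", "cold-gw-02", "COLD_CHAIN", "10.30.60.2", "3PL Frost", "ColdWatch-cloud"),
]

def subnet_of(ip, prefix=24):
    """Network the address sits in; the /prefix VLAN size is an assumption."""
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)

def flat_network_gaps(inventory, prefix=24):
    """Step 3: per site, subnets where IT devices sit alongside OT or cold chain devices."""
    boundaries = defaultdict(lambda: defaultdict(set))
    for a in inventory:
        boundaries[a.site][subnet_of(a.ip, prefix)].add(a.boundary)
    gaps = {}
    for site, nets in boundaries.items():
        flat = sorted(str(n) for n, b in nets.items() if "IT" in b and b != {"IT"})
        if flat:
            gaps[site] = flat
    return gaps

def cross_site_platforms(inventory):
    """Step 1: a platform reached from more than one site is a cross-site attack path."""
    sites = defaultdict(set)
    for a in inventory:
        if a.platform:
            sites[a.platform].add(a.site)
    return {p: sorted(s) for p, s in sites.items() if len(s) > 1}

def unowned_assets(inventory):
    """Art. 21(2)(i): every device in the live inventory needs an assigned owner."""
    return sorted(a.name for a in inventory if not a.owner)

def scoping_report(inventory):
    """Combine the three checks into one finding set for the Group-level programme."""
    return {"flat_networks": flat_network_gaps(inventory),
            "cross_site_platforms": cross_site_platforms(inventory),
            "unowned_assets": unowned_assets(inventory)}

if __name__ == "__main__":
    for key, value in scoping_report(INVENTORY).items():
        print(f"{key}: {value}")
```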

90-Day Action Plan for Food Operators

Days 1–30: Establish baseline

  • Apply the scope decision tree above. Register with your national competent authority if in scope (Low effort).
  • Conduct a three-boundary system inventory across all sites: all ERP modules, SCADA platforms, PLCs, HMIs, and cold chain IoT assets. Allow 3–4 weeks for multi-site operations (High effort).
  • Send cybersecurity questionnaires to your top 10 supply chain partners covering incident response, access control, and patch management (Medium effort).

Days 31–60: Close critical gaps

  • Apply IT/OT network segmentation where engineering workstations share subnets with office IT. Prioritise plants where OT access traverses the corporate network (High effort).
  • Enable MFA on all ERP administrator and privileged user accounts (Low effort).
  • Draft a significant incident classification table and pre-populate notification templates with your national competent authority’s contact details and required information fields (Medium effort).
  • Document compensating controls for SCADA HMIs that cannot support MFA, including rationale and formal residual risk acknowledgement (Medium effort).

Days 61–90: Test and document

  • Run a tabletop exercise simulating an ERP-down scenario modelled on JBS: test production halt decision-making, escalation paths, and the 24-hour notification timeline with realistic timing pressure (Medium effort).
  • Complete the three-boundary risk register with formal management sign-off (Medium effort).
  • Define per-site production line RTOs separately from IT RTOs, including specific OT recovery steps and the authorisation procedure for production restart after a cyber event (High effort).
  • Conduct NIS2 awareness training for OT operators covering anomalous SCADA and HMI behaviour recognition and the escalation contacts for each site (Low effort).

Frequently Asked Questions

Are farms or agricultural cooperatives in scope?
No. Annex II Section 7 covers industrial production and processing, not primary production. The Finnish Food Authority — acting as the official NIS2 supervisory body for food-sector compliance — confirms primary agricultural production falls outside the directive’s scope, even where a cooperative undertakes limited on-site processing.

We process food but also operate retail stores. Which operations are covered?
Retail operations are explicitly excluded from Annex II Section 7. The processing and wholesale distribution activities are in scope. Where both activities share IT infrastructure — a common ERP instance, for example — that shared infrastructure is in scope and must be assessed as part of the processing operation’s compliance programme.

Our ERP is hosted by a US cloud provider. Do they need to comply with NIS2?
Not necessarily — ERP vendors to food operators are not themselves classified as Annex II entities in most cases. You are required under Article 21(2)(d) to assess that provider’s cybersecurity posture. Request SOC 2 reports, penetration test summaries, and breach notification procedures. The compliance obligation rests with you, the food operator.

We employ 45 people and turn over €8 million. Are we exempt?
Generally yes — both thresholds for a medium-sized enterprise exceed your current scale. The exception: member states can designate smaller entities as critical operators if they are essential to food security or public health in the national context. Verify with your national supervisory authority if uncertain.

What penalties apply to food operators that fail to comply?
Important Entities face administrative fines of up to €7 million or 1.4% of global annual turnover, whichever is higher. Unlike Essential Entities, Important Entities are subject to reactive supervision — national authorities investigate following an incident or complaint rather than through proactive scheduled audits.

Sources

[1] Article 21 — Cybersecurity Risk-Management Measures (NIS2 Directive)
[2] JBS S.A. Ransomware Attack — Wikipedia
[3] Finnish Food Authority — NIS2 in the Food Industry
[4] Industrial Cyber — Manufacturing Ransomware Surge 2025
[5] NIS 2 Food Sector Controls — ISMS.online
[6] Cybersecurity in the Food Industry: NIS2 and Critical Infrastructure — Endian
[7] Revisiting Threats to Food and Beverage Cybersecurity — TXOne Networks
[8] Recent Cyber Attacks on Food and Agriculture Sector — Wisdiam

This article provides general information only and does not constitute legal or regulatory advice. Requirements may vary by jurisdiction and organisation type. Consult a qualified legal professional or compliance specialist for advice specific to your situation.
