How NIS2 Article 21(2)(d) Applies to Food Supply Chains: Cold Chain Firmware, ERP Integrations, and Tier-1 Supplier Risk

Food manufacturers have spent years digitising their supply chains to satisfy Article 21(2)(d) of Directive (EU) 2022/2555 and the traceability obligations embedded in food law. The ERP connections that track lot numbers, the telematics systems that log cold-chain temperature, the ingredient portals where tier-1 suppliers upload certificates of analysis — all of it was built for food safety. Under NIS2, those same systems now define your cybersecurity supply chain obligation.

The Food and Agriculture Sector Information Sharing and Analysis Center has identified 72 active threat actors targeting food supply chains, 58 of whom specifically employ supply chain compromise techniques. The question is not whether your industry is a target — it is which of your digital supplier relationships fall inside NIS2 Article 21(2)(d), and what documentation will satisfy a competent authority audit.

This guide starts with who in the food sector must comply, maps the precise technology categories that Art.21(2)(d) captures, and provides a tiered supplier classification framework with the evidence trail required for audit readiness.

Which Food Sector Businesses Fall Under NIS2?

The food sector sits in Annex II of NIS2 Directive (EU) 2022/2555, classifying qualifying organisations as important entities under Article 3(2). The Annex II food sector entry covers industrial food production, processing, and wholesale distribution — not the full farm-to-fork chain.

The Finnish Food Authority’s NIS2 guidance — reflecting national transposition — gives the clearest statement of what is included and what is not. Included activities: industrial food production and processing, and wholesale distribution of food. Explicitly excluded: primary production (farming, fishing, livestock), feed production, retail trade in food, food storage as a standalone service, food transport as a standalone service, food contact material operations, and food service operations such as restaurants and catering.

Size threshold for important entity status: 50 or more employees or annual turnover exceeding €10 million (the medium-enterprise ceiling referenced in Article 3(2) of NIS2). The two criteria are alternatives: meeting either one qualifies the organisation.

One exception applies: if your national competent authority or the Critical Entities Resilience (CER) Directive ((EU) 2022/2557) designates your organisation as critical infrastructure, you qualify as an essential entity regardless of headcount or turnover. Essential entity status triggers the stricter supervision regime and the higher penalty tier under Article 34(4).

| Organisation Type | NIS2 Status | Basis |
| --- | --- | --- |
| Packaged food manufacturer, 200 employees, €80M turnover | Important entity | Annex II food production; size threshold met on both counts |
| Dairy processor, 55 employees, €15M turnover | Important entity | Processing covered; meets employee and turnover thresholds |
| Food ingredient wholesaler, 60 employees, €22M turnover | Important entity | Wholesale distribution in scope; thresholds met |
| Arable farm, 30 employees, €8M turnover | Out of scope | Primary production excluded from Annex II |
| Grocery retail chain, 3,000 employees | Out of scope | Retail trade excluded unless CER-designated |
| Cold storage operator, standalone logistics, 45 employees | Likely out of scope | Standalone storage/transport excluded; confirm with national NCA |

For a definitive scope determination, check with your national competent authority. The NIS2 scope guide covers the entity classification framework in detail, including the CER Directive intersection and member-state discretion to designate additional entities.

What Article 21(2)(d) Actually Requires

Article 21(2)(d) requires entities to implement measures covering “supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers.” Three dimensions of assessment follow directly from the directive’s text:

  • Vulnerabilities specific to each direct supplier — a generic vendor risk rating is not sufficient. You must assess what could go wrong with this particular supplier’s systems and how that failure could reach your network or operations.
  • Overall quality of cybersecurity products and practices — does the supplier maintain documented security policies, patch management, and incident response capabilities? Are their products built with security embedded in the development lifecycle?
  • Secure development procedures — particularly important for software and platform suppliers: how is code reviewed, tested, and signed before release?

The operative phrase is “direct supplier.” Article 21(2)(d) does not impose compliance obligations on your grain farmer or salt producer as such — it targets suppliers of ICT products and services: organisations with network or system access to your operations, or whose software, firmware, or platforms are embedded in your operational infrastructure. A grain supplier without any direct ICT system connection to your organisation is unlikely to fall within the provision’s scope. The recitals to the directive encourage extending due diligence further down the chain (your supplier’s suppliers), but the binding assessment obligation starts with direct contractual relationships.

“Appropriate and proportionate” is the governing standard. A €15M dairy processor and a €2B beverage manufacturer face the same legal requirement — but proportionality means assessment depth scales with your exposure, your supplier’s criticality to essential functions, and your practical ability to demand audit rights and contractual commitments.

The NIS2 supply chain security guide covers the full Article 21(2)(d) assessment methodology, including contractual flowdown obligations and supplier register structure.

How Codex Traceability Obligations Create NIS2 Supplier Dependencies

The connection between food safety law and NIS2 supply chain obligation is structural rather than incidental.

FAO/WHO Codex Alimentarius standard CXG 60-2006 defines the “one step back, one step forward” traceability principle: at any stage in the food chain, an operator must be able to identify where a product came from and where it went. Regulation (EC) No 178/2002, Article 18 — the EU general food law — translates this principle into binding EU law. Every food manufacturer subject to that regulation maintains digital batch records to prove traceability: lot numbers, ingredient sources, processing steps, distribution destinations.

Those records do not exist in isolation. They live in:

  • ERP systems (SAP, Oracle, Microsoft Dynamics) that connect to ingredient suppliers’ purchasing portals and inventory systems via API
  • Ingredient traceability platforms (TraceGains, Aptean, Intelex) that receive certificates of analysis, supplier declarations, and quality documentation from tier-1 suppliers
  • Warehouse management systems with inbound receiving records tied to supplier lot numbers
  • Electronic data interchange (EDI) connections that automate purchase orders and advance shipping notices between your system and your supplier’s system

Every one of these connections is an ICT service relationship under Article 21(2)(d). The ingredient portal your tier-1 supplier logs into to upload a certificate of analysis has network-level access to your systems. The ERP API that pulls procurement data from a supplier-operated catalogue is a direct supplier service relationship the directive captures by design.

This is the traceability paradox: the digital systems built to prove food safety compliance are the same systems that expand your NIS2 supply chain assessment scope. Adding more traceability technology — blockchain for lot-level provenance, IoT sensors for real-time condition monitoring — widens the surface area that Art.21(2)(d) requires you to assess.

The threat against those systems is documented and escalating. In March 2025, nation-state actors UNC5221 and UNC5174 exploited CVE-2025-31324, a zero-day in SAP systems, compromising hundreds of large organisations worldwide. The data specifically targeted in those attacks included procurement information and supply chain vendor records — precisely the records food manufacturers generate to satisfy traceability obligations. Active exploitation of SAP vulnerabilities increased 210% between 2024 and 2025, and exploit tools sell for five times their 2020 price on criminal markets.

The practical question for a food compliance officer: which of your tier-1 ingredient suppliers have a direct API or portal connection to your ERP or traceability platform? Each of those relationships is an Art.21(2)(d) supplier requiring documented security assessment.

Cold Chain Technology and Firmware as a Supply Chain Attack Vector

Connected refrigeration systems — including Carrier Transicold and Thermo King units widely deployed across European food logistics — are not simply temperature-controlled boxes. Modern refrigerated trailers and containers run embedded firmware and connect to cloud-based telematics platforms that transmit real-time temperature, location, and fault data, and accept over-the-air (OTA) firmware updates from the manufacturer.

That architecture creates two distinct Article 21(2)(d) supplier relationships:

The telematics platform as an ICT service provider. Your cold chain management function depends on a cloud platform operated by the refrigeration unit vendor or a third-party fleet management provider. That platform transmits operational data that informs release decisions for temperature-sensitive goods, and typically integrates with your warehouse management system or ERP. It is a direct supplier of an ICT service under the directive’s plain reading.

The firmware update supply chain. OTA firmware updates flow from the manufacturer’s development infrastructure through a cloud distribution platform to the refrigeration unit’s control module. If the signing infrastructure or distribution platform is compromised, malicious firmware can be delivered to units across your fleet — potentially modifying refrigeration behaviour to corrupt product, forge temperature logs, or create a network access point into your connected logistics infrastructure.

The threat pattern is grounded in documented behaviour. Food and Ag-ISAC analysis found that 58 of the 72 active threat actors targeting food supply chains specifically employ supply chain compromise techniques, and the documented attack pattern is entry through connected OT assets before pivoting into corporate IT systems. Major food processors including JBS have experienced exactly this pattern: ransomware delivered through systems that were assumed to be operationally isolated but remained reachable via remote maintenance or supply chain channels.

Under Article 21(2)(d), assessing your cold chain telematics provider means establishing:

  • Whether the vendor holds ISO 27001 or an equivalent certification with scope covering the telematics platform
  • How OTA firmware updates are signed and what integrity verification the device performs before installing an update
  • The API authentication model governing the data connection between the telematics platform and your logistics systems (OAuth 2.0 or equivalent; token rotation; scope restrictions)
  • The vendor’s patch cycle for the cloud fleet management platform and the embedded firmware separately — these are distinct release cadences

Proportionality applies. A fleet of 12 refrigerated trucks at a regional processor warrants a security questionnaire and written attestation of OTA signing practice. A 400-unit fleet with integrated WMS and ERP connections warrants an independent security review of the telematics vendor’s infrastructure, delivered as a third-party audit report or SOC 2 Type II report.
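The second bullet in the list above, how OTA updates are signed and what integrity verification the unit performs before installing, is the one point where a questionnaire answer can be checked against actual device behaviour. The following is an added example written for this article, not code from the page's author or from Carrier Transicold, Thermo King or any telematics vendor. It assumes a constructed manifest format, an Ed25519 vendor key generated in memory (a real vendor would keep it in an HSM or signing service), and a hypothetical control module that refuses an update whose manifest signature does not verify against the pinned vendor key, whose image digest does not match the signed manifest, or whose version is not newer than the installed one.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest describes one release; the vendor signs its JSON bytes. Constructed schema.
type Manifest struct {
	Version  uint32 `json:"version"`      // monotonic release counter (anti-rollback)
	ImageSHA string `json:"image_sha256"` // hex SHA-256 of the firmware image
}

type SignedUpdate struct {
	Manifest  []byte // JSON bytes of Manifest, exactly as signed
	Signature []byte // Ed25519 signature over Manifest
	Image     []byte // firmware image delivered by the OTA platform
}

type Device struct {
	VendorKey        ed25519.PublicKey // pinned at manufacture; hypothetical control module
	InstalledVersion uint32
}

var (
	ErrBadSignature = errors.New("manifest signature does not verify against pinned vendor key")
	ErrHashMismatch = errors.New("image digest does not match signed manifest")
	ErrRollback     = errors.New("update version is not newer than installed version")
)

// Verify runs the checks a unit should perform before writing flash: signature,
// image digest, version monotonicity. Nothing is installed on failure.
func (d *Device) Verify(u SignedUpdate) (Manifest, error) {
	var m Manifest
	if !ed25519.Verify(d.VendorKey, u.Manifest, u.Signature) {
		return m, ErrBadSignature
	}
	if err := json.Unmarshal(u.Manifest, &m); err != nil {
		return m, err
	}
	if sum := sha256.Sum256(u.Image); hex.EncodeToString(sum[:]) != m.ImageSHA {
		return m, ErrHashMismatch
	}
	if m.Version <= d.InstalledVersion {
		return m, ErrRollback
	}
	return m, nil
}

// Install applies an update only after Verify succeeds.
func (d *Device) Install(u SignedUpdate) error {
	m, err := d.Verify(u)
	if err != nil {
		return err
	}
	d.InstalledVersion = m.Version
	return nil
}

// SignRelease is the vendor side; in production the private key lives in an HSM
// or signing service, here it is an in-memory key generated for the example.
func SignRelease(priv ed25519.PrivateKey, version uint32, image []byte) (SignedUpdate, error) {
	sum := sha256.Sum256(image)
	mb, err := json.Marshal(Manifest{Version: version, ImageSHA: hex.EncodeToString(sum[:])})
	if err != nil {
		return SignedUpdate{}, err
	}
	return SignedUpdate{Manifest: mb, Signature: ed25519.Sign(priv, mb), Image: image}, nil
}

// Scenario runs one genuine update and three that must be refused, returning each outcome.
func Scenario() map[string]error {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	dev := &Device{VendorKey: pub, InstalledVersion: 3}
	img := []byte("constructed firmware image, release 4")
	res := map[string]error{}
	good, _ := SignRelease(priv, 4, img)
	res["genuine v4"] = dev.Install(good) // nil; device now at version 4
	tampered := good                      // same signed manifest, different image bytes
	tampered.Image = []byte("constructed firmware image, release 4, altered in transit")
	res["altered image"] = dev.Install(tampered) // ErrHashMismatch
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	forged, _ := SignRelease(otherPriv, 5, img)
	res["unknown signing key"] = dev.Install(forged) // ErrBadSignature
	old, _ := SignRelease(priv, 2, img)
	res["rollback to v2"] = dev.Install(old) // ErrRollback
	return res
}

func main() {
	for name, err := range Scenario() {
		fmt.Printf("%-20s -> %v\n", name, err)
	}
}
```

The questions this turns into for a supplier review: which of these checks the unit performs on-device rather than in the cloud platform, where the pinned public key is stored and how it can be rotated if the signing key is compromised, and whether the version counter is genuinely monotonic. A platform that signs manifests but lets units accept an older signed release leaves the rollback path open even though "updates are signed" is a true answer on the questionnaire.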

Classifying Your Tier-1, Tier-2, and Tier-3 Suppliers

Not all supplier relationships carry equal NIS2 weight. The directive’s proportionality principle requires assessment depth to match the criticality of each relationship. The framework below applies the four assessment criteria from DLA Piper’s NIS2 supply chain analysis — dependence level, criticality to essential function, availability of alternatives, and lifecycle resilience — to the food sector supplier landscape.

| Tier | Food Sector Examples | Assessment Frequency | Minimum Documentation |
| --- | --- | --- | --- |
| Tier 1 — Critical | ERP and ingredient management system vendors; cold chain telematics platform providers; identity and access management (IAM) providers; cloud infrastructure (IaaS); ingredient traceability platforms with direct API connections; EDI network operators with system integration | Annual | Full security assessment or third-party audit report; contractual clauses covering encryption, breach notification, audit rights, and subcontracting conditions; SBOM for software products; open findings register with remediation deadlines |
| Tier 2 — Important | Logistics management platforms; packaging supplier portals; warehouse management systems without ERP integration; standalone QMS platforms; ingredient price benchmarking services with data access | Biennial, or on significant change to integration scope | Security questionnaire completed and signed; contractual breach notification clause; review triggered by supplier security incident or major platform change |
| Tier 3 — Monitored | Office productivity tools; email hosting; non-integrated market data services; standalone analytics vendors without system access | On contract renewal or significant supplier incident | Vendor security posture check; confirmation of no unexpected data access scope |

The tiering decision hinges on two questions: (a) does the supplier have direct access to your network, systems, or operational data, and (b) would a failure at that supplier directly disrupt your ability to produce, process, or distribute food, or to report a NIS2 incident within the required timeline? If both answers are yes, the supplier belongs in Tier 1.

Role responsibilities matter as much as the classification itself. When a NIS2 supervisory action begins, an NCA will ask not just “was this supplier assessed?” but “who was responsible, and what did they do with the findings?”

| Role | NIS2 Supply Chain Responsibility |
| --- | --- |
| CISO / IT Security Manager | Own the supplier tier classification; conduct or commission Tier-1 assessments; maintain the supplier security register; present annual risk summary to the board |
| Procurement | Execute contractual security clauses before onboarding; trigger assessment reviews before renewing Tier-1 supplier contracts |
| Legal / Compliance | Review contractual cascade obligations; ensure subcontracting conditions flow downstream; advise on NCA reporting obligations when a supplier incident occurs |
| IT / OT Teams | Maintain device and API inventory; document firmware versions and patch status for all connected equipment; manage API authentication and access scope |
| Board / C-Suite | Receive annual supplier risk summary; approve residual risk acceptance for Tier-1 suppliers with known open findings |

The Audit Evidence Trail a Competent Authority Will Expect

When a national competent authority conducts a NIS2 supervisory action against a food sector entity, the first document requested is typically the supplier security register. The evidence standard is not a statement that suppliers were assessed — it is a timestamped, auditable record of who was assessed, when, by whom, what the findings were, and what remediation was completed or explicitly accepted as residual risk.

The minimum audit evidence trail for Article 21(2)(d) compliance covers five areas:

1. Supplier register. A digital register listing every Tier-1 and Tier-2 supplier with: supplier name, service or product provided, tier classification, date of last security assessment, named internal risk owner, current risk status, and outstanding findings with remediation deadlines.

2. Contractual security clauses. For every Tier-1 supplier, the active service agreement must contain clauses addressing encryption standards for data in transit and at rest, incident notification timelines (within 24 hours of a significant breach), your right to audit the supplier, subcontracting conditions that extend equivalent security requirements downstream, and SBOM delivery obligations for software and firmware products.

3. Assessment records. For Tier-1 suppliers, completed security questionnaires, penetration test or security review reports, ISO 27001 certificates with scope confirmation, and documentation of how assessment findings were tracked to closure or accepted as residual risk.

4. Device and API inventory. Every connected device in your production or logistics environment — cold chain telematics units, IoT temperature sensors, ingredient portal interfaces — must be registered with: device make and model, firmware version, last patch date, data flows to external platforms, and the named internal system owner.

5. Evidence format. Spreadsheets on a shared drive are not an audit trail. The requirement is timestamped, exportable records that demonstrate continuous oversight rather than a snapshot assembled before the supervisory visit.
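The two tiering questions from the classification section and the register and evidence-format items above (a timestamped, exportable record per supplier with tier, last assessment date, named risk owner and open findings) fit together naturally in code. The following is an added example written for this article, not tooling from the page's author or from any vendor it names. It assumes constructed supplier names and dates, takes assessment cadence from the tiering table (annual for Tier 1, biennial for Tier 2, event-driven for Tier 3), and adds one assumption of its own: the article says "both yes" gives Tier 1, and this example treats one "yes" as Tier 2 and none as Tier 3, which matches the examples in the tiering table but is not stated there.

```go
package main

import (
	"encoding/json"
	"fmt"
	"time"
)

type Finding struct {
	ID       string
	Deadline time.Time
	Accepted bool // board-approved residual risk; not flagged as overdue
}

// Supplier is one register row. SystemAccess and DisruptsOps are tiering questions (a) and (b).
type Supplier struct {
	Name, Service, RiskOwner  string
	SystemAccess, DisruptsOps bool
	LastAssessed              time.Time
	OpenFindings              []Finding
}

// Classify: both answers yes -> Tier 1 (the article's rule). One yes -> Tier 2 and
// none -> Tier 3 is this example's assumption, matching the tiering table's examples.
func Classify(s Supplier) string {
	if s.SystemAccess && s.DisruptsOps {
		return "Tier 1"
	}
	if s.SystemAccess || s.DisruptsOps {
		return "Tier 2"
	}
	return "Tier 3"
}

// NextAssessmentDue applies the table's cadence: annual (Tier 1), biennial (Tier 2).
// Tier 3 is reviewed on contract renewal or incident, so it has no fixed date.
func NextAssessmentDue(s Supplier) (time.Time, bool) {
	years := map[string]int{"Tier 1": 1, "Tier 2": 2}[Classify(s)]
	if years == 0 {
		return time.Time{}, false
	}
	return s.LastAssessed.AddDate(years, 0, 0), true
}

// RegisterEntry is one timestamped, exportable review record.
type RegisterEntry struct {
	RecordedAt        time.Time `json:"recorded_at"`
	Supplier          string    `json:"supplier"`
	Tier              string    `json:"tier"`
	RiskOwner         string    `json:"risk_owner"`
	LastAssessed      string    `json:"last_assessed"`
	NextDue           string    `json:"next_assessment_due,omitempty"`
	AssessmentOverdue bool      `json:"assessment_overdue"`
	OverdueFindings   []string  `json:"findings_past_deadline"`
}

// Review evaluates suppliers as of now: overdue assessments and unaccepted findings past deadline.
func Review(suppliers []Supplier, now time.Time) []RegisterEntry {
	var out []RegisterEntry
	for _, s := range suppliers {
		e := RegisterEntry{RecordedAt: now, Supplier: s.Name, Tier: Classify(s), RiskOwner: s.RiskOwner,
			LastAssessed: s.LastAssessed.Format("2006-01-02"), OverdueFindings: []string{}}
		if due, ok := NextAssessmentDue(s); ok {
			e.NextDue = due.Format("2006-01-02")
			e.AssessmentOverdue = now.After(due)
		}
		for _, f := range s.OpenFindings {
			if !f.Accepted && now.After(f.Deadline) {
				e.OverdueFindings = append(e.OverdueFindings, f.ID)
			}
		}
		out = append(out, e)
	}
	return out
}

func date(s string) time.Time {
	t, _ := time.Parse("2006-01-02", s)
	return t
}

// SampleRegister is constructed data; every supplier name is hypothetical.
func SampleRegister() []Supplier {
	return []Supplier{
		{Name: "ExampleERP", Service: "ERP hosting and procurement API", RiskOwner: "CISO",
			SystemAccess: true, DisruptsOps: true, LastAssessed: date("2024-03-01"),
			OpenFindings: []Finding{{"F-001", date("2024-12-31"), false}, {"F-002", date("2024-06-30"), true}}},
		{Name: "ColdTrack", Service: "Reefer telematics", RiskOwner: "IT/OT lead", SystemAccess: true, DisruptsOps: true, LastAssessed: date("2025-02-10")},
		{Name: "PackPortal", Service: "Packaging portal", RiskOwner: "Procurement", SystemAccess: true, DisruptsOps: false, LastAssessed: date("2023-05-20")},
		{Name: "MarketFeed", Service: "Non-integrated price data", RiskOwner: "Procurement", LastAssessed: date("2022-01-15")},
	}
}

func main() {
	// One JSON object per line is the shape an append-only audit log takes.
	for _, e := range Review(SampleRegister(), date("2025-06-01")) {
		line, _ := json.Marshal(e)
		fmt.Println(string(line))
	}
}
```

Running this as of 1 June 2025 flags the ERP vendor's annual assessment (last done March 2024) and its unaccepted finding F-001 as overdue, while the accepted finding F-002 is not flagged, and the Tier 2 packaging portal's biennial review (May 2023) has also lapsed. Appending each review run as a dated record, rather than overwriting a spreadsheet row, is what gives an NCA the continuous-oversight history the evidence-format item asks for.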

The traceability paradox has a direct compliance implication: every IoT sensor or blockchain integration added to satisfy food safety regulations triggers an immediate update to your NIS2 supplier register and device inventory. Codex compliance and NIS2 compliance must be maintained in parallel. The NIS2 compliance checklist maps the full Article 21(2) evidence requirements across all ten security domains.

Enforcement Timeline and Penalty Exposure

NIS2 transposition was required across EU member states by October 17, 2024. Enforcement timelines vary by jurisdiction. Germany’s NIS2 Implementation Act was published in the Federal Law Gazette on 5 December 2025 and entered into force on 6 December 2025. Member states were required to establish their entity registration rosters by April 17, 2025, with biennial review thereafter.

For food sector organisations, the penalty framework in Article 34 of NIS2 applies:

| Entity Type | Maximum Fine | Article |
| --- | --- | --- |
| Important entity (standard food sector classification) | €7,000,000 or 1.4% of total worldwide annual turnover (preceding financial year), whichever is higher | Art.34(5) |
| Essential entity (CER-designated food operators) | €10,000,000 or 2% of total worldwide annual turnover (preceding financial year), whichever is higher | Art.34(4) |

Fines apply specifically when an entity infringes Article 21 (risk management measures, including supply chain security under Art.21(2)(d)) or Article 23 (incident reporting). For a food processor with €100M annual turnover, the 1.4% ceiling represents a potential fine of €1.4 million for inadequate supply chain security measures. For a €500M food manufacturer, the percentage-based ceiling reaches the €7M fixed cap.

Your national competent authority is the authoritative source for registration requirements, supervisory timelines, and jurisdiction-specific implementation details. Contact your member state’s NCA to confirm your registration status and applicable deadlines.

Frequently Asked Questions

My tier-1 ingredient supplier is a small family-owned processor with 18 employees and €4M turnover. Does NIS2 apply to them directly?

No. With fewer than 50 employees and turnover below €10M, that supplier does not meet the NIS2 medium-enterprise threshold and falls outside the directive’s direct scope. However, as your Tier-1 supplier with a portal or API connection to your ERP, they remain a supplier you must assess under your own Article 21(2)(d) obligation. Their small size is a material risk factor: smaller suppliers are less likely to have dedicated security resources, which increases the probability that their systems represent a vulnerability in your chain.

Our cold storage facility is entirely internal — no external customers. Does it fall under Annex II?

Internal cold storage as a standalone function is not a qualifying NIS2 activity. Annex II covers industrial production, processing, and wholesale distribution — not internal logistics as an isolated function. Whether your overall business qualifies depends on your primary revenue-generating activities. If your business encompasses production or wholesale distribution that exceeds the size threshold, those activities bring the entire organisation into scope. Confirm with your national competent authority if your organisational scope is ambiguous.

Our SAP ERP vendor is ISO 27001 certified. Does that satisfy our Article 21(2)(d) assessment requirement?

ISO 27001 certification is strong evidence of sound security practice and significantly reduces the assessment burden for that supplier. However, it does not eliminate your obligation. Article 21(2)(d) requires you to assess vulnerabilities “specific to each direct supplier” — the certification confirms a general security management system is in place, but you must still document: that the certificate scope covers the relevant service and data flows, any open corrective actions from the most recent audit cycle, and any residual risks specific to your integration configuration. Keep a copy of the current certificate with an expiry note in your supplier register.

We are a €35M food ingredient wholesaler with 90 employees. Are we essential or important?

With 90 employees and €35M turnover, you exceed the medium-enterprise threshold on both counts and qualify as an important entity under Annex II. You would become an essential entity only if your national competent authority or the CER Directive designated your distribution operations as critical infrastructure. Contact your national NCA to confirm your registration status.

Key Takeaways

  • Food manufacturers, processors, and wholesale distributors with 50 or more employees or €10M+ turnover are NIS2 important entities; primary production, retail trade, and standalone storage or transport operations are excluded from Annex II.
  • Article 21(2)(d) targets ICT supplier relationships — your ERP vendor, cold chain telematics provider, and ingredient traceability platform qualify; a grain or packaging material supplier without direct system access does not.
  • FAO/WHO Codex CXG 60-2006 traceability compliance creates the ERP integrations and API connections that become Article 21(2)(d) supplier relationships — the same digital systems serve two regulatory masters simultaneously.
  • Cold chain telematics providers — including those supplying OTA firmware to connected refrigeration units — are Tier-1 direct suppliers requiring annual assessment, contractual security clauses, and written attestation of OTA signing practice.
  • The audit foundation is a digital, timestamped supplier register with tier classifications, last assessment dates, named risk owners, and open findings — built before a supervisory visit, not during one.

This article provides general information only and does not constitute legal or regulatory advice. Requirements may vary by jurisdiction and organisation type. Consult a qualified legal professional or compliance specialist for advice specific to your situation.

Sources

  1. NIS2 Directive (EU) 2022/2555, Article 21 — nis-2-directive.com
  2. NIS2 Directive (EU) 2022/2555, Article 3 — nis-2-directive.com
  3. Finnish Food Authority (Ruokavirasto), “NIS2 Directive in the Food Sector” — ruokavirasto.fi
  4. TXOne Networks, “The Implications of the NIS 2 Directive for the Food Industry” — txone.com
  5. Food and Ag-ISAC / Industrial Cyber, “72 Active Threat Actors Targeting Food Supply Chains” — industrialcyber.co
  6. DLA Piper, “NIS2 Directive Explained Part 3: Supply Chain Security” — dlapiper.com
  7. ISMS.online, “NIS 2 in the Food Sector: Controls” — isms.online
  8. Onapsis, “Business-Critical Applications Under Attack: The Rise of SAP, Salesforce, and Oracle Breaches” — onapsis.com
  9. Cybertrust365, “Supply Chain Security: What the NIS2 Directive Requires” — cybertrust365.com
  10. NIS2 Directive (EU) 2022/2555, Article 34 — nis-2-directive.com
  11. FAO/WHO Codex Alimentarius, Principles for Traceability/Product Tracing as a Tool within a Food Inspection and Certification System (CXG 60-2006)