Which Courier Networks Fall Under NIS2 — And What Art. 21(2)(i) Demands of Their Parcel Tracking Systems
On 22 December 2025, a DDoS attack claimed by the pro-Russian group NoName057 knocked La Poste’s Colissimo parcel tracking platform and La Banque Postale’s digital banking services offline during peak Christmas shipping season. [4] The attack persisted into the following day, leaving customers unable to track parcels at one of the highest-volume moments in the French postal calendar.
Under NIS2, La Poste had a 24-hour window from the moment it became aware the disruption met the “significant” threshold to submit an early warning notification to its national competent authority. A tracking portal outage of that scale, at that time of year, almost certainly crossed that threshold.
For compliance officers at commercial parcel networks — DPD, GLS, Evri, or any of the hundreds of regional courier companies now within NIS2’s reach — the La Poste incident raises three questions this guide addresses directly:
- Is your courier network actually in scope under Annex II, or does the transport exclusion apply?
- Does NIS2 treat commercial couriers differently from designated Universal Service Providers (USPs) like La Poste?
- What does Article 21(2)(i) — human resources security, access control policies, and asset management — mean specifically for WMS, TMS, and parcel tracking platforms?
Which Postal and Courier Operators Are Covered Under Annex II, Section 3
Annex II, Section 3 of the NIS2 Directive covers postal service providers as defined in the EU Postal Services Directive (97/67/EC), including providers of courier services. [3] That cross-reference anchors the NIS2 definition to the sector’s existing regulatory framework: postal services are those involving the clearance, sorting, transport, and delivery of postal items. [2]
NIS2 scope for postal operators follows a single operational test: the entity must provide at least one step in the postal delivery chain — clearance, sorting, transport, distribution, or pick-up services. [3] This deliberately broad formulation captures operators who do not run the full chain end-to-end, such as dedicated sortation hubs or pick-up-point networks.
The transport-only exclusion
The most misunderstood boundary in Annex II, Section 3 concerns transport. NIS2 explicitly excludes transport services that are not undertaken in conjunction with one of the covered delivery chain steps. [3] A long-haul road haulier contracted to move sealed pallets between DHL hub facilities — performing only trunk transport, with no sorting, no clearance, and no last-mile distribution — is not a postal service provider under Annex II. That same operator may fall within Annex I as a road transport entity if it meets the relevant size thresholds, but the postal compliance obligation does not apply.
| Operator type | Primary activity | Annex II postal scope? |
|---|---|---|
| National postal operator (La Poste, Deutsche Post, PostNL) | Clearance + sorting + distribution + last-mile | ✓ IN — if ≥50 staff or ≥€10M turnover |
| Commercial parcel network (DHL Parcel, DPD, GLS) | Sorting + hub distribution + last-mile | ✓ IN — if ≥50 staff or ≥€10M turnover |
| Regional courier (collection, sortation, last-mile) | Pick-up + sorting + distribution | ✓ IN — if ≥50 staff or ≥€10M turnover |
| Parcel locker network (InPost, DHL Packstation) | Pick-up services | ✓ IN — pick-up is explicitly a covered step |
| Outsourced sortation provider | Sorting only | ✓ IN — sorting is a covered step |
| Long-haul haulier (trunk transport only) | Transport only, no sorting or distribution | ✗ OUT under postal scope (assess separately as Annex I road transport) |
| SaaS route-optimisation provider | Software only — no delivery chain step performed | ✗ OUT — unless qualifying as Annex I digital infrastructure |
| Sole-trader courier | Single-person delivery | ✗ OUT — below size thresholds |
Size thresholds for Important Entity classification
The Annex II threshold uses an “or” — not an “and.” A postal or courier operator qualifies if it has at least 50 employees OR an annual turnover exceeding €10 million. [3] Either criterion is sufficient. A 55-person regional courier generating €8 million in revenue is in scope. A 30-person courier generating €15 million is equally in scope.
Almost all postal and courier operators meeting these thresholds qualify as Important Entities — the lower NIS2 classification — subject to reactive, ex-post supervision rather than proactive ex-ante audit. An entity is only classified as Essential if a member state specifically designates it based on national criticality criteria. For most commercial parcel networks, Important Entity status is the operative classification.
See also: NIS2 Annex II, Section 3: 5 Compliance Priorities for Postal and Courier Operators for an overview of sector-specific incident risks.
Does NIS2 Treat USPs and Commercial Couriers Differently?
Short answer: no. Article 21 obligations are identical for a designated Universal Service Provider and a commercial parcel network operating in the same member state at the same employee count.
The Annex II definition — “postal service providers, including providers of courier services” — was drafted without compliance tiers based on service category. A national USP operating under universal service obligation (USO) under Directive 97/67/EC and a private parcel carrier with no USO designation face identical Art. 21 security requirements, the same Art. 23 incident reporting timeline, and the same penalty exposure.
The distinction between USPs and commercial couriers matters in three practical respects, though none of them change the underlying Art. 21 obligations:
1. Existing regulatory oversight. USPs are defined under Directive 97/67/EC as the public or private entity providing universal postal service or parts thereof within a member state. [2] As designated operators, USPs have historically been subject to supervision by national regulatory authorities (NRAs), which in some member states included basic cybersecurity and resilience requirements. A commercial courier — DPD, GLS, Evri — typically starts NIS2 implementation without that regulatory baseline and faces a larger documentation gap to close.
2. Essential Entity designation potential. Member states may designate specific entities as Essential regardless of size, based on the entity’s criticality to societal or economic functions. A national USP operating as the sole delivery network in a small member state is a plausible target for such designation, which would impose proactive audit and shorter corrective action timelines. Most commercial parcel networks will remain Important Entities absent specific designation.
3. Financial services subsidiaries. USPs with banking arms — La Banque Postale in France, PostFinance in Switzerland, Postbank in Germany — operate those activities under DORA (Regulation 2022/2554), which is lex specialis for financial entities and displaces NIS2 for in-scope financial operations. The postal and logistics divisions of those same groups remain under NIS2. This creates internal compliance complexity for USP conglomerates that commercial couriers do not face.
For a compliance officer at DPD, GLS, or Evri: none of these distinctions reduce your Art. 21 obligation. The practical asymmetry runs the other way — you may be building documentation from a blank page while a USP has legacy compliance structures to adapt.
Germany: the nearest enforcement deadline
Germany’s NIS2 Implementation Act (NIS2UmsuG) entered into force on 6 December 2025 with no transition period. [7] Postal and courier operators within Germany that meet the size thresholds were required to register with the Bundesamt für Sicherheit in der Informationstechnik (BSI) by 6 March 2026. Any in-scope operator that has not yet registered is already in breach of that registration obligation.
Art. 21(2)(i) Applied to Parcel Operations: Three Obligations in One Clause
Article 21(2)(i) of the NIS2 Directive requires entities to implement “human resources security, access control policies and asset management.” [1] This single clause contains three distinct compliance obligations, each of which maps directly to operational realities in parcel networks that competitors and generic compliance guides consistently miss.
Component 1: Asset Management
Asset management under Art. 21(2)(i) means maintaining a comprehensive, classified inventory of every network and information system supporting your parcel operations — not only the systems your IT team recognises as traditional IT assets.
For a mid-size parcel operator, that inventory spans three tiers of criticality: [5] [6]
| Asset tier | Systems | Classification rationale |
|---|---|---|
| Critical (Tier A) | Warehouse Management System (WMS), Transportation Management System (TMS), parcel tracking platform, tracking API endpoints | Disruption = direct service failure; contains customer personal data; public-facing availability expectation |
| Important (Tier B) | Handheld driver PDAs, barcode scanners, RFID readers, parcel locker control systems, customs EDI gateways | Compromise = operational disruption; personal data risk; supply chain integrity |
| Standard (Tier C) | Fleet telematics, route-optimisation analytics, BI reporting platforms | Compromise = indirect operational impact; less direct exposure to customer data |
The WMS is frequently the highest-consequence asset in a parcel hub: it controls sorting logic, gate access at hub facilities, and in automated operations, conveyor routing decisions. A WMS compromise can cause physical mis-sorting at scale and loss of operational control over the hub — with direct reputational and financial consequences. It requires the same asset management rigour as a financial institution’s core banking system.
Asset management in practice means assigning a named owner to each classified asset, documenting its security requirements, and including it within the scope of your Art. 21(2)(a) risk assessment. [5] See also: NIS2 Asset Management Requirements for the full governance framework.
Component 2: Access Control Policies
Art. 21(2)(i) requires “access control policies” — a formal framework governing who accesses which system, under what conditions, and with what verification. [1] For parcel operators, the access population is more diverse and presents structural challenges that office-only organisations do not face.
| Role | System access | Required control |
|---|---|---|
| WMS administrator | Full WMS configuration, sorting rule editing | Privileged: MFA + session recording + just-in-time provisioning |
| Sortation engineer | Machine programming interfaces | Elevated: MFA + change approval workflow |
| Hub warehouse staff | Scanner login, gate access | Standard: role-based with shift-scoped time windows |
| Last-mile driver (employed) | Delivery app — address data, proof-of-delivery capture | Standard: device-enrolled MFA, app with remote wipe capability |
| Last-mile driver (contractor or gig) | Same delivery app, personal unmanaged device | High-risk: MDM enrolment or restricted web-only portal; same-day access revocation on contract end |
| B2B tracking API client | Shipment status API endpoints | API key with rate limiting, IP restriction, quarterly rotation |
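The last row of the table (B2B tracking API clients: API key with rate limiting, IP restriction, quarterly rotation) is the one control in the list that is enforced entirely in code rather than in HR or MDM processes. The following is an added illustration, not code from the article or from any carrier's tracking platform: a small authorisation layer that rejects keys older than the 90-day rotation window, checks the caller's source IP against a per-key allow-list, and applies a token-bucket rate limit before a request reaches the shipment-status endpoint. All names (`ApiKey`, `authorize_request`, `rotate_key`) and the sample keys and addresses are constructed for the example.

```python
"""Added example (not from the original article): key expiry, IP allow-list and
rate limiting for a B2B tracking API, as the table's last row describes.
All identifiers and sample data here are hypothetical."""
from dataclasses import dataclass, field
from datetime import date
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

ROTATION_DAYS = 90        # "quarterly rotation": keys older than this are rejected
BUCKET_CAPACITY = 60      # burst allowance per key
REFILL_PER_SEC = 1.0      # sustained rate: ~60 requests per minute per key


@dataclass
class ApiKey:
    key_id: str
    client: str
    issued: date
    allowed_cidrs: List[str]           # per-client IP restriction
    revoked: bool = False
    tokens: float = BUCKET_CAPACITY    # token-bucket state
    last_refill: float = 0.0           # seconds, monotonic clock


def key_expired(key: ApiKey, today: date) -> bool:
    """A key past the rotation window stops working even if nobody revoked it."""
    return (today - key.issued).days > ROTATION_DAYS


def ip_allowed(key: ApiKey, source_ip: str) -> bool:
    addr = ip_address(source_ip)
    return any(addr in ip_network(c, strict=False) for c in key.allowed_cidrs)


def take_token(key: ApiKey, now_s: float) -> bool:
    """Token bucket: refill by elapsed time, then spend one token if available."""
    elapsed = max(0.0, now_s - key.last_refill)
    key.tokens = min(BUCKET_CAPACITY, key.tokens + elapsed * REFILL_PER_SEC)
    key.last_refill = now_s
    if key.tokens >= 1:
        key.tokens -= 1
        return True
    return False


def authorize_request(keys: Dict[str, ApiKey], key_id: str, source_ip: str,
                      today: date, now_s: float) -> Tuple[bool, str]:
    """Checks run cheapest-first; every rejection carries a reason for the audit log."""
    key = keys.get(key_id)
    if key is None or key.revoked:
        return False, "unknown or revoked key"
    if key_expired(key, today):
        return False, "key older than rotation window"
    if not ip_allowed(key, source_ip):
        return False, "source IP not in client allow-list"
    if not take_token(key, now_s):
        return False, "rate limit exceeded"
    return True, "ok"


def rotate_key(keys: Dict[str, ApiKey], old_id: str, new_id: str, today: date) -> ApiKey:
    """Quarterly rotation: issue a replacement with the same scope, revoke the old key."""
    old = keys[old_id]
    new = ApiKey(new_id, old.client, today, list(old.allowed_cidrs))
    old.revoked = True
    keys[new_id] = new
    return new


# Constructed sample data (RFC 5737 documentation address ranges)
SAMPLE_TODAY = date(2025, 12, 22)


def sample_keys() -> Dict[str, ApiKey]:
    return {
        "k-fresh": ApiKey("k-fresh", "retailer-a", date(2025, 10, 1), ["203.0.113.0/24"]),
        "k-stale": ApiKey("k-stale", "retailer-b", date(2025, 6, 1), ["198.51.100.0/24"]),
    }


if __name__ == "__main__":
    keys = sample_keys()
    print(authorize_request(keys, "k-fresh", "203.0.113.10", SAMPLE_TODAY, 1000.0))
    print(authorize_request(keys, "k-fresh", "198.51.100.5", SAMPLE_TODAY, 1000.0))
    print(authorize_request(keys, "k-stale", "198.51.100.5", SAMPLE_TODAY, 1000.0))
```

The expiry check is deliberately independent of revocation: a key that was never rotated simply stops working after 90 days, which turns the "quarterly rotation" policy line into something an auditor can verify from behaviour rather than from a calendar reminder.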
The gig-economy access control gap
Seasonal and gig-economy delivery drivers represent the most structurally difficult access control challenge in the postal sector. These workers access systems containing millions of delivery addresses — personal data under GDPR and a target for fraud, address scraping, and parcel interception — using personal mobile devices that the operator cannot manage or remotely wipe.
Art. 21(2)(i) does not prescribe device management, but the access control policy must be “appropriate and proportionate” to the risks posed. [1] For personal-device access to customer address data and delivery instructions, proportionate controls include: a restricted web-only portal rather than a native app where technically feasible, minimum data exposure per journey leg (driver sees only the next 5 deliveries, not the full day’s manifest), and same-day access revocation on contract termination — not a manual IT ticket submitted 72 hours later.
See also: NIS2 Access Control Policy Requirements for the full implementation framework.
Component 3: Human Resources Security
High workforce turnover in the postal sector — warehouse staff, seasonal peaks, gig drivers — makes the HR security component of Art. 21(2)(i) particularly acute. Three controls matter most: [5]
- Pre-employment screening proportionate to the role. A WMS administrator with privileged system access warrants background verification. A parcel sorter with scanner-only access to a constrained role does not require the same level of screening. The screening programme must be documented and role-calibrated, not uniform.
- Secure offboarding. Access must be revoked without undue delay on departure. In a warehouse environment where scanner credentials are role-based rather than individual, this requires individual credential assignment and automated deactivation on HR system update — not a manual IT request submitted after the farewell lunch. This is a routine audit finding in logistics-sector access reviews.
- Seasonal workforce management. Christmas-peak temporary workers require access profiles with defined end dates and automatic expiry. Failed revocation of seasonal credentials is the most predictable post-peak vulnerability in the sector.
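The gig-driver controls above (web-only portal for unmanaged devices, a manifest limited to the next 5 stops, revocation on contract end) and the two HR controls just listed (offboarding driven by the HR record rather than a ticket, seasonal accounts with a built-in end date) all reduce to a small policy that can be expressed in code and tested. The following is an added example written for this guide, not code from the article or from any carrier's delivery app. The account model, shift windows, sample drivers and manifest are all constructed; the point is that "automatic expiry" and "shift-scoped" become properties of the authorisation decision itself rather than of a deprovisioning process that someone has to remember to run.

```python
"""Added example (not from the original article): driver access policy as code.
Covers shift-scoped time windows, web-only access for unmanaged devices,
a manifest slice of the next N stops, HR-driven offboarding and automatic
expiry of seasonal accounts. All names and sample data are hypothetical."""
from dataclasses import dataclass
from datetime import date, datetime, time
from typing import List, Optional

MANIFEST_SLICE = 5   # driver sees only the next N deliveries, never the full day


@dataclass
class Shift:
    start: time
    end: time


def in_shift(shift: Shift, t: time) -> bool:
    """Shift windows may wrap midnight (e.g. 22:00 to 06:00)."""
    if shift.start <= shift.end:
        return shift.start <= t <= shift.end
    return t >= shift.start or t <= shift.end


@dataclass
class DriverAccount:
    driver_id: str
    employment: str                  # "employed" or "contractor"
    device_managed: bool             # MDM-enrolled device?
    shift: Shift
    contract_end: Optional[date] = None   # seasonal/gig accounts carry an end date
    disabled: bool = False


@dataclass
class Decision:
    allowed: bool
    channel: str                     # "native_app", "web_portal" or "none"
    reason: str


def evaluate_driver_access(acct: DriverAccount, now: datetime) -> Decision:
    """Every login evaluates the policy; expiry needs no separate cleanup job."""
    if acct.disabled:
        return Decision(False, "none", "account disabled (offboarded)")
    if acct.contract_end is not None and now.date() > acct.contract_end:
        return Decision(False, "none", "contract end date passed: auto-expired")
    if not in_shift(acct.shift, now.time()):
        return Decision(False, "none", "outside shift window")
    if not acct.device_managed:
        return Decision(True, "web_portal", "unmanaged personal device: web-only portal")
    return Decision(True, "native_app", "managed device: native app permitted")


def next_manifest_slice(manifest: List[dict], delivered: int,
                        n: int = MANIFEST_SLICE) -> List[dict]:
    """Minimum data exposure: only the next n stops after those already delivered."""
    return manifest[delivered:delivered + n]


def offboard(acct: DriverAccount) -> DriverAccount:
    """Called from the HR system event on termination, same day, not via an IT ticket."""
    acct.disabled = True
    return acct


def expire_seasonal(accounts: List[DriverAccount], today: date) -> List[str]:
    """Belt-and-braces sweep after peak: returns ids of accounts past their end date."""
    expired = []
    for a in accounts:
        if not a.disabled and a.contract_end is not None and today > a.contract_end:
            a.disabled = True
            expired.append(a.driver_id)
    return expired


# Constructed sample data
DAY_SHIFT = Shift(time(7, 0), time(17, 0))
NIGHT_SHIFT = Shift(time(22, 0), time(6, 0))
SAMPLE_MANIFEST = [{"stop": i, "postcode": f"XX{i:02d} 1AA"} for i in range(1, 13)]
SAMPLE_PEAK_MORNING = datetime(2025, 12, 22, 9, 30)
SAMPLE_NIGHT = datetime(2025, 12, 23, 1, 15)
SAMPLE_JANUARY = datetime(2026, 1, 2, 9, 0)


def sample_accounts() -> List[DriverAccount]:
    return [
        DriverAccount("emp-001", "employed", True, DAY_SHIFT),
        DriverAccount("gig-042", "contractor", False, DAY_SHIFT, contract_end=date(2025, 12, 31)),
        DriverAccount("night-007", "employed", True, NIGHT_SHIFT),
    ]


if __name__ == "__main__":
    for a in sample_accounts():
        print(a.driver_id, evaluate_driver_access(a, SAMPLE_PEAK_MORNING))
    print(next_manifest_slice(SAMPLE_MANIFEST, delivered=3))
    print(expire_seasonal(sample_accounts(), SAMPLE_JANUARY.date()))
```

The `contract_end` check inside `evaluate_driver_access` is what makes the seasonal-credential problem from the last bullet disappear: even if the post-peak sweep (`expire_seasonal`) never runs, an account with an end date cannot authenticate after it. The sweep remains useful for the audit trail, since it produces the list of accounts that were closed.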
Applying the Other Nine Art. 21 Measures to Postal Operations
Art. 21(2)(i) is the most operationally distinctive measure for parcel networks, but the remaining nine obligations each carry sector-specific implications worth noting.
(a) Risk analysis and information system security policies. The risk analysis must reflect the operational technology in your network. WMS failure, parcel tracking API unavailability, and hub sorting automation disruption are service disruption risks with direct customer and financial impact. Quantify the exposure: WMS unavailability for 4 hours during peak season has calculable consequences in mis-sorted parcels, customer compensation claims, and re-processing costs. Generic IT risk registers that treat WMS as a standard back-office application fail this test. See also: NIS2 Risk Assessment Requirements.
(b) Incident handling. The La Poste DDoS of 22 December 2025 — which took Colissimo parcel tracking offline during peak Christmas season [4] — is the sector’s reference incident for Art. 21(2)(b) and Art. 23. Your incident handling procedure must define a “significant incident” threshold in operational terms: a tracking portal unavailability of 4 hours during peak season is a candidate for Art. 23 early warning. Two hours during off-peak may not be. That classification decision must be documented in advance, not made ad-hoc during the incident. See also: NIS2 Incident Reporting Requirements.
(c) Business continuity, backup, and disaster recovery. When Royal Mail’s international operations were struck by LockBit ransomware in January 2023, international parcel exports were halted for an extended period — a service disruption that would trigger Art. 23 reporting under today’s NIS2 framework. The BCP question for any hub-based parcel network: what is the manual operating procedure when the WMS is unavailable? Paper-based sorting contingency, alternative hub routing, and customer communication protocols need documented and rehearsed procedures. Operators who assume “IT will restore it within 4 hours” without testing that assumption are carrying an Art. 21(2)(c) gap.
(d) Supply chain security. Parcel networks operate through third-party dependencies: last-mile delivery franchisees or subcontractors, customs clearance agencies, EDI connectivity providers, and parcel locker hardware suppliers. Under Art. 21(2)(d), your security programme must assess each direct supplier’s cybersecurity posture and include proportionate contractual security requirements. [1] A last-mile franchise network with TMS access is a direct supplier — their credential security and patching practices are your supply chain risk. See also: NIS2 Supply Chain Security Requirements.
(e) Security in network and information system acquisition and maintenance. WMS and TMS platforms from major vendors receive regular security patches. Art. 21(2)(e) requires documented patching procedures and vulnerability management. Parcel tracking APIs with unpatched authentication vulnerabilities have been repeatedly demonstrated as exploitation targets in proof-of-concept research — documented patching windows for production WMS instances are a baseline obligation.
(g) Cyber hygiene and cybersecurity training. Delivery drivers are a high-phishing-risk population. Social engineering via fake parcel delivery notifications — a common attack vector for credential harvesting — can compromise driver app access. Training must address phishing recognition, personal device hygiene for staff using personal devices for work-related systems, and the reporting channel for suspected compromises.
(j) Multi-factor authentication. Art. 21(2)(j) requires MFA for access to network and information systems. [1] For parcel operators, this applies to: WMS and TMS login, the customer-facing tracking portal’s administrative interface, hub network remote access, and any cloud-hosted parcel data platform. Driver apps authenticating from personal devices should use biometric or OTP as the second factor — the alternative of password-only access to systems containing customer addresses is disproportionate to the risk.
Enforcement Timeline, Registration Deadlines, and Penalty Exposure
Article 34(5) of the NIS2 Directive sets maximum penalties for Important Entities at €7 million or 1.4% of total global annual turnover, whichever is higher. These are ceiling figures; national competent authorities apply graduated sanctions beginning with corrective orders. However, graduated does not mean indefinite — persistent non-compliance following a corrective order can escalate to financial penalties without further warning.
For a parcel network with €200 million in global revenue, the upper bound is €2.8 million (1.4% of turnover). For a €1 billion operator, it is €14 million. The €7 million absolute floor protects smaller operators from the proportionate calculation only when their 1.4% figure would exceed €7 million — for most mid-size couriers, 1.4% of turnover is the operative figure.
Registration deadlines by jurisdiction
NIS2 requires in-scope entities to self-identify to their national competent authority. Timelines vary by member state:
| Jurisdiction | Status | Key deadline |
|---|---|---|
| Germany | NIS2UmsuG in force 6 December 2025 [7] | BSI registration: 6 March 2026 — now passed for most entities |
| EU (general) | Most member states transposed NIS2 by October 2024 | Enforcement active — check your NCA’s registration portal |
| Netherlands | Cybersecurity Act expected Q2 2026 | Registration window opening — monitor ACN/RDI for postal sector guidance |
Postal and courier operators that have not registered in transposed jurisdictions are technically in breach. Most national competent authorities have prioritised registration and initial gap assessment before formal penalty proceedings — but that prioritisation reflects enforcement capacity, not regulatory tolerance. The grace period is narrowing.
Management accountability under Art. 20
Art. 20 of the NIS2 Directive requires management bodies to approve cybersecurity risk management measures and oversee their implementation. This is an independently enforceable obligation — a competent authority can sanction an organisation for failing Art. 20 governance requirements even when the underlying Art. 21 technical controls are otherwise sound. For parcel operators, board-level approval of the Art. 21 security programme is not a formality; it is a prerequisite for demonstrating compliance.
NIS2 Compliance Checklist for Postal and Courier Operators
The following table sequences implementation by priority, based on typical compliance gap profiles for Important Entity postal operators starting from a partial or undocumented baseline.
| Priority | Action | Art. 21 measure | Role | Effort |
|---|---|---|---|---|
| 1 | Register with national NCA and confirm Important Entity classification | Registration obligation | Compliance Officer | Low |
| 2 | Build asset inventory: WMS, TMS, tracking platform, driver apps, parcel lockers, EDI gateways | Art. 21(2)(i) | IT Lead | Medium |
| 3 | Define access tiers and document access control policy with joiner-mover-leaver procedures | Art. 21(2)(i) | IT Lead + HR | Medium |
| 4 | Implement seasonal worker credential scoping with auto-expiry | Art. 21(2)(i) | HR + IT | Low |
| 5 | Conduct initial risk assessment covering WMS failure, tracking portal outage, hub ransomware scenarios | Art. 21(2)(a) | CISO | High |
| 6 | Define “significant incident” threshold and document incident classification framework | Art. 21(2)(b) | CISO + Legal | Medium |
| 7 | Assess top 10 direct suppliers including last-mile franchisees and EDI providers | Art. 21(2)(d) | Procurement + CISO | High |
| 8 | Deploy MFA for WMS, TMS, and hub network remote access | Art. 21(2)(j) | IT Lead | Medium |
| 9 | Document BCP for WMS unavailability: manual contingency, re-routing protocol, customer comms | Art. 21(2)(c) | Operations + IT | High |
| 10 | Obtain formal board approval of Art. 21 security programme | Art. 20 | Board / C-Suite | Low |
Role responsibilities
| Role | Primary Art. 21 responsibilities |
|---|---|
| Board / C-Suite | Art. 20 approval of security measures; penalty exposure ownership; budget sign-off for implementation |
| CISO / IT Security | Art. 21(2)(a) risk assessment; (b) incident response programme; (i) access control policy; (j) MFA deployment |
| IT Lead | Asset inventory (WMS/TMS/tracking); patching procedures; access provisioning and deprovisioning automation |
| HR | Art. 21(2)(i) joiner-mover-leaver procedure; seasonal worker credential scoping; offboarding protocol |
| Legal / Compliance | NCA registration; Art. 23 reporting trigger definition; supplier contract security clauses |
| Operations | BCP manual contingency procedures for WMS/TMS failure; communication protocol for service disruption |
Frequently Asked Questions
Does NIS2 apply to parcel locker networks?
Yes. Pick-up services are explicitly listed as a covered step in the Annex II delivery chain. [3] A parcel locker network operator above the 50-employee or €10 million threshold — InPost, DHL Packstation, or national equivalents — providing pick-up services is in scope as an Important Entity.
We outsource our sortation to a third-party logistics provider. Does that remove us from scope?
No. Outsourcing a delivery chain step does not remove your organisation from scope. NIS2 scope is determined by whether your organisation provides the service, not by whether it operates the infrastructure directly. Your third-party sortation provider may also be independently in scope — each entity is assessed individually.
Our courier network operates in multiple EU member states. Do we register in each?
Art. 26 of NIS2 establishes jurisdiction based on your main EU establishment. Multi-state operators are generally supervised by a single lead national competent authority, though member states where you provide services may retain notification and cooperation rights. Confirm the applicable lead NCA in your primary member state of establishment.
Does the transport exclusion apply if our road freight division also handles parcel distribution?
No. The exclusion applies only to transport services genuinely disconnected from any other delivery chain step. If your road freight operation performs distribution or sortation in addition to trunk transport, it does not qualify for the exclusion. Separation into a distinct legal entity changes the analysis at the entity level — consult a legal specialist if this boundary applies to your group structure.
Sources
1. NIS2 Directive (EU) 2022/2555, Article 21 — Cybersecurity Risk-Management Measures — nis-2-directive.com (primary text)
2. Directive 97/67/EC — Common Rules for the Development of the Internal Market of Community Postal Services — EUR-Lex
3. NIS2 Directive Requires Postal Providers to Take Measures on Cybersecurity — Cullen International
4. La Poste, France — DDoS Impact Summary (December 2025) — MazeBolt
5. NIS2 Article 21 Risk Management Measures Explained: All 10 Controls — Glocert International
6. NIS2 for Logistics and Transportation: Requirements and Implementation — nFlo
7. Germany Implements NIS2: Immediate Effect, Broad Scope, Near-Term Registration — Reed Smith
This article provides general information only and does not constitute legal or regulatory advice. Requirements may vary by jurisdiction and organisation type. Consult a qualified legal professional or compliance specialist for advice specific to your situation.
Get the NIS2 Article 21 Compliance Checklist
90+ assessment items mapped to CIR 2024/2690 — instant PDF, no payment.
