Cybersecurity and the food supply chain

21 April 2014

Cybersecurity is an increasingly important issue for many in the food and beverage sector, as the growing reliance on information systems for business-critical functions means cybersecurity incidents can have serious consequences, including business disruption and reputational harm. Worryingly, the 2013 Global Security Report by Trustwave suggests that 24% of cyber-attacks during 2012 were directed at businesses in the food and beverage sector, second only to the retail sector (45%).

New Legislation

In this context the European Parliament voted on 13 March 2014 to approve the draft Network and Information Security Directive (known colloquially as the Cybersecurity Directive), which contains new rules designed to improve the cybersecurity of the European Union and will place new regulatory obligations on many businesses in the food supply chain.

The Directive aims to facilitate information sharing about cybersecurity threats between the public and private sectors and between Member States. It also sets out in broad terms the obligations that Member States will be expected to impose at industry level on private undertakings providing certain critical infrastructure within the EU. Chapter IV of the Directive details these obligations, which include a requirement that critical infrastructure providers have an adequate strategy and take appropriate steps to deal with cybersecurity threats and report significant breaches of their information system to a national authority ("Chapter IV Obligations").

Chapter IV Obligations will apply to those critical infrastructure operators identified in Annex II of the Directive which, unsurprisingly, include providers of energy, transport, healthcare and financial markets infrastructure. However, during the committee stage in the European Parliament, Annex II was amended to include the "food supply chain" within the list of critical infrastructure operators to which Chapter IV Obligations apply, and this amendment was included in the text approved by the European Parliament.

Very little information is currently available to explain which businesses will be considered part of the "food supply chain" for the purposes of the Directive's Chapter IV Obligations. At its broadest, it could cover any business involved "from farm to fork" (e.g. farming, processing, manufacture, storage, distribution and retail). However, the Directive does qualify that the Chapter IV Obligations will only apply to a 'market operator' if it is an operator of infrastructure 'the disruption or destruction of which would have a significant impact in a Member State'. The Directive also explicitly excludes 'microenterprises' (i.e. businesses with fewer than 10 employees and whose annual turnover and/or annual balance sheet total does not exceed €2 million) from the Chapter IV Obligations, unless they are a subsidiary of another larger market operator caught by the Directive.

Although these exemptions will provide some comfort for smaller businesses, many questions remain for larger operators. For example, will supermarkets with retail, storage and processing facilities be covered by the Chapter IV Obligations? If so, will the obligation to report information security breaches to a national regulator apply to the whole of their business or only to certain parts?

The Future

MEPs were strongly in favour of the current draft of the new rules, with the 'yes' vote winning by 521 votes to 22. Now that the current draft of the Directive has been approved by the European Parliament, it will be negotiated with the European Commission and the Council. The Directive is unlikely to complete the legislative process before the end of the current European Parliament's term, meaning there is the possibility that the process will not be continued in the new Parliament starting in May 2014. However, given the strong support of MEPs in this vote, this is unlikely.

For further information about the Directive and the implications for those caught by the Chapter IV obligations see the analysis of the current draft of the Directive recently written by Bird & Bird's Cybersecurity team here and their analysis of the original proposal here.