Cybersecurity and the food supply chain

Date
02 October 2015

Cybersecurity is an increasingly important issue for many in the food and beverage sector: the growing reliance on information systems for business-critical functions means cybersecurity incidents can have serious consequences, including business disruption and reputational harm. Worryingly, the 2013 Global Security Report by Trustwave suggests that 24% of cyber-attacks during 2012 were directed at businesses in the food and beverage sector, second only to the retail sector (45%).

New Legislation

In this context the European Parliament voted on 13 March 2014 to approve the draft Network and Information Security Directive (known colloquially as the Cybersecurity Directive), which contains new rules designed to improve the cybersecurity of the European Union and will place new regulatory obligations on many businesses in the food supply chain.

The Directive aims to facilitate information sharing about cybersecurity threats between the public and private sectors and between Member States.  It also sets out in broad terms the obligations that Member States will be expected to impose at industry level on private undertakings providing certain critical infrastructure within the EU.  Chapter IV of the Directive details these obligations, which include a requirement that critical infrastructure providers have an adequate strategy and take appropriate steps to deal with cybersecurity threats and report significant breaches of their information system to a national authority (“Chapter IV Obligations”).

Chapter IV Obligations will apply to those critical infrastructure operators identified in Annex II of the Directive which, unsurprisingly, include providers of energy, transport, healthcare and financial markets infrastructure. However, during the committee stage in the European Parliament, Annex II was amended to include the “food supply chain” within the list of critical infrastructure operators to which Chapter IV Obligations apply, and this amendment was included in the text approved by the European Parliament.

Very little information is currently available to explain which businesses will be considered part of the “food supply chain” for the purposes of the Directive’s Chapter IV Obligations. At its broadest, it could cover any business involved “from farm to fork”, e.g., farming, processing, manufacture, storage, distribution and retail. However, the Directive does qualify that the Chapter IV Obligations will only apply to a ‘market operator’ if it is an operator of infrastructure, ‘the disruption or destruction of which would have a significant impact in a Member State’. The Directive also explicitly excludes ‘microenterprises’ (i.e., businesses with fewer than 10 employees and whose annual turnover and/or annual balance sheet total does not exceed €2 million) from the Chapter IV Obligations, unless they are a subsidiary of another larger market operator caught by the Directive.

Although these exemptions will provide some comfort for smaller businesses, many questions remain for larger operators. For example, will supermarkets with retail, storage and processing facilities be covered by the Chapter IV Obligations? If so, will the obligations to report information security breaches to a national regulator apply to the whole of their business or only certain parts?

The Future

MEPs were strongly in favour of the current draft of the new rules, with the ‘yes’ vote winning by 521 votes to 22. Now that the current draft of the Directive has been approved by the European Parliament, it will be negotiated with the European Commission and the Council. The Directive is unlikely to complete the legislative process before the end of the current European Parliament’s term, meaning there is the possibility that the process will not be continued in the new Parliament starting in May 2014. However, given the strong support of MEPs in this vote, this is unlikely.

For further information about the Directive and the implications for those caught by the Chapter IV Obligations, see the analysis of the current draft of the Directive recently written by Bird & Bird’s Cybersecurity team here and their analysis of the original proposal here.

Author: Toby Bond

Associate

UK

Tel: +44 (0)20 7415 6000

Written by
Clarity Admin