Cybersecurity, the NIS Directive and our essential service providers

Steven Kenny

The global COVID-19 pandemic has created many challenges for us all. What has become apparent throughout is how reliant society is on the operators of essential services (OESs) and digital service providers (DSPs). In these unprecedented times we have certainly seen some of the OESs being pushed to their limits. This should make us reflect on the impact that this could have on society should one of the key sectors or organisations fail.

With daily reports being issued by the media regarding increased activities in relation to cyber attacks, the need to be vigilant when it comes to cybersecurity has never been so important. The heightened risk posed to us as individuals, and to businesses, has resulted in a joint advisory being issued by the United Kingdom’s National Cyber Security Centre (NCSC), and the United States’ Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA). This advisory provides information on exploitation by cyber criminals and Advanced Persistent Threat (APT) groups during the current COVID-19 pandemic.

The critical role of the NIS Directive

With an understanding that cybercrime is a key focus for the criminal fraternity, and acknowledgement that we are all reliant on OESs and DSPs, the first piece of EU-wide legislation on cyber security, the NIS Directive, remains absolutely critical. However, it is important to understand which businesses are classed as essential services. OESs and DSPs will include some of the largest organisations and many well-known names across Europe. They will cover banks, energy and power network operators, air, road and rail transportation providers, telecommunications companies, health providers, water suppliers, food suppliers and operators of digital infrastructure.

It is no surprise that we see health providers on this list. With our National Health Service already being pushed to the limits, it’s hard to comprehend the devastating impact of another WannaCry incident right now. What has been less anticipated is that food suppliers have been integral to keeping society operational, and yet, for many, have not traditionally been viewed as an essential service in the same regard as health or energy.

This is why both the NIS Directive and the UK CNPI (Centre for the Protection of National Infrastructure) reference food suppliers and operators as OESs. More than ever the food supply chain is operating at its maximum and we have seen unprecedented levels of recruitment taking place by food retailers. As well as many others, these are our front line operators, feeding our nation and keeping families and homes operational.

Protecting service providers

With strategies being formulated and some measures already being put in place to slowly ease society back into a ‘new normal’ as the numbers of new COVID-19 infections begin to consistently drop, it would seems like the right time to reflect. We should acknowledge the importance of food related organisations during this crisis, and, the importance of assuring that they can continue to operate even in the event of a cyber attack on their systems. Never has it been so important to help food retailers and those in the food supply chain evaluate their cybersecurity strategy and look closely at their supply chain, including in depth due diligence on their vendors and partners.

Crucially, it’s important that we reach a point where food organisations are able to confirm that they have the processes, policies and infrastructure in place to support NIS Directive compliance. Compliance shouldn’t be seen as a box ticking exercise, but something that is implemented because it’s the right thing to do. More than ever we need to help these businesses to understand the importance of increasing their security and taking the necessary measures to protect themselves and the service they provide to us all. Their contribution has never been so evident and their work so appreciated. Reducing the chance of a serious cyberattack is the next big challenge.

Download our GDPR and cybersecurity whitepaper to find out how to make cybersecurity in retail a priority:


GDPR & cybersecurity whitepaper