Food security meets cybersecurity

The changing scope of digital defenses in food processing


Digitalization offers enormous advantages to food processors and the safety and security of food supply chains in general. With more than 8 billion people in the world depending on food processors for nutrition in a sustainable way, there is no choice but for food processors to step into the digital world to be viable for the future.

However, along with the increased benefits come risks. Cybersecurity threats are now, sadly, a part of life, and there is no minimum business size or reach that dictates who is targeted. The implications of a cyber-attack on a business can be crippling: ransom, theft of personnel, business and intellectual property data, reputation damage, system lockouts, and more. On top of these come the penalties, legal liability, and suspension of operations that are all possible outcomes of failing to comply with government legislation.

The main concerns of any food processor are: is my data safe, is there data continuity, and what is my digital partner doing to protect businesses, supply chains and customers from the risks?

Globally, government regulations for cybersecurity within the food supply chain vary widely. For example, Singapore has clear regulatory requirements, while the US offers security guidelines and frameworks. However, there is a high awareness of the rapidly evolving challenges in protecting the global food supply chain from cyber-attacks.

In 2024 the EU and Singapore both implemented extended regulatory requirements, with China doing the same in 2025. As AI becomes more integrated into business, cybersecurity regulations will expand and become more stringent internationally.


For example, a future regulatory change on the table is the US Farm and Food Cybersecurity Act, currently under legislative consideration. If approved, it will affect the requirements placed on US food processors.

| Country / Region | Regulation | Level of regulation | Impl. year | Food processors affected (size) | Scope | Area of interest for food processors |
|---|---|---|---|---|---|---|
| EU and EEA | NIS2 | High-comprehensive | 2024 | Large, medium – small with discretionary review | Production, processing, distribution | Risk management, mandatory incident reporting, supply chain cybersecurity, operational technology protection |
| US | Critical Infrastructure Designation (via Cyber Defense Agency) | Moderate/low, several general cybersecurity guidelines and general data protection | 2015 | | Indirect coverage through critical infrastructure and data protection requirements | Protection of customer and supply chain data, secure storage |
| Canada | PIPEDA & Sector-specific measures | Moderate/low, general data protection | 2001 – amended 2015 | Large | Indirect coverage through data protection and supply chain requirements | Protection of customer and supply chain data, secure storage |
| Australia | Critical Infrastructure Act | High-Critical infrastructure | 2018 – updated 2021 | Large and critical | Targets key food supply chain players | ICS and OT protections, incident response preparedness, supply chain cybersecurity, risk management |
| China | Cybersecurity Law | High – broad and stringent | 2021 – updated 2025 | Large businesses and key suppliers operating in or interacting with the Chinese market | Covers all critical industries | Network data security, data transfer and risk assessment, sector-specific compliance and reporting |
| Singapore | Cybersecurity Act 2018 | High – essential services focused | 2018 – updated 2024 | Key operators in critical food supply chains | Focuses on essential services including food processors integrated with critical infrastructure | ICS/IoT security, regulatory incident reporting, cyber resilience measures |
| Japan | Basic Act on Cybersecurity | Moderate – Broad guidance | 2014 – updated 2021 | Large business and voluntary SMEs | No strict mandates for SMEs | Encouragement of ICS security, voluntary frameworks for supply chain resilience, stakeholder collaboration |

EU and EEA regulatory shifts in 2024 

Just as the EU has increased stringency on traceability regulations, it has also implemented cybersecurity regulations to bolster safety and trust and to standardize cybersecurity requirements.

Entering into force on 10 December 2024, the EU Cyber Resilience Act (CRA) aims to safeguard consumers and businesses buying software or hardware products with a digital component. CRA regulations include:

  1. Mandatory security measures that ensure manufacturers meet cybersecurity standards throughout the lifecycle of products, including regular updates and security patches to address vulnerabilities.
  2. Required reporting to relevant authorities of any exploited vulnerabilities within 24 hours of discovery to enable rapid response.
  3. The CRA applies to connected hardware and software, including IoT devices and industrial systems. There are exceptions for products already covered by sector-specific regulations.
  4. Unified framework to harmonize rules across the EU and foster trust.

This is great news for food processors adopting digital systems in the EU, as the updated CRA offers another layer of checks on technology.

On 17 October 2024, the EU-wide cybersecurity legislation, the NIS2 Directive, came into effect. It augments CRA and updates previous rules with the aim of creating a robust and unified cybersecurity framework across Europe to safeguard critical supply chains. NIS2 provides the baseline of security standards, leaving room for Member States to adopt and enforce stricter cybersecurity measures.

The food supply chain is one of the industries captured within NIS2’s expanded scope. For food processors the direct implications include: 

  • Businesses within the NIS2 scope must implement robust cybersecurity measures and procedures including:
    • Risk analysis and management
    • Incident management 
  • Incident reporting of cybersecurity incidents that cause significant disruption is stricter:
    • Initial notifications within 24 hours
    • Detailed report within 72 hours
  • Company leadership is held accountable for compliance
  • Food processors must evaluate the practices of their suppliers and partners and ensure they follow cybersecurity practices

Singapore expanded the scope of regulations to:

  • Adapt to new technologies and business models
  • Increase regulatory oversight
  • More stringent cybersecurity standards
  • Increased supply chain scrutiny
  • Enhanced incident reporting

China: new regulations fast-moving and fluid

In China, regulations and rules around cybersecurity and data protection continue to be fast-moving and fluid. While the most recent Network Data Security Management Regulations, released in January 2025, concern personal data protection for Mainland China residents, it is critical to note the fast-moving fluidity of the data protection framework. Processors based in China or with China-based supply chain partners should continue to watch the space, particularly as compliance assessment and reporting are expected to be of high focus throughout 2025.


Is the industry shifting faster than regulators?

The food industry's growing reliance on digital systems in hardware, software and cloud computing, plus rapid advances in AI technology, highlights the need for comprehensive cybersecurity approaches worldwide. The varied levels of governmental legislation and regulations across countries and regions seem to contrast with the complex international supply chains which exist in today’s food industry.

As the cyber risk landscape evolves, it is often up to individual businesses in different regions to proactively adopt cybersecurity frameworks that help them avoid vulnerabilities.

In response, frameworks such as the NIST Cybersecurity Framework in the US and global certifications like ISO/IEC 27001 are gaining traction. They present a way of building consumer and partner trust in the digital arms of businesses, as well as bolstering a secure supply chain.

The advantage of a certification such as ISO/IEC 27001:2022 is its international recognition as a standard for managing information security. The process of gaining certification requires the establishment, implementation, maintenance and continuous improvement of an information security management system (ISMS). There are a few reasons why this is worth the effort:

  • Enhanced information security
  • Assists in compliance with legal and regulatory requirements e.g. GDPR, HIPAA, NIS2
  • Improves customer and stakeholder trust
  • Improves resilience through proactive risk management, continuous improvement, accountability, and considered plans and measures in place
  • Global recognition simplifies doing business across borders

Going through the complex process of ISO certification may not be the best option for all food processors. However, it can still be used as a guide when choosing digital partners.

JBT Marel’s digital products have all achieved ISO/IEC 27001:2022 certification.


Making your business more cyber resilient

Whether to meet regulatory compliance or, for forward-thinking companies, to protect themselves, partners and consumers, food processors of all sizes can take several strategic steps that address potential vulnerabilities, improve resilience and safeguard their operations:

  1. Evaluate and engage digital partners that have ISO/IEC 27001:2022 certification
  2. Implement cybersecurity frameworks
  3. Employee awareness and training
  4. Secure operational technology and control systems
  5. Expand security on newer threats such as IoT and AI-driven cyberattacks
  6. Disaster recovery plans
  7. Cyber Insurance
  8. Compliance with cybersecurity regulations

The above list is useful for food processors of all sizes, but it is worth noting that smaller businesses will have unique challenges when it comes to implementing effective cybersecurity, such as limited technical and financial resources. There are several actions that can help overcome these added hurdles:

  1. Seek third-party expertise
  2. Choose partners/suppliers that show a mature level of cybersecurity
  3. Focus on training and awareness
  4. Prioritize compliance
  5. Adopt scalable frameworks

Food security meets cybersecurity

Network and information systems have developed into a feature of everyday life with fast digital transformation and interconnection, including cross-border exchanges. While this brings with it incredible advantages in data tracking and monitoring to improve food safety and minimize waste of valuable resources, it has also led to an expansion of the cyber threat landscape and, with that, new challenges requiring all of us to adapt, coordinate and innovate responses to the increasing number and sophistication of cyber threats.

The security of our food supply chain is a shared responsibility. As we improve sustainability by digitally transforming our food landscape, it must be paired with robust cybersecurity to protect supply chains globally. 

 

Talk to an expert

 

Concerned about the cloud and security? We’re happy if you are. Cybersecurity is a crucial element in maintaining a successful and safe food processing landscape, which is why we are always available to discuss your concerns and requirements, to explain not only how we are addressing these challenges within JBT Marel, but how we can help you address your own security challenges.
