When we ran a NIS2 scope assessment for a fish processing business operating out of Killybegs, Donegal, the owner's first response was that it could not possibly apply to him. His business filleted and packaged fish. It was not a technology company. It was not critical national infrastructure. He had 65 staff and turned over just over €12 million. By the end of the assessment, it was clear that his business was almost certainly in scope as a food production entity under NIS2 Annex I — and had been since the transposition deadline passed.
Most Irish fish processing business owners have never heard of NIS2. Those who have assume it applies to technology companies and critical infrastructure — not to a fish filleting plant in Donegal or a smoked salmon operation in West Cork. They are wrong, and the consequences of that assumption are about to become real.
WHAT: Why Fish Processors Are in Scope for NIS2
The Network and Information Security Directive 2 applies to entities operating in sectors listed in its Annexes and meeting size thresholds. NIS2 Annex I includes "Production, processing and distribution of food" as a sector of high criticality. A fish processing business that meets the size thresholds — more than 50 employees or annual turnover exceeding €10 million — is almost certainly in scope as a food production entity under the Essential Entities category.[^1]
Even businesses below those thresholds may face obligations. NIS2 extends requirements down the supply chain. If your fish processing business supplies a larger entity that is itself in scope — a major retailer, a food service distributor, a multinational food company — you may face contractual requirements to meet NIS2-equivalent standards regardless of your own size. This supply chain pressure is already visible: major Irish retail chains and European food service buyers are beginning to include cybersecurity questionnaires in supplier qualification processes.
The obligations under NIS2 for in-scope food processors are substantial. They include risk management measures, incident reporting within 24 hours, supply chain security assessment, business continuity planning, and board-level accountability. Directors of in-scope entities face personal liability for cybersecurity failures. The NCSC Ireland has published guidance on the CyFUN framework as the preferred approach for Irish organisations demonstrating NIS2 compliance.
Does your fish processing business have more than 50 employees or turn over more than €10 million? Book a free 20-minute strategy call — we work with food production and processing businesses across Donegal and can confirm your NIS2 scope status within a single session.
WHAT NOW: The Compliance Obligations That Overlap With Food Safety Law
The fish processing industry faces a unique compliance challenge: cybersecurity obligations under NIS2 overlap directly with existing obligations under EU food safety law, creating a situation where a single cyber incident can trigger multiple simultaneous regulatory consequences.
EU food safety traceability. EU Regulation (EC) 178/2002 requires food businesses to maintain full digital traceability — the ability to trace any product through all stages of production, processing and distribution. For fish processors, this means maintaining digital records linking every batch of finished product back to the vessel, catch, landing, and processing steps. If ransomware destroys your traceability data, or renders it inaccessible, you cannot comply with your food safety obligations. Product batches with compromised traceability data must be withdrawn from the market — not because the product is unsafe, but because you cannot prove it is safe. This is a cybersecurity incident that becomes a food safety enforcement matter.
SFPA digital reporting. The Sea-Fisheries Protection Authority requires digital reporting of catch data, landing declarations, and compliance documentation. A compromised SFPA login — secured with nothing more than a username and password, which is the current state for most Irish fish processors — could be used to submit false declarations, alter catch records, or access commercially sensitive competitor information. Multi-factor authentication on every SFPA-facing system is not optional. It is the minimum control required to protect your regulatory standing with the SFPA.[^2]
GDPR and crew health records. Fish processing businesses hold personal data that triggers GDPR obligations — crew health records, employment contracts, payroll data, and in some cases biometric access control data. A data breach involving crew health records requires reporting to the Data Protection Commission within 72 hours. For a small fishing business without a dedicated HR or compliance function, managing this obligation alongside the operational disruption of a cyber incident is extremely challenging. Storing personal data — particularly health records — separately from operational systems, encrypted at rest, and backed up independently is the practical step that prevents a single ransomware incident from compromising everything simultaneously.[^3]
The workforce training challenge. The fishing industry faces a compliance challenge that is genuinely distinct from other sectors. Many processing plants scale their workforce dramatically during peak seasons, bringing in temporary workers who may be on site for weeks. Training these workers on basic cybersecurity — do not plug in unknown devices, do not share passwords, report anything suspicious — before they start handling systems is a logistical challenge that most plants do not currently attempt. Phishing emails targeting workers may arrive in languages other than English. A five-minute induction delivered in the worker's language, covering the three behaviours that matter most, is more effective than any comprehensive English-language programme that nobody completes.
WHY IT MATTERS: The Multi-Regulatory Exposure
Irish fish processors operating without adequate cybersecurity controls face a regulatory exposure that stacks across multiple authorities simultaneously. The NCSC Ireland can act under NIS2 on incident reporting and risk management failures. The SFPA can act on catch data integrity and reporting failures. The Data Protection Commission can act on personal data breaches involving crew records. The Food Safety Authority of Ireland can act on traceability failures. A single ransomware incident can trigger all four simultaneously — making the remediation and regulatory response far more complex and costly than in any single-regulator sector.
An Garda Síochána's National Cyber Crime Bureau has increasingly engaged with the food processing and fishing sectors as cybercriminal groups have recognised that perishable goods processing creates pressure to pay ransoms quickly. The leverage available to attackers in this sector — perishable stock, regulatory reporting windows, EU export documentation — makes it a disproportionately attractive target.
A single cyber incident in fish processing can trigger food safety withdrawal obligations, SFPA reporting failures, GDPR breach notifications, and NIS2 penalties simultaneously.
WHAT NEXT: Three Actions for Irish Fish Processors
1. Determine your NIS2 scope. If you have more than 50 employees or turn over more than €10 million, conduct a formal scope assessment. Contact the NCSC Ireland for guidance on entity classification. Document the assessment regardless of the outcome — it demonstrates active governance.
2. Enable MFA on every system that faces external access — email, SFPA portals, your ERP or production management system, and any remote access your IT provider uses. Default credentials on production systems, barcode scanners, and packaging equipment should be changed if they have not been already.
3. Audit your traceability system's resilience. Identify where your traceability data is stored, how it is backed up, and what happens if the primary system is unavailable for 48 hours. If you cannot answer these questions confidently, that is your highest-priority gap.
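The three questions above (where the traceability data lives, how it is backed up, and whether a restore would actually satisfy Regulation 178/2002's batch-to-vessel chain) can be turned into a repeatable drill. The script below is an added example written for this article, not code from the original post or from any named vendor; it assumes a constructed nightly JSON export of batch records plus a manifest carrying the export timestamp and a SHA-256 of the file, and a 24-hour recovery point objective. It checks that the backup is intact, recent enough, and that every finished batch still links back to a vessel, landing and catch reference, which is exactly what a withdrawal decision would hinge on.

```python
"""Traceability backup drill: integrity, freshness and chain completeness.

Added example (not from the original article). All data below is constructed.
Assumptions: a nightly export of finished-product batches as JSON, a manifest
recording the export time and SHA-256 of that file, and a 24-hour RPO.
"""
import hashlib
import json
from datetime import datetime, timedelta, timezone

RPO = timedelta(hours=24)  # assumed recovery point objective for this drill
REQUIRED_LINKS = ("vessel", "landing_ref", "catch_ref")  # per-batch fields the chain needs

# Constructed sample export; the third batch deliberately lacks its vessel link.
SAMPLE_EXPORT = json.dumps({
    "batches": [
        {"batch_id": "B-1001", "product": "smoked salmon 200g",
         "vessel": "D-123", "landing_ref": "L-55", "catch_ref": "C-9001"},
        {"batch_id": "B-1002", "product": "cod fillet 1kg",
         "vessel": "D-456", "landing_ref": "L-56", "catch_ref": "C-9002"},
        {"batch_id": "B-1003", "product": "haddock fillet 500g",
         "vessel": "", "landing_ref": "L-57", "catch_ref": "C-9003"},
    ]
}, sort_keys=True).encode()

SAMPLE_EXPORTED_AT = datetime(2024, 6, 1, 2, 0, tzinfo=timezone.utc)  # constructed


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_manifest(export_bytes: bytes, exported_at: datetime) -> dict:
    """Manifest the backup job would write beside the export (constructed format)."""
    return {"sha256": sha256_hex(export_bytes), "exported_at": exported_at.isoformat()}


def check_backup(export_bytes: bytes, manifest: dict, now: datetime) -> list:
    """Return a list of findings; an empty list means the backup passes the drill."""
    findings = []
    # 1. Integrity: the bytes we would restore from must match the manifest hash.
    if sha256_hex(export_bytes) != manifest["sha256"]:
        findings.append("integrity: export hash does not match manifest")
        return findings  # nothing else in a tampered or corrupted file is trustworthy
    # 2. Freshness: a restore older than the RPO loses a day of batch records.
    age = now - datetime.fromisoformat(manifest["exported_at"])
    if age > RPO:
        findings.append(f"freshness: backup is {age} old, exceeds RPO of {RPO}")
    # 3. Chain completeness: every batch must trace back to vessel, landing and catch.
    for rec in json.loads(export_bytes)["batches"]:
        missing = [k for k in REQUIRED_LINKS if not rec.get(k)]
        if missing:
            findings.append(f"traceability: batch {rec['batch_id']} missing {', '.join(missing)}")
    return findings


def run_drill() -> dict:
    """Run three scenarios against the constructed export and return their findings."""
    good = make_manifest(SAMPLE_EXPORT, SAMPLE_EXPORTED_AT)
    tampered = dict(good, sha256="0" * 64)  # manifest no longer matches the file
    soon = SAMPLE_EXPORTED_AT + timedelta(hours=6)
    late = SAMPLE_EXPORTED_AT + timedelta(hours=48)
    return {
        "intact_and_fresh": check_backup(SAMPLE_EXPORT, good, soon),
        "tampered": check_backup(SAMPLE_EXPORT, tampered, soon),
        "stale": check_backup(SAMPLE_EXPORT, good, late),
    }


if __name__ == "__main__":
    for scenario, findings in run_drill().items():
        print(scenario, "->", findings or ["PASS"])
```

Run it against a copy of the real export on a machine that is not the production traceability server; if the chain-completeness check fires on a batch, that batch is the one you could not defend in a withdrawal decision, which is the "highest-priority gap" the article describes.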
Related Reading
- NIS2 Board Liability: Can Irish Directors Be Personally Liable?
- NIS2 Cost of Non-Compliance: Why Irish SMEs Cannot Ignore It
- Incident Response Planning: What to Do Before a Cyber Attack Hits
[^1]: NCSC Ireland — NIS2 food production sector guidance: https://www.ncsc.gov.ie/advice-for-organisations/
[^2]: An Garda Síochána — National Cyber Crime Bureau on fishing industry cybercrime: https://www.garda.ie/en/crime/cyber-crime/
[^3]: Data Protection Commission Ireland — breach notification for employers: https://www.dataprotection.ie
Pragmatic Security — Cybersecurity advisory for Irish businesses. Based in Donegal, Ireland. CISA, CISSP, CISM certified advisors.