NIS2 directive requires postal providers to take measures on cybersecurity

12 January 23
Cathrine Grimseid

The revised directive on the security of network and information systems (NIS2) will apply to postal service providers, including providers of courier services, that have more than 50 employees and a total annual turnover of €10m or more. This includes all providers that provide at least one of the four steps in the postal delivery chain, excepting transport.

Postal service providers must establish a cybersecurity risk mitigation strategy that:

  • assesses the risks associated with their network and information systems;
  • implements security policies to address the identified risks;
  • establishes access control policies and uses authentication solutions to prevent unauthorised access;
  • includes an incident handling procedure in response to cyberattacks; and
  • establishes a service continuity strategy, including disaster recovery.

Postal providers must also notify the national computer security incident response team of significant security breaches within 24 hours.

As so-called “important entities” under NIS2, postal providers are subject only to ex post supervision.

