The amendment to the Cybersecurity Act transposing the NIS 2 Directive has also brought new obligations for food processing and distribution businesses. The leader of the Slovak meat processing industry decided to react in a timely and systematic manner. In cooperation with GAMO a.s., it went through a comprehensive process of evaluation, analysis and strengthening of its cyber resilience.
As a result of the systematic approach that MECOM GROUP launched back in 2023 and developed during 2024, the new legal requirements were successfully met. In February 2025, the company registered as an operator of a critical core service in food production and distribution. It has a clear overview of its cyber security posture, has mapped risks and their impacts, and has developed a plan of specific actions with clearly defined priorities and responsibilities.
The company’s management is aware that cybersecurity is not a one-off project, but a long-term process that requires regular review and updating. Thanks to this approach, the company has gained not only compliance with legislation, but also increased resilience to incidents and the trust of partners for whom reliability is key in today’s digital environment.
New legal obligations for the food sector
Act No. 69/2018 Coll. on Cybersecurity, as amended in 2025, introduced stricter rules for a number of sectors in the field of industry, distribution or service provision, including critical infrastructure. These include “food production, processing and distribution” – i.e. businesses engaged in wholesale distribution and industrial food production and processing.
MECOM GROUP s.r.o. has thus become an entity subject to the obligations of the Act and, given its position on the market, is designated as a provider of a critical essential service. The company decided not to wait for 1 January 2025, when the amended Cybersecurity Act was due to come into force, but to act proactively and professionally.
Strategic approach: leadership involvement and expert assistance
Cybersecurity is not just a technical task for the IT department – it’s a strategic issue with implications for business operations, supply chain and reputation. MECOM GROUP s.r.o. therefore involved the management in the preparation process from the beginning and invited experts from GAMO to cooperate.
The first step was a GAP analysis – an independent assessment of the status and level of security measures in the company against the requirements of the law and related decrees. The analysis showed where the strengths lay and also identified areas that would require additions or adjustments. The results of the GAP analysis included detailed suggestions in the areas of security processes, procedures, and, in part, suggestions for new technologies.
Inventory of IT assets and their categorisation
Based on the results of the GAP analysis, a mapping of IT assets used in MECOM GROUP s.r.o. followed, i.e. an inventory of what should be subject to cyber protection. This covered not only physical servers, computers and network infrastructure, but also software, data, human resources and the premises of MECOM GROUP itself. At the same time, priorities were identified – critical assets in terms of value to the company, based on security attributes: confidentiality, integrity, availability.
Linkages between assets were also recorded in the asset catalogue. In parallel with this activity, the IT department also updated the topology map of the IT infrastructure on which the asset catalogue is based.
Risk analysis: practical scenarios and concrete measures
The identification of key assets and processes was followed by a risk analysis that identified the most serious risks to individual IT assets. For each identified asset – servers, applications, data or processes – the likelihood of a specific threat occurring and its potential impact was determined. At the same time, for each risk, the owner responsible for its management and treatment was identified. The result was a list of risks divided into those that:
- can only be monitored,
- are essential to treat.
Business Impact Analysis (BIA): what’s most valuable to the company
The asset catalogue was also the basis for the Business Impact Analysis (BIA). The aim was to identify which processes and services were most critical to the company and whose failure would pose a significant threat to the continuity of production and subsequent distribution of products.
MECOM GROUP has identified key processes in terms of planning, sales, purchasing, production, dispatch and other areas and has determined:
- Key processes and their owners,
- IT assets necessary for the full functionality of the process.
Subsequently, the process owners together with the IT manager determined:
- The level of impact in the event of a failure – financial, internal processes, reputational consequences, breaches of contractual or legal obligations,
- Recovery Time Objective (RTO) and Recovery Point Objective (RPO) requirements,
- Vital persons who are essential to the restoration of operations in the event of an incident.
With this step, the company has prioritized which processes, or which IT assets, are critical and of the highest importance for maintaining production continuity.
Vulnerability analysis of the system and network environment
The analytical activity was also supported by a practical examination of the state of IT and OT technologies aimed at detecting network cyber threats in a non-invasive manner. Based on automated analysis of network traffic and data flows using AI, the objective was to search for cyber threats and security anomalies, i.e. potentially dangerous events.
From the findings that emerged from the detection of network cyber threats, a list of critical IT assets was compiled, along with a proposal to resolve the most serious detections. Specific suggestions were prepared on how to increase resilience to cyber risks – whether by applying hardening rules, adjusting network elements, forcing updates, disabling poorly secured protocols if they are not being used, and more.
At the same time, a picture was obtained of which vulnerabilities are insufficiently treated and what their level of severity is.
Cybersecurity as part of business strategy
This case shows that even a manufacturing company outside the IT sector can (and must) actively work to increase its resilience. Early response, management buy-in and expert handling of the entire process ensured that the company was prepared not only for new responsibilities but also for real threats.
Cybersecurity is becoming a competitive advantage – not just in terms of regulation, but especially in terms of credibility for customers, partners and the public.
Recommendations for other companies
- Don’t wait for an audit – start with an audit and GAP analysis.
- Gain management support and identify internal process owners.
- Don’t forget staff training – safety starts with people.
- Approach cybersecurity as an ongoing process, not a one-off project.