Significant cyberattacks and threats against logistics providers this year caused widespread operational delays, highlighting the direct link between digital security and the physical movement of goods. The incidents of 2025 have served as a stark wake-up call, demonstrating that supply chain vulnerabilities are no longer confined to shipping lanes and warehouses but extend deep into the digital infrastructure that underpins global trade. For companies across Europe, these events have revealed a critical blind spot: the operational and financial risks emanating from cybersecurity weaknesses within their logistics networks. This reality is forcing a long-overdue reckoning, compelling a shift from viewing cybersecurity as a siloed IT issue to treating it as a core pillar of strategic risk management and operational resilience.
This article examines how recent cyberattacks have served as a catalyst for the logistics industry, prompting a necessary shift toward embedding cybersecurity at the heart of strategic planning. It will analyze the evolving threat landscape and dissect how new European regulations, specifically the NIS 2 Directive and the AI Act, provide both a mandate and a framework for mitigating these growing risks.
This article was written by Mario van den Broek and Marius Ungureanu. Mario and Marius are consultants with RSM Netherlands Business Consulting with a focus on supply chain management.
The New Threat Landscape: When Digital Risks Become Physical Disruptions
The year 2025 will be remembered as the moment the theoretical threat of supply chain cyberattacks became a tangible, costly reality. High-profile breaches targeting major logistics firms and port operators have evolved beyond data theft, resulting in direct physical disruptions. This new threat landscape exposes the deep-seated interdependencies of modern supply chains. A single breach at a third-party logistics (3PL) provider, a port terminal, or a software vendor can trigger a domino effect, impacting manufacturers, retailers, and end consumers. The very technologies that have driven efficiency, such as IoT-enabled tracking, automated warehousing, and integrated logistics platforms, have also expanded the attack surface, creating new entry points for cybercriminals. The incidents of this year have made it painfully clear that a company’s cybersecurity posture is only as strong as its weakest link, which is often a trusted partner in its supply network. [2]
Regulatory Catalysts: The Role of NIS 2 and the AI Act
As the threat landscape intensifies, European regulators are taking decisive action to mandate a higher standard of digital resilience. Two key pieces of legislation are set to reshape cybersecurity expectations for the supply chain and logistics sector: the NIS 2 Directive [3] and the EU AI Act [4].
The NIS 2 Directive, which builds on its predecessor, significantly expands its scope to include "important" entities within the transport sector. Logistics providers, port operators, and other key supply chain stakeholders are now subject to stringent risk management and reporting requirements. The directive requires these organizations to implement comprehensive cybersecurity measures, including supply chain security risk assessments, incident handling protocols, and business continuity plans. Non-compliance carries severe financial penalties, making it a matter of concern for the board. NIS 2 forces companies to look beyond their own four walls and actively manage the cybersecurity risks posed by their direct suppliers and partners.
Simultaneously, the AI Act introduces a new layer of governance for companies leveraging artificial intelligence to optimize their supply chain operations. As AI becomes embedded in demand forecasting, route optimization, and automated warehousing, the act imposes a risk-based framework to ensure these systems are secure, robust, and transparent. For "high-risk" AI applications, such as those used in managing critical infrastructure, the legislation mandates rigorous data governance, human oversight, and cybersecurity controls throughout the AI lifecycle. This ensures that the algorithms driving supply chain decisions are not only efficient but also resilient to manipulation or failure, preventing the catastrophic disruptions that could arise from a compromised AI system.
A Strategic Roadmap to Supply Chain Resilience
In this new era of heightened risk and regulation, a reactive, compliance-focused approach to cybersecurity is insufficient. Leading organizations are adopting a proactive stance, building resilience into the very fabric of their supply chain strategy. This approach is structured around three key actions:
- Implement Holistic Risk Assessment: Companies must move beyond traditional cybersecurity audits to conduct comprehensive, end-to-end assessments of their entire supply chain risk. This involves mapping the entire digital ecosystem, from software vendors and cloud providers to 3PLs and freight forwarders, to identify hidden dependencies and potential vulnerabilities. The goal is to understand not just your own security posture but that of every partner with access to your systems or data.
- Align Cybersecurity with Corporate Strategy: Cybersecurity can no longer be delegated solely to the IT department. The risks are too closely tied to operational continuity and financial performance. Decisions about digital security must be integrated with broader strategic planning, including procurement, partner selection, and business continuity. This alignment ensures that resilience is a shared responsibility across the organization, championed by the C-suite and embedded in the corporate culture.
- Invest in Resilient Technologies and Frameworks: Building a defensible supply chain requires investment in technologies and frameworks designed for resilience. This includes adopting a "zero-trust" security architecture, where no user or device is trusted by default, and leveraging AI-powered threat detection to identify and respond to anomalies in real-time. Furthermore, adherence to frameworks like that provided by NIS 2 should not be seen as a compliance burden but as a strategic roadmap for building a robust and defensible digital infrastructure.
Forward Thinking
The companies that thrive in this new environment will be those that embrace this paradigm shift. By moving beyond mere compliance and proactively embedding cybersecurity into their strategic planning, they will not only shield themselves from the devastating impact of digital disruptions but also build more transparent, trustworthy, and resilient supply chains. In a world where the reliability of physical goods flow is inextricably linked to the security of digital information, a proactive cybersecurity strategy is the ultimate guarantee of business continuity and market leadership.
Companies must develop integrated risk models that map digital vulnerabilities to their physical, operational, and financial consequences. This means moving beyond simplistic calculations of data breach costs to rigorously modeling the full business impact of a multi-day port closure, a fleet-wide OT compromise, or a corrupted AI forecasting model. This holistic view of cyber-physical risk must be the new baseline for effective governance, strategic planning, and demonstrating due diligence to regulators and shareholders alike.
The investments required for NIS 2 and AI Act compliance should not be viewed as a cost burden, but as a strategic investment in trust and resilience. In a world where supply chain partners are mandated to scrutinize each other's security posture, a demonstrable and certified robust security framework becomes a powerful commercial asset. Organizations should proactively market their compliance and advanced security capabilities as a key differentiator. Doing so will attract and retain high-value customers who are themselves under regulatory pressure, secure preferential terms with insurers who are re-evaluating cyber risk, and ultimately position the organization as a trusted and resilient leader.