NIS2 Annex.II.2: Postal and Courier Services Cybersecurity Requirements

Secure the operational technology that keeps logistics running: automated sorting systems in distribution centres, fleet management and route optimisation platforms, parcel tracking and tracing, and automated locker networks. Segment these operational systems from corporate IT. Protect customer data across the entire delivery lifecycle. Postal services handle large volumes of personal information - names, addresses, delivery preferences, customs declarations. Encrypt customer data at rest and in transit, enforce access controls so only authorised personnel can see it, set retention policies to minimise how long you store delivery data, and securely dispose of both physical and digital records. Lock down mobile and IoT devices used in delivery operations. Drivers carry mobile devices for route guidance, signature capture, and delivery confirmation. Deploy mobile device management (MDM), enforce app security controls, encrypt communications with central systems, and enable remote wipe for lost or stolen devices. Apply strong access controls to logistics management systems. These systems manage routes, scheduling, and resource allocation - compromising them could enable targeted theft, surveillance of specific shipments, or operational disruption. Use role-based access, require MFA for administrative functions, and log all activity. Build incident response procedures around postal operations. Think through the impact of system outages on delivery commitments, communication with e-commerce partners and customers, fallback procedures for manual sorting and routing, and coordination with law enforcement when incidents involve parcel theft or surveillance. Assess cybersecurity risks from your technology supply chain. Postal services rely on specialised logistics technology providers, e-commerce platform integrations, and customs systems. Each of these dependencies is a potential attack vector.