The pharmaceutical distribution layer of Europe is not where the public watches for risk. The cameras point at manufacturers, at hospitals, at regulators. But between those layers sits a network of mid-sized distributors that move branded medication across borders, manage cold chain logistics, and handle some of the most sensitive data flows in the regulated economy. Most of them are running on infrastructure that was built before NIS2 existed.
This is a study of one of them. The company name is withheld; the operating profile is real. We will call it Distributor A.
Distributor A operates from a single jurisdiction in Southern Europe. It holds active commercial relationships with several large pharmaceutical manufacturers. Its IT department is small. Its compliance officer also manages regulatory affairs and partly oversees commercial operations. By any structural measure, this is a small organization handling outsized institutional weight. And under the new European compliance environment that came into force during 2024 and 2025, this gap between operational scale and infrastructural scale is no longer absorbed by goodwill or longstanding relationship. It is now audited.
The new regulatory perimeter
The Network and Information Security Directive 2 (NIS2) extended the scope of European cybersecurity obligations to a broader set of operators, including significant portions of the pharmaceutical supply chain. For distributors that handle branded medication, the practical consequence is that their pharmaceutical clients are now required to verify the cybersecurity posture of their distribution partners as part of their own compliance obligations.
This is not theoretical. In practice it means that during 2025 and 2026, mid-sized European distributors began receiving compliance questionnaires from their pharma principals — questionnaires that previously did not exist, or that existed in much lighter form. The questionnaires ask, in technical detail, about access management, incident response capability, data flow segmentation, encryption posture, audit logging, and supply chain risk management.
Distributor A received its first such questionnaire from one of its principals in the second half of 2025. It ran to dozens of pages. After considerable effort by the internal team, the organization produced a response. The internal assessment conducted afterwards identified a significant gap between what the questionnaire required and what the organization could honestly claim to have implemented.
The internal report on this gap was filed. No external decision was made. The compliance officer noted the situation. Operations continued.
The structural drift
How does an organization arrive at a state where a large portion of its required compliance controls are not in place? The temptation is to assume neglect. The reality, in this case, is closer to drift.
Distributor A was founded in the late 1990s as a regional logistics operation. Its first IT investments were made in the early 2000s. The infrastructure has been extended, patched, and partly migrated since then, but never structurally rebuilt. The compliance frameworks under which it operated for the first twenty years of its life were primarily about cold chain integrity and product traceability: physical compliance, not informational.
When digital compliance obligations began to arrive in the 2010s, they did so in waves. The General Data Protection Regulation in 2018 was the first wave that meaningfully affected the organization. It was absorbed through a combination of legal advisory, template policies, and minimal technical change. The infrastructure remained essentially what it had been before. The compliance documentation was updated; the underlying systems were not.
This is the pattern across most mid-sized regulated distributors in Southern Europe. Compliance documentation has been adapted, layer by layer, to the new regulatory environment. The infrastructure underneath has not been adapted in proportion. The result is what compliance professionals privately call a paper-and-spreadsheet compliance layer: documents and policies that describe what should be happening, sitting on top of systems that do not enforce what the documents claim.
The audit asymmetry
Until recently, this gap was tolerable because the audit pressure on distributors came from regulators directly, and regulators were operating with limited capacity and a long backlog. The probability that any given distributor would be audited in detail in any given year was low. The cost of preparing for a possible audit was therefore weighed against a small probability of facing one.
NIS2 changes this calculus structurally, not incrementally. The new regulatory architecture pushes audit pressure from the regulator downward, through the regulated entities, to their suppliers. Pharmaceutical manufacturers are now responsible for the compliance posture of their distribution network as part of their own audit perimeter. The result is that audits no longer arrive from regulators with limited capacity. They arrive from clients with substantial commercial leverage.
This is the asymmetry that distinguishes the current period from the previous twenty years. A regulator that finds a gap can issue a notice, a fine, or a corrective action plan. A pharmaceutical client that finds a gap can switch distributor.
The four structural failures
The gap between Distributor A's compliance posture and the requirements it now faces is not a single deficit. It is structured along four distinct axes, each of which requires a different kind of intervention.
One: Identity and access
Most regulated distributors of this size operate without a unified identity and access management layer. Email accounts, ERP accounts, warehouse system accounts, document repositories, and external portal access are managed separately. When a person leaves the organization, the process of revoking access is partly manual, partly forgotten, and impossible to audit. NIS2-aligned audits expect a documented, automated, regularly reviewed access lifecycle. Distributor A has none of these.
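The "impossible to audit" part of the leaver problem is mechanical, and the minimum an access review needs is easy to state: a current HR roster on one side, the active-account exports of every unconnected system on the other, and a record of what was compared. The following script is an added illustration, not Distributor A's tooling; it assumes each system can export its enabled accounts with the owner's e-mail attached (the roster, account list and addresses below are constructed sample data) and reports the two findings an auditor asks about first: accounts whose owner has left and accounts with no HR owner at all.

```python
"""Access-lifecycle reconciliation across systems that share no identity layer.

Added example (not Distributor A's code). Assumptions: HR supplies a roster
with leave dates; each system (mail, ERP, WMS, external portal) can export its
accounts with the owner's e-mail as the join key. All data below is constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional
import hashlib
import json


@dataclass(frozen=True)
class Person:
    person_id: str
    email: str
    left_on: Optional[date] = None  # None means still employed


@dataclass(frozen=True)
class Account:
    system: str        # "mail", "erp", "wms", "portal" (constructed names)
    username: str
    owner_email: str   # how the system ties the account to a person
    enabled: bool


# Constructed HR roster.
ROSTER = [
    Person("p001", "a.ruiz@example.test"),
    Person("p002", "m.costa@example.test", left_on=date(2025, 3, 31)),
    Person("p003", "l.ferro@example.test"),
]

# Constructed per-system account exports.
ACCOUNTS = [
    Account("mail", "a.ruiz", "a.ruiz@example.test", True),
    Account("erp", "aruiz", "a.ruiz@example.test", True),
    Account("wms", "mcosta", "m.costa@example.test", True),     # leaver, still enabled
    Account("mail", "m.costa", "m.costa@example.test", False),  # leaver, already disabled
    Account("portal", "supplier01", "ops@example.test", True),  # no HR owner at all
    Account("erp", "lferro", "l.ferro@example.test", True),
]


def reconcile(roster, accounts, as_of):
    """Compare accounts against the roster as of an ISO date string.

    Returns {"stale": [...], "orphaned": [...]}:
      stale    = enabled accounts whose owner left before `as_of`
      orphaned = enabled accounts whose owner is not in HR at all
    Disabled accounts are ignored: revocation has already happened.
    """
    cutoff = date.fromisoformat(as_of)
    by_email = {p.email: p for p in roster}
    stale, orphaned = [], []
    for acct in accounts:
        if not acct.enabled:
            continue
        owner = by_email.get(acct.owner_email)
        if owner is None:
            orphaned.append(acct)
        elif owner.left_on is not None and owner.left_on < cutoff:
            stale.append(acct)
    return {"stale": stale, "orphaned": orphaned}


def review_record(findings, as_of, reviewer):
    """Turn the findings into the evidence an auditor can be handed.

    The SHA-256 over the canonical JSON lets a later reader confirm the record
    was not edited after the review was signed off.
    """
    body = {
        "as_of": as_of,
        "reviewer": reviewer,
        "stale": [f"{a.system}:{a.username}" for a in findings["stale"]],
        "orphaned": [f"{a.system}:{a.username}" for a in findings["orphaned"]],
    }
    payload = json.dumps(body, sort_keys=True).encode()
    body["sha256"] = hashlib.sha256(payload).hexdigest()
    return body


if __name__ == "__main__":
    found = reconcile(ROSTER, ACCOUNTS, "2025-06-01")
    print(json.dumps(review_record(found, "2025-06-01", "compliance-officer"), indent=2))
```

Run quarterly and kept with its hash, the output is exactly the "documented, regularly reviewed" artefact the questionnaire asks for; the automation gap remains, but the finding list tells the IT department which accounts to disable today.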
Two: Logging and traceability
Operational systems generate logs. The question is whether the logs are centralized, retained for the regulatory minimum, protected against tampering, and queryable for audit purposes. In Distributor A's infrastructure, logs exist in each system in isolation, with inconsistent retention policies and no centralized auditable store. When the audit asks for the access record of a specific document over a specific period, assembling the answer requires manual extraction from multiple systems, with no guarantee of completeness.
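What "centralized, tamper-evident and queryable" looks like in practice is modest. The script below is an added example, not Distributor A's code; it assumes three constructed log formats (a document repository, the ERP and the mail gateway), normalises them into one record shape, appends each record to a SHA-256 hash chain, and then answers the audit question from the paragraph above: who touched a given document in a given period. The verification function shows how an after-the-fact edit to any entry is caught.

```python
"""Central, tamper-evident access log with an audit query.

Added example (not Distributor A's code). The three raw line formats, the
usernames and the document identifiers are constructed for illustration.
"""
import hashlib
import json
import re
from datetime import datetime, timezone

# Constructed raw lines, each in its source system's own format.
RAW = [
    ("dms", "2025-09-03T09:14:02Z user=aruiz action=VIEW doc=CONTRACT-0417"),
    ("dms", "2025-09-04T16:40:11Z user=mcosta action=DOWNLOAD doc=CONTRACT-0417"),
    ("erp", "03/09/2025 11:02:55 | lferro | ORDER_EDIT | ORD-88120"),
    ("dms", "2025-10-12T08:01:30Z user=aruiz action=VIEW doc=CONTRACT-0417"),
    ("mail", "2025-09-05 07:55:00 aruiz SEND attachment=CONTRACT-0417.pdf"),
]

DMS_RE = re.compile(r"^(\S+) user=(\S+) action=(\S+) doc=(\S+)$")
ERP_RE = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) \| (\S+) \| (\S+) \| (\S+)$")
MAIL_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) attachment=(\S+)$")

GENESIS = "0" * 64


def normalise(system, line):
    """Map one raw line to the common record: ts (UTC ISO), system, user, action, object."""
    if system == "dms":
        ts, user, action, obj = DMS_RE.match(line).groups()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    elif system == "erp":
        ts, user, action, obj = ERP_RE.match(line).groups()
        when = datetime.strptime(ts, "%d/%m/%Y %H:%M:%S")
    elif system == "mail":
        ts, user, action, obj = MAIL_RE.match(line).groups()
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        obj = obj.rsplit(".", 1)[0]  # CONTRACT-0417.pdf -> CONTRACT-0417
    else:
        raise ValueError(f"unknown system {system!r}")
    return {"ts": when.replace(tzinfo=timezone.utc).isoformat(), "system": system,
            "user": user, "action": action, "object": obj}


def _digest(prev_hash, record):
    """Hash of the previous entry's hash plus the canonical JSON of this record."""
    canon = json.dumps(record, sort_keys=True).encode()
    return hashlib.sha256(prev_hash.encode() + canon).hexdigest()


def build_chain(raw):
    """Append every normalised record to a hash chain starting from GENESIS."""
    chain, prev = [], GENESIS
    for system, line in raw:
        rec = normalise(system, line)
        entry = {"record": rec, "prev": prev, "hash": _digest(prev, rec)}
        chain.append(entry)
        prev = entry["hash"]
    return chain


def verify_chain(chain):
    """Return None if intact, else the index of the first entry that fails."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev"] != prev or _digest(prev, entry["record"]) != entry["hash"]:
            return i
        prev = entry["hash"]
    return None


def access_record(chain, obj, start_iso, end_iso):
    """All accesses to `obj` with start <= ts < end (dates as ISO strings, UTC)."""
    start = datetime.fromisoformat(start_iso).replace(tzinfo=timezone.utc)
    end = datetime.fromisoformat(end_iso).replace(tzinfo=timezone.utc)
    hits = []
    for entry in chain:
        r = entry["record"]
        ts = datetime.fromisoformat(r["ts"])
        if r["object"] == obj and start <= ts < end:
            hits.append((r["ts"], r["system"], r["user"], r["action"]))
    return sorted(hits)


if __name__ == "__main__":
    chain = build_chain(RAW)
    print("chain intact:", verify_chain(chain) is None)
    for hit in access_record(chain, "CONTRACT-0417", "2025-09-01", "2025-10-01"):
        print(*hit)
```

The chain itself is not a substitute for restricted write access to the log store, but it turns a silent edit into a detectable one, and the query gives the audit team a single place to ask the question instead of three exports and a spreadsheet.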
Three: Data segmentation
Pharmaceutical distribution involves several distinct data domains: commercial data (orders, pricing, contracts), product data (batch numbers, expiration dates, cold chain records), personal data (customer contacts and, in some jurisdictions, prescription information), and pharmacovigilance data where applicable. NIS2 expects these domains to be segmented at infrastructure level. In Distributor A's case, most of this data flows through systems where segmentation exists only at application level, which means an account with broad access can in practice cross domains in ways the policy claims it cannot.
Four: Incident response capability
When something goes wrong, the organization is expected to have a documented and rehearsed incident response process covering detection, containment, communication to affected parties within regulatory windows, and post-incident analysis. Distributor A has a document describing this process. It has never been rehearsed. The person designated as incident response lead also handles several other operational functions.
The cost of the gap
The cost of an unresolved compliance gap is contingent: it only materializes if something happens. But contingent does not mean negligible. It means probabilistic, and the probabilities in Distributor A's situation are no longer low.
The consequences of a failed supplier audit are commercial, not just regulatory. A pharmaceutical manufacturer that identifies a compliance gap in its distribution partner faces its own regulatory pressure to act. The response options range from a corrective action plan with a deadline to a reallocation of volume to more compliant suppliers. Either outcome is materially worse for the distributor than the cost of remediating the gap proactively.
The core dynamic is this: the cost of staying where they are is absorbed invisibly across time. The cost of remediating is concentrated and visible. Organizations systematically underweight the former relative to the latter. This is not irrationality. It is the natural output of budget processes that reward visible spending and absorb invisible risk.
Why this is structural, not incidental
It would be easy to read this case as a story about one organization that fell behind. But Distributor A is not an outlier. It is a representative sample of an entire layer of European mid-market regulated distribution.
The reasons are structural. Mid-sized regulated distributors in Southern Europe operate at a margin profile that does not naturally support discretionary infrastructure investment. They have grown through commercial expansion, not through infrastructural transformation. Their leadership comes predominantly from commercial, operational, and regulatory backgrounds, not from technology. Their relationship with technology vendors has historically been transactional: buy when needed, replace when broken, never structurally redesign.
At the same time, the regulatory environment in which they operate has tightened significantly in less than a decade. GDPR in 2018, expanded pharmacovigilance obligations in 2019, the European Health Data Space framework progressing through 2023 and 2024, NIS2 in 2024, the upcoming AI Act provisions. Each layer adds requirements that the previous infrastructure was never designed to satisfy.
The result is a sector-wide gap between organizational maturity and infrastructural maturity that is widening, not narrowing. Most organizations in this layer will reach the point where their infrastructure becomes commercially disqualifying before they reach the point where they decide to rebuild it. The question is which event arrives first.
What happens next
For Distributor A, three scenarios are realistic over the next twenty-four months.
In the first scenario, one of its principals conducts a deeper audit, identifies the structural gap, and either issues a corrective action plan with a deadline or moves a portion of its volume to a more compliant distributor. The organization is then forced to remediate under time pressure, at higher cost than a planned program would require.
In the second scenario, an incident occurs that triggers regulatory attention and consequent disclosure to principals. The cost trajectory is similar to the first scenario, but accelerated and with public visibility.
In the third scenario, the organization decides to remediate proactively, before any external trigger. This is the lowest-cost path, but it requires a strategic decision that mid-sized organizations of this profile rarely take in the absence of external pressure.
Across the broader sector, the pattern of the last five years suggests that the audit and the incident arrive first far more often than the proactive decision does.
What this study is, and what it is not
This study is a documentation of a structural condition. The Spies Files does not sell remediation, advisory, or implementation services. Our position is that the gap in mid-market regulated distribution exists, has predictable consequences, and is presently invisible in most strategic conversations within the affected organizations.
The intended reader is whoever inside or adjacent to one of these organizations needs to articulate the gap in terms that can move a budget decision. What is done with this analysis is outside the scope of this publication.
The next study examines a parallel structural drift in a different sector: the digital infrastructure of national sports federations in the Iberian Peninsula. Different industry, same pattern.