NIS2 and the Transport Sector
Air, rail, water and road transport operators are covered under NIS2 Annex I. This includes airlines, airports, railway managers, maritime port operators and road transport authorities. Cross-border interdependencies make this sector highly critical.
Key cyber risks in Transport
- ▸Cyberattacks on air traffic management systems
- ▸Ransomware targeting port operations
- ▸GPS spoofing affecting navigation
- ▸Data breaches in passenger booking platforms
Focus obligations for Transport
- ✓Incident response plans for safety-critical systems
- ✓Security of communication and navigation systems
- ✓72-hour incident reporting to the national authority
- ✓Vendor risk management for booking and logistics software
Who is covered?
Examples of in-scope organisation types:
- ·Airlines and airport operators
- ·Rail infrastructure managers
- ·Maritime port authorities
- ·Road transport management authorities
- ·Logistics and freight operators
Is your Transport organisation in scope?
Answer 5 questions and get a personalised NIS2 scope assessment, obligation checklist and readiness score — free.
Check your scope →Transport NIS2 compliance by country
See how national transpositions affect Transport obligations in each EU member state:
Frequently asked questions
Is the Transport sector covered by NIS2?
Yes. The Transport sector is listed in NIS2 Annex I (highly critical sectors). Medium and large organisations in this sector must comply with NIS2 obligations. Air, rail, water and road transport operators are covered under NIS2 Annex I. This includes airlines, airports, railway managers, maritime port operators and road transport authorities. Cross-border interdependencies make this sector highly critical.
Are Transport organisations Essential or Important Entities?
Under NIS2, large Transport organisations are typically Essential Entities. Medium-sized Transport organisations are Essential (large) / Important (medium). The distinction affects supervisory intensity and fine levels.
What are the key NIS2 obligations for the Transport sector?
Incident response plans for safety-critical systems; Security of communication and navigation systems; 72-hour incident reporting to the national authority; Vendor risk management for booking and logistics software. Obligations apply under NIS2 Articles 21 (security measures) and 23 (incident reporting).
Which national authorities supervise NIS2 for Transport in each EU country?
Each EU member state designates a national competent authority for NIS2. Visit any country page on NISDESK to see the specific authority and CSIRT for the Transport sector in that country.
For decision-support purposes only. Exact scope depends on national transposition.