NIS2: cybersecurity becomes a board responsibility in transport
Transport is an essential sector under NIS2 (Directive (EU) 2022/2555). Medium and large entities must take risk-management measures, report incidents quickly and place cybersecurity at board level. NL: the Cyberbeveiligingswet (NIS2) takes effect 1 July 2026.
NIS2 (Directive (EU) 2022/2555) is not a niche rule for IT firms — it reaches the heart of transport. Air, rail, road and water transport are explicitly on the list of essential sectors, and medium and large entities in those sectors fall under the obligation.
What NIS2 requires
Three elements are decisive.
- Risk-management measures. Entities must take appropriate technical and organisational measures — from supply-chain security and vulnerability management to continuity and training.
- Incident reporting. Significant incidents must be reported quickly to the national authority: an early warning within 24 hours and a formal notification within 72 hours.
- Management accountability. NIS2 places responsibility for compliance explicitly with management, including a duty to undergo training. Cybersecurity thus becomes a boardroom matter, not an IT detail.
State of play
The transposition deadline was 17 October 2024; in the Netherlands the Cyberbeveiligingswet (the NIS2 transposition) takes effect 1 July 2026. Implementation in national law differs by Member State and is still under way in part of the EU; the Commission has opened infringement procedures against Member States that are late. The principle, however, is settled: transport entities above the threshold must comply.
What it means for you
Two questions determine your position:
- **Have you set up the risk-management measures and the reporting procedure (24h/72h)?** Their absence is directly enforceable.
- **Is board-level accountability for cybersecurity assigned?** NIS2 makes management answerable.
Want to know which EU regimes besides NIS2 affect your organisation — the Data Act, eFTI, EMSWe, the AI Act — and where your readiness stands? Take the Transport & Logistics scan.
Sources
- https://eur-lex.europa.eu/eli/dir/2022/2555/oj
  Directive (EU) 2022/2555 (NIS2): cybersecurity duties for essential and important entities; transposition by 17 October 2024.
- https://digital-strategy.ec.europa.eu/en/policies/nis2-directive
  European Commission — NIS2: scope (18 sectors, including transport), risk management and management accountability.