The new Network and Information Systems Directive (NIS2) came into effect on 18 October 2024 and with it comes an overhaul of the way in which cybersecurity risk management is regulated in Europe.

The major changes brought about by NIS2 include stricter security measures, new incident reporting obligations and will substantially expand enforcement powers for regulators. For stakeholders active in the Automotive, Transport or Logistics sectors, these major changes will impact organisations to differing degrees depending on their core activities and the perceived criticality of their sector to the EU’s critical infrastructure and economy.

Sanctions for non-compliance under NIS2 and related legislation are substantial, with fining powers of up to €10m or 2% of worldwide turnover and (in some cases) sanctions against management and the C-suite. Above all, NIS2 emphasises a proactive approach to cybersecurity and operational resiliency.

This article, part of our NIS2 series, provides a high-level overview of what you need to know for your sector and what steps you need to take now. For a more in-depth insight into NIS2 and its requirements, see our article here.

Note on the UK: this article focuses on the EU’s enhanced cybersecurity regime, which will not apply in the UK. For specific guidance on the steps the UK is undertaking in this space, please contact a member of the Resiliency team.

What does this mean for providers in the transport and logistics sectors?

NIS2 imposes obligations on a broader range of entities, depending on whether they are identified as being ‘essential’ or ‘important’.

For the transport sector, unsurprisingly core transport and freight providers are categorised as ‘essential’ sectors and subject to the most stringent of NIS2’s security requirements. Post and courier services are also regulated under NIS2 but under the less stringent ‘important’ category. Incidents such as the 2017 NotPetya Malware attack on Maersk, the global outage that affected European air cargo operations in 2024, as well as the CrowdStrike Outage in July 2024 which disrupted operations across European ports and rail networks demonstrate the substantial impact on European commerce an incident within this sector can have.

Key service providers to transport infrastructure and freight providers could look to find them directly regulated under NIS2 and not simply by virtue of flow down obligations from their customers. In particular, NIS2 regulates providers of critical systems used by the sector, from vessel traffic services (VTS) – which aid in traffic management within ports or waterways – to Intelligent Transport Systems, such as adaptive traffic signals controls, smart motorways and parking management.

For the logistics sector, NIS2 represents a significant challenge as this sector (like many other sectors now regulated under NIS2) has previously avoided cyber resilience legislation. A wide range of activities conducted by a logistics provider may be regulated be NIS2 as follows:

• Logistics providers which are interconnected with critical infrastructure, such as where the provider manages a fleet, may be directly regulated under the transport categories;
• Organisations which provide core IT infrastructure, such as digital logistics platforms, are likely to be regulated under NIS2’s digital providers category;
• Any logistics provider involved in the distribution of food or chemicals will be directly regulated, under the ‘important’ category; and,
• The majority of logistics providers may find themselves indirectly regulated under NIS2 based on flowdown obligations from their NIS2-regulated customers.

Those organisations undertaking activities which fall within an “essential” sector will be subject to enhanced audit and inspection measures, with each EU Member State regulator conducting regular (and in some cases unannounced) inspections and audits of a company’s information security management frameworks and cybersecurity posture. Where compliance gaps are found, organisations can expect onerous corrective action plans and daily fines for non-conformity. Organisations may also be expected to pay the cost of these audits.

What about automotive providers and OEMs?

With modern vehicles increasingly referred to as 'computers on wheels,' businesses operating within the automotive sector will be impacted significantly by NIS2 due to the significant data flows involved in these vehicles and the growing digitalisation of automotive systems.

As these industries continue their rapid evolution into connected and autonomous vehicles, constantly generating and transmitting data, automotive manufacturers and service providers will need to swiftly ensure their cybersecurity measures are up to standard to remain compliant with NIS2. With supply chains spanning multiple stakeholders, from OEMs to software providers, the automotive sector is uniquely exposed to cybersecurity threats at several stages of production and delivery. 

The proliferation of V2X communication technology brings increased reliance on these networks for fleet management, traffic management, and public safety, whilst increased use of OTA updates for vehicle systems opens the door to malicious actors injecting harmful code into vehicles. Ensuring the resiliency of these networks and the cyber integrity of vehicles under NIS2 will be a legal and operational imperative and organisations must prioritise securing the integrity of all data traffic.

All organisations caught by NIS2 also need to be prepared to meet the new reporting obligations for significant cybersecurity incidents, particularly breaches that compromise the functionality of connected vehicle systems or endanger public safety. Organisations in these sectors must enhance their cybersecurity measures to safeguard the personal and vehicle-generated data gathered by modern vehicles. With the directive strengthening data protection as part of overall cybersecurity compliance, failure to adequately protect this information could lead to regulatory penalties and damage to consumer trust.

Incident management

NIS2 represents a significant cultural change for the way organisations approach incident management, and for the personnel who will need to be involved in that process. 

One of the significant aspects of NIS2 is the emphasis on breach reporting, which requires affected entities to promptly report any cybersecurity incidents to the relevant authority without undue delay and no later than 24 hours after detection of the incident, with more detailed reporting at additional intervals.

In essence, under NIS2:

• A regulated entity’s information security team will need to be sufficiently resourced to ensure they can notify incidents within a 24-hour window
• Information security teams will need to develop new processes for how they identify and classify incidents
• Wider departments (particularly legal, compliance and risk functions) will need to be introduced into the incident management process at an earlier stage in order to consider any impact to the company associated with notification. The presence of significant financial sanctions makes this of key importance
• Members of the entity’s legal, compliance and risk departments will need to be upskilled on aspects of incident classification, containment and mitigation in order to contribute to this assessment.

For further insight into some of the changes to incident classification see our article here.

Registration

With NIS2 comes a new mandatory registration requirement. A regulated entity will be required to register with its competent authority and provide key details about where the organisation provides its services, its IP ranges, and (where applicable) the identity and contact information of its designated representative. 

Providers and suppliers located outside Europe with no legal presence will need to appoint a local representative.

We have ISO 27001 – do we need to do anything?

In short – yes.

While it is true that both NIS2 and ISO 27001 (and other information security management frameworks such as ISO 22301) aim to enhance an organisation’s cybersecurity and resiliency, NIS2 is fundamentally different in its scope.

The mandatory controls under NIS2 are more detailed and will apply to a broader range of organisations (including entities that would typically be segregated under ISO 27001).

In addition, due to the stringent requirements around incident management, reporting and audit, it is highly unlikely an organisation will be able to simply rely on its ISO 27001 certification to achieve NIS2 compliance.

For automotive providers, particularly OEMs and their key suppliers, the TISAX framework, developed by the European automotive association ENX, continues to gain momentum as more automotive manufacturers adopt the standard. TISAX, similarly to other information security standards, allows organisations to certify to differing levels of assurance – known under TISAX as “labels”. For OEMs and key automotive suppliers with an active TISAX certification, compliance with the “Strictly Confidential” and “Very High Availability” labels is anticipated to place those organisations in broad compliance with NIS2’s information security controls; however, the registration, incident management, and reporting requirements of NIS2 will need to be adhered to separately. 

Is there any other legislation to worry about?

Those reading about NIS2 for the first time may understandably think that this is it.

However, for core transport providers, particularly those operating critical transport infrastructure (i.e., airports, road networks, freight terminals, etc.), many providers will also be subject to the EU’s Critical Entities Resilience Directive (CERD), which came into force on 18 October 2024.

The CERD covers similar content to NIS2 as it applies to resiliency, but is far broader in scope in the types of external threats an organisation must prepare for.

For automotive manufacturers or any other organisation involved in the supply of hardware and critical software to either the transport or automotive sectors, focus should also be on the EU’s Cyber Resiliency Act (CRA) – which introduces cybersecurity requirements for products with digital elements (IoT products and devices).

The CRA applies to all IoT products but lays down enhanced measures for hardware used within critical infrastructure. Therefore, for the transport and logistics sectors, telematics and fleet management systems, signal controllers, ticketing systems, railway signalling, navigation equipment, IoT sensors used to monitor storage conditions (e.g., temperature and humidity) and any form of V2X communication device will all fall under intense scrutiny.

Supply chain

It goes without saying that NIS2 places a heavy emphasis on vendor management with regulated organisations being obliged to ensure that cybersecurity is appropriately preserved across the supply chain.

Suppliers to the transport and logistics sectors should expect to receive increased due diligence and vendor assessment questions and be subject to more stringent contractual requirements, while suppliers to Europe’s automotive industry may see an increased emphasis on adherence to TISAX.

Suppliers used to contracting under their own paper should consider taking steps now to update contractual documentation in line with NIS2.

What you need to do now

1. Familiarise yourself with the key requirements of NIS2 – you can read our more in-depth article here as a starting point.
2. Undertake a scoping assessment to assess in more detail whether your business is likely to be in scope of NIS2, bearing in mind its size, sector, the nature of its business, and the Member States in which it operates or into which it provides services.
3. Keep track of the specific NIS2 implementation timeline for your home country – very few Member States were able to implement national implementing laws before the 17 October deadline.
4. Determine and complete registration requirements – for entities with a broad reach across Europe this may be a complicated assessment, potentially requiring multiple registrations.
5. Conduct a gap analysis between NIS2 measures (specifically those required in your home country), against your current cybersecurity posture and implement a rectification and improvement plan.
6. Review and update existing incident management handling processes – you can read more about some of the changes to incident classification here.
7. Start your vendor management process now, given the significant time it often takes to cascade compliance throughout the supply chain.
8. Consider whether key customers are likely to be impacted, and how this should be reflected in key contracts (particularly in B2B settings).

For further information on NIS2 or assistance with the above activities, please engage with our Resiliency team.