NIS2 in Transport and Logistics: Public Transit, Rail, Freight

Practitioner note: This is not legal advice. For specific situations, consult a qualified attorney or compliance officer.

TL;DR

  • Transport is a NIS2 sector: public transit, rail (DB and private), freight forwarders, airports, ports
  • Threshold: 50+ employees and EUR 10M turnover; KRITIS-Transport carries additional duties
  • Pure shippers are typically not in scope; logistics operators with proprietary IT are
  • OT/IT convergence in signaling and ETCS systems creates the largest risk surface
  • Recent enforcement: DB IT incident 09/2025; Hamburg port phishing case 03/2025 (EUR 50K fine)

1. Who is in scope?

Public-transit operators, rail companies (DB and private), freight forwarders from 50 employees and EUR 10M turnover, airport operators, and port operators. KRITIS-Transport thresholds apply on top: rail from 1 billion passenger-kilometers, ports from 50M tonnes of goods, airports from 5M passengers per year.

2. OT/IT convergence

Transport control systems (ETCS, interlocking, signaling) were historically isolated from IT. Convergence with corporate IT has turned them into a cyber risk. Reference standards: IEC 62443, BSI ICS-Compendium, and sector guidance from EBA (Federal Railway Authority).

3. Notable incidents 2024-2025

4. Supply-chain audit

Prioritize OEMs (Siemens Mobility, Alstom, Bombardier) and IT service providers. Sector-specific audit topics: secure-by-design evidence for safety-critical signaling, vulnerability disclosure, and patching SLAs for trackside equipment.

5. Incident-reporting channels

Reporting to BSI under the NIS2 24/72/30 deadlines is mandatory. Sector-specific channels run in parallel: Federal Railway Authority (EBA) for rail, Federal Ministry of Transport (BMDV) for cross-cutting incidents. Coordinate communications so that the separate notifications do not contradict each other.

Summary

Transport sits at the cybersecurity frontline because OT systems can fail visibly and at scale. The practical NIS2 program combines IEC 62443 for OT, ISO 27001 for IT, and a sector-specific incident-reporting playbook with EBA / BMDV contacts pre-mapped.


Frequently Asked Questions

Are freight forwarders affected?
In scope from 50 employees and EUR 10 million turnover in the 'Transport' sector. Pure freight shippers are usually not in scope; freight forwarders with logistics IT are.

KRITIS thresholds?
Rail: from 1 billion passenger-kilometers. Port: from 50 million tonnes of cargo. Airport: from 5 million passengers/year.
