NIS2 Annex.I.2: Transport Sector Cybersecurity Requirements
What This Control Requires
Annex I identifies the transport sector including air transport (air carriers, airport managing bodies, traffic management control operators), rail transport (infrastructure managers, railway undertakings), water transport (inland, sea and coastal passenger and freight transport companies, port managing bodies), and road transport (road authorities responsible for traffic management control, operators of intelligent transport systems).
In Plain Language
A cyber attack on a transport system can ground flights, halt trains, or paralyse a port - and in the worst case, endanger lives. That is why NIS2 classifies transport as highly critical under Annex I, subjecting qualifying entities to the strictest supervisory tier. Modern transport infrastructure is deeply digitalised. Air traffic management, railway signalling, port management platforms, intelligent transport systems (ITS), and fleet management all blend traditional IT with specialised operational technology. Each transport mode brings its own protocols, safety standards, and legacy constraints, making this one of the more complex sectors to secure. The defining tension in transport cybersecurity is that security controls must never compromise operational safety. You cannot deploy a patch that risks a signalling failure or a firewall rule that delays air traffic control data. Transport organisations also need to account for the physical security dimension, since physical access to control rooms, signalling cabinets, or communication infrastructure can enable cyber attacks just as effectively as a phishing email.
How to Implement
Classify every digital system in your transport operations into three tiers: safety-critical (failure could endanger lives), operational (failure disrupts services), and business (administrative and commercial). Apply security controls proportionate to each tier's criticality.

Segment safety-critical systems from operational systems and corporate IT. Safety-critical networks should have no direct internet connectivity - use controlled, well-monitored interfaces. Layer your defences so the most critical systems sit behind multiple security boundaries.

Build cybersecurity procedures specific to your transport mode. Aviation entities need to align with EASA cybersecurity regulations (including Part-IS). Railway entities should consider EN 50129 and emerging rail cybersecurity standards. Maritime entities need to address IMO maritime cybersecurity guidelines. Road transport entities should account for connected and autonomous vehicle security.

Tighten access controls across both cyber and physical boundaries. Many transport systems can be compromised through physical access to control rooms, signalling equipment, or communication infrastructure. Run combined physical-cyber risk assessments rather than treating them as separate domains.

Write incident response procedures that explicitly address safety implications. Define safe states for safety-critical systems, establish coordination channels with transport safety authorities, prepare public communication templates for service disruptions, and plan for coordination with interconnected transport operators.

Review supply chain risks for transport-specific technology. Equipment manufacturers, system integrators, and maintenance providers often hold privileged access to your most critical systems - treat them as part of your threat surface.

Join sector-specific information sharing groups such as A-ISAC (aviation), Rail-ISAC, or maritime cybersecurity forums. Threat intelligence from peers in your transport mode is invaluable.
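The tiering, segmentation and vendor-access steps above can be turned into an automated check over a system inventory, so that the evidence an auditor asks for (criticality classification, segmentation architecture, controlled vendor access) is verified rather than asserted. The following is an added example, not code from AuditFront or from the NIS2 text: the zone names, the `System`/`Flow` fields, the rule identifiers R1 to R5 and the sample inventory are all constructed for illustration, and the rules encode only what this section states (no internet exposure for safety-critical systems, lower-tier zones reach higher-tier zones only through a controlled interface, monitored vendor access, a remediation path for known vulnerabilities).

```python
from dataclasses import dataclass
from typing import Dict, List

# Criticality tiers from the "How to Implement" section, ordered lowest to highest.
TIERS = ["business", "operational", "safety-critical"]
RANK = {tier: i for i, tier in enumerate(TIERS)}


@dataclass
class System:
    """One digital system in the inventory (constructed schema for this example)."""
    name: str
    tier: str                              # one of TIERS
    zone: str                              # network zone the system is deployed in
    internet_exposed: bool = False         # has direct internet connectivity
    vendor_access: bool = False            # a maintenance vendor holds privileged access
    vendor_access_monitored: bool = False  # vendor sessions are logged and reviewed
    open_vulns: int = 0                    # known, unpatched vulnerabilities
    remediation_path: bool = False         # patch plan or compensating control exists


@dataclass
class Flow:
    """A permitted network flow between two zones."""
    src_zone: str
    dst_zone: str
    controlled_interface: bool  # crosses a monitored boundary (DMZ broker, data diode, proxy)


def check_inventory(systems: List[System], flows: List[Flow],
                    zone_tier: Dict[str, str]) -> List[str]:
    """Return one finding string per violated rule; an empty list means compliant."""
    findings: List[str] = []
    for s in systems:
        rank = RANK[s.tier]
        # R1: safety-critical systems must have no direct internet connectivity.
        if s.tier == "safety-critical" and s.internet_exposed:
            findings.append(f"R1 {s.name}: safety-critical system is internet-exposed")
        # R2: a system must not live in a zone built for a lower tier.
        if RANK[zone_tier[s.zone]] < rank:
            findings.append(f"R2 {s.name}: {s.tier} system placed in "
                            f"{zone_tier[s.zone]} zone '{s.zone}'")
        # R3: vendor access to operational or safety-critical systems must be monitored.
        if s.vendor_access and not s.vendor_access_monitored and rank > RANK["business"]:
            findings.append(f"R3 {s.name}: unmonitored vendor access to {s.tier} system")
        # R4: known vulnerabilities on non-business systems need a remediation path.
        if s.open_vulns and not s.remediation_path and rank > RANK["business"]:
            findings.append(f"R4 {s.name}: {s.open_vulns} known vulnerabilities "
                            f"with no remediation path")
    # R5: traffic from a lower-tier zone into a higher-tier zone must cross a
    # controlled interface; flows in the other direction are not flagged here.
    for f in flows:
        if (RANK[zone_tier[f.src_zone]] < RANK[zone_tier[f.dst_zone]]
                and not f.controlled_interface):
            findings.append(f"R5 {f.src_zone}->{f.dst_zone}: uncontrolled flow "
                            f"into higher-criticality zone")
    return findings


def sample_findings() -> List[str]:
    """Run the checks over a constructed rail-operator inventory (sample data, not real)."""
    zone_tier = {"corp-it": "business", "ops-scada": "operational",
                 "signalling": "safety-critical"}
    systems = [
        System("interlocking-01", "safety-critical", "signalling",
               vendor_access=True, vendor_access_monitored=False),
        System("cctv-gateway", "operational", "corp-it"),
        System("timetable-web", "business", "corp-it", internet_exposed=True),
        System("scada-hist", "operational", "ops-scada", open_vulns=3),
        System("level-crossing-ctl", "safety-critical", "signalling", internet_exposed=True),
    ]
    flows = [
        Flow("corp-it", "ops-scada", controlled_interface=True),
        Flow("ops-scada", "signalling", controlled_interface=False),
        Flow("signalling", "ops-scada", controlled_interface=False),
    ]
    return check_inventory(systems, flows, zone_tier)


if __name__ == "__main__":
    for finding in sample_findings():
        print(finding)
```

Each finding maps back to one line of the "Common Mistakes" list, which makes the output directly usable as a gap list for the audit evidence above; extend the inventory schema with physical-access attributes if you want the combined physical-cyber assessment covered by the same run.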
Evidence Your Auditor Will Request
- Classification of digital systems by criticality (safety-critical, operational, business)
- Network architecture showing segmentation of safety-critical systems
- Sector-specific cybersecurity procedures aligned with relevant transport regulations
- Combined physical-cyber security risk assessment
- Incident response procedures addressing safety implications of cyber incidents
Common Mistakes
- Safety-critical systems connected to corporate networks without adequate segmentation
- Cybersecurity measures not integrated with transport safety management systems
- Legacy transport systems with known vulnerabilities and no remediation path
- Maintenance vendor access to critical systems unmonitored and poorly controlled
- Incident response does not account for safety implications in transport contexts
Frequently Asked Questions
How does NIS2 relate to EASA aviation cybersecurity regulations?
Are all transport companies in scope regardless of size?