Abstract:

Several key legal instruments underpin the regulatory framework for cybersecurity in the European Union (EU). However, the implementation of the Network and Information Systems Directive (NIS Directive) [1] remains central to the EU’s cybersecurity strategy. In response to the evolving cyber threat landscape and technological advancements, the revised NIS2 Directive [2] introduces several critical amendments and enhancements over its predecessor. The primary objective of NIS2 is to strengthen the overall security and resilience of network and information systems across the EU while fostering enhanced cooperation among the Member States in the field of cybersecurity. The directive covers critical sectors, including energy, transport, banking, financial market infrastructure, healthcare, supply and distribution of drinking water, and digital infrastructure. Key obligations include the implementation of stringent cybersecurity risk management measures, mandatory incident reporting requirements, strengthened cross-border cooperation mechanisms, development of national cybersecurity strategies, and designation of national cybersecurity authorities responsible for oversight, enforcement, and coordination. This publication examines the legal and regulatory requirements for the implementation of NIS2 within the transport sector (with a focus on transport operators and infrastructure managers). Given the increasing digitalization of transport systems, compliance with NIS2 cybersecurity obligations is essential to mitigating cyber risks, ensuring operational continuity, and aligning with the EU-wide cybersecurity governance framework.