Transport

The NIS2 directive highlights the importance of bolstering cybersecurity in the transport sector to protect critical infrastructure across aviation, maritime, rail, and road transport. 

Transport operators, manufacturers, suppliers, and the broader transport ecosystem are recognised as highly critical due to their significance in the EU’s economy and stability. By addressing the evolving cyber threat landscape, NIS2 aims to ensure the resilience and safety of vital transport services within the EU.

ENISA published the first report on the cybersecurity threat landscape of the transport sector in 2023. The ENISA Transport Threat Landscape report brought new insights into the reality of the transport sector by mapping and studying cyber incidents from January 2021 to October 2022. The 2024 ENISA threat landscape highlights the increasing number of incidents targeting EU transport, which was the second most targeted sector.

The transport sector plays a key role in the EU economy and society, accounting for a large segment of Europe’s overall freight and passenger transport. The sector has been going through a steady digital transformation with the introduction of innovative solutions based on ICT, the convergence between IT and OT, and the increasing number of interconnections with external and multimodal systems. The cyber risk profile of the sector has evolved, as shown by the increase in cyberattacks against European transport infrastructure such as airports, ports, railways, shipping companies, and more. This change highlights the need for cybersecurity of this sector to be addressed more specifically. ENISA works closely with the European Commission, ERA, EMSA, EASA and national competent authorities to this end.

Railways 

The railway ecosystem consists of railway undertakings (RUs) and infrastructure managers (IMs). RUs are responsible for providing the services needed to ensure the transport of goods and/or passengers by rail. The IMs’ role is to establish, manage and maintain railway infrastructures and fixed installations, including traffic management, control-command and signalling, as well as station operation and train power supply. Both are recognised as essential by the NIS2 Directive.

ENISA signed a Memorandum of Understanding with the EU Agency for Railways in 2023 to strengthen cooperation and information exchange. ENISA supports cybersecurity capabilities in the railway sector through guidance and recommendations, actively participating in the railway community by:

  • Issuing guidance and recommendations;
  • Participating in discussions with the railway community on regulatory matters;
  • Providing situational awareness information to national competent authorities;
  • Contributing to the standardisation of activities;
  • Organising physical and virtual events; and
  • Raising awareness for the sector (#CyberOnTrack).

Maritime

Port authorities, terminal operators, other entities operating within ports, shipping companies, classification societies, shipbuilding companies, and more, are all part of the EU maritime ecosystem. Their individual cybersecurity posture is integral to the overall security and reliability of the maritime sector. As part of the transport sector, maritime entities are recognised as essential by the NIS2 Directive.
 

The EU Agency for Cybersecurity plays its role in the continuous process of strengthening the cybersecurity of the EU maritime sector by:

  • Addressing key issues and recommendations;
  • Supporting the development and implementation of the relevant policy and regulatory framework;
  • Facilitating information sharing and the exchange of good practices between maritime stakeholders;
  • Providing situational awareness information to national competent authorities; and
  • Participating in physical and virtual events.

Aviation 

ENISA has been working on aviation cybersecurity since 2010, aiming to enhance the security and resilience of air transport in Europe together with all relevant key stakeholders and sectorial agencies (e.g. EASA, Eurocontrol). The scope of the NIS Directive includes air carriers, airport managing bodies, core airports, entities operating ancillary installations contained within airports, and traffic management control operators providing air traffic control (ATC) services, all of which are recognised as essential by the NIS2 Directive.

ENISA actively works towards increasing the cybersecurity capabilities and the overall cyber resilience of the aviation sector by:

  • Engaging in structured collaboration with EASA and other sectorial stakeholders;
  • Participating in the European Strategic Cooperation Platform;
  • Contributing technical advice on regulatory matters, e.g. Commission Implementing Regulation (EU) 2023/203; and
  • Providing situational awareness information to national competent authorities.