01
OT cybersecurity across sub-sectors
Each mode has its own OT stack: signalling, ATC, port community systems, fleet telematics. NIS2 + sector rules layer.
IMPACTInconsistent ISMS implementations across the operator.
SECTOR PRACTICE · TRANSPORT & LOGISTICS
EU compliance for transport & logistics
NIS2 essential entity for air, rail, maritime, and road transport
REGULATIONS.STACK · TRANSPORT● 09
NIS2Transport as essential entity
CERCritical Entities Resilience
AI ACTAutonomous and ADAS systems
GDPRPassenger and driver data
ITSIntelligent Transport Systems
EASA-CYAviation cybersecurity (Part-IS)
IMO/MARENVMaritime cyber and environment
EFTIElectronic Freight Transport Info
TEN-TTrans-European Transport Network
FREE 30-MIN CONSULTATION
Talk to a senior advisor.
One business day reply. Clear next steps and indicative pricing.
1 BUSINESS DAY REPLY·NDA ON REQUEST·NO OBLIGATION
§ 01 / WHO WE SERVE
Six transport profiles, one compliance map.
From global airlines to last-mile logistics. NIS2 reaches every sub-sector, but the operating rules diverge sharply by mode.
AVIATION
Airlines and airport operators
EASA Part-IS cybersecurity, passenger data, ADS-B, slot allocation.
NIS2EASA-CYGDPR
MARITIME
Shipping and ports
IMO 2021 cyber, port community systems, SafeSeaNet, MARPOL reporting.
NIS2IMOGDPR
RAIL
Rail operators and infrastructure
ERA TSI, signalling, passenger systems, NIS2 essential entity.
NIS2CERITS
ROAD
Road freight and logistics
eFTI compliance, driver hours, posting of workers, supply-chain due diligence.
EFTIGDPRCSDDD
URBAN MOBILITY
Public transport and ride-hailing
Passenger data, contactless payments, AI dispatch, accessibility.
GDPRPSD2AI ACT
AUTONOMOUS
Autonomous and connected vehicles
AI Act high-risk, type approval, cyber type approval (UNECE R155).
AI ACTR155GDPR
§ 02 / LANDSCAPE
The transport-sector regulatory clock.
Multiple regimes interlock. We sequence them around your operating cadence.
LIVENIS2
IN FORCE
Transport as essential entity
Aviation, rail, water and road transport classified as essential under NIS2 Annex I. Risk management and incident reporting apply.
LIVEEASA-CY
IN FORCE
Aviation cybersecurity Part-IS
Information security management for aviation organisations. Risk assessment, incident reporting to EASA and competent authorities.
LIVECER
IN FORCE
Critical Entities Resilience
Identification of critical transport entities, risk assessments, incident notification, background checks.
LIVEIMO 2021
IN FORCE
Maritime cyber risk management
IMO MSC.428(98) requires cyber risk in the Safety Management System. Port-state control inspects.
NEXTEFTI
AUG 2025
Electronic Freight Transport Info
Authorities must accept electronic freight transport information. Operators get standardised data sharing.
CRITICALAI ACT
AUG 2026
AI in critical transport
AI for traffic management, autonomous driving, ATC and rail signalling listed as high-risk under Annex III.
LIVER155
JUL 2024
UNECE Cyber Type Approval
All new vehicle types must have a Cybersecurity Management System and Software Update Management System certified.
NEXTCSDDD
2027
Corporate Sustainability Due Diligence
Large transport companies must conduct supply-chain due diligence. Phased application from 2027.
§ 03 / WHAT TO SOLVE
Where transport operators get stuck.
02
Passenger data at scale
Booking, biometrics for boarding, frequent-flyer, contactless. High-volume GDPR plus PNR rules for air.
IMPACTSix-figure DPA fines plus operational reputation hit.
03
EASA Part-IS implementation
Aviation cyber moved from voluntary to mandatory. Authorities are now actively assessing implementations.
IMPACTOperating certificate review if Part-IS not in place.
04
UNECE R155 cyber type approval
Vehicle OEMs need CSMS and SUMS certified. Tier 1 and Tier 2 suppliers caught in supply-chain audits.
IMPACTNo type approval means no EU sale from July 2024.
05
AI for autonomous and ATC
Autonomous vehicle systems and ATC AI listed as high-risk under AI Act. Conformity, human oversight, post-market monitoring all apply.
IMPACTPilot programmes paused pending Annex IV documentation.
06
Cross-border incident coordination
Cyber-incidents in transport cross borders by definition. Multiple national CSIRTs and sector authorities to notify in parallel.
IMPACTDelayed notifications and inconsistent reports.
§ 04 / OFFERING
Our services for transport
TR-01
NIS2 readiness for transport
Entity classification, ISMS aligned with ISO 27001 and IEC 62443, supply-chain due diligence, incident reporting playbook.
DClassificationDISMSDIncident SOP
TR-02
EASA Part-IS implementation
Information security management system for aviation, risk assessment, incident reporting to EASA and NCAA.
DISMSDRisk registerDEASA reporting
TR-03
Maritime cyber risk management
Implementation of IMO MSC.428(98), integration with Safety Management System, port-state control readiness.
DSMS cyberDPSC readyDDocumentation
TR-04
UNECE R155 / R156 CSMS and SUMS
Cybersecurity Management System and Software Update Management System for vehicle OEMs and suppliers.
DCSMSDSUMSDApproval prep
TR-05
AI Act for autonomous and ATC
Annex III classification for AI in vehicles, traffic management and signalling. Technical file, human oversight, post-market monitoring.
DClassificationDAnnex IVDPMM
TR-06
GDPR for passenger and driver data
Lawful basis for booking, biometric boarding, frequent-flyer programmes, PNR rules for aviation.
DLB mappingDPNRDRights
TR-07
eFTI and digital freight
Electronic Freight Transport Information adoption, data sharing standards, authority interface design.
DeFTI gapDStandardsDInterface
TR-08
Cross-modal incident response
Multi-CSIRT coordination, sector-authority liaison, post-incident regulatory hygiene across modes.
DRunbookDCSIRTsDAuthorities
TR-09
Outsourced transport compliance
Senior advisor with transport-sector experience, regulator liaison, board reporting, programme stewardship.
DRetainerDBoard memosDRegulator
§ 05 / SELECTED WORK
All case studies →Transport engagements.
CASE 01Regional airline
EASA Part-IS implementation across 3 operating bases. NCAA audit cleared on first attempt.
3
BASES
Cleared
AUDIT
0
FINDINGS
SCOPEPart-IS · NIS2 · ISO 27001 · NCAA liaison
CASE 02Tier-1 automotive
CSMS and SUMS certified ahead of R155 deadline. Type approvals issued for 4 platforms.
4
PLATFORMS
Issued
CERT
Zero
BACKLOG
SCOPER155 · R156 · CSMS · Type approval
CASE 03Port community system
NIS2 readiness and maritime cyber programme rolled across 4 ports.
4
PORTS
Met
SLA
−63%
INCIDENT TIME
SCOPENIS2 · IMO 2021 · OT · Incident response
§ 06 / FREE TOOL
Map your transport stack to the EU rulebook.
Eight questions about your mode, fleet and digital systems. Get an indicative obligations map across NIS2, CER, AI Act, EASA Part-IS and R155.
Run obligations mapper~ 4 MINMAPPER.PREVIEWSTEP 4 / 8
Does your operation involve passenger data or autonomous decision-making?
Yes, passenger booking and biometric boardingA
Yes, autonomous vehicle or ADAS systemsB
Mostly freight, no passenger dataC
Mixed passenger and freightD
INDICATIVE → GDPR ART. 6 + AI ACT ANNEX III
§ 07 / FAQ
Frequently Asked Questions
01Are we NIS2 essential or important?+
Most transport operators fall under essential entities in NIS2 Annex I (air carriers, airport operators, traffic management, rail infrastructure managers, port operators, urban transport authorities). Specific thresholds apply per sub-sector.
02What is EASA Part-IS?+
Information security regulation for aviation organisations under Commission Implementing Regulation 2023/203. Risk management, incident reporting, training and integration with the Safety Management System.
03How does R155 affect us as a Tier-1 supplier?+
Vehicle OEMs require CSMS certification, and they cascade requirements to suppliers. Your software, ECUs and components need to be developed and updated in line with R155 and R156 SUMS. We help build the supplier-side compliance pack.
04What does the AI Act mean for autonomous driving?+
Annex III lists AI for autonomous vehicles and traffic management as high-risk. Conformity assessment, technical documentation (Annex IV), human oversight and post-market monitoring apply on top of type approval and R155.
05How do we handle maritime cyber under IMO 2021?+
Cyber risk must be addressed in the Safety Management System. Port-state control inspections check evidence. We integrate cyber into your SMS without creating a parallel ISMS.
06Are we in scope of CER as well as NIS2?+
Transport sub-sectors are listed in both directives. CER focuses on physical resilience, NIS2 on cybersecurity. We design one integrated risk-assessment to cover both.
07How does GDPR apply to passenger data?+
Booking data, PNR, biometric boarding, contactless payments and frequent-flyer programmes are all in scope. PNR Directive applies separately for air; the framework is layered.
08Can you handle multi-mode operations?+
Yes. Operators with road, rail and maritime arms need a single compliance programme that respects mode-specific rules. We design the integration across CSIRT notification flows, ISMS scopes and authority liaison.
§ 08 / RELATED
Related practices.
NIS2 Compliance
Scoping, ISMS, supply-chain and incident reporting for essential entities.
Open practice →Cybersecurity
ISMS, ISO 27001, IEC 62443 and OT security for transport infrastructure.
Open practice →AI Compliance
AI Act for autonomous, ADAS and traffic-management AI systems.
Open practice →09 / GET STARTED
NIS2 compliance for transport operations
Typical outcomes: essential entity status, NIS2 roadmap, operational resilience plan.