Cookie consent(s)
We use cookies on our website to personalize content and ads, to provide social media features and to analyze traffic to our website. Please click "ACCEPT ALL" to enable us to offer you the best possible experience on our website. By doing so, you consent to the processing and sharing of your information with our social media, advertising and analytics partners. You can revoke your consent at any time on the cookie settings page​.
Privacy statement

NIS2 supply chain guidelines

Audits and certifications in the transport sector

The transport sector has been designated by the European Union as an essential sector under the new NIS2 directive. This designation entails stricter requirements in the areas of cybersecurity and supervision. But what exactly does this mean for your organization? And how can you prepare your organization for NIS2 supply chain guidelines, particularly when it comes to information security?

NIS2 and the supply chain

An important feature of the NIS2 Directive is its emphasis on chain responsibility. Cybersecurity does not stop at your own organization: suppliers, partners, and service providers must also demonstrate that they have their affairs in order.
Even if you are not directly subject to NIS2, a client may require you to provide insight into your security measures. Companies that are themselves subject to NIS2 impose these requirements throughout the entire chain. This makes the NIS2 supply chain directive a crucial point of attention for all players in the transport sector.
Is your organization subject to NIS2?
For medium-sized and large organizations in the transport sector that play an essential role in society and the economy, NIS2 does apply directly. These include airlines, rail network operators, road transport operators, and shipping companies.
Scope criteria
  • Organizations fall under the directive if they:
  • Have at least 50 employees or an annual turnover of more than €10 million.
  • Forming an indispensable link in the transport chain.
  • Influencing public or economic systems in the event of disruptions, such as station management or traffic control.
If your organization falls within this scope, compliance with NIS2 is mandatory.

What does NIS2 require from transport companies?

The NIS2 Directive introduces two key obligations to strengthen digital resilience in sectors such as transport.
1. Duty of care
As an organization, you are responsible for taking technical, organizational, and operational measures to protect against risks. For applications of the NIS2 supply chain guidelines, this includes:
  • Risk analysis and prevention
    Identify vulnerabilities and implement measures to reduce them. For example, conducting periodic audits and incident simulations.
  • Real-time data security
    Protect sensitive data flows on a large scale, such as traffic information and loading and unloading systems in logistics.
  • Supplier management and supply chain security
    Ensure that all third parties to whom you outsource services comply with NIS2 standards.
  • Advanced access management
    Protect critical infrastructure by implementing strict access controls and encryption.
  • Incident response and recovery plans
    Develop and test protocols aimed at limiting damage in the event of cyber attacks.
2. Reporting obligation

NIS2 supply chain: ISO 27001 as a foundation

Whether you are not subject to NIS2 but are part of the supply chain, or whether you fall directly under the directive: ISO 27001 provides a solid foundation for information security.
ISO 27001 does not mean that you are automatically fully compliant with NIS2, but it does provide you with a clear structure and internationally recognized framework from which you can efficiently fulfill the remaining obligations.

DEKRA as your certification partner

At DEKRA, we understand the challenges of NIS2 implementation within the transport sector. As an accredited institution, we conduct independent audits and certifications that contribute to demonstrable compliance.
With ISO 27001 as your foundation, you take a big step toward compliance with NIS2 while strengthening your position in the supply chain.
Cybercrime white paper
To truly make the EU more cyber-resilient, end users of connected devices in the public and private sectors must also do their part. So if your organization purchases and uses products with online connectivity, read this white paper to learn more about your role in the fight against cybercrime.
Read more
NIS2: stay informed
Stay up to date with important recent developments in the field of NIS2. Sign up here and receive automatic updates via email.
Sign up