Trusq

factual analysis · traceable to primary sources

Explainer

Does NIS2 apply to my transport or logistics company?

Adopted 2026-06-14 ยท updated 2026-06-16 ยท ≈ 1 min read ยท Dirk Baaijen

Transport is an essential sector under NIS2, so the question is mainly your size. Medium and large companies (from ~50 employees) are generally in scope; micro and small usually are not. National transposition sets the details. Here's how to check.

Short answer: probably yes, unless you are micro or small. Air, rail, road and water transport are explicitly listed in NIS2 as an essential sector. So the question is not whether transport is in scope, but whether your company is large enough.

Two categories, based on size

  • Essential entity โ€” large companies (from ~250 employees, or more than

โ‚ฌ50m turnover) in an essential sector like transport. Stricter supervision.

  • Important entity โ€” medium companies (~50โ€“249 employees, or โ‚ฌ10โ€“50m

turnover). Same duties, lighter (mostly after-the-fact) supervision.

  • Micro and small (< 50 employees) โ€” generally out of scope, with

exceptions for critical parties.

Note: national transposition

NIS2 is a directive; the exact scope is set in national law (in the Netherlands the Cyberbeveiligingswet, taking effect 1 July 2026). The transposition deadline was 17 October 2024; implementation differs by Member State. Always check your national law for the exact thresholds and exceptions.

How to determine your position

  1. Sector โ€” do you provide transport/logistics or manage infrastructure?

Then you are in an in-scope sector.

  1. Size โ€” medium or larger? Then you are probably in scope (important or

essential).

  1. National law โ€” check the exact thresholds and any exceptions.

Read the main file: NIS2: cybersecurity as a board responsibility. Or take the Transport &amp; Logistics scan.

Sources

  1. https://eur-lex.europa.eu/eli/dir/2022/2555/oj
    Directive (EU) 2022/2555 (NIS2): transport as an essential sector; essential vs important entities by size.
  2. https://digital-strategy.ec.europa.eu/en/policies/nis2-directive
    European Commission โ€” NIS2: scope (18 sectors, including transport) and entity categories.

Share on LinkedIn

Read next

A

Securing AI in critical infrastructure: where the AI Act, Cyber Resilience Act and NIS2 meet

A single AI system in a port often falls under three frameworks at once: the AI Act (Art. 15) secures the AI system itself, the Cyber Resilience Act the product, and NIS2 obliges the operator as an essential entity. This piece explains how they meet and who is responsible for what.

W

NIS2: the guide to cybersecurity and management duties

NIS2 makes cybersecurity a board-level responsibility for essential and important entities โ€” including transport and logistics. This guide brings together who is in scope, which measures and reporting duties apply, management liability, and supply-chain obligations.

A

DORA or NIS2: which one applies to my (logistics) organisation?

A logistics organisation generally falls under NIS2 (transport is an essential sector), not DORA. DORA applies to financial entities. If you are both, DORA takes precedence as lex specialis.

Dirk Baaijen

About this knowledge base

Compiled and maintained by YRproject โ€” programme and project direction at the intersection of digital transformation, AI and regulation. Every factual claim is traceable to its primary source. YRproject is led by Dirk Baaijen About & method โ†’

A project or programme? Work with YRproject โ†’

Monthly Transport & Logistics alerts

Once a month: the EU developments that affect transport and logistics, briefly interpreted โ€” with sources. No spam, unsubscribe anytime.

The monthly briefing

AI regulation in five minutes: what changed, what is coming and what it means. No spam, unsubscribe anytime.

Your address is used for this only and stored on our own servers.