NIS2: the guide to cybersecurity and management duties
NIS2 makes cybersecurity a board-level responsibility for essential and important entities — including transport and logistics. This guide brings together who is in scope, which measures and reporting duties apply, management liability, and supply-chain obligations.
Short answer: NIS2 (Directive (EU) 2022/2555) raises cybersecurity to board level for "essential" and "important" entities in designated sectors — transport and logistics are expressly included. You face risk-management measures, a staged reporting duty, a registration duty, supply-chain obligations and personal management liability. This guide brings the separate files together.
What it comes down to
NIS2 replaces the old NIS Directive and broadens its scope considerably. The core: organisations above certain thresholds in designated sectors must demonstrably have their digital resilience in order — and the board is responsible, with personal liability for serious negligence. The precise scope and dates follow from the national implementing law.
The files at a glance
- Does my transport or logistics company fall under NIS2? — the scope question: sector, size, essential versus important.
- NIS2 and the transport sector — why transport is an essential sector and what that means.
- Which measures must I take at minimum? — the minimum risk-management measures, as a checklist.
- The reporting duty (24/72 hours) — the staged deadlines for a significant incident.
- Registration duty — whether and how to register your organisation.
- Management liability — what the board must do and when it is personally liable.
- My customer asks me for measures — the supply-chain obligations that reach you via your customers.
- DORA or NIS2? — which applies to you if you sit in the financial sphere.
Where to start
First determine whether you fall under NIS2 (sector + size), and if so: essential or important. Then map your current measures against the checklist, arrange the reporting chain and assign responsibility to the board. The free Transport & Logistics scan covers NIS2 alongside the other regimes that affect you — every result traceable to its source.
Sources
- https://eur-lex.europa.eu/eli/dir/2022/2555/oj
Directive (EU) 2022/2555 (NIS2): risk management, reporting duty, management responsibility and supervision for essential and important entities.