Trusq

factual analysis · traceable to primary sources

Explainer

NIS2: which measures must I take as a minimum?

Adopted 2026-06-14 · ≈ 1 min read · Dirk Baaijen

NIS2 requires appropriate risk-management measures — from risk analysis, backups and supply-chain security to access control, training and encryption — plus board accountability. A practical checklist for transport and logistics.

NIS2 does not prescribe exact technology, but requires appropriate technical and organisational measures based on your risk. The directive names a base set of measures; below, that set is translated into a checklist.

The minimum measures (Art. 21)

  • Risk analysis and security policy — documented and current.
  • Incident handling — detection, response, and the reporting duty (24/72h).
  • Business continuity — backups, recovery, crisis management.
  • Supply-chain security — requirements for suppliers and service providers.
  • Security in acquisition, development and maintenance — incl. vulnerability handling.
  • Policy to measure the effectiveness of your measures.
  • Basic cyber hygiene and training — for staff and management.
  • Encryption where appropriate.
  • Access control — incl. multi-factor authentication and account management.

Management accountability (Art. 20)

NIS2 places responsibility explicitly with the management body: it approves the measures, oversees compliance and must undergo training. Cybersecurity is a boardroom matter, not an IT detail — with management liability for negligence.

What to do

  1. Run a risk analysis and document your policy.
  2. Walk through the checklist above and close the gaps.
  3. Assign responsibility to the board and plan training.

Read the main file: NIS2: cybersecurity as a board responsibility. Or take the Transport & Logistics scan.

Sources

  1. https://eur-lex.europa.eu/eli/dir/2022/2555/oj
    Directive (EU) 2022/2555 (NIS2): risk-management measures (Art. 21) and management accountability (Art. 20).
  2. https://digital-strategy.ec.europa.eu/en/policies/nis2-directive
    European Commission — NIS2: management measures and governance.


About this knowledge base

Compiled and maintained by YRproject — programme and project direction at the intersection of digital transformation, AI and regulation. Every factual claim is traceable to its primary source. YRproject is led by Dirk Baaijen.