Trusq

factual analysis · traceable to primary sources

Explainer

Cybersecurity in seaports: NIS2 and the Cyber Resilience Act

Adopted 2026-06-16 · ≈ 2 min read · Dirk Baaijen

Seaports fall under NIS2 (Directive (EU) 2022/2555): risk-management measures, management accountability and incident reporting. The Cyber Resilience Act (Regulation (EU) 2024/2847) sets security requirements for digital products in port chains.

Short answer: Seaports and port operators fall under NIS2 (Directive (EU) 2022/2555), which covers the transport sector and imposes risk-management measures, management accountability and an incident-reporting duty. The Cyber Resilience Act (Regulation (EU) 2024/2847) addresses the products: it sets cybersecurity requirements for hardware and software with digital elements, including many systems used across port chains.

NIS2: the port as an entity

NIS2 (Directive (EU) 2022/2555) replaced the original NIS Directive and widened the scope to a large number of sectors, including transport. That covers water transport and the associated infrastructure, such as seaports and port facilities. Entities are classified as essential or important, with different supervision and enforcement regimes.

For a port falling under NIS2, the obligations include risk-management measures (Art. 21) — such as risk analysis, incident handling, supply-chain security and continuity management — and explicit management accountability (Art. 20): the management body must approve the measures and oversee their implementation. A phased reporting duty for significant incidents also applies. Member States had to transpose NIS2 into national law by 17 October 2024; the precise implementation and the designation of the competent authority differ per Member State.

The Cyber Resilience Act: the products in the chain

Where NIS2 targets organisations, the Cyber Resilience Act (Regulation (EU) 2024/2847) targets products with digital elements — hardware and software that can be connected to a network or another device. The regulation places security requirements on manufacturers, importers and distributors across the product lifecycle, including vulnerability handling.

In a port environment these include, for example, sensors, lock and quay measurement systems, terminal-operating software and industrial control systems used in operational technology. The CRA applies in a phased manner; full application is set for 11 December 2027, with earlier dates for certain obligations. For ports this means that the selection and procurement of digital equipment will increasingly be shaped by the CRA conformity of suppliers.

How NIS2 and the CRA come together

NIS2 and the CRA complement each other: NIS2 obliges the port as an organisation to secure itself — including supply-chain security — while the CRA governs the security of procured products at the source. A port that falls under NIS2 can use suppliers' CRA conformity as a building block for its own risk-management measures. Both frameworks are now adopted; the exact obligations depend on the entity's classification, the national transposition of NIS2 and the phased timeline of the CRA.


Sources

  1. https://eur-lex.europa.eu/eli/dir/2022/2555/oj
    Directive (EU) 2022/2555 (NIS2): cybersecurity duties for essential and important entities; transposition by 17 October 2024.
  2. https://eur-lex.europa.eu/eli/reg/2024/2847/oj
    Regulation (EU) 2024/2847 (Cyber Resilience Act): security requirements for products with digital elements; full application 11 December 2027.

About this knowledge base

Compiled and maintained by YRproject — programme and project direction at the intersection of digital transformation, AI and regulation. Every factual claim is traceable to its primary source. YRproject is led by Dirk Baaijen.
