Transport & logistics · deadlines

NIS2 for transport and logistics: who is in scope and which duties follow

NIS2 probably applies if your organisation passes two tests: it matches an entity type listed in Annex I or II of Directive (EU) 2022/2555 — for transport: commercial air carriers, airport and port managing bodies (including entities operating installations within airports and ports), rail infrastructure managers and railway undertakings, water transport companies, traffic-management road authorities and ITS operators, plus postal and courier providers — and it is at least medium-sized (broadly 50 or more staff, or more than EUR 10 million annual turnover and balance-sheet total). Road haulage, freight forwarding and warehousing are not listed entity types; those parties usually encounter NIS2 indirectly, through security requirements that in-scope customers must impose on direct suppliers and service providers under Article 21(2)(d). Entities that are in scope face three core duties: risk-management measures (Article 21), incident reporting on fixed deadlines of 24 hours, 72 hours and one month (Article 23), and accountability anchored at the management body (Article 20).

Coverage is two tests: listed entity type, then size

Article 2(1) applies the directive to public or private entities of a type referred to in Annex I or II that qualify as medium-sized enterprises under Recommendation 2003/361/EC or exceed the medium-size ceilings, and that provide services or carry out activities in the Union. Under that Recommendation, medium-sized means fewer than 250 staff and an annual turnover not exceeding EUR 50 million and/or a balance-sheet total not exceeding EUR 43 million; the practical entry floor is therefore roughly 50 staff or more than EUR 10 million in annual turnover and balance-sheet total. The size test has exceptions: regardless of size, an Annex I or II entity can be brought in scope if it is, for example, the sole provider in a Member State of a service essential for critical societal or economic activities, if disruption of its service could significantly affect public safety, security or health, or if it is designated as a critical entity under Directive (EU) 2022/2557 (Article 2(2)–(3)). Within scope, Article 3 splits entities into two categories: Annex I entities that exceed the medium-size ceilings are essential entities; most other in-scope entities — including medium-sized transport entities and Annex II types — are important entities, although an entity designated as critical under Directive (EU) 2022/2557 is an essential entity regardless of size, and a Member State can classify an entity it brings in scope under Article 2(2)(b)–(e) as essential (Article 3(1)(e)–(f)). The category determines the supervision regime and the fine ceiling, not the substance of the duties.

What Annex I lists for transport — and what it does not

Annex I point 2 names the transport entity types per subsector. Air: air carriers used for commercial purposes, airport managing bodies and airports including entities operating ancillary installations within airports (a heading that can capture cargo-handling operations on airport grounds), and air traffic control operators. Rail: infrastructure managers and railway undertakings, including operators of service facilities. Water: inland, sea and coastal passenger and freight water transport companies (not the individual vessels), managing bodies of ports including their port facilities and entities operating works and equipment contained within ports — the heading under which cargo and container terminals inside a port area will most plausibly fall — and vessel traffic services. Road is narrower than often assumed: only road authorities responsible for traffic-management control and operators of intelligent transport systems are listed; commercial road hauliers are not. Annex II adds postal service providers including courier services, and — relevant for distribution-heavy shippers — food businesses engaged in wholesale distribution. Freight forwarding and warehousing do not appear as entity types in either annex.

Not listed does not mean untouched: the supply-chain pull-through

Article 21(2)(d) obliges every in-scope entity to address supply-chain security, including the security-related aspects of its relationships with direct suppliers and service providers. Article 21(3) sharpens this: entities must take into account the vulnerabilities specific to each direct supplier and service provider and the overall quality of their products and cybersecurity practices, including secure development procedures. A freight forwarder, warehouse operator or logistics IT provider that serves an in-scope carrier, terminal, port or manufacturer is therefore likely to face NIS2-derived requirements — security questionnaires, contractual clauses, audit rights — even though the directive imposes no direct statutory duty on it. The obligation sits with the in-scope customer, but the commercial effect lands with the supplier: demonstrable incident handling, patching discipline and access control increasingly become conditions for keeping contracts with regulated counterparties.

The duties: ten minimum measures and fixed reporting clocks

In-scope entities must take appropriate and proportionate technical, operational and organisational measures, based on an all-hazards approach, covering at least ten areas listed in Article 21(2): policies on risk analysis and information-system security; incident handling; business continuity including backup management, disaster recovery and crisis management; supply-chain security; security in acquisition, development and maintenance of systems including vulnerability handling and disclosure; procedures to assess the effectiveness of the measures; basic cyber hygiene and cybersecurity training; policies on cryptography and, where appropriate, encryption; human-resources security, access control and asset management; and, where appropriate, multi-factor or continuous authentication and secured communications. Proportionality is explicitly scaled to the entity's risk exposure, its size, and the likelihood and severity of incidents (Article 21(1)). Reporting follows fixed clocks under Article 23: an incident is significant if it has caused or can cause severe operational disruption or financial loss, or considerable damage to other parties; a significant incident triggers an early warning within 24 hours of awareness, an incident notification within 72 hours, an intermediate report on request, and a final report no later than one month after the incident notification. Where relevant, recipients of the services may also need to be informed.

Board accountability, supervision, and where implementation stands

Article 20 places compliance at the top: management bodies must approve the cybersecurity risk-management measures, oversee their implementation, and can be held liable for infringements; members of the management body are required to follow training. Supervision differs by category: essential entities face proactive oversight including on-site inspections, regular and targeted security audits and security scans (Article 32), while important entities face ex post supervision triggered by indications of non-compliance (Article 33). Fine ceilings are set at a maximum of at least EUR 10 million or 2% of total worldwide annual turnover for essential entities, and at least EUR 7 million or 1.4% for important entities, whichever is higher (Article 34). The transposition deadline was 17 October 2024, with application from 18 October 2024, and Member States were to list essential and important entities by 17 April 2025 based on information the entities themselves must submit (Articles 41, 3(3)–(4)). National implementation remains uneven: the Commission sent reasoned opinions to 19 Member States on 7 May 2025 and on 8 July 2026 referred Ireland, Spain, France and the Netherlands to the Court of Justice for failing to notify transposition measures. The directive-level duties are settled; what differs per Member State is the timing and detail of national law, so the applicable national regime needs to be checked in each country of operation.

What to do

Map each activity of your organisation against the entity types in Annex I point 2 and Annex II of Directive (EU) 2022/2555, apply the size test from Recommendation 2003/361/EC, and record a written conclusion per activity — essential, important, out of scope, or indirectly exposed via customer contracts. That determination decides registration, supervision and every subsequent NIS2 step, and is the first thing a regulator or customer will ask for.

Sources

Last verified against the primary sources: 2026-07-09

Follow this topic

Get an email whenever something changes here. No account needed; confirm by email (double opt-in).

We use your email address only to send updates about this topic. You can unsubscribe at any time. See our privacy policy.

← All transport & logistics topics