Table of contents
- NIS2 Directive: what it is and what changes for transport
- IEC 62443: the security standard for OT systems
- How NIS2 and IEC 62443 integrate in the transportation sector
- Compliance and governance: tools and strategies
The transport sector is of strategic importance for national and European security. Railways, airports, ports, motorways and integrated logistics systems are vital nodes that must be protected from increasingly complex cyber threats.
The increase in cyber attacks on industrial control systems (OT) and management IT systems has pushed institutions to define a series of regulations and standards for cyber security in transportation, in order to ensure operational safety and continuity of services.
Two essential references in this field are the NIS2 Directive (Network and Information Security Directive) and the IEC 62443 standard, an international standard for OT security.
Both frameworks are essential to address cyber risks and build a transportation cyber security compliance system that can withstand malicious and accidental events.
In this article, we will delve into the key elements of these two regulations, their specific applications in the transport sector, and the operational implications for companies, public bodies and logistics operators.
NIS2 Directive: what it is and what changes for transport
The NIS2 Directive entered into force on 16 January 2023 and extends the scope of the previous NIS Directive from 2016. One of the main objectives is to raise the level of security of networks and information systems of all operators of essential services, including those active in critical transport.
NIS2 establishes obligations for risk management, notification of security incidents, and adoption of technical and organizational measures appropriate to the risk. The security requirements include:
- documented and updated cyber security policies;
- vulnerability management and software updates;
- IT and OT network segmentation;
- periodic assessment of suppliers in the supply chain;
- staff training and awareness.
Such measures must be proportionate but mandatory: Member States must define effective sanctions for non-compliant operators. Transport cyber security compliance must therefore be built taking into account the NIS2 Directive, which also actively involves public administrations and management bodies.
IEC 62443: the security standard for OT systems
IEC 62443 is a family of international standards developed by the ISA (International Society of Automation) and adopted by the IEC (International Electrotechnical Commission) for the security of industrial control systems. This standard provides a comprehensive framework for protecting OT assets used in the transportation sector.
The IEC 62443 guidelines are structured on four levels:
- General Model (62443-1-x): defines concepts, terminology, and reference models.
- Policy and Procedures (62443-2-x): specifies organizational requirements for security management.
- System Technical Requirements (62443-3-x): establishes security measures for networks, communications, and access.
- Component Requirements (62443-4-x): addresses security features in devices and software.
Applying IEC 62443 to critical transport means ensuring that each component of the system (e.g. SCADA, PLC, sensors) can be integrated into a protected environment, managed according to security policies consistent with OT security standards. The standard encourages the adoption of a “defense-in-depth” approach, in which each level of the infrastructure has its own protection mechanisms.

How NIS2 and IEC 62443 integrate in the transportation sector
Companies in the sector must apply multi-level transport cyber security regulations, where the NIS2 directive defines the legal obligations and IEC 62443 provides the technical framework to implement these obligations.
Example
One example is the integration between the risk management required by NIS2 and the risk assessment models required by IEC 62443-3-2, with data flow mapping, threat vector identification and OT network segmentation.
Compliance with both standards must be verifiable through internal audits and certifications.
Example
A railway operator is required to adopt security policies for its digital infrastructure (NIS2) and demonstrate that its signalling system devices are protected from unauthorised access (IEC 62443).
Another crucial aspect concerns suppliers: the supply chain is often the weak point of cyber security. NIS2 requires operators to evaluate suppliers carefully, while IEC 62443 allows minimum requirements for devices to be defined based on the level of risk.
Compliance and governance: tools and strategies
Achieving transport cyber security compliance requires much more than just formal compliance with rules and regulations: it means building an integrated security governance system that brings together legal obligations, operational needs and technological specificities of transport systems.
In this sense, the interaction between the NIS2 directive, the IEC 62443 standard and international best practices such as ISO/IEC 27001 allows for the development of a systemic approach to managing cyber risks in complex and often critical environments.
One of the first steps is to create a Security Management System (SMS), which is a documented management system that describes roles, responsibilities, decision-making processes and technical measures taken to ensure the security of IT and OT systems.
This system must be integrated into ordinary business processes, not relegated to an isolated function, because transport network security is not a one-time goal, but a continuous and dynamic activity.
Key tools to support this model include:
- Threat modeling for transport: preventive analysis of possible cyber threats specific to mixed IT/OT environments, taking into account the interaction between SCADA subsystems, embedded vehicle devices, and communication networks between infrastructures and control centers.
- Real-time monitoring dashboards: software solutions that enable dynamic visualization of critical assets, their patching status, known vulnerabilities and behavioral anomalies, helping to raise the level of security.
- Periodic audits and penetration tests: control and attack simulation activities, essential to verify that security requirements are not only theoretical, but actually applied and resistant to real threats. OT penetration tests must be performed with extreme caution, to avoid compromising the operation of the systems.
- Awareness programs: public administration and private operators in the transportation sector must invest in continuous training for all personnel, from maintenance technicians to system administrators, so that everyone understands the cyber risks related to their role and acts responsibly.
- SIEM and IDS adapted to the OT context: Security Information and Event Management systems, as well as Intrusion Detection Systems, must be configured taking into account the supply chain, latency in OT networks and compatibility constraints with industrial protocols such as Modbus, DNP3 or OPC-UA.
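As an added illustration (not code from the original article), the following Python sketch shows how an OT-aware IDS rule can apply the zone-and-conduit segmentation produced by an IEC 62443-3-2 risk assessment (the first "Example" above) to Modbus/TCP requests: a write function code arriving over a conduit that does not permit writes, or over no defined conduit at all, becomes a SIEM alert. The zones, conduits, addresses and sample frames are all constructed assumptions for the example.

```python
import ipaddress
import struct
# Constructed IEC 62443-3-2 style zone-and-conduit model for a small rail
# signalling network; addresses, zone names and traffic below are invented.
ZONES = {
    "scada": ipaddress.ip_network("10.2.0.0/24"),         # SCADA / HMI servers
    "field": ipaddress.ip_network("10.3.0.0/24"),         # PLCs, interlocking controllers
    "corporate_it": ipaddress.ip_network("10.9.0.0/24"),  # business IT
}
CONDUITS = {  # zone pairs allowed to carry Modbus/TCP, and whether writes are allowed
    ("scada", "field"): {"writes": True},
    ("corporate_it", "scada"): {"writes": False},  # read-only historian access
}
WRITE_FUNCTIONS = {5, 6, 15, 16, 22, 23}  # function codes that change device state
MBAP = struct.Struct(">HHHB")  # transaction id, protocol id, length, unit id

def zone_of(ip):
    return next((n for n, net in ZONES.items() if ipaddress.ip_address(ip) in net), None)

def inspect(src, dst, payload):
    """Return None if the request fits the conduit model, else an alert string."""
    if len(payload) <= MBAP.size:
        return "malformed: truncated MBAP header"
    _tid, proto, length, unit = MBAP.unpack_from(payload)
    fc = payload[MBAP.size]
    if proto != 0 or length != len(payload) - 6:
        return "malformed: bad protocol id or length field"
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    if src_zone is None or dst_zone is None:
        return f"unknown zone: {src} -> {dst}"
    conduit = CONDUITS.get((src_zone, dst_zone))
    if conduit is None:
        return f"no conduit {src_zone} -> {dst_zone} (fc {fc}, unit {unit})"
    if fc in WRITE_FUNCTIONS and not conduit["writes"]:
        return f"write fc {fc} over read-only conduit {src_zone} -> {dst_zone}"
    return None

def modbus_request(tid, unit, fc, body):
    """Build a Modbus/TCP request; the MBAP length field covers unit id + PDU."""
    return MBAP.pack(tid, 0, 2 + len(body), unit) + bytes([fc]) + body

SAMPLE = [  # (source, destination, frame)
    ("10.2.0.10", "10.3.0.5", modbus_request(1, 1, 3, b"\x00\x00\x00\x0a")),  # SCADA read
    ("10.9.0.44", "10.3.0.5", modbus_request(2, 1, 6, b"\x00\x10\x00\x01")),  # IT host writes to PLC
    ("10.9.0.44", "10.2.0.10", modbus_request(3, 1, 6, b"\x00\x10\x00\x01")), # IT writes to SCADA
    ("10.3.0.6", "10.3.0.5", modbus_request(4, 1, 5, b"\x00\x01\xff\x00")),   # PLC-to-PLC write
]

def alerts(traffic=SAMPLE):
    return [(s, d, a) for s, d, p in traffic if (a := inspect(s, d, p))]
```

In a real deployment the zone table would come from the documented risk assessment and the conduit rules would be kept in step with the segmentation actually enforced at the firewalls, so that any Modbus write outside the agreed conduits is both blocked and logged.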
All these tools must be coordinated within a risk governance strategy that includes cycles of evaluation, action, verification and continuous improvement.
In fact, transport cyber security compliance is not limited to meeting legal requirements: it must be an integral part of a broader process that ensures the operational resilience of the transport system in crisis scenarios, human errors or targeted cyber attacks.
In summary, effective transport security governance requires a constant balance between European infrastructure regulations, OT security standards, and technological innovation.
Only an interdisciplinary approach, which takes into account the specificity of cyber-critical transport, will be able to bring organizations to a mature level of compliance and operational readiness against increasingly sophisticated threats.
To conclude
In the interconnected world of transportation, the security of OT networks and systems is essential to avoid disruptions, incidents and reputational damage. Strict application of the NIS2 directive and of IEC 62443 in transport is key to building a resilient, reliable and compliant infrastructure.
Every company, public or private, that operates in the mobility sector must invest in IT security management systems and adopt proportionate but effective security measures. Only in this way can the safety of citizens, continuity of service and compliance with European infrastructure regulations be guaranteed.
Questions and answers
- What are transportation cyber security regulations?
They are rules and standards aimed at protecting transportation infrastructure from cyber threats.
- What does the NIS2 directive provide for transport?
Obligations of risk management, notification of incidents and adoption of technical safety measures.
- What is the purpose of IEC 62443?
It defines the technical and organizational requirements for protecting OT systems used in transportation.
- Who is subject to NIS2?
Essential service operators, including public and private companies in the transport sector.
- Are NIS2 and IEC 62443 mandatory?
NIS2 is binding for Member States; IEC 62443 is a voluntary but globally recognized standard.
- How is IEC 62443 applied in the railway sector?
By protecting SCADA systems and signalling networks with specific controls against unauthorised access.
- How do you comply with NIS2?
By implementing security management systems, documenting policies, and reporting incidents.
- What cyber risks threaten transportation?
Malware, ransomware, OT sabotage, phishing, SCADA exploits, and supply chain attacks.
- Does NIS2 also cover the supply chain?
Yes, it requires the evaluation and management of third-party suppliers.
- Do SMEs in the transport sector have to comply?
If they are considered essential or important entities according to NIS2, yes. Others should also adopt best practices for their own safety.