NIS 2 for the transport sector
Annex I sector 2 covers four sub-sectors. Safety regulation does not replace NIS 2.
Why transport is in NIS 2
The NIS 2 Directive treats transport as a sector of high criticality. Annex I sector 2 lists four sub-sectors: air, rail, water and road. Each names its own entity categories, so a regional airline, a station operator, a port authority and a road traffic management operator all sit in the same sector under different points.
The legal layer that decides who is in scope is the EU Directive plus the national transposition. In Germany that is the BSIG. Sector regulators such as the Luftfahrt-Bundesamt, the Eisenbahn-Bundesamt and the Bundesamt für Seeschifffahrt und Hydrographie keep their existing safety remits. The BSI is the competent authority for the cyber duties of NIS 2 and works alongside those regulators, not instead of them.
The size test in Article 2(1) decides whether an entity is in scope at all. Once it is in, the obligations in Article 21 (risk measures) and Article 23 (incident reporting) apply regardless of which sub-sector the entity belongs to. The implementing regulation for the digital sub-sectors does not cover transport; transport sits under the general Article 21 framework with sectoral guidance from ENISA.
EU Directive
Sector 2: Transport. (a) Air transport, (b) Rail transport, (c) Water transport, (d) Road transport.
Directive (EU) 2022/2555, Annex I, sector 2. Each letter lists its own entity categories (air carriers and airport managing bodies; infrastructure managers, railway undertakings and station operators; carriers by inland, sea and coastal waters and port managing bodies; road authorities and operators of intelligent transport systems).
EU implementing acts
Commission Implementing Regulation (EU) 2024/2690 applies to specific digital infrastructure entities. Transport is not in scope of that regulation.
Transport obligations come directly from Article 21 of the Directive plus any national implementing rules. ENISA publishes sector guidance, but there is no Commission Implementing Regulation that fixes detailed technical requirements for transport at EU level today.
National transposition (Germany)
Annex 1 of the BSIG mirrors Annex I sector 2 of the Directive. The size test in section 28 BSIG follows Article 2(1).
Germany transposes NIS 2 through the BSIG. The BSI is the competent authority. Sector-specific safety regulation under the Luftverkehrsgesetz, the Allgemeines Eisenbahngesetz and the Seeaufgabengesetz remains in force and runs in parallel.
Match a sub-sector category
Air covers air carriers used for commercial purposes, airport managing bodies and entities operating ancillary installations within airports, plus traffic management control operators providing air traffic control services. Rail covers infrastructure managers and railway undertakings including operators of service facilities. Water covers inland, sea and coastal passenger and freight water transport companies, managing bodies of ports and operators of vessel traffic services. Road covers road authorities responsible for traffic management control and operators of intelligent transport systems.
Meet the size test
Medium or large counts: 50 or more staff, or annual turnover and balance sheet above 10 million euro. Smaller entities can still be in scope where Article 2(2) overrides apply, for example sole providers of an essential service in a Member State.
KRITIS is an extra layer
BSI-KritisV sets quantitative thresholds per sub-sector for what counts as a critical installation in Germany. Hitting a KRITIS threshold adds duties for KRITIS-specific facilities. Not hitting it does not remove the underlying NIS 2 duty if the entity is medium or large in a sector 2 category.
Safety and cyber are different lanes
Air, rail, water and road already sit under heavy safety regimes (EASA, ERA, IMO, vehicle and infrastructure rules). NIS 2 adds duties for information and communication systems used to operate the service. The sector safety regulator keeps its lane. The NIS 2 competent authority looks at how the entity governs risk, supplies, incidents and continuity for its IT and OT.
Continuity is the practical test
What matters for NIS 2 is whether the operator can keep the service running and notify the right authority when something goes wrong. Article 21 names the measure families (governance, risk, supply chain, incident handling, business continuity, cryptography, access control, training, asset management). Article 23 sets the notification timeline (24h early warning, 72h incident notification, 1 month final report).
Bundesamt für Sicherheit in der Informationstechnik
BSI is the competent authority for NIS 2 under the BSIG. Registration, risk measures under section 30 and incident notification under section 32 go to the BSI. Sector safety regulators (Luftfahrt-Bundesamt, Eisenbahn-Bundesamt, Bundesamt für Seeschifffahrt und Hydrographie, Bundesanstalt für Straßenwesen) cooperate with the BSI but do not replace it for NIS 2 cyber duties.
Bundesnetzagentur and sector overlaps
The Bundesnetzagentur is the NIS 2 authority for telecoms. Transport overlaps with telecoms only where the entity also runs public communication networks. For pure transport, the BSI is the single NIS 2 address. For KRITIS facilities, the existing KRITIS reporting channel keeps running in parallel.
ENISA
ENISA publishes sector guidance and the threat landscape for transport. Its work informs national authorities and standards bodies, but ENISA does not issue binding rules. For transport-specific guidance, read the ENISA reports alongside the adjacent regimes: the EASA Part-IS rules for aviation and IMO Resolution MSC.428(98) for maritime.
Our safety certification covers cyber.
Safety regimes (EASA, ERA, IMO and national equivalents) cover safety of operations and increasingly include security elements (for example EASA Part-IS). They do not discharge NIS 2 Article 21 and Article 23 duties. The NIS 2 authority is separate, the scope is broader, and the incident notification clock is different.
Only airlines and airports are in.
All four sub-sectors are in. Rail infrastructure managers, railway undertakings and station operators sit in 2(b). Inland, sea and coastal carriers, port managing bodies and vessel traffic service operators sit in 2(c). Road authorities for traffic management control and operators of intelligent transport systems sit in 2(d). A regional bus authority or a port authority is just as much in sector 2 as a flag carrier.
We are below the KRITIS threshold so NIS 2 does not apply.
KRITIS thresholds in BSI-KritisV are a separate national layer for very large installations. The NIS 2 size test is set in Article 2(1) and is generally much lower. A 60-employee station operator with 12 million euro turnover is below most KRITIS thresholds and still squarely in scope of NIS 2.
The reading we hear most often from transport operators is that NIS 2 lands on top of an organisation already shaped by safety law. The IT and OT teams talk to a different regulator than the safety team, and the two conversations need to stay aligned. The Article 21 measures (governance, risk, supply chain, incident handling, business continuity, cryptography, access control, training, asset management) are not new ideas, but the documentation depth and the registration step are.
Article 21(1) requires measures that are appropriate and proportionate, taking account of state of the art, cost of implementation and the entity's exposure. That gives a small port authority a different floor than a national rail operator. Document the proportionality reasoning so a reviewer can follow it.
The platform structures the Article 21 measures as one obligation register and lets transport operators run their NIS 2 file alongside their existing safety documentation. Asset inventory (the foundation of RSK), supplier register, incident workflow, governance sign-offs and training records sit in one place and produce the evidence the BSI looks for.
The free tier includes everything an operator needs to register under NIS 2 in Germany and run the core obligations. No tier locks any required feature.
- Directive (EU) 2022/2555 (NIS 2), Annex I sector 2 — Transport
- Directive (EU) 2022/2555, Article 2 (scope and size test), Article 21 (risk measures), Article 23 (incident reporting)
- BSIG (Gesetz über das Bundesamt für Sicherheit in der Informationstechnik), Annex 1 sector 2; sections 28, 30, 32
- BSI-Kritisverordnung (BSI-KritisV), sector-specific thresholds for transport
- ENISA threat landscape for transport (most recent edition)
- EASA Implementing Regulation (EU) 2023/203 (Part-IS) for aviation security
- IMO Resolution MSC.428(98) on maritime cyber risk management