In an increasingly interconnected world, logistics is the nervous system of the global economy. However, with advancing automation, from AI-controlled high-bay warehouses to networked rail freight systems, the surface area vulnerable to cyber-attacks is growing dramatically.
The NIS2 Directive (Directive (EU) 2022/2555)1 marks a turning point in European cybersecurity policy. It transforms IT security from a downstream support function into a central compliance obligation with severe sanctions and personal liability for senior management. This creates entirely new requirements, particularly for companies in the logistics, transport and logistics plant engineering sectors.
Scope: who is affected?
NIS2 aims to achieve a high common level of security for network and information systems. The NIS2 categories are decisive for classification: the Directive distinguishes between ‘important’ and ‘critical’ facilities. The classification is generally based on the activities listed in Annexes I and II of NIS2 and on EU size criteria (medium/large under Directive 2013/34/EU); national implementation provides further details.
Logistics as a strategic sector
The transport sector is generally classified as a critical sector under the NIS2 framework. Whether a company is considered a particularly important or important facility depends on the specific activities (Annex I/II NIS2) and the size criteria, as well as their national implementation, and must be assessed on a case-by-case basis.2
The ‘ripple effect’ on plant engineering
Even if plant manufacturers do not directly meet the thresholds, they may – contractually – be covered by the due diligence obligations in the supply chain (supply chain security). From 2026 at the latest, cyber resilience along supply chains is likely to become a key competitive factor, as clients increasingly pass on NIS2-compliant security, reporting and audit obligations contractually to the supply chain and demand corresponding evidence.
The personal liability of senior management: A new development
A key aspect of the NIS2 Directive is the direct involvement of senior management (directors’ liability).
- Approval and monitoring obligations: Management must not only approve the company’s cybersecurity measures but also actively monitor their implementation.
- Training obligation: Members of the management are legally obliged to attend specific training courses on a regular basis in order to be able to assess cyber risks and their impact on business operations.
- Personal liability: In the event of a culpable breach of duty regarding risk management measures (approval/monitoring, training), management bodies are liable to their own company in accordance with the relevant standards of company law.
Core obligations: Risk management and reporting
NIS2 requires a ‘cross-risk approach’ to ensure the resilience of the entire business model.
Comprehensive risk management
Risk management encompasses clear responsibilities up to senior management, regular risk analyses with a central risk register (including measures, deadlines and responsible parties), as well as defined risk acceptance criteria and escalation procedures. The organisations concerned must implement a set of minimum measures covering the entire lifecycle of a facility, e.g.
- incident handling,
- business continuity and crisis management (including backup/restore tests),
- supply chain and third-party controls,
- secure development and patch/vulnerability management,
- effectiveness measurements (KPIs/KRIs),
- Training and awareness,
- Cryptography and access policies (including MFA) and
- network segmentation and logging.
Effectiveness is regularly assessed (audits, tests, exercises) and continuously improved (PDCA cycle)
The timing of reporting obligations
Security incidents with significant consequences must be reported to the Federal Office for Information Security (BSI) (additional recipients may apply depending on the sector). Significant security incidents must be reported in stages:
- 24 hours: Early warning to the competent authority (e.g. BSI) if an incident has significant (or appears to have significant) impact on the service.
- 72 hours: Interim report with a preliminary assessment of the severity and impact, as well as initial remedial measures.
- 1 month: A detailed final report on the causes and the remedial measures taken.
Strategic contract design: compliance through partnership
To implement the NIS2 requirements in a legally compliant manner, contracts between operators and plant manufacturers must be revised. A cooperative approach should be adopted here:
Patch management and software lifecycle
- Security SLA and audit: Agreement on minimum measures (encryption, patch cycles) as well as audit and testing rights and appropriate evidence (reports, certificates).
- Incident governance: Establishment of an incident playbook with clear communication channels and reporting deadlines.
- Supply chain and responsibilities: Incorporation of security requirements into subcontractor agreements (back-to-back obligations).
- Data and access: Regulation of remote access via hardened systems (jump hosts) with comprehensive logging.
Sanctions: a risk to the balance sheet
The EU has learnt from the GDPR in NIS2: fines are no longer symbolic, but painful:
- Critical infrastructure operators: Up to €10 million or 2% of global annual turnover.
- Important entities: Up to €7 million or 1.4% of global annual turnover.
Conclusion: cyber resilience as a competitive advantage
NIS2 is a challenge, but also an opportunity. In an industry based on punctuality and reliability, cyber resilience is becoming a hallmark of quality. Those who embed these building blocks early on in planning, construction and operations reduce the risk of failure and create a verifiable, scalable compliance architecture for hubs and transport. Those who proactively implement the requirements of the NIS2 Directive today are not only building safer warehouses, but also a more stable future for the entire supply chain.
1 The NIS 2 Directive was published in the Official Journal of the European Union on 27 December 2022 and entered into force on 16 January 2023. In Germany, the NIS 2 Implementation Act (“Draft Act on the Implementation of the NIS 2 Directive and on the Regulation of Key Principles of Information Security Management in the Federal Administration”) entered into force on 6 December 2025.
2 In the EU, size is systematically determined in accordance with the Accounting Directive (Art. 3 of Directive 2013/34/EU): categorisation based on two out of three criteria (balance sheet total, net turnover, number of employees); in Germany, Section 267 of the German Commercial Code (HGB) reflects this system.
