Network and Information Security Directive 2 (NIS2)
Status: In force — NIS2 obligations are now in effect, with fines of up to EUR 10 million or 2% of worldwide turnover for essential entities.
What Is It?
The NIS2 Directive (EU 2022/2555) significantly expands the European Union's cybersecurity requirements, and for the first time explicitly classifies maritime transport as an essential service sector. This means shipping companies, port operators, and maritime service providers meeting the directive's size thresholds must implement comprehensive cybersecurity risk management measures, report significant cyber incidents to national authorities, and ensure their supply chains meet minimum security standards — with substantial penalties for non-compliance.
NIS2 builds on and replaces the original NIS Directive (2016), widening the scope from a narrow set of operators of essential services to a broad, sector-based approach that captures medium and large enterprises across 18 sectors including transport. For maritime, this encompasses shipping companies with 50+ employees or annual turnover exceeding EUR 10 million, port management bodies, vessel traffic services, and companies providing maritime-related digital services. Member States were required to transpose NIS2 into national law by October 17, 2024.
The directive mandates a risk-based approach to cybersecurity, requiring entities to implement appropriate and proportionate technical, operational, and organizational measures to manage cyber risks. This includes policies on risk analysis, incident handling, business continuity, supply chain security, network security, access control, encryption, and multi-factor authentication. For the maritime sector — where the convergence of IT and OT systems on increasingly connected vessels creates unique vulnerabilities — NIS2 represents a step-change in cybersecurity governance requirements.
Who It Affects
NIS2 applies to maritime transport entities classified as essential or important entities under the directive. This includes shipping companies (shipowners, managers, and operators) with 50 or more employees or annual turnover/balance sheet exceeding EUR 10 million, port management bodies, vessel traffic services, and providers of maritime-related digital infrastructure and services. The directive applies based on the entity's establishment in an EU Member State, regardless of where its vessels are flagged. Management bodies (boards of directors, senior executives) bear direct responsibility for approving cybersecurity measures and can be held personally liable for non-compliance — a significant departure from previous regulatory approaches.
Key Dates
- NIS2 Directive enters into force across the European Union
- Deadline for EU Member States to transpose NIS2 into national legislation (October 17, 2024)
- NIS2 obligations apply to entities in scope — compliance required from this date
- Deadline for Member States to establish the list of essential and important entities
- Deadline for Member States to define the list of entities required to register with national authorities
Requirements
- Implement comprehensive cybersecurity risk management measures covering IT and OT systems, including those on vessels
- Establish and maintain an incident response and business continuity plan addressing maritime-specific cyber scenarios
- Report significant cyber incidents to the national CSIRT or competent authority within 24 hours (early warning) and 72 hours (full notification)
- Conduct regular cybersecurity risk assessments of shore-based IT infrastructure, vessel OT systems, and supply chain dependencies
- Implement access control policies, multi-factor authentication, and encryption for critical systems and communications
- Ensure supply chain security by evaluating and monitoring the cybersecurity practices of key suppliers and service providers
- Provide cybersecurity awareness training for management and staff, including vessel-based personnel
- Designate a management body responsible for approving and overseeing cybersecurity risk management measures — with personal liability for management
Penalties & Non-Compliance
NIS2 introduces substantial penalties for non-compliance. Essential entities (which include maritime transport operators above the thresholds) face administrative fines of up to EUR 10 million or 2% of total worldwide annual turnover, whichever is higher. For important entities, the maximum fines are EUR 7 million or 1.4% of worldwide annual turnover. Beyond financial penalties, national competent authorities can impose temporary bans on management from exercising managerial functions, order entities to make their non-compliance public, and suspend certifications or authorizations. The directive also enables Member States to impose periodic penalty payments for continued non-compliance. Critically, senior management can be held personally liable for failing to approve and oversee cybersecurity measures.
How CyberSmart Helps
These modules support your maritime cybersecurity compliance under NIS2.
Secure your maritime operations
See how CyberSmart helps you implement NIS2-compliant cybersecurity risk management across IT, OT, and vessel systems.