Transport and logistics literally move the Spanish economy. Every container that crosses the Strait through Algeciras, every freight train linking Madrid and Zaragoza, every cargo flight that lands at Barajas and every truck that delivers goods to an industrial estate is part of a chain that cannot afford long stoppages without triggering shortages, industrial losses and, in some scenarios, risk to people. The NIS2 directive recognises this criticality by placing the transport sector among the essential entities, with reinforced obligations on risk management, incident notification and continuous supervision.
This article walks through the scope of NIS2 over the rail, maritime, aviation and road subsectors, the public cases that have shaped the sectoral conversation from NotPetya to recent incidents in European ports, the specific technical risks affecting TMS, WMS, EDI, GPS and port OT environments, and the compliance roadmap that a logistics operator must articulate to close 2026 with an auditable defensive posture.
The essentials. The transport and logistics sector operates as an essential entity under NIS2 in its rail, maritime, aviation and road subsectors when size thresholds are exceeded or a critical supply chain role is performed. Real threats include ransomware against shipping lines and port operators, manipulation of container release codes, GPS spoofing, vulnerabilities in OT systems of port cranes and compromises of internet-exposed TMS and WMS. The compliance plan must combine IT and OT segmentation, EDR at ports and warehouses, MFA on TMS, governance of vendor remote access and incident runbooks that operate twenty-four hours a day.
Logistics and transport as a NIS2 essential sector
NIS2 significantly broadens sectoral coverage compared with the original directive. Transport appears as one of the high criticality sectors, with four explicitly regulated subsectors: rail, aviation, maritime and inland waterways, and road. For each subsector the directive identifies the types of entities included, from infrastructure managers and service operators to port and airport authorities.
In Spain the economic weight of each subsector differs but all of them perform strategic functions. The port of Algeciras is the country's leading port by container traffic and one of the largest in the Mediterranean, with annual volumes that make it an indispensable logistics node for international trade. Madrid concentrates the main aviation hub of southern Europe through Barajas, both in passengers and in cargo. The rail network managed by ADIF and operated for freight by Renfe and private operators connects the main industrial and port centres. Road transport, fragmented across thousands of companies, accounts for most internal freight movement and represents the last mile of practically every chain.
The distinction between essential entity and important entity within NIS2 modulates the intensity of supervision, but the substantive obligations on risk management and incident notification are equivalent. An operator that considers itself outside the NIS2 perimeter may nonetheless enter through the supply chain when providing services to an essential entity.
Transport subsectors and their operational reality
Each transport subsector has its own technical and regulatory particularities.
Rail. ADIF manages the infrastructure, interlockings, signalling and control centres. Train operators, both public and private, run freight and passenger services. Modern ERTMS signalling combines onboard systems, trackside equipment and control centres in a digital architecture that replaces traditional lineside signals. The rail attack surface includes traffic control centres, passenger information systems, depots and workshops with connected systems, and the GSM-R communications network that links train and track.
Maritime. Port authorities report to Puertos del Estado and manage the port infrastructure, while terminals are operated by private companies, frequently integrated within global groups such as APM Terminals, DP World or Hutchison Ports. Shipping lines run the routes with container ships, bulk carriers, gas carriers and other vessel types. A port is an ecosystem where corporate IT systems coexist with port community systems for documentary management, terminal operating systems for container planning and OT environments controlling cranes, automated vehicles and loading equipment.
Aviation. AENA operates the Spanish airport network, including Madrid Barajas as the main hub. Airlines manage fleet, operations and sales systems. Air cargo logistics relies on integrators and on handling companies. Critical systems include control towers managed by ENAIRE, baggage handling, ticketing platforms, boarding systems and OT environments linked to runways, lighting and fuel.
Road. This subsector is the most fragmented. A core of large operators coexists with thousands of small and medium transport companies. Digitalisation has introduced TMS for fleet management, freight matching platforms, onboard telemetry, tachograph management systems and mobile apps for drivers. The attack surface includes operations centres, connected onboard systems and cloud platforms of specialised technology providers.
NIS2 scope over transport and thresholds
Whether a transport entity falls under NIS2 is determined by combining its type of activity with the size thresholds that the directive and the national transposition apply. As a general criterion, medium and large entities in the cited subsectors are covered as essential or important entities. The essential entity status applies to actors that the directive deems most critical, which in transport typically includes infrastructure managers, larger service operators, relevant port and airport authorities and rail operators performing structural functions in the network.
Important entities are also subject to NIS2 material obligations, although their supervision regime is somewhat less intensive in terms of proactive inspections. Below the general thresholds an entity can still be included when it performs a critical role for the supply chain or when the national authority designates it specifically.
The practical rule for any sector operator is to perform a documented applicability analysis considering size, subsector, logistics role and dependencies with other essential entities. That documentation is the first piece of evidence a regulator will request if it opens proceedings.
Public cases in the logistics and port sector
The available historical evidence is enough to sustain ongoing defensive investment, without resorting to speculation.
Maersk and NotPetya in 2017. The Danish shipping line Maersk was affected by the NotPetya attack, which spread laterally from an initial vector linked to Ukrainian accounting software. The operational impact on Maersk was massive, with terminal stoppages in ports around the world and large-scale rebuilding of Active Directory infrastructure. The company itself publicly disclosed a financial impact estimate in the range of three hundred million dollars in the accounts of the affected fiscal year, a figure repeatedly cited in sectoral literature.
Hapag-Lloyd. The German shipping line has publicly communicated incidents and phishing campaigns targeting its corporate environment, in line with the exposure the maritime sector has to social engineering operations leveraged for fraud and initial access.
IMO in 2020. The International Maritime Organization confirmed a cybersecurity incident in July 2020 that affected its public-facing web systems. The episode made clear that no organisation in the maritime ecosystem, not even the global regulator, is beyond the reach of hostile actors.
European ports in recent years. Several European ports have communicated security incidents with varying degrees of impact, from phishing campaigns and limited compromises to incidents with operational impact on documentary management. Public conversation around the security of northern European ports, including episodes documented in the media about Antwerp and other facilities, reflects a real exposure surface not confined to a single operator.
These cases share a pattern. Initial impact tends to occur in IT, frequently via phishing or credential compromise, and the operational dependency between IT and the physical operation translates into logistics paralysis when support systems go down.
Specific risks in the transport sector
The attack vectors most concerning to the sector in 2026 combine traditional threats with realities derived from logistics digitalisation.
Exposed TMS and WMS. Transport and warehouse management systems concentrate sensitive information on routes, customers, inventories and operations. When these systems are published on the internet without an adequate protection layer, or accessed from personal devices without controls, they become a favourite vector for initial access.
EDI and legacy integrations. Electronic data interchange remains the backbone of communication between shippers, shipping lines, port operators, customs and consignees. Many EDI links run on aged infrastructure, with weak authentication, no modern encryption and dependencies on third parties acting as translators. These integrations accumulate technical debt that translates into risk if they are not progressively modernised.
GPS spoofing and jamming. Interference with and spoofing of GPS signals affect fleet traceability and, in more sophisticated scenarios, can induce positioning errors. Although operational criticality varies by transport mode, logistics dependency on precise positioning grows with every year of digitalisation.
Container release codes. The container pickup process at ports relies on codes that authorise delivery to the carrier. These codes have become a target for criminal networks seeking to collect unauthorised cargo, frequently with purposes linked to drug trafficking or fraud. Compromise of customer accounts and of terminal or customs broker employees is the usual path.
Port OT. Quay cranes, RTG cranes, automated yard vehicles and loading systems rely on industrial controllers and automation platforms from manufacturers such as Siemens, ABB or Kalmar. Modernisation has connected these environments to corporate networks to optimise maintenance and telemetry, widening the attack surface on assets that traditionally lived isolated.
Vendor remote access. The sector works with an extensive ecosystem of technology vendors that require remote access to critical systems for maintenance. Governance of this access, frequently overlooked, is one of the priority focus areas of any mature NIS2 programme.
Applicable regulatory framework
The Spanish logistics company operates in a multi-layered framework in which NIS2 does not replace pre-existing instruments but works alongside them.
NIS2. Sets the European baseline for cybersecurity risk management, incident notification and supervision. The Spanish transposition defines the competent authority and the sanctioning procedures.
IMO ISPS Code. The International Ship and Port Facility Security Code obliges ships and port facilities to have protection plans, designated security officers and periodic assessments. Historically focused on physical security, its crossover with cybersecurity is increasingly explicit in IMO's own recommendations.
IATA and European aviation regulation. The aviation sector applies a specific regulatory body that includes IATA recommendations on cybersecurity in operations, as well as European regulations linked to the European Union Aviation Safety Agency. AENA and ENAIRE apply these frameworks in the Spanish network.
Puertos del Estado. The national authority coordinates the network of port authorities and issues guidance integrating cybersecurity obligations in line with NIS2 and the ISPS Code.
Other instruments. The National Security Framework when services are provided to the public sector, the Critical Infrastructure Protection Law for designated operators and European regulations on combined transport complete the framework that an operator must address.
Priority controls for logistics operators
A logistics company that wants to close 2026 with a solid defensive posture concentrates investment in a set of controls that operational experience and the NIS2 framework flag as priorities.
IT and OT segmentation at ports. Clear separation between corporate systems and port industrial environments reduces the lateral movement surface. Industrial firewalls, whitelists of communication between zones and data diodes where criticality justifies them are the basis of a defensible architecture.
EDR at ports and warehouses. Endpoint detection and response remains the most effective tool to contain early compromises. Deployment must reach port operator workstations, warehouse equipment and office devices at operations centres.
MFA on TMS and critical platforms. Multi-factor authentication on transport management systems, on warehouse management platforms and on administration environments closes one of the most frequent intrusion paths.
Vendor remote access governance. Remote connections from manufacturers and suppliers must be channelled through auditable jump hosts, strong authentication and full session logging. Periodic review of active accounts and immediate revocation upon contract termination are basic practices that audits regularly find missing.
Incident runbooks operating twenty-four hours. Logistics operations do not stop at night or on weekends. The response team must have clear runbooks, mobilisation capacity outside office hours and documented escalation channels to the competent authority and to INCIBE-CERT or CCN-CERT as appropriate.
EDI and integration hardening. Progressive modernisation of EDI integrations towards secure protocols, certificate-based authentication and complete transaction traceability is an investment that reduces fraud and manipulation risk.
Specific monitoring of port OT. Passive visibility solutions over industrial traffic allow inventorying assets and detecting anomalous behaviour in cranes, yard systems and connected machinery, without introducing risk to the operation.
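The periodic review described under vendor remote access governance can be run as a repeatable check against an account inventory. The Python below is an added example, not Secra's code or tooling; the record fields, vendor names, dates and the 90-day review window are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class VendorAccount:          # hypothetical inventory record, not a real product schema
    user: str
    vendor: str
    enabled: bool
    mfa: bool                 # strong authentication enforced
    via_jump_host: bool       # access only through the auditable jump host
    session_logged: bool      # full session logging active
    last_login: Optional[date]

# Constructed sample data. Contract end date per vendor; None means still in force.
CONTRACT_END = {"crane-oem": None, "tms-vendor": date(2026, 1, 31), "wms-vendor": None}
ACCOUNTS = [
    VendorAccount("oem-maint-01", "crane-oem", True, True, True, True, date(2026, 3, 2)),
    VendorAccount("tms-support", "tms-vendor", True, True, True, True, date(2026, 2, 20)),
    VendorAccount("wms-legacy", "wms-vendor", True, False, False, False, date(2025, 9, 1)),
    VendorAccount("ext-integrator", "old-integrator", True, True, True, True, None),
]

def audit_vendor_access(accounts, contract_end, today, stale_days=90):
    """Return {user: [findings]} for enabled vendor accounts that break the policy."""
    findings = {}
    for acc in accounts:
        if not acc.enabled:
            continue          # disabled accounts are already revoked
        issues = []
        if acc.vendor not in contract_end:
            issues.append("no contract on record")
        else:
            end = contract_end[acc.vendor]
            if end is not None and end < today:
                issues.append("contract ended, account still enabled")
                if acc.last_login and acc.last_login > end:
                    issues.append("login after contract end")
        if not acc.mfa:
            issues.append("no strong authentication")
        if not acc.via_jump_host:
            issues.append("bypasses jump host")
        if not acc.session_logged:
            issues.append("sessions not logged")
        if acc.last_login is None or (today - acc.last_login).days > stale_days:
            issues.append("unused beyond review window")
        if issues:
            findings[acc.user] = issues
    return findings

if __name__ == "__main__":
    for user, issues in audit_vendor_access(ACCOUNTS, CONTRACT_END, date(2026, 3, 10)).items():
        print(f"{user}: {'; '.join(issues)}")
```

The output doubles as audit evidence when it is stored together with the inventory snapshot and the review date.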
Operational continuity when systems go down
Logistics lives on time. One hour of stoppage at a port terminal generates chain delays that reach the final shipper. The operational continuity plan for a logistics operator under NIS2 must include at least three blocks.
Cold backup of TMS and WMS. The capability to recover the transport management system and the warehouse management system in an alternative environment, validated periodically, is the central piece of continuity. Recovery must be executable independently from the state of the main environment, avoiding dependencies that get invalidated in a real incident.
Manual procedures for degraded operation. When systems are unavailable, the physical operation must be able to continue with documented manual procedures. Control of entries and exits at a terminal, cargo management in a warehouse and coordination with drivers must have a clear protocol that the team can activate without improvisation.
Communication with the supply chain. A logistics incident affects customers, suppliers and chain partners. The existence of communication templates, alternative channels and designated spokespersons accelerates external incident management and reduces reputational damage. Coordination with the competent authority and with national CSIRTs must be part of the same flow.
Frequently asked questions
Does a small shipping company fall within NIS2 scope?
It depends on size and logistics role. Micro and small companies fall outside the general NIS2 perimeter, but they can enter when they perform a critical role for the supply chain or when the national authority designates them specifically. A small shipping company with strategic routes or with relevant dependencies on essential entities must perform a documented applicability analysis, without assuming that its size automatically exempts it.
What is the difference between a port authority and a terminal operator under NIS2?
The port authority manages the common infrastructure of the port and is typically considered an essential entity. The terminal operator runs a specific concession within the port and, depending on its size and operating volume, can be an essential or an important entity. Both are subject to equivalent material obligations on risk management and incident notification, although the regulated functions differ.
Is GPS spoofing detectable?
There are detection techniques based on signal quality analysis, on discrepancies with other onboard sensors and on the temporal coherence of received positions. Effective detection requires specific instrumentation and, in many cases, integration with fleet management platforms that correlate information from several sources. Mere reliance on the GPS receiver without contrast against other data leaves the fleet exposed.
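The three families of checks named above (temporal coherence, discrepancy with another onboard sensor, signal quality) can be combined in a fleet telemetry pipeline. The Python below is an added example, not part of the original article; the telemetry fields, the sample track and all thresholds are constructed assumptions that would need tuning per vehicle type and receiver.

```python
import math
from statistics import pstdev

MAX_SPEED_MS = 40.0      # assumption: ceiling for a road truck (~144 km/h)
ODO_TOLERANCE_M = 150.0  # assumption: allowed GPS vs odometer gap per interval
MIN_CN0_SPREAD = 1.5     # assumption: dB-Hz; real satellites rarely look this uniform

def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS84 points."""
    r = 6371000.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * r * math.asin(math.sqrt(a))

def check_track(fixes):
    """Compare consecutive fixes; return [(timestamp, [reasons])] for suspicious ones."""
    alerts = []
    for prev, cur in zip(fixes, fixes[1:]):
        reasons = []
        dt = cur["t"] - prev["t"]
        gps_d = haversine_m(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
        odo_d = cur["odo_m"] - prev["odo_m"]
        # Temporal coherence: time must advance and implied speed must be plausible.
        if dt <= 0:
            reasons.append("non-monotonic timestamp")
        elif gps_d / dt > MAX_SPEED_MS:
            reasons.append("implausible implied speed")
        # Cross-sensor check: distance by GPS against distance by wheel odometer.
        if abs(gps_d - odo_d) > ODO_TOLERANCE_M:
            reasons.append("gps/odometer mismatch")
        # Signal quality: near-identical C/N0 on every satellite suggests one emitter.
        if len(cur["cn0"]) >= 4 and pstdev(cur["cn0"]) < MIN_CN0_SPREAD:
            reasons.append("uniform signal strength")
        if reasons:
            alerts.append((cur["t"], reasons))
    return alerts

# Constructed sample track: 10 s fixes, position jumps ~5.5 km north at t=30.
NORMAL = [45.0, 38.0, 41.0, 33.0, 47.0]
FLAT = [42.0, 42.3, 41.8, 42.1, 42.2]
TRACK = [
    {"t": 0,  "lat": 41.6000, "lon": -0.9000, "odo_m": 0,    "cn0": NORMAL},
    {"t": 10, "lat": 41.6000, "lon": -0.8970, "odo_m": 250,  "cn0": NORMAL},
    {"t": 20, "lat": 41.6000, "lon": -0.8940, "odo_m": 500,  "cn0": NORMAL},
    {"t": 30, "lat": 41.6500, "lon": -0.8940, "odo_m": 750,  "cn0": FLAT},
    {"t": 40, "lat": 41.6500, "lon": -0.8910, "odo_m": 1000, "cn0": FLAT},
]

if __name__ == "__main__":
    for t, reasons in check_track(TRACK):
        print(t, reasons)
```

At t=40 the track looks coherent again and only the signal-quality check still fires, which is why correlating several sources matters more than any single test.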
Should a logistics operator pay the ransom in a ransomware attack?
The recommendation from European authorities and national CSIRTs is not to pay. Payment does not guarantee recovery, fuels the criminal economy and can generate additional liabilities depending on the destination of the funds. The final decision rests with company management, but it must be documented with legal advice and with coordination with the competent authority and with the CSIRTs.
How do you secure a legacy EDI without replacing it?
Full modernisation is not always feasible in the short term. In the meantime mitigation measures can be applied, such as encapsulating EDI traffic over encrypted channels, strengthening end-to-end authentication, specific monitoring of flows and network separation for the segment hosting the integrators. The roadmap must provide for progressive replacement of the legacy EDI rather than its perpetuation.
How much does NIS2 compliance cost in logistics?
Cost depends on the starting point, on the size of the organisation and on the subsector. A medium-sized operator with some degree of maturity can address a NIS2 programme with investments distributed across eighteen to twenty-four months, combining consultancy, tools and managed services. A large operator with complex port environments requires higher investments, justified by the criticality of the operation. The initial gap analysis is the basis for building a realistic budget.
Logistics audit with Secra
Secra supports logistics operators, port authorities, shipping lines and transport companies in NIS2 compliance with an approach that combines sectoral gap analysis, technical audit on TMS, WMS and port OT environments, red team exercises tailored to the operational reality of the sector and continuous support in incident notification. Our team connects offensive knowledge with logistics experience, avoiding textbook recommendations that do not fit the reality of a terminal or an operations centre.
If your organisation is building or reviewing its NIS2 programme for the logistics sector, let us talk and design together the most efficient path to a solid and auditable defensive posture.
About the author
Secra Solutions team
Ethical hackers with OSCP, OSEP, OSWE, CRTO, CRTL and CARTE certifications, 7+ years of experience in offensive cybersecurity, and authors of CVE-2025-40652 and CVE-2023-3512.