In June 2017, the NotPetya malware spread through Maersk’s systems in a matter of hours. The world’s largest container shipping company was without its core IT systems for about ten days, had to reinstall 45,000 PCs and 4,000 servers, and put the total cost at between $250 and $300 million.

It was not a targeted attack on Maersk. NotPetya arrived as a poisoned update of the Ukrainian accounting package M.E.Doc, installed at a single Maersk office, and from there propagated laterally across the entire corporate network using the SMB vulnerability EternalBlue and credentials harvested from infected hosts, without finding any segmentation to stop it. A supply chain compromise at one supplier became a global outage.

TNT Express (FedEx) was hit by the same NotPetya wave, CMA CGM suffered a ransomware attack in 2020, and dozens of other logistics operators have had similar incidents since. The logic is always the same: logistics is critical infrastructure because stopping the flow of goods has immediate and visible economic and social consequences, which makes these operators high-value targets for ransomware groups.

NIS2 recognizes this reality and lists transport among the sectors of high criticality in Annex I of the directive, with cybersecurity obligations already in force that explicitly include digital supply chain security as one of their fundamental pillars.

Which logistics companies fall within NIS2 scope

NIS2 lists transport in Annex I (sectors of high criticality) with four subsectors: air, rail, water and road. The entities named there are air carriers, airport managing bodies and air traffic control operators; railway infrastructure managers and railway undertakings; passenger and freight water transport companies, port managing bodies and vessel traffic services; and, for road, the authorities responsible for traffic management and operators of intelligent transport systems. Road hauliers and integrated logistics companies combining warehousing, distribution and transport are not named as such: they come into scope through national transposition (which may designate further entities on criticality grounds), through other Annex entries such as postal and courier services in Annex II, or indirectly, because an essential entity they serve must push supply chain security requirements down to them.

Understanding what the directive means for your specific context requires knowing the size thresholds and classification criteria applicable in your Member State. For operators working with the Spanish market, the article on NIS2 transposition in Spain covers the national implementation criteria in detail.

Size matters within those sectors. Essential-entity status is reserved for large entities in Annex I sectors (as a rule, 250 or more staff, or above the EUR 50 million turnover and EUR 43 million balance sheet ceilings for medium-sized enterprises), while medium-sized entities in the same sectors, and medium and large entities in Annex II sectors, are important entities. That category also carries the Article 21 obligations, but with ex post (reactive) supervision rather than the ex ante supervision applied to essential entities. Placing a company therefore requires verifying headcount, turnover and balance sheet, plus any national designation based on the criticality of the service provided to the economy or society.

The logistics supply chain as an attack surface

What makes cybersecurity in logistics particularly complex is not just each operator’s internal technology, but the density of interconnections with third parties. A typical mid-sized logistics operator simultaneously depends on:

Critical software vendors. Warehouse management systems (WMS) and transport management systems (TMS) concentrate information about loads, routes, clients and suppliers. They are direct targets because compromising one gives access to data across the entire chain and can halt physical operations.

EDI integrations and APIs with customers and suppliers. Electronic data interchange is the connective tissue of modern logistics. Each integration is a potential lateral entry channel from third-party systems with weaker security controls.

OT systems in automated warehouses. Conveyor belts, automated sorting systems, AGVs (automated guided vehicles) and RFID readers connected to the corporate network create an IT/OT convergence where an incident in the data network can have direct physical consequences on operations.

Subcontracted carriers and freight agents. Shipment data, manifests and customs documentation circulate among multiple parties in the chain, frequently through platforms with heterogeneous access controls.

The most exploited attack vector in logistics is not an internal technical vulnerability: it is the implicit trust placed in integrated third-party systems. An EDI connection or an API that accepts messages from a partner without strong, partner-specific authentication (a shared static credential, unsigned payloads, or IP allow-listing alone) is the most common initial entry point once that partner has been compromised.
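The receiving side of such an integration is where the implicit trust is either enforced or removed. The following is an added example (not PrivaLex's code, and not any specific EDI product): an inbound gateway that only accepts a partner's message if it carries a signature made with that partner's own key over the partner id, a timestamp, a nonce and the payload hash, rejects stale messages and replays, and compares signatures in constant time. Header names, partner ids, keys and the EDIFACT-style payload are all constructed for the example; a real deployment would keep the keys in a secret store and rotate them per partner.

```python
"""Authenticating inbound EDI/API messages with per-partner HMAC signatures.

Added example, not PrivaLex's code. Header names, partner ids and keys are
constructed for the example; a real deployment would load keys from a secret
store and rotate them per partner.
"""
import hashlib
import hmac
import secrets
import time

# Constructed per-partner secrets. A key is scoped to one partner, so a
# compromised carrier cannot forge messages on behalf of another partner.
PARTNER_KEYS = {
    "carrier-A": b"constructed-key-for-carrier-A",
    "carrier-B": b"constructed-key-for-carrier-B",
}
MAX_SKEW_SECONDS = 300  # freshness window for the timestamp and the nonce cache


def canonical_string(partner_id: str, timestamp: int, nonce: str, body: bytes) -> bytes:
    """Bind every authenticated field into one string so none can be swapped."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([partner_id, str(timestamp), nonce, body_hash]).encode()


def sign(partner_id: str, key: bytes, timestamp: int, nonce: str, body: bytes) -> str:
    return hmac.new(key, canonical_string(partner_id, timestamp, nonce, body), hashlib.sha256).hexdigest()


def make_request(partner_id: str, key: bytes, body: bytes, timestamp: int, nonce: str = "") -> dict:
    """Sender side: the headers a partner attaches to its EDI payload."""
    nonce = nonce or secrets.token_hex(16)
    return {
        "X-Partner-Id": partner_id,
        "X-Timestamp": str(timestamp),
        "X-Nonce": nonce,
        "X-Signature": sign(partner_id, key, timestamp, nonce, body),
    }


class InboundGateway:
    """Receiver side: verifies partner, freshness, signature and replay."""

    def __init__(self, keys: dict, clock=time.time):
        self.keys = keys
        self.clock = clock
        self.seen_nonces = {}  # "partner:nonce" -> expiry time

    def verify(self, headers: dict, body: bytes) -> tuple:
        partner = headers.get("X-Partner-Id", "")
        key = self.keys.get(partner)
        if key is None:
            return False, "unknown partner"
        try:
            ts = int(headers["X-Timestamp"])
        except (KeyError, ValueError):
            return False, "missing timestamp"
        now = self.clock()
        if abs(now - ts) > MAX_SKEW_SECONDS:
            return False, "stale"
        nonce = headers.get("X-Nonce", "")
        sig = headers.get("X-Signature", "")
        if not nonce or not sig:
            return False, "missing signature"
        # Constant-time comparison so a forger cannot time byte-by-byte matches.
        if not hmac.compare_digest(sign(partner, key, ts, nonce, body), sig):
            return False, "bad signature"
        # Only authenticated messages reach the nonce cache, so unauthenticated
        # traffic cannot fill it or evict legitimate entries.
        self.seen_nonces = {n: exp for n, exp in self.seen_nonces.items() if exp > now}
        cache_key = f"{partner}:{nonce}"
        if cache_key in self.seen_nonces:
            return False, "replay"
        self.seen_nonces[cache_key] = now + MAX_SKEW_SECONDS
        return True, "ok"


def demo() -> dict:
    """Run the gateway against a valid message and the usual failure cases."""
    now = 1_700_000_000
    gw = InboundGateway(PARTNER_KEYS, clock=lambda: now)
    body = b"UNB+UNOA:1+CARRIERA+OPERATOR+231114:1200+000001'"  # constructed EDIFACT-style fragment
    key_a = PARTNER_KEYS["carrier-A"]
    good = make_request("carrier-A", key_a, body, now, nonce="n1")
    results = {}
    results["valid"] = gw.verify(good, body)[1]
    results["replay"] = gw.verify(good, body)[1]
    results["tampered_body"] = gw.verify(good, body + b"UNZ+1+000001'")[1]
    # Signed with carrier-A's key but presented as carrier-B: key scoping rejects it.
    spoof = dict(good, **{"X-Partner-Id": "carrier-B", "X-Nonce": "n2"})
    results["wrong_partner"] = gw.verify(spoof, body)[1]
    stale = make_request("carrier-A", key_a, body, now - 3600, nonce="n3")
    results["stale"] = gw.verify(stale, body)[1]
    results["unsigned"] = gw.verify({"X-Partner-Id": "carrier-A", "X-Timestamp": str(now)}, body)[1]
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:14s} -> {outcome}")
```

The ordering inside `verify` is deliberate: the partner lookup and freshness check are cheap and run first, the signature is checked before anything is written to the nonce cache, and the replay check is last so that only authenticated traffic can consume cache entries. The same structure applies if the transport is AS2 or mTLS instead of signed HTTP headers: the key point is that each partner's credential only vouches for that partner's messages.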

NIS2-specific obligations for the logistics sector

Article 21 of NIS2 establishes the minimum measures that essential and important entities must implement. For the logistics sector, the most relevant are:

Supply chain security. NIS2 explicitly requires entities to manage the security risks introduced by their suppliers and service providers. This means mapping critical technology dependencies, assessing the security posture of higher-risk suppliers and establishing minimum cybersecurity contractual requirements in agreements with third parties.

Incident management. Documented processes for detecting, containing, notifying and recovering from incidents. Article 23 sets the notification timeline for both essential and important entities: an early warning to the national CSIRT or competent authority within 24 hours of becoming aware of a significant incident, an incident notification within 72 hours, and a final report within one month.

Business continuity and crisis management. Contingency plans specifically covering scenarios of critical system unavailability, with defined and tested recovery times. In logistics, the operational pressure from clients and contracts makes disaster recovery as critical as prevention.

Access controls and authentication. Multi-factor authentication for remote access and critical systems, lifecycle management for employee and especially third-party identities (carriers, suppliers, maintenance technicians) who access internal systems.

Staff training. NIS2 includes cybersecurity awareness and training as a mandatory minimum measure. For practical guidance on designing training that is demonstrable in an audit, the article on employee training for NIS2 covers the key criteria.

The 4 most critical risks in connected logistics operations

1. Ransomware with physical impact

Unlike other sectors, in logistics a ransomware attack does not only encrypt data: it stops physical operations. If the WMS becomes inaccessible, the warehouse cannot receive or dispatch goods.

If the TMS goes down, fleets lose assignments and routes. The economic impact per hour of downtime for a large logistics operator can be measured in tens of thousands of euros, creating extreme pressure toward paying the ransom.

2. Software supply chain attacks

The attack model through compromised software updates, such as the SolarWinds case or NotPetya itself, is especially relevant in logistics because operators depend on WMS, TMS and freight visibility platforms from external suppliers that update their systems frequently. A compromised software vendor can become the entry vector into dozens of client operators simultaneously.

3. Cargo data and manifest manipulation

Beyond ransomware, there are threats aimed at silent data manipulation: modifying cargo manifests to facilitate smuggling, altering temperature data in cold chains, tampering with traceability records. This type of attack generates no immediate alerts and can go undetected for months.
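Silent manipulation is only silent if the records have no integrity protection. The following is an added example (not PrivaLex's code): cold-chain readings appended to an HMAC chain where each record's tag covers the previous tag and the record's own fields, under a key that the WMS/TMS write path is assumed not to hold (kept by a separate verification service). Editing a reading, deleting a record or reordering records then breaks the chain at verification time, and a separately stored anchor (chain length plus last tag) catches truncation of the tail, which a chain alone cannot detect. The shipment and readings are constructed sample data.

```python
"""Tamper-evident traceability records with an HMAC chain.

Added example, not PrivaLex's code. The verification key is assumed to sit
with a separate service, not with the system that writes the records.
All records below are constructed sample data.
"""
import copy
import hashlib
import hmac
import json

VERIFY_KEY = b"constructed-key-held-by-verification-service"


def _tag(prev_tag: str, seq: int, record: dict) -> str:
    # Canonical JSON so the same record always serializes to the same bytes.
    payload = json.dumps({"seq": seq, "prev": prev_tag, "record": record},
                         sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(VERIFY_KEY, payload, hashlib.sha256).hexdigest()


def append(chain: list, record: dict) -> list:
    """Append a record whose tag binds it to its position and predecessor."""
    prev = chain[-1]["tag"] if chain else "genesis"
    seq = len(chain)
    chain.append({"seq": seq, "record": record, "tag": _tag(prev, seq, record)})
    return chain


def anchor(chain: list) -> dict:
    """What to store out of band (with the verifier) after each batch."""
    return {"length": len(chain), "tag": chain[-1]["tag"] if chain else "genesis"}


def verify(chain: list, expected_anchor: dict = None) -> tuple:
    """Return (True, None) if intact, else (False, index of the first bad record).
    Truncation against the anchor is reported as index == len(chain)."""
    prev = "genesis"
    for i, entry in enumerate(chain):
        if entry["seq"] != i or not hmac.compare_digest(_tag(prev, i, entry["record"]), entry["tag"]):
            return False, i
        prev = entry["tag"]
    if expected_anchor is not None and (len(chain) != expected_anchor["length"] or prev != expected_anchor["tag"]):
        return False, len(chain)
    return True, None


def demo() -> dict:
    """Build a chain of readings, then try the manipulations an attacker would."""
    chain = []
    readings = [  # constructed cold-chain readings for one shipment
        {"shipment": "SHP-1001", "ts": "2024-03-01T08:00Z", "temp_c": 3.9},
        {"shipment": "SHP-1001", "ts": "2024-03-01T10:00Z", "temp_c": 4.1},
        {"shipment": "SHP-1001", "ts": "2024-03-01T12:00Z", "temp_c": 9.5},  # excursion
        {"shipment": "SHP-1001", "ts": "2024-03-01T14:00Z", "temp_c": 4.0},
    ]
    for r in readings:
        append(chain, r)
    stored_anchor = anchor(chain)
    results = {"intact": verify(chain, stored_anchor)}

    edited = copy.deepcopy(chain)
    edited[2]["record"]["temp_c"] = 4.0  # hide the excursion
    results["edited"] = verify(edited, stored_anchor)

    deleted = copy.deepcopy(chain)
    del deleted[2]  # drop the excursion record; later seqs no longer line up
    results["deleted"] = verify(deleted, stored_anchor)

    truncated = copy.deepcopy(chain)[:3]  # cut the tail; the chain alone looks fine
    results["truncated_no_anchor"] = verify(truncated)
    results["truncated_with_anchor"] = verify(truncated, stored_anchor)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:22s} -> {outcome}")
```

The design choice that matters is key separation: if the WMS itself holds `VERIFY_KEY`, an attacker who controls the WMS can simply re-tag the edited chain. The verifier (or an HSM it uses) must be the only holder, and the anchor must be written somewhere the write path cannot reach, such as an append-only log or a second system with its own access controls.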

4. Attacks on port and airport infrastructure

Port terminal operating systems (TOS), truck slot booking platforms and customs clearance systems are critical infrastructure whose unavailability blocks the flow of goods with cascading consequences.

The port of Antwerp case is the reference example of manipulation rather than disruption: between 2011 and 2013 drug traffickers compromised container tracking systems to alter container data and collect shipments unnoticed, and attacks on port infrastructure have become significantly more sophisticated since.

Third-party and supplier management under NIS2

The NIS2 supply chain security obligation has direct contractual implications that many logistics operators have not yet translated into their commercial relationships.

For critical technology vendors (WMS, TMS, visibility platforms, EDI), the operator must be able to require evidence of their security posture: certifications such as ISO 27001, recent penetration test results, vulnerability management and patching deadline policies, and incident notification procedures toward the customer.

For subcontracted carriers with access to internal systems or data sharing platforms, the contract must include minimum security requirements: authentication on shared platforms, secure credential management and an obligation to notify breaches that may affect the operator’s data.

For OT system maintenance vendors, the same third-party access management principles that apply in other critical sectors apply here: pre-authorized access, individual credentials with MFA, and logging of all sessions.

A structured ISO 27001 risk assessment that includes the third-party dependency map is the starting point for identifying which suppliers carry the most risk and prioritizing where to contractually strengthen security requirements.

How to build a NIS2 compliance program for logistics

The starting point is determining the company’s exact classification (essential or important entity) and the scope of in-scope systems, which in logistics includes not only corporate IT but all systems with a direct impact on operations: WMS, TMS, weighing, temperature monitoring and traceability systems, and integration platforms with third parties.

On that inventory, the risk assessment is built, identifying critical dependencies, the highest-impact scenarios and the controls that already exist versus those that are missing. For entities that need to prepare for active NIS2 supervision, the article on preparing for a NIS2 audit provides a guide to what national supervisors evaluate in most detail.

The program must also address the operational dimension of incident response: in logistics, the first hours of an attack are the most critical because the cost of downtime grows by the hour. Having a documented playbook, with clear roles and alternative communication systems that do not depend on compromised infrastructure, can make the difference between a 48-hour recovery and a two-week one.

How PrivaLex helps

PrivaLex works with logistics operators, transport companies and technology providers for the sector on implementing NIS2 requirements with a focus on the digital supply chain. The starting point is a gap analysis against Article 21 of NIS2, with particular attention to third-party dependencies and connected OT systems that generate the most attack surface.

The work covers the technology supply chain risk assessment, review of contracts with critical vendors to incorporate enforceable security requirements, design of the incident notification protocol with NIS2 deadlines, and support in preparing for active supervision when the company is classified as an essential entity.

Conclusion

NIS2 turns digital supply chain security into a legal obligation for the logistics sector, not an optional best practice. The sector’s real exposure, documented in incidents like NotPetya, the complexity of technology integrations between operators and the IT/OT convergence in automated warehouses make this one of the sectors with the greatest urgency to act. Companies that have not yet started their gap analysis are running a regulatory and operational risk that grows with every month of inaction.

If you want to know where your organization stands on NIS2 obligations, request your free risk assessment or book a session with our team.

Frequently Asked Questions

Road transport is one of the four transport subsectors in Annex I of NIS2, the sectors of high criticality. The road entries, however, are road authorities responsible for traffic management and operators of intelligent transport systems; freight carriers are not named as such and typically come into scope through national designation, through other Annex entries (postal and courier services in Annex II) or as suppliers to in-scope entities. Size thresholds also apply: NIS2 targets medium and large enterprises and generally excludes micro and small ones unless a Member State designates them on criticality grounds. The exact classification therefore depends on headcount, turnover and, in some cases, the criticality of the service provided to the national transport system. Verifying it with up-to-date legal advice is the first step before starting any compliance program.

Article 21 of NIS2 explicitly includes supply chain security among the mandatory minimum measures. In practice, this means assessing the cybersecurity risks introduced by critical technology suppliers and service providers, establishing contractual security requirements for those suppliers, and actively managing those relationships including incident notification. Having robust internal controls is not sufficient: the directive also requires that risks coming from outside be identified and managed.

Yes, when those OT systems have a direct impact on the delivery of the essential service. NIS2 does not distinguish between information technology (IT) and operational technology (OT): the scope of the directive covers all network and information systems supporting in-scope services. In an automated warehouse with sorting systems, AGVs and temperature controls connected to the corporate network, those systems are part of the NIS2 scope and must be included in the risk assessment and security controls.

Under NIS2, the essential or important entity remains responsible for the continuity and security of its service even if the incident originates in an external supplier. If the supplier’s incident causes a significant incident in your operations, the notification obligation to the national CSIRT applies to you, regardless of whether the supplier has its own. That is why the supply chain measure in Article 21 translates, in practice, into a contractual obligation on critical suppliers to notify you of any incident that may affect your services, early enough for you to meet your own 24-hour and 72-hour deadlines.

The documentary elements that NIS2 supervisors evaluate in most detail are: the information security policy approved by management, the updated risk assessment with the asset inventory and treatment measures, the map of critical supplier dependencies with contractually established security requirements, the incident register and notification procedure with deadlines, the business continuity plan with cyberincident scenarios, and staff cybersecurity training records. Without that documentary foundation, the entity cannot demonstrate due diligence before the supervisor even if it has technical controls implemented.

They are not the same, though they complement each other. ISO 27001 is an information security management standard with voluntary certification. NIS2 is a mandatory European directive. Being ISO 27001 certified does not automatically guarantee NIS2 compliance, though it significantly facilitates the work because many NIS2 controls have their equivalent in ISO 27001 Annex A. For logistics entities already holding ISO 27001, the gap analysis against NIS2 is typically faster because the documentary foundation and many technical controls already exist and only need adapting to the directive’s specific requirements.
