<p>The Network information systems (NIS) 2 directive was introduced to strengthen cybersecurity obligations for operators of essential and important services. The critical rail infrastructure falls under essential services; therefore, this study examines how critical rail infrastructure operators are adopting and operationalising NIS 2 directives and identifies the sector-specific challenges that affect their compliance efforts. Using a qualitative document analysis of key European Union Agency for Cybersecurity (ENISA) reports, supported by inductive and deductive coding of NIS 2 directive and Critical Entities Resilience (CER) directive, the research explores four themes: governance fragmentation, uneven cybersecurity maturity, particularly within the Operations Technology (OT) environments, supplier dependency and supply-chain vulnerabilities, and persistent incident reporting and detection gaps. Findings indicate that while the critical rail infrastructure has made progress in adopting NIS 2, its implementation remains partial and inconsistent across Member States and actors. Governance fragmentation hinders knowledge sharing and coordinated response horizontally; variability in IT–OT maturity constrains comprehensive risk management; supply-chain complexity exposes operators to cascading vulnerabilities; and the quality and completeness of incident reporting continues to challenge full compliance with Article 23. When compared with ENISA’s technical implementation guidance, these findings reveal that NIS 2 provides a practical guide for strengthening critical rail infrastructure resilience, but significant operational, organisational, and supply-chain barriers must still be addressed. The study contributes to ongoing critical infrastructure cybersecurity discourse by answering three research questions related to NIS 2 adoption, alignment of publicly available documentation, and sector-specific compliance challenges. It provides a structured evidence base that can support regulators, operators, and suppliers in translating NIS 2 obligations into realistic, sector-appropriate practices that enhance the cybersecurity European critical rail infrastructure.</p>

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

Cybersecurity in critical rail infrastructure: sector specific adoption of the NIS 2 directive in Europe

  • Mimi Enakome Oka,
  • Martin Hromada,
  • Roman Jasek

摘要

The Network information systems (NIS) 2 directive was introduced to strengthen cybersecurity obligations for operators of essential and important services. The critical rail infrastructure falls under essential services; therefore, this study examines how critical rail infrastructure operators are adopting and operationalising NIS 2 directives and identifies the sector-specific challenges that affect their compliance efforts. Using a qualitative document analysis of key European Union Agency for Cybersecurity (ENISA) reports, supported by inductive and deductive coding of NIS 2 directive and Critical Entities Resilience (CER) directive, the research explores four themes: governance fragmentation, uneven cybersecurity maturity, particularly within the Operations Technology (OT) environments, supplier dependency and supply-chain vulnerabilities, and persistent incident reporting and detection gaps. Findings indicate that while the critical rail infrastructure has made progress in adopting NIS 2, its implementation remains partial and inconsistent across Member States and actors. Governance fragmentation hinders knowledge sharing and coordinated response horizontally; variability in IT–OT maturity constrains comprehensive risk management; supply-chain complexity exposes operators to cascading vulnerabilities; and the quality and completeness of incident reporting continues to challenge full compliance with Article 23. When compared with ENISA’s technical implementation guidance, these findings reveal that NIS 2 provides a practical guide for strengthening critical rail infrastructure resilience, but significant operational, organisational, and supply-chain barriers must still be addressed. The study contributes to ongoing critical infrastructure cybersecurity discourse by answering three research questions related to NIS 2 adoption, alignment of publicly available documentation, and sector-specific compliance challenges. It provides a structured evidence base that can support regulators, operators, and suppliers in translating NIS 2 obligations into realistic, sector-appropriate practices that enhance the cybersecurity European critical rail infrastructure.