Annex I – Essential / Important Entity

NIS2 for Logistics and Transport Companies

Transport is classified under Annex I of NIS2, covering road, rail, water, and air transport. If your logistics company has 50+ employees, here is what the BSIG requires and where to start.

Why Does NIS2 Apply to Logistics Companies?

Logistics is the backbone of the physical economy. A cyberattack that stops a major logistics provider does not just affect one company – it disrupts supply chains for dozens or hundreds of clients. The 2017 NotPetya attack cost Maersk alone over 300 million euros and disrupted global shipping for weeks. The EU classified transport under Annex I (sectors of high criticality) because logistics disruptions cascade through the entire economy.

NIS2 covers all transport modes: road freight, rail transport, inland waterways, maritime shipping, and air cargo. Companies meeting the size threshold (50+ employees or over 10 million euros in revenue) are in scope. Large companies (250+ employees) in Annex I sectors are classified as essential entities (besonders wichtige Einrichtungen). Medium companies (50-249 employees) are important entities (wichtige Einrichtungen). Both face the full set of NIS2 obligations.

Modern logistics companies run on interconnected IT systems. Transport Management Systems (TMS) orchestrate shipments. Fleet management tracks vehicles in real time. Warehouse Management Systems (WMS) control inventory and picking. Telematics units in trucks transmit position, speed, temperature, and driver data. If any of these systems fail, operations stop or become dangerously inefficient. NIS2 requires you to identify these dependencies and manage the cybersecurity risks systematically.

What Does a Logistics Company's Asset Inventory Look Like?
For a logistics company with 100 to 250 employees, expect 10 to 18 grouped asset entries across six categories. The exact mix depends on whether you operate road, rail, warehouse, or multimodal operations.

Transport Management System (TMS)

The central system for shipment planning, carrier management, route optimization, and freight billing. Common systems include SAP TM, Oracle Transportation Management, Transporeon, or CargoWise. If the TMS goes down, you cannot plan or dispatch shipments. One asset entry.

Fleet management and telematics

GPS tracking, vehicle diagnostics, driver hours logging (digital tachograph integration), fuel management, and route tracking. Telematics units in each vehicle transmit data continuously. Typical products are Webfleet, Trimble, Samsara, or fleet-specific solutions. Compromise could mean loss of vehicle visibility, manipulation of driver records, or unauthorized tracking. Group as one asset.

Warehouse Management System (WMS)

Inventory management, picking optimization, goods receipt and dispatch, and integration with TMS and ERP. May include barcode/RFID scanners, automated storage and retrieval systems, and conveyor controls. Typical products are SAP EWM, Manhattan Associates, or Körber. If the WMS fails, warehouse operations revert to manual processes at a fraction of normal throughput. One asset entry.

ERP and finance system

Customer management, contract administration, invoicing, procurement, and financial reporting. Commonly SAP, Microsoft Dynamics, or Sage. In logistics, ERP often integrates tightly with TMS for billing and customer portals. Compromise affects revenue, customer relationships, and financial reporting. One asset entry.

Network infrastructure

The network connecting offices, warehouses, and vehicle telematics. Includes WAN links between locations, VPN connections for mobile workers and drivers, Wi-Fi in warehouses, and cellular connections for fleet telematics. Logistics companies often have distributed networks across many locations – each site's infrastructure should be documented. Group by site type.

Endpoints and mobile devices

Office PCs, warehouse terminals, handheld scanners, driver tablets, and smartphones. Logistics has a higher proportion of mobile and ruggedized devices than most sectors. Include mobile device management (MDM) if used. Grundschutz allows grouping: '60 warehouse handheld scanners' is one entry. Also include driver tablets as a separate grouped entry.

Where to Start – Priority Order for Logistics Companies
Focus on the areas that create the most compliance value first. Logistics companies benefit from starting with the systems that directly control operations.

1. Register with the BSI

Complete your Section 33 BSIG registration. Transport is an Annex I sector, so large companies face proactive BSI supervision. Registration takes 30 to 60 minutes via muk.bsi.bund.de. If the deadline has passed, register immediately – the penalty for non-registration is up to 500,000 euros.

2. Build your asset inventory

Map your TMS, fleet management, WMS, ERP, and supporting infrastructure. For each system, document what it does, where it runs, who manages it, and what happens if it is unavailable for 4 hours (logistics is time-sensitive). Pay special attention to telematics – dozens or hundreds of connected devices in the field represent a unique attack surface.

3. Set up incident reporting

Logistics operates on tight schedules. A cyberattack that delays shipments by even a few hours can have contractual and financial consequences. Define what counts as a significant incident, establish the BSI reporting chain (24h/72h/1 month), and create internal escalation procedures that account for the 24/7 nature of logistics operations. Include weekend and night-shift scenarios.

4. Document supplier relationships

Logistics companies rely heavily on third-party IT: cloud-hosted TMS, telematics SaaS providers, EDI partners, and carrier platforms. Document every IT supplier, what data they access, and what security measures they commit to. Your TMS provider likely has more access to your operational data than any single employee. Include them in your supply chain security assessment under Section 30(2)(4) BSIG.

5. Review access controls

Logistics has a distributed workforce: office staff, warehouse workers, drivers, and dispatchers – each needing different system access. Implement role-based access controls, enforce MFA for remote and administrative access, and ensure that driver and temporary worker accounts are deactivated promptly when employment ends. Shared accounts on warehouse terminals are common but should be replaced with individual logins where feasible.
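As an added illustration of the access review in step 5 (example code written for this page, not part of any compliance platform or BSI guidance), the script below runs the three checks over a constructed account export joined with HR contract end dates: accounts still active after employment ended, shared terminal accounts, and privileged or remote accounts without MFA. The field names and the sample accounts are assumptions.

```python
from datetime import date

# Constructed sample data (not a real company): each record is one account
# from the identity system, joined with the HR contract end date.
# contract_end = None means the person is still employed.
ACCOUNTS = [
    {"user": "dispatcher01",   "role": "dispatcher",     "shared": False,
     "privileged": True,  "remote": True,  "mfa": True,  "contract_end": None,               "active": True},
    {"user": "driver_m",       "role": "driver",         "shared": False,
     "privileged": False, "remote": True,  "mfa": False, "contract_end": date(2024, 3, 31),  "active": True},
    {"user": "temp_picker_07", "role": "temp_warehouse", "shared": False,
     "privileged": False, "remote": False, "mfa": False, "contract_end": date(2024, 5, 15),  "active": False},
    {"user": "wh_terminal_3",  "role": "warehouse",      "shared": True,
     "privileged": False, "remote": False, "mfa": False, "contract_end": None,               "active": True},
    {"user": "tms_admin",      "role": "it_admin",       "shared": False,
     "privileged": True,  "remote": False, "mfa": False, "contract_end": None,               "active": True},
]

# Assumed internal policy: an account must be disabled within this many
# days of the contract end to count as "promptly" deactivated.
GRACE_DAYS = 3


def review_accounts(accounts, today, grace_days=GRACE_DAYS):
    """Return a list of (user, finding) tuples for the three step-5 checks."""
    findings = []
    for a in accounts:
        end = a["contract_end"]
        # Check 1: leaver/temp account still active past the grace period.
        if a["active"] and end is not None:
            overdue = (today - end).days - grace_days
            if overdue > 0:
                findings.append((a["user"], f"active {overdue} days past deactivation deadline"))
        # Check 2: shared logins on warehouse terminals should become individual accounts.
        if a["shared"] and a["active"]:
            findings.append((a["user"], "shared account, replace with individual logins"))
        # Check 3: MFA is required for remote and administrative access.
        if a["active"] and (a["privileged"] or a["remote"]) and not a["mfa"]:
            findings.append((a["user"], "remote/administrative access without MFA"))
    return findings


if __name__ == "__main__":
    for user, finding in review_accounts(ACCOUNTS, date(2024, 6, 1)):
        print(f"{user}: {finding}")
```

Run against a real export, the join with HR data is the part that usually needs the most work; the checks themselves stay the same.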

What Makes Logistics Companies Different

Logistics companies operate one of the most distributed IT environments of any sector. Assets are not in one building – they are spread across offices, warehouses, distribution centers, and hundreds of vehicles on the road. Every truck with a telematics unit is a connected endpoint. Every warehouse scanner is a device on your network. This distributed footprint makes traditional perimeter security less effective and increases the importance of device management, network segmentation, and identity-based access controls.

The time sensitivity of logistics creates a unique incident response challenge. In a manufacturing company, you might be able to tolerate a 24-hour system outage. In logistics, 4 hours of TMS downtime means missed delivery windows, contract penalties, and cascading delays. Your incident response plan needs to account for this: what manual fallback procedures exist? Can dispatchers route shipments by phone? Can warehouse operations continue with paper-based picking? These business continuity questions are as important as the technical recovery plan.

Logistics companies are also deeply integrated with their customers' and carriers' systems via EDI (Electronic Data Interchange), API connections, and shared platforms. A security breach at your company can propagate to customers through these connections, and vice versa. Your supply chain security assessment should cover not just your IT suppliers but also the electronic connections with your business partners. Securing these interfaces – proper authentication, encrypted transmission, input validation – is both a NIS2 requirement and a business protection measure.

Frequently Asked Questions

We are a road freight company with 80 trucks. Are we essential or important?

Road transport falls under Annex I (sectors of high criticality). If your company has 250 or more employees, you are an essential entity (besonders wichtige Einrichtung) with proactive BSI supervision. With 50 to 249 employees, you are an important entity (wichtige Einrichtung) with reactive supervision. With 80 trucks, you likely have 100 to 150 employees (drivers, dispatchers, warehouse, office). Check your total headcount against the threshold – the full range of NIS2 obligations applies either way.

Are our truck telematics units considered 'assets' under NIS2?

Yes. Any system that supports your critical transport services is an asset. Telematics units transmit real-time location, speed, temperature (for refrigerated transport), and driver hours data. They are connected devices on your network. Group them as one asset entry – for example, '80 Webfleet telematics units' rather than 80 separate entries. The key risks are: unauthorized access to vehicle tracking data, manipulation of tachograph records, and potential use as a network entry point.

We use a cloud-based TMS. Is that our problem or the provider's?

Both, but the legal obligation is yours. Under Section 30 BSIG, you can outsource operations but not accountability. Your cloud TMS provider is a critical supplier under Section 30(2)(4). You must: document the provider in your supply chain security assessment, include cybersecurity requirements in the contract, verify the provider has adequate security measures (certifications, audit reports, incident notification commitments), and have a contingency plan if the provider suffers a breach or outage.

How does NIS2 relate to the EU Mobility Data Act and digital tachograph regulations?

NIS2, the Mobility Data Act, and tachograph regulations (EU 165/2014) are separate legal frameworks that overlap on data security. Tachograph regulations require tamper-proof recording of driver data. The Mobility Data Act addresses data sharing obligations. NIS2 adds the cybersecurity management layer: securing the IT systems that process and transmit this data. Compliance with NIS2 strengthens your position on all three because a well-secured IT environment protects the integrity of regulated data.

NIS2 Compliance for Logistics – From Fleet to Warehouse
The platform covers all 49 BSIG requirements with guidance for logistics operations: fleet and telematics asset management, distributed network documentation, supplier security tracking, and incident reporting for time-critical operations.