Gilles Verbauwhede

September 24, 2025

Cyber and physical resilience: Why railways can’t ignore NIS2 and CER

In an age where Europe’s railways are the arteries of economic and social development and essential for European security, resilience is no longer an option. In response, the EU has introduced two powerful legislative frameworks, NIS2 and CER, which all critical infrastructure operators must comply with.

Freight train

The threat landscape facing rail networks is evolving rapidly. From cyberattacks to physical sabotage, the risks are not hypothetical. A single disruption can paralyse supply chains, interrupt passenger mobility, and erode public trust.

New EU legislation is designed to address these threats head on:

  • NIS2 (Directive (EU) 2022/2555) — Focused on improving cyber resilience across essential and important entities.
  • CER (Directive (EU) 2022/2557) — Aimed at strengthening the physical and operational resilience of critical entities.

Embedding resilience is a strategic imperative

For rail operators, these initiatives are strategic imperatives rather than compliance checkboxes.

If your railway organisation is classified as “critical” under CER, you are automatically “essential” under NIS2. That means you must comply with both, covering everything from cyber risk management and incident reporting to physical resilience and supply chain security.

Failure to act can result in fines of up to €10 million, liability for company leadership and, most critically, operational shutdowns.

But there is good news: the path to compliance can also be a path to resilience.

From compliance to competitive advantage

At Ramboll, we view NIS2 and CER as tools to help organisations future-proof their operations. Our four-phase roadmap is designed to make complex requirements manageable and to ensure that the result is improved system readiness as well as compliance.

1. Clarify obligations and set the direction: We start by identifying how your organisation is classified under both directives, clarifying your legal responsibilities. Together, we review sector-specific requirements and identify existing measures you can build on. We also help you engage leadership, define roles, and establish the right governance structure to ensure that ownership is clear from the outset.

2. Assess risks and build resilience: Next, we conduct integrated risk assessments, drawing on what you have already done to identify vulnerabilities in both physical and cyber systems. We help you develop practical resilience plans, including business continuity, physical security, and cybersecurity measures such as incident handling, supply chain security, and staff training.

3. Prepare for incidents and reporting: We help you build smart, responsive action plans tailored to incident types. This includes aligning with EU reporting requirements, improving cross-functional coordination, and integrating with national and European information-sharing platforms.

4. Stay compliant and continuously improve: Finally, we support you in creating systems that are not only compliant but continuously improving. That includes audit preparation and performance monitoring, ensuring that your organisation stays on top of evolving threats. We also provide ongoing training to embed a culture of security and resilience across your organisation.

The result is a structured, manageable approach that not only ensures compliance but also strengthens your ability to withstand and recover from disruptions, protecting your operations, your reputation, and the trust of your customers.

What sets rail apart

Implementing CER and NIS2 is not a generic exercise. For railways, it must account for safety-critical systems, complex interdependencies, and legacy infrastructure.

“The rail sector is uniquely complex: you’re dealing with demanding safety requirements, ageing infrastructure, and operations that can’t simply pause for upgrades. That’s where experience makes the difference. We help clients meet regulatory requirements without disrupting cross-functional engagement in highly regulated, high-stakes environments.”

Gilles Verbauwhede
Rail Cyber & Resilience Specialist, Ramboll

Getting it right means treating the changes required by CER and NIS2 not merely as compliance issues, but aligning them with the realities of railway operations and delivering solutions that are sustainable, efficient, and tailored to the railway business.

Lessons for other critical sectors

NIS2 and CER represent a shift from reactive compliance to proactive resilience. For the rail sector, and indeed for any sector, they offer a clear mandate to improve how we prepare for and manage disruption in a world defined by complexity.

While this work is rooted in rail, the insights apply far more broadly. The tools, governance models, and operational safeguards that can be deployed in the railway sector are equally relevant to energy, transport, and healthcare, and to any domain where business continuity and public trust are paramount.

Want to know more?

  • Gilles Verbauwhede, Engineer, +45 60 36 13 59
  • Elvar Asmundsson, Senior Consultant, +45 60 36 19 09
