Transport Organizations as Key Entities in Cybersecurity Management: Legal and Regulatory Framework for the Implementation of the NIS2 Directive

The increasing digitalization of transport systems has made cybersecurity a strategic priority for the European Union. However, previous research has not sufficiently examined how the revised Network and Information Systems Directive (NIS2) affects transport operators and infrastructure managers. This study addresses this gap by analyzing the legal and regulatory requirements introduced by NIS2, with particular focus on their implications for the transport sector. A qualitative document analysis methodology was used, reviewing EU legislation, national implementation frameworks, and relevant standards (e.g., ISO/IEC 27001, 22301, and 27005). The findings reveal that NIS2 significantly expands the scope of regulated entities, strengthens risk management and reporting obligations, and introduces stricter penalties for non-compliance. Transport organizations are classified as essential entities, subject to advanced cybersecurity, incident response, and auditing mechanisms. The paper highlights that compliance with NIS2 requires not only technical adjustments but also organizational transformation, particularly in governance and supply chain management. These findings contribute to the understanding of regulatory adaptation processes and provide practical insights for policymakers and transport operators seeking to enhance cyber resilience in line with EU cybersecurity objectives.