The NIS2 Directive:
what should your transport business do?

NIS2 is the EU's updated cybersecurity requirements. For most hauliers, it is not a direct legal requirement — but you will feel it anyway. Here is what you need to know.

What is the NIS2 Directive?

NIS2 — Network and Information Security Directive 2 — came into force in Denmark on 1 November 2024. It introduces stricter requirements for IT security, risk assessment and handling of security incidents in companies within critical sectors — including transport.

The three most important changes from the previous directive:

• Broader scope: Far more companies and sectors are now directly covered, including road freight transport.
• Stricter requirements: Requirements for risk management, incident response and supplier security.
• Heavier fines: Up to EUR 10 million or 2% of global turnover for directly covered entities.

Who is directly covered by NIS2?

Probably not your company — if you are a typical Danish haulier. NIS2 directly applies to:

• Essential entities: Over 250 employees OR over EUR 50 million in revenue.
• Important entities: Over 50 employees OR over EUR 10 million in revenue.

Most hauliers with under 50 employees and under DKK 75 million in revenue do not fall directly under NIS2.

But — and this is important: NIS2 requires the large directly-covered companies to impose security requirements on their suppliers. If you transport for large manufacturers, retail chains or logistics companies, they will likely impose IT security requirements on you. It is indirect, but it is real.

What does NIS2 specifically require?

For directly covered companies, the requirements are clear:

• Documented security policies and risk assessments — management is personally responsible.
• Incident reporting within 24 hours (early warning) and 72 hours (full report).
• Access control and encryption of data and systems.
• Supplier security: You must assess your IT suppliers' security — it is this requirement that trickles down to hauliers as subcontractors.
• Backup and contingency plans for security incidents.

What should you as a haulier do now?

1. Check if you are directly covered. Over 50 employees or EUR 10 million in revenue? Yes → you are an important entity. No → you are probably not directly subject, but may feel it indirectly.
2. Expect demands from your customers. Proactively ask if your large customers will impose IT security requirements on you.
3. Check your systems. Are they updated? Do you use strong passwords and two-factor authentication? Is data backed up?
4. Choose secure suppliers. Your TMS must meet modern security standards. DORA runs on modern cloud infrastructure with encryption and access control.
5. Talk to your employees. A brief introduction to phishing and secure passwords is the easiest and most effective thing you can do.

Sanctions for non-compliance

For directly covered companies, fines are steep: up to EUR 10 million or 2% of global turnover. Management can in extreme cases be temporarily prohibited from exercising their functions.

For most hauliers, the real risk is not fines from authorities — but loss of contracts with customers who cannot use suppliers that do not meet their security requirements.

Frequently asked questions about NIS2 and transport

Is my haulage business directly subject to NIS2?

Probably not, if you have under 50 employees and under EUR 10 million (approx. DKK 75 million) in revenue. But you may feel it indirectly if your customers are directly covered and impose requirements down through the supply chain.

What is the deadline for incident reporting?

For directly covered entities: early warning within 24 hours, full report within 72 hours. Reporting is done to the Centre for Cyber Security (CFCS) in Denmark.

What happens if I don't comply with NIS2?

For directly covered companies: fines up to EUR 10 million or 2% of global turnover, orders to rectify — and potentially temporary prohibition of management from exercising their functions. For most hauliers, the greater risk is loss of customer contracts.