The Transport Cybersecurity Toolkit

What is the Transport Cybersecurity Toolkit?

The Transport Cybersecurity Toolkit is a repository of tips and recommended practices to enhance cybersecurity and cyber-resilience in the transport sector. The European Commission published it on 16 December 2020.

According to the European Commission, cybersecurity is becoming a growing concern for the transport industry. Yet, many employees remain insufficiently aware of the risks, and their actions may sometimes inadvertently open the door to attackers.

Against this background, the transport cybersecurity toolkit aims to contribute to greater levels of cyber-awareness and cyber-hygiene, with a specific focus on the transport sector. It addresses transport organisations, regardless of their size and domain of activity.

Concretely, the toolkit contains basic information on four threats that may affect transport organisations: malware diffusion, denial of service, unauthorised access and theft, and software manipulation.

For each of those threats, the toolkit lists good mitigating practices, which are relevant for all transport staff, regardless of their occupation.

The toolkit also contains a more advanced level, which provides information that is particularly relevant for security and cybersecurity professionals in transport organisations. This advanced level is organised by transport mode: air, maritime and land. For each transport mode, the toolkit provides guidance on identifying, protecting, detecting, and responding to cyber-threats.

The toolkit provides awareness paths targeting:

- All transport staff. It targets all staff of transport organisations, from staff in transport service operations to administrative staff. It provides guidance towards an increased understanding and awareness of the most common cyber threats targeting transport services and systems. Additionally, it provides insights on how to deal with potential cyber threats, including identifying, reporting, and mitigating them through good cybersecurity practices.

- Transport decision-makers in cybersecurity across the different transport modes. It targets staff who have decision-making responsibilities for cybersecurity in transport organisations. This path highlights good practices, tailored to the different transport modes, for enhancing the cybersecurity posture of transport organisations. In particular, it provides good practices to identify, protect against, detect, and respond to emerging cyber threats targeting transport organisations.

The NIS 2 Directive of the European Union entered into force on 16 January 2023.

In Article 1 (subject matter of the NIS 2 Directive), we learn that NIS 2 lays down cybersecurity risk management measures and reporting obligations for entities of a type referred to in Annex I or II.

In Annex I (Sectors of High Criticality), we find that the transport sector is in the scope of the NIS 2 Directive.

NIS 2 sets out the baseline for cybersecurity risk-management measures and reporting obligations across the sectors that fall within its scope. In order to avoid the fragmentation of cybersecurity provisions of Union legal acts, where further sector-specific Union legal acts pertaining to cybersecurity risk-management measures and reporting obligations are considered to be necessary to ensure a high level of cybersecurity across the European Union, the Commission should assess whether such further provisions could be stipulated in an implementing act under this Directive.

The growing interdependencies are the result of an increasingly cross-border and interdependent network of service provision using key infrastructures across the Union in sectors such as energy, transport, digital infrastructure, drinking water and waste water, health, certain aspects of public administration, as well as space in so far as the provision of certain services depending on ground-based infrastructures that are owned, managed and operated either by Member States or by private parties is concerned, therefore not covering infrastructures owned, managed or operated by or on behalf of the Union as part of its space programme.

Those interdependencies mean that any disruption, even one initially confined to one entity or one sector, can have cascading effects more broadly, potentially resulting in far-reaching and long-lasting negative impacts in the delivery of services across the internal market. The intensified cyberattacks during the COVID-19 pandemic have shown the vulnerability of increasingly interdependent societies in the face of low-probability risks.

Cyber Risk GmbH believes that the Transport Cybersecurity Toolkit must become a part of the NIS 2 implementation in the transport sector.

Our training programs

Cyber Risk GmbH is offering training programs in some difficult areas, like the new NIS 2 Directive of the European Union that changes the compliance requirements of many entities in the transport sector (air, rail, water and road subsectors), and programs that assist the Board of Directors and the CEO in understanding cybersecurity challenges.

Transport Cybersecurity Toolkit Training

Transport Cybersecurity Toolkit Training for the Board

Our training programs for the commercial and private aviation industry.

Cybersecurity training for the commercial and private aviation

Cybersecurity training for the Board of Directors and the CEO in the commercial and private aviation

NIS 2 Directive Training for the commercial and private aviation

Our training programs for the railway industry.

Cybersecurity Training for the Railway Sector.

The NIS 2 Directive as it applies in the Railway Sector.

Cybersecurity Training for the Board of Directors in the Railway Sector.

Our training programs for the maritime industry.

Maritime Cybersecurity Training.

The NIS 2 Directive as it applies in the maritime industry.

Cybersecurity Training for the Board of Directors in the maritime industry.

Contact us

Cyber Risk GmbH
Dammstrasse 16
8810 Horgen
Tel: +41 79 505 89 60


We process and store data in compliance with both the Swiss Federal Act on Data Protection (FADP) and the EU General Data Protection Regulation (GDPR). The service provider is Hostpoint. The servers are located in the Interxion data center in Zürich, the data is saved exclusively in Switzerland, and the support, development and administration activities are also based entirely in Switzerland.