
Rail Cybersecurity

Objective

Cybersecurity in the rail sector is regulated by a comprehensive EU legal framework aimed at enhancing infrastructure resilience against cyber threats. The legislative landscape includes:

  • Directive 2022/2557 on the Resilience of Critical Entities (RCE)
  • Directive 2022/2555 (NIS2) on measures for a high common level of cybersecurity across the Union
  • Cyber Solidarity Act, published as a proposal in April 2023, which aims to strengthen EU-wide cooperation on cybersecurity
  • Cyber Resilience Act, approved by the EU Parliament in March 2024, which sets security obligations for manufacturers of digital products

Infrastructure Managers (IMs) are classified as operators of essential services under NIS2, requiring them to implement cybersecurity contingency plans, incident reporting mechanisms, and risk assessments to enhance resilience.

To address cybersecurity challenges in rail transport, the EC established RailSec and LandSec, two expert groups facilitating dialogue on security threats and risk mitigation strategies. These platforms bring together EU institutions, national authorities, and industry stakeholders.


EIM actions in 2024

  • EIM participated in RailSec and LandSec meetings throughout 2024 to engage in discussions on rail cybersecurity. 
  • EIM WG SEC/CYBER met in March to define its priorities and its programme of work. 
  • EIM contributed to ERA discussions on integrating cybersecurity requirements into TSI updates. 
  • EIM analysed the implementation of NIS2, RCE, and the Cyber Resilience Act for its members. 
  • EIM conducted a benchmarking survey on “Safety Procedures for Terrorist Incidents on High-Speed Trains” at the request of Infrabel. 
  • EIM, CER, and UNIFE established a joint Cybersecurity Group in mid-2024 to coordinate sector responses to cybersecurity legislation. The joint Cybersecurity Group identified key cybersecurity challenges affecting IMs. 
  • EIM participated in the ERA and ENISA Cybersecurity Conference to exchange expertise on cyber threats in rail.

Outlook 2025

  • Member States must complete the transposition of the NIS2 and RCE Directives by 17 October 2024.
  • EIM will continue to monitor and support the implementation of cybersecurity obligations for IMs. 
  • EIM will liaise with EIM WG Resilience to address cybersecurity as part of broader infrastructure resilience planning. 
  • EIM will contribute to discussions on ERA cybersecurity guidelines and new EU cybersecurity funding mechanisms.

Directive (EU) 2022/2557 on the Resilience of Critical Entities (RCE)

EU LEGISLATION INFRASTRUCTURE MANAGERS

Directive 2022/2555 (NIS2) on measures for a high common level of cybersecurity across the Union


Proposal for a regulation laying down measures to strengthen solidarity and capacities in the Union to detect, prepare for and respond to cybersecurity threats and incidents


Proposal for a regulation on horizontal cybersecurity requirements for products with digital elements and amending Regulation (EU) 2019/1020


Rail Security

Facts & context

Rail security encompasses various aspects, including terrorist threats, vandalism, suicides, and metal theft. Effective risk mitigation and the exchange of best practices are crucial for infrastructure managers (IMs) to ensure the safety and resilience of rail operations. 

Additionally, the increasing digitalisation of rail systems introduces new cybersecurity risks for both IMs and railway undertakings (RUs). Security measures in the rail sector remain primarily a national responsibility. However, the Directive on the Resilience of Critical Entities (RCE) introduces a more structured framework for “critical entities” across ten sectors, including rail. Under this Directive, IMs are classified as critical entities and are required to conduct risk assessments and implement proportionate security measures to safeguard essential rail services against natural and human-made threats. 

At the European level, the RailSec (Rail Passengers Security Platform) and LandSec (Land Transport Security Platform) expert groups, coordinated by the European Commission (EC), serve as platforms for collaboration on security-related challenges, including the resilience of rail networks.

EIM in action

  • EIM actively participates in the RailSec and LandSec platforms, contributing to discussions on rail security and exchanging best practices. 
  • EIM engages in regular dialogue with the sector to align positions on security-related issues. 
  • EIM collaborates with the European Commission’s security experts to ensure that EU security initiatives support IM operations. 
  • EIM maintains exchanges with RAILPOL, the European rail police network, to address shared security challenges such as terrorism and infrastructure protection.

EIM actions in 2024

  • EIM attended RailSec and LandSec meetings in February, April and October 2024 to engage in discussions on rail security measures. 
  • EIM’s WG SEC/CYBER met in March 2024 to define priorities and ensure alignment with broader EU security objectives. 
  • EIM continued to exchange best practices and coordinate responses to emerging security threats with other stakeholders.

Outlook 2025

  • EIM will continue monitoring the implementation of the RCE Directive and its impact on IMs. 
  • EIM will follow the EC’s future security-related initiatives to ensure that IMs’ interests are represented in EU security policies. 
  • EIM will strengthen cooperation with RAILPOL and relevant EU agencies to address rail security challenges effectively. 
  • EIM will actively participate in RailSec and LandSec meetings to contribute to security-related discussions.

Directive (EU) 2022/2557 on the Resilience of Critical Entities (RCE)
