Train

Rail Cybersecurity

Objective

Cybersecurity in the rail sector is regulated by a comprehensive EU legal framework aimed at enhancing infrastructure resilience against cyber threats. The legislative landscape includes:

  • Directive 2022/2557 on the Critical Entities Resilience Directive (CER)
  • Directive 2022/2555 (NIS2) on measures for a high common level of cybersecurity across the Union
  • Cyber Solidarity Act, published as a proposal in April 2023, which aims to strengthen EU-wide cooperation on cybersecurity
  • Cyber Resilience Act from November 2024, which sets security obligations for manufacturers of digital products

Infrastructure Managers (IMs) are classified as operators of essential services under NIS2, requiring them to implement cybersecurity contingency plans, incident reporting mechanisms, and risk assessments to enhance resilience.

Cyberattacks on transport infrastructure has increased significantly, with evidence that hostile actors are engaging in ever more violent forms of hybrid warfare, which includes cyber-physical attacks, in addition to cyber sabotage.

To address cybersecurity challenges in rail transport, the EC established RailSec and LandSec, two expert groups facilitating dialogue on security threats and risk mitigation strategies. These platforms bring together EU institutions, national authorities, and industry stakeholders.

EIM in action

  • EIM monitors EU cybersecurity regulations and their impact on IMs. 
  • EIM participates in EC RailSec and LandSec expert groups, ensuring rail sector concerns are represented. 
  • EIM collaborates with ERA to integrate cybersecurity aspects into the next TSI revision. 
  • EIM, with the sector, established a joint Sector Group on Cybersecurity in July 2024 to coordinate sector responses to cybersecurity legislation.
@SNCF Réseau

EIM actions in 2025

  • EIM participated in RailSec and LandSec meetings throughout 2025 to engage in discussions on rail cybersecurity. 
  • EIM WG SEC/CYBER met in March to define its priorities and its programme of work. 
  • EIM contributed to ERA discussions on integrating cybersecurity requirements into TSI updates. 
  • EIM analysed the implementation of NIS2, RCE, and the Cyber Resilience Act for its members. 
  • EIM conducted a benchmarking survey on “Safety Procedures for Terrorist Incidents on High-Speed Trains” at the request of a member.
  • EIM, CER, and UNIFE cooperate in a joint Cybersecurity Group to coordinate sector responses to cybersecurity legislation. The joint Cybersecurity Group identified key cybersecurity challenges affecting IMs.
  • EIM participated in the ERA and ENISA Cybersecurity Conference to exchange expertise on cyber threats in rail.

Outlook 2026

  • EIM will continue to monitor and support the implementation of cybersecurity obligations for IMs. 
  • EIM will liaise with EIM WG Resilience to address cybersecurity as part of broader infrastructure resilience planning. 
  • EIM will contribute to discussions with ERA on introducing cybersecurity requirements in the TSIs.

Directive (EU) 2022/2557 on the Resilience of Critical Entities (CER)

EU LEGISLATION INFRASTRUCTURE MANAGERS

Directive 2022/2555 on measures for a high common level of cybersecurity across the Union (NIS2)

EU LEGISLATION INFRASTRUCTURE MANAGERS

Regulation (EU) 2025/38 laying down measures to strengthen solidarity and capacities in the Union to detect, prepare for and respond to cybersecurity threats and incidents

EU LEGISLATION INFRASTRUCTURE MANAGERS

Regulation (EU) 2024/2847 on horizontal cybersecurity requirements for products with digital elements (CRA)

EU LEGISLATION INFRASTRUCTURE MANAGERS

Rail Security

Facts & context

Rail security encompasses various aspects, including terrorist threats, vandalism, suicides, and metal theft. Effective risk mitigation and the exchange of best practices are crucial for infrastructure managers (IMs) to ensure the safety and resilience of rail operations. 

Additionally, the increasing digitalisation of rail systems introduces new cybersecurity risks for both IMs and railway undertakings (RUs). Security measures in the rail sector remain primarily a national responsibility. However, the Directive on the Resilience of Critical Entities (RCE) introduces a more structured framework for “critical entities” across ten sectors, including rail. Under this Directive, IMs are classified as critical entities and are required to conduct risk assessments and implement proportionate security measures to safeguard essential rail services against natural and human-made threats. 

At the European level, the RailSec (Rail Passengers Security Platform) and LandSec (Land Transport Security Platform) expert groups, coordinated by the European Commission (EC), serve as platforms for collaboration on security-related challenges, including the resilience of rail networks.

EIM in action

  • EIM actively participates in the RailSec and LandSec platforms, contributing to discussions on rail security and exchanging best practices. 
  • EIM engages in regular dialogue with the sector to align positions on security-related issues. 
  • EIM collaborates with the European Commission’s security experts to ensure that EU security initiatives support IM operations. 
  • EIM maintains exchanges with RAILPOL, the European rail police network, to address shared security challenges such as terrorism and infrastructure protection.

EIM actions in 2025

  • EIM attended RailSec and LandSec meetings throughout 2025 to engage in discussions on rail security measures.
  • EIM’s WG SEC/CYBER continued work on priorities to ensure alignment with broader EU security objectives.
  • EIM continued to exchange best practices and coordinate responses to emerging security threats with other stakeholders.

Outlook 2026

  • EIM will continue monitoring the implementation of the RCE Directive and its impact on IMs. 
  • EIM will follow the EC’s future security-related initiatives to ensure that IMs’ interests are represented in EU security policies. 
  • EIM will strengthen cooperation with RAILPOL and relevant EU agencies to address rail security challenges effectively. 
  • EIM will actively participate in RailSec and LandSec meetings to contribute to security-related discussions.

Directive (EU) 2022/2557 on the Resilience of Critical Entities (RCE)

EU LEGISLATION INFRASTRUCTURE MANAGERS