How NIS2 Affects the European Maritime Industry

A developer buddy of mine at a major European shipping operator laughed when I brought up the EU’s new NIS2 Directive. “Our ships are on the water, not the internet,” he scoffed. Ah, the classic developer hubris of assuming a system is secure because it’s physically wet—usually from the same person whose “production-ready” stack is a house of cards held together by unpatched Docker containers.

I had to ruin his day: NIS2 is now law, and the deadline for member states to transpose it passed on 17 October 2024. If you touch water transport—cargo, passenger shipping, port management, or vessel traffic services—congratulations, you’ve been drafted into the “sectors of high criticality” bucket (Annex I) of government compliance theater.

Here is the direct, no-fluff take on how NIS2 actually hits maritime operations, the messy reality of connected fleets, and what you actually need to do.


The “Vessel Exemption” Myth

Let’s address the favorite coping mechanism of shipping executives: the rumor that vessels are exempt.

Technically, the hulls themselves are excluded: Annex I lists sea and coastal water transport companies “excluding the individual vessels operated by those companies”. The EU kicked that can down the road and left shipboard cyber risk to the International Maritime Organization, via resolution MSC.428(98), which folds cyber risk management into the ISM Code safety management system.

But that exemption is a total illusion. Look at who NIS2 actually applies to:

  • Shipping companies (the land-based crews running the fleet).
  • Port authorities and operators managing the docks.
  • Vessel Traffic Services (VTS) operators.

If your shipping company has 50 or more employees or pulls in more than €10 million in annual turnover, you are in scope. Cross the large-enterprise line (250 employees or €50 million turnover) and you are an “essential” entity rather than an “important” one, which raises the fine ceiling and unlocks the harshest management sanctions. And since your dry-land office handles dispatch, route planning, and telemetry, you can’t secure the corporate network without securing the ships. They are linked.


The IT/OT Convergence Trap

Here is where the engineering headache starts. Modern ships aren’t air-gapped islands floating in isolation anymore; they are floating data centers.

To keep crews happy with Netflix, save money on fuel optimizations, and justify buying overpriced NVIDIA hardware for whatever “AI” telemetry we pretend to run, we plug fleets into satellite networks like Starlink and VSAT. But this convenient connection merges corporate IT with shipboard Operational Technology (OT): propulsion, ballast systems, and ECDIS (the Electronic Chart Display and Information System the bridge navigates by).

[Diagram: shore-to-ship connectivity. Shipboard systems (Crew & Admin Network with internet access; Bridge Network with ECDIS navigation and GPS; Machinery Space OT with engine control and ballast) hang off a shared switch trunk with a misconfigured VLAN bridge between them. A satellite interconnect (Starlink / VSAT) carries data transfer and offers an internet pivot. Land-based operations (Corporate IT Office with ERP, scheduling and mail; Maintenance & Telemetry Servers with remote support access; Port Agent Systems with cargo manifests and customs) reach the vessel over an IPsec VPN / Remote Desktop connection.]

This connectivity introduces three massive security holes:

  1. The Remote Access Pivot: Onshore offices host remote desktop tools and telemetry servers that vendors use to debug engines. If an attacker breaches the land office, they pivot straight through those VPN tunnels into the vessel’s propulsion or navigation networks. It’s like building a high-availability Kubernetes cluster on a public cloud instance and leaving the admin dashboard wide open without MFA.
  2. Shared Infrastructure: I’ve seen crew Wi-Fi and critical bridge navigation systems sharing the exact same physical satellite terminal hardware. Good luck handling a satellite link drop-out mid-maneuver because a crew phone kicked off a massive download. Without strict physical segregation, malware downloaded onto a crew member’s phone can jump to the bridge network.
  3. Ransomware Paralysis: You don’t need to hijack a ship’s rudder to brick a company. If ransomware locks up your shore-side customs manifests or scheduling databases, your ships are stuck. A container ship that can’t legally unload its cargo is just a very expensive, floating paperweight.

Personal Executive Liability

This is where NIS2 gets teeth. If your company treats cybersecurity as an annoying line-item budget to cut, this will wake them up.

  • The Buck Stops at the Top: The management body (directors and board members) must formally approve the cybersecurity risk-management measures and supervise their implementation. No more hiding behind “I’m not a technical person.”
  • Personal Liability: Under the new rules, members of the management body can be held liable for infringements. For essential entities, national authorities can also temporarily bar the CEO or legal representative from exercising managerial functions and appoint a monitoring officer to oversee compliance.
  • Mandatory Training: The suits have to sit down and do cybersecurity training. They need to understand what they are signing off on.
  • Eye-Watering Fines: For “essential” entities, non-compliance can cost up to €10 million or 2% of global annual turnover, whichever is higher (for “important” entities, €7 million or 1.4%). That is a boardroom-clearing number.

Supply Chain Security

Maritime is a massive web of third-party dependencies: port agents, bunkering services, tug operators, and legacy hardware vendors.

NIS2 mandates managing supply chain risk. You can’t just secure your own servers; you have to vet your suppliers’ security practices too. If a third-party port agent’s email gets hacked, attackers can send fake cargo manifests, causing chaos at the terminal. And no, vendor self-attestation forms are not security; they are just compliance theater. We have to start enforcing basic security baselines like MFA and encrypted data sharing on everyone we work with.


The 24-Hour Reporting Window

If (or when) something breaks, you have to run fast. NIS2 sets a ticking clock on reporting significant incidents to your national CSIRT (or competent authority), and the clock starts when you become aware of the incident, not when you finish investigating it:

  Phase                     Deadline                                  Requirement
  1. Early warning          Within 24 hours of becoming aware         Say what is going on, whether you suspect unlawful or malicious action, and whether the incident could have cross-border impact.
  2. Incident notification  Within 72 hours of becoming aware         Update the early warning with an initial severity and impact assessment and any indicators of compromise you have.
  3. Final report           Within one month of the notification      Submit the post-mortem: detailed description, type of threat and root cause, mitigation measures applied, and any cross-border impact.

If the incident is still ongoing at the one-month mark, a progress report is due then and the final report follows within a month of handling it.

Actionable Compliance Steps

If you are tasked with sorting this out, here are the real-world engineering and operational steps to focus on:

  1. Map Your Shore-to-Ship Data Flows: Document every single satellite uplink, VPN tunnel, and file share between your land offices and the vessels. You can’t secure what you don’t know exists.
  2. Enforce Real Network Segregation: Get serious about VLANs and physical switch setups on the ships. Crew Netflix, office work, and navigation (OT) systems must be kept completely separate. (And thank whatever deity you believe in that nobody has tried running Lustre over satellite links yet—we have enough split-brain metadata crashes on land).
  3. Audit Your Suppliers: Actually check the security postures of your port agents, vendors, and telemetry providers. Implement strict least-privilege access rules for any supplier connection.
  4. Run Board Tabletop Drills: Get the management team into a room and run a mock ransomware drill. Test if you can actually pull together enough info to file that 24-hour warning report when everything is on fire.
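As an added example (written for this article, not tooling from any shipping operator or from the NIS2 text), here is the sort of check steps 1 to 3 produce once you have mapped your flows: every shore-to-ship and shipboard flow is resolved to a zone from the diagram and held against a default-deny allowlist, so a crew phone talking to the bridge, a vendor session into OT without MFA, or an office RDP session that bypasses the jump host (the three holes described under the IT/OT convergence trap) all surface as findings. The CIDRs, ports, log format and sample records are assumptions chosen to match the diagram; substitute your own.

```python
"""Shore-to-ship flow audit against a default-deny zone policy.

Added example for this article, not code from any operator or from NIS2.
All addressing, ports and the log format are assumptions for illustration.
"""
import ipaddress
from dataclasses import dataclass

# Assumed addressing for each zone in the diagram.
ZONES = {
    "crew":       ipaddress.ip_network("10.10.0.0/16"),    # crew & admin Wi-Fi
    "bridge":     ipaddress.ip_network("10.20.0.0/24"),    # ECDIS, GPS feeds
    "ot":         ipaddress.ip_network("10.30.0.0/24"),    # engine control, ballast
    "corp":       ipaddress.ip_network("192.168.0.0/16"),  # shore office: ERP, mail
    "telemetry":  ipaddress.ip_network("172.16.5.0/24"),   # maintenance/jump hosts
    "port_agent": ipaddress.ip_network("203.0.113.0/24"),  # third-party agent systems
}

# Zones that must be unreachable except through the allowlist, and where every
# inbound session must have been MFA-authenticated (e.g. at the jump host).
PROTECTED = {"bridge", "ot"}

# Default deny: (initiator zone, responder zone, protocol, port). Anything not
# listed is a violation; that is what "real segregation" means in practice.
ALLOWED = {
    ("crew", "internet", "tcp", 443),     # crew browsing/streaming
    ("crew", "internet", "tcp", 80),
    ("corp", "internet", "tcp", 443),
    ("corp", "port_agent", "tcp", 443),   # manifests/customs to the agent portal
    ("telemetry", "ot", "tcp", 22),       # vendor support only via the jump host
    ("telemetry", "bridge", "tcp", 22),
    ("bridge", "telemetry", "tcp", 443),  # chart updates pulled from shore
    ("ot", "telemetry", "tcp", 8883),     # engine telemetry pushed out (MQTT/TLS)
}


@dataclass(frozen=True)
class Flow:
    line_no: int
    src_zone: str
    dst_zone: str
    proto: str
    dport: int
    mfa: bool


@dataclass(frozen=True)
class Finding:
    line_no: int
    src_zone: str
    dst_zone: str
    severity: str
    reason: str


def zone_of(ip: str) -> str:
    """Map an address to its zone; anything outside the map is 'internet'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


def parse_flow(line_no: int, line: str) -> Flow:
    """Parse one record: '<ts> <src_ip> <dst_ip> <proto> <dport> mfa=<yes|no>'."""
    fields = line.split()
    if len(fields) != 6 or not fields[5].startswith("mfa="):
        raise ValueError(f"line {line_no}: malformed flow record: {line!r}")
    _ts, src, dst, proto, dport, mfa = fields
    return Flow(line_no, zone_of(src), zone_of(dst), proto.lower(),
                int(dport), mfa == "mfa=yes")


def check_flow(flow: Flow) -> list:
    """Return the policy violations for one flow (empty list = compliant)."""
    findings = []
    key = (flow.src_zone, flow.dst_zone, flow.proto, flow.dport)
    # Anything that reaches bridge/OT is critical; other unlisted flows are high.
    severity = "critical" if flow.dst_zone in PROTECTED else "high"
    if key not in ALLOWED:
        findings.append(Finding(flow.line_no, flow.src_zone, flow.dst_zone,
                                severity, "flow not in allowlist"))
    if flow.dst_zone in PROTECTED and not flow.mfa:
        findings.append(Finding(flow.line_no, flow.src_zone, flow.dst_zone,
                                "critical", "inbound to protected zone without MFA"))
    return findings


def audit(lines) -> list:
    """Run every record through the policy and collect findings."""
    findings = []
    for n, line in enumerate(lines, start=1):
        if not line.strip() or line.startswith("#"):
            continue
        findings.extend(check_flow(parse_flow(n, line)))
    return findings


# Constructed sample records (not real traffic). Line numbers count from 1.
SAMPLE_LOG = [
    "2024-10-17T08:00:01Z 10.10.4.23 142.250.74.14 tcp 443 mfa=no",  # crew -> internet: fine
    "2024-10-17T08:00:07Z 10.10.4.23 10.20.0.5 tcp 445 mfa=no",      # crew -> bridge: VLAN bridged
    "2024-10-17T08:01:12Z 172.16.5.10 10.30.0.7 tcp 22 mfa=yes",     # jump host -> OT with MFA: fine
    "2024-10-17T08:02:30Z 172.16.5.10 10.30.0.7 tcp 22 mfa=no",      # same path, no MFA
    "2024-10-17T08:03:44Z 192.168.1.40 10.30.0.7 tcp 3389 mfa=yes",  # office RDP straight into OT
    "2024-10-17T08:04:00Z 10.30.0.7 172.16.5.20 tcp 8883 mfa=no",    # engine telemetry out: fine
]


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.src_zone} -> {f.dst_zone} [{f.severity}] {f.reason}")
```

Run as-is and it reports four findings on sample lines 2, 4 and 5 and nothing on the compliant lines. The design choice worth copying is the shape of the policy, not the numbers: zones are defined by address, the allowlist is keyed on who initiates, and bridge/OT are special-cased so that any reachability from crew or corporate space is critical regardless of port. Feed it a day of firewall or NetFlow export from the satellite terminal and the findings are your shore-to-ship data-flow map, violations included.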

Navigating NIS2 compliance isn’t going to be a walk in the park, but getting our networks segregated and supply chains locked down is just good engineering anyway.