MEMO: Duty of Care in Cybersecurity for Ports and Inland Navigation (NIS2)

6 March 2026

The European NIS2 Directive and the upcoming Dutch Cybersecurity Act (Cbw) have implications for organisations in the port and inland navigation sector.

Following questions from the sector, we would like to inform you about the implications of the European NIS2 Directive and the upcoming Dutch Cybersecurity Act (Cbw) for organisations in the port and inland navigation sector and related activities. The Cbw has not yet entered into force in the Netherlands, but the NCSC (National Cyber Security Centre) expects it to take effect in Q2 2026.

In collaboration with BOEM Cybersecurity, Transafe has investigated to what extent inland waterway transport and shipping services, petrochemicals, waste processing, and port storage/terminals fall within the scope of the NIS2 Directive and the upcoming Dutch Cybersecurity Act (Cbw).

Scope of the legislation

The Cybersecurity Act applies to medium-sized and large organisations. This concerns enterprises with:

  • more than 50 employees, or
  • an annual turnover exceeding € 10 million.

Within the port and water-related sectors, the Act may apply to:

  • water transport companies (inland navigation, coastal and sea transport of passengers and goods);
  • managers of ports and port facilities;
  • operators of terminals, quays and port equipment;
  • organisations responsible for vessel traffic management on inland waterways;
  • petrochemical and chemical companies;
  • oil production, refining and storage companies;
  • companies whose core activity is waste processing;
  • storage and tank terminal companies in port areas.

Indirect implications for suppliers

Organisations that do not fall directly within the scope of the Act may still be indirectly affected by NIS2. Companies that do fall within scope are required to manage risks within their supply chain. This may result in:

  • additional contractual requirements;
  • audits or assurance requests;
  • requirements regarding security measures;
  • obligations relating to incident reporting and business continuity.

In short: organisations that keep ports operational (facilities, terminals, critical port assets, transport vessels) are more likely to fall within scope than a purely vessel-related service provider. Much of the petrochemical activity in port clusters either falls directly within scope (port/terminal, oil, chemicals) or is captured via multiple categories simultaneously. Further detail can be found in NIS2 Annex I and II.

Getting started with the Cbw (NIS2) Control Framework

With the introduction of the Cybersecurity Act (Cbw, NIS2), responsibility for cyber resilience is placed explicitly with organisations and their management. To create oversight and enable targeted action, the Cbw (NIS2) Control Framework has been developed. The framework is intended for organisations that qualify as essential or important entities under the Cybersecurity Act, as well as for IT auditors and internal administrators involved in assessing cyber resilience and regulatory compliance. The Framework provides an overview of the statutory requirements and a practical tool for identifying areas for improvement and implementing control measures.

The framework is designed to be applicable to all sectors and entities within the target group of the legislation. It serves as a supporting instrument, not as a normative framework. Entities remain responsible for determining which security measures are appropriate and proportionate within their specific context and risk profile. The framework is available as an Excel workbook and can be downloaded.


Four pitfalls surrounding NIS2

The NIS2 Directive appears straightforward on paper: ten measures, clear requirements and a risk-based approach. However, between reading the directive, particularly Article 21, and actual implementation, misinterpretations can arise:

  1. "We have ISO 27001, so we're covered, aren't we?"
    ISO 27001 is an excellent foundation, but organisations must carry out an explicit gap analysis to verify that all elements are addressed, particularly regarding supply chain security and the enhanced duty of care for management.

  2. The checklist pitfall
    The directive explicitly requires organisations to assess the effectiveness of their cybersecurity risk management measures. This is not a box-ticking exercise, but an ongoing obligation to demonstrate that measures are actually functioning and that business continuity is secured.

  3. Proportionality as an excuse for delay
    "We are a small organisation, so we are entitled to be proportionate" has become the rallying cry of insufficiently prepared organisations. Proportionality takes into account scale and risk exposure, as well as the likelihood and impact of incidents, including societal and economic consequences. Proportionality is about aligning security to risk, not about aligning effort to budget comfort.

  4. Waiting for complete clarity
    "We will wait until the Act enters into force. The details are not yet clear." Although the Dutch Cybersecurity Act is expected to take effect in Q2 2026, the directive has been in force since January 2023. The ten minimum measures have already been established. Waiting for someone to prescribe exactly how to secure your organisation is like waiting for the fire brigade to confirm that water is wet: by that time, the sprinklers should already have been installed.

Conclusion

The introduction of the Cybersecurity Act presents organisations with choices regarding information security. Successful implementation is not defined by the volume of documentation, but by demonstrable control over specific risks. The terms "appropriate and proportionate" in the directive should not be interpreted as a framework for minimal effort, but as a call for targeted alignment with your actual risk profile. In the near future, supervisory authorities will not only ask for documented policy, but will explicitly require evidence of the actual effectiveness of the measures taken.

We therefore advise organisations to begin with a thorough, objective risk analysis. By implementing measures that genuinely address vulnerabilities and verifying their effectiveness on an ongoing basis, organisations fulfil the duty of care prescribed by law. The flexibility offered by the directive should be regarded as scope for necessary customisation.

For questions about this subject, please contact us.

For support with implementing the Cbw Framework or an NIS2 Board Training, we recommend contacting BOEM Cybersecurity.

Contact BOEM Cybersecurity:
Clayton Inge (Field CISO & BD Manager)
clayton.inge@boemcybersecurity.nl
+31(0)6 81 45 95 54