Why Maritime Operators Are in Scope

The NIS2 Directive (Directive (EU) 2022/2555) replaced the original NIS Directive with a significantly expanded scope and stronger enforcement mechanisms. Maritime transport is listed in Annex I (the sectors of high criticality) under the "Water" subsector: inland, sea and coastal passenger and freight water transport companies, managing bodies of ports and port facilities, and operators of vessel traffic services. Whether a given operator is an "essential entity" or an "important entity" depends mainly on size: large enterprises in an Annex I sector are essential entities, while medium-sized ones are, as a rule, important entities with a lower penalty tier, and member states may also designate individual entities regardless of size. The first step for any operator is therefore to establish which tier applies to each legal entity in the group.

The essential-entity classification carries the highest tier of obligations and penalties. Member states must provide for administrative fines of at least 10 million EUR or 2% of total worldwide annual turnover in the preceding financial year, whichever is higher (for important entities the floor is 7 million EUR or 1.4%). For major shipping companies, the 2% calculation produces a ceiling far above the 10 million EUR figure.

The Directive required EU member states to transpose it into national law by October 17, 2024, and to draw up their lists of essential and important entities by April 17, 2025. Several member states were late with transposition, but most now have implementing legislation in force. The first compliance assessments and audits for essential entities are expected by June 30, 2026 in the majority of EU jurisdictions.

The critical point for maritime operators is how scope and jurisdiction are defined. The Directive applies to entities that provide their services or carry out their activities within the Union (Article 2), and an entity falls under the jurisdiction of the member state in which it is established (Article 26). A shipping group headquartered outside the EU is therefore not automatically out of scope: its EU-established subsidiaries, port operations and service companies are assessed in their own right, and each can be an essential entity in its member state. The obligation for non-EU entities to appoint an EU representative applies only to certain digital-service providers, not to maritime transport, so operators should map scope entity by entity rather than assume that the flag of the vessel or the domicile of the parent company settles the matter.

What NIS2 Requires That IMO and USCG Do Not

Many maritime operators assume that compliance with the IMO Guidelines on Maritime Cyber Risk Management (MSC-FAL.1/Circ.3, applied through the ISM Code by Resolution MSC.428(98)) or with the USCG cybersecurity rule in 33 CFR Part 101 will automatically satisfy NIS2. This is incorrect. While there is overlap in the general principles of cybersecurity risk management, NIS2 introduces several requirements that go well beyond what the maritime-specific frameworks demand.

Supply Chain Security

NIS2 (Article 21(2)(d)) requires entities to address supply chain security, including the security-related aspects of the relationships between the entity and its direct suppliers and service providers. In practice this means evaluating the security practices of suppliers, service providers and partners, and incorporating supply chain risk into the overall cybersecurity risk management framework. For maritime operators, this extends to classification societies, equipment manufacturers, software vendors, port service providers, and any third party with access to your systems or data. The IMO guidelines treat third-party risk only in general terms, and the supplier-related provisions of the USCG rule are narrower than what a NIS2 audit will ask for, so neither maritime framework on its own produces the supply chain evidence NIS2 expects.

Board-Level Accountability

Under Article 20 of NIS2, the management body of an essential or important entity must approve the cybersecurity risk management measures, oversee their implementation, and can be held liable for infringements. Members of the management body are also required to follow cybersecurity training, and entities are encouraged to offer similar training to employees on a regular basis. This is fundamentally different from the IMO and USCG approaches, which place accountability on the designated person ashore (DPA) under the ISM Code or on the Cybersecurity Officer (CySO) under the USCG rule rather than on the board of directors.

24-Hour Incident Notification

NIS2 (Article 23) imposes strict, staged notification timelines for significant incidents. An early warning must be submitted to the CSIRT (Computer Security Incident Response Team) or, where applicable, the competent authority within 24 hours of becoming aware of the incident; it need only indicate whether the incident is suspected to be malicious and whether it could have cross-border impact. An incident notification with an initial assessment of severity and impact follows within 72 hours of awareness, and a final report is due no later than one month after that incident notification (or a progress report if the incident is still ongoing). All of these clocks run from the moment of awareness, not from the onset of the incident, so how your procedure defines and records "becoming aware" matters. The 24-hour early warning is significantly faster than either the IMO guidance or the USCG obligation to report to the National Response Center (NRC) "without delay", which specifies no fixed timeline for the initial notification.

Business Continuity Planning

NIS2 (Article 21(2)(c)) explicitly requires business continuity, such as backup management and disaster recovery, together with crisis management. While the USCG regulations touch on backup procedures and recovery planning, NIS2 demands a business continuity framework that covers the entire organisation - not just individual vessels. This includes supply chain continuity, alternative communication channels, and the ability to maintain essential services during and after a cyber incident.

Vulnerability Handling and Disclosure

Entities must address security in the acquisition, development and maintenance of network and information systems, including vulnerability handling and disclosure (Article 21(2)(e)). This means a structured approach to identifying, tracking, and remediating vulnerabilities across all systems, as well as a coordinated vulnerability disclosure process for receiving and acting on reports from outside the organisation. The USCG's patch management requirements are narrower in scope, and the IMO guidelines do not address vulnerability disclosure at all.

The Compliance Gap in Maritime

Despite the transposition deadline having passed and national enforcement now ramping up, a significant proportion of maritime operators remain unprepared for NIS2 compliance. The reasons are consistent across the industry: many operators have focused their cybersecurity efforts on IMO and USCG requirements - which they perceive as more immediately relevant to vessel operations - while treating NIS2 as a corporate compliance issue that can be addressed later.

The supply chain security requirement alone presents a major challenge. Most maritime operators have never conducted formal cybersecurity assessments of their suppliers. Equipment manufacturers, classification societies, and port service providers have traditionally operated outside the scope of a shipping company's cybersecurity programme. Building the assessment frameworks, conducting the evaluations, and implementing contractual security requirements takes months.

Board-level training is another area where most operators have gaps. Cybersecurity has historically been treated as an IT function, delegated to technical staff. NIS2 requires board members to have sufficient understanding of cybersecurity risk to approve measures and be held accountable. Organising and documenting this training across the management body takes time and planning.

The 24-hour early warning requirement demands capabilities that many maritime operators simply do not have. Detecting a significant incident, assessing its scope, and submitting an early warning within 24 hours of becoming aware of it requires continuous monitoring, incident classification criteria that say what counts as "significant" and when the organisation is deemed aware, and pre-drafted notification templates with the CSIRT contact details already filled in. Without these, the 24-hour window becomes almost impossible to meet, and the 72-hour notification and one-month final report that follow from it slip as well.

Multi-Framework Compliance with NCoDE Command

NCoDE Command was built from the ground up to handle simultaneous compliance across multiple regulatory frameworks. Rather than treating USCG, IMO, and NIS2 as separate compliance workstreams - each with their own documentation, tracking, and reporting systems - NCoDE Command unifies them into a single operational platform.

The most powerful example of this approach is incident management. When a cyber incident is logged in NCoDE Command, the system identifies which regulatory frameworks apply and generates the corresponding reporting obligations from the single recorded awareness time. One incident simultaneously triggers the 24-hour early warning to the relevant NIS2 CSIRT, a notification to the USCG National Response Center (NRC), and a non-conformity or incident record in the ISM safety management system (SMS). Each notification is formatted according to the specific requirements of its framework, with the correct timelines, contact information, and required data fields.
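The deadline arithmetic behind a multi-framework incident schedule like the one described above (and the capability gap discussed under "The Compliance Gap in Maritime") is simple but easy to get wrong under pressure. The following is an added example written for this article; it is not NCoDE Command's code and makes no claim about how that product implements it. It derives every obligation from one awareness timestamp, models the NIS2 Article 23 clocks (24 hours, 72 hours, one month after the incident notification), and treats the USCG NRC report and the ISM SMS record as "without delay" obligations with no fixed clock. The framework names, step labels, the 30-day approximation of "one month", and the sample timestamps are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Iterable, Optional

# Added example: a minimal multi-framework notification scheduler. NIS2 clocks follow
# Article 23 (24 h early warning, 72 h incident notification, final report one month
# after the incident notification). "One month" is approximated as 30 days, which is an
# assumption; check the wording of your member state's transposition. The USCG NRC
# report ("without delay") and the ISM SMS record have no fixed clock and are modelled
# as due at the moment of awareness. Step labels are constructed for this example.

ONE_MONTH = timedelta(days=30)


@dataclass(frozen=True)
class Obligation:
    framework: str
    step: str
    due: datetime        # absolute deadline, always UTC
    fixed_clock: bool    # False where the framework only says "without delay"


def _utc(ts: datetime) -> datetime:
    # Ship and shore systems run on different local times; refuse naive timestamps so
    # the 24 h clock cannot silently drift by a timezone offset.
    if ts.tzinfo is None:
        raise ValueError("timestamps must be timezone-aware")
    return ts.astimezone(timezone.utc)


def nis2_obligations(aware_at: datetime, notified_at: Optional[datetime]) -> list:
    aware_at = _utc(aware_at)
    notification_due = aware_at + timedelta(hours=72)
    # The final-report clock starts when the 72 h notification is actually submitted;
    # until then, plan against the latest permitted submission time (worst case).
    final_base = _utc(notified_at) if notified_at else notification_due
    return [
        Obligation("NIS2", "early warning to CSIRT", aware_at + timedelta(hours=24), True),
        Obligation("NIS2", "incident notification", notification_due, True),
        Obligation("NIS2", "final report", final_base + ONE_MONTH, True),
    ]


def uscg_obligations(aware_at: datetime) -> list:
    return [Obligation("USCG", "report to NRC", _utc(aware_at), False)]


def imo_obligations(aware_at: datetime) -> list:
    return [Obligation("IMO/ISM", "SMS incident record", _utc(aware_at), False)]


def build_schedule(aware_at: datetime, frameworks: Iterable[str],
                   significant: bool = True,
                   notified_at: Optional[datetime] = None) -> list:
    """All obligations for one incident, ordered by deadline.

    NIS2 Article 23 applies only to significant incidents, so the NIS2 steps are
    omitted when `significant` is False; the other frameworks keep their own tests.
    """
    out: list = []
    for name in frameworks:
        if name == "NIS2":
            if significant:
                out.extend(nis2_obligations(aware_at, notified_at))
        elif name == "USCG":
            out.extend(uscg_obligations(aware_at))
        elif name == "IMO":
            out.extend(imo_obligations(aware_at))
        else:
            raise ValueError(f"unknown framework: {name}")
    return sorted(out, key=lambda o: o.due)


def schedule_status(schedule: list, now: datetime, completed=frozenset()) -> dict:
    """Map (framework, step) -> 'done', 'overdue' or 'due in <h> h'."""
    now = _utc(now)
    result = {}
    for o in schedule:
        key = (o.framework, o.step)
        if key in completed:
            result[key] = "done"
        elif now >= o.due:
            result[key] = "overdue"
        else:
            hours = (o.due - now).total_seconds() / 3600
            result[key] = f"due in {hours:.1f} h"
    return result


if __name__ == "__main__":
    # Constructed sample: awareness at 10:00 UTC, status checked 30 h later with the
    # NRC report already filed and the NIS2 early warning still not sent.
    aware = datetime(2025, 3, 1, 10, 0, tzinfo=timezone.utc)
    sched = build_schedule(aware, ["NIS2", "USCG", "IMO"])
    status = schedule_status(sched, aware + timedelta(hours=30),
                             completed={("USCG", "report to NRC")})
    for (framework, step), state in status.items():
        print(f"{framework:8} {step:24} {state}")
```

Two design points are worth carrying into a real system: "without delay" obligations are deliberately shown as overdue the moment they are not marked done, because there is no grace period to report against, and the final-report deadline is recomputed once the 72-hour notification is actually submitted, since the Directive ties that clock to the submission rather than to awareness.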

This eliminates the risk of missing a reporting deadline because the crew was focused on a different framework's requirements. It also prevents inconsistencies between notifications - a common audit finding when organisations manage multiple frameworks separately.

For supply chain security, NCoDE Command provides a vendor management module that tracks supplier cybersecurity assessments, monitors compliance status, and alerts when assessments need to be renewed. This directly addresses the NIS2 supply chain requirement while also supporting the USCG's vendor management expectations.

The training matrix handles board-level training tracking alongside CySO qualifications and crew awareness training, ensuring that all NIS2 management accountability requirements are documented and current. Vulnerability tracking integrates with the Wazuh SIEM module to provide the structured vulnerability handling and disclosure processes that NIS2 demands.

For operators subject to all three frameworks - for example a group with EU-established shipping or port companies that also operates US-flagged vessels or MTSA-regulated US facilities - NCoDE Command turns what would otherwise be a triple compliance burden into a single, integrated workflow. One set of operational data serves all three frameworks, with framework-specific outputs generated automatically.