Maritime transport is classified as an “essential entity” under NIS2. The Member State transposition deadline was 17 October 2024.
The NIS2 Directive (EU 2022/2555) is the most significant overhaul of European cybersecurity legislation in a decade. It directly targets maritime transport operators, port authorities, and inland waterway services, requiring comprehensive risk management, an early warning to the CSIRT or competent authority within 24 hours of becoming aware of a significant incident, and board-level accountability for cybersecurity failures. NCoDE Command maps every NIS2 obligation to concrete, auditable controls.
NIS2 replaces the original NIS Directive with a significantly broader scope and stricter enforcement. Maritime transport, port managing bodies, and operators of vessel traffic services are explicitly named in Annex I as essential entities. There is no opt-out. There is no grace period.
The directive covers maritime transport companies as defined in Regulation (EC) No 725/2004 — including shipowners, ship operators, and companies responsible for safety management. Port managing bodies under Directive 2005/65/EC are also in scope, as are operators of vessel traffic services (VTS) under Directive 2002/59/EC. If your organisation operates vessels in EU waters, manages EU port infrastructure, or provides VTS coverage, NIS2 applies to you. The penalties for non-compliance are not theoretical — supervisory authorities have been given binding enforcement powers under Article 32, including the ability to suspend certifications and prohibit individuals from exercising management functions.
Article 21 of the NIS2 Directive requires essential entities to implement at least ten specific cybersecurity risk management measures. Each measure must be proportionate, technically current, and demonstrable to supervisory authorities. NCoDE Command provides the tooling and audit evidence for every one.
NCoDE’s Risk Register provides a dynamic 5×5 risk matrix with likelihood/impact scoring, mitigation tracking, and risk ownership. The Document Vault stores your information security policies with version control, review dates, and access logging. Risk entries link directly to the controls that mitigate them, creating a complete audit chain from policy to implementation.
The Incident Response module provides a guided decision tree for incident classification, auto-generated descriptions based on selected criteria, and multi-framework reporting that simultaneously satisfies NIS2 Article 23, USCG NRC, and IMO SMS chain requirements. Every incident gets timestamped entries, assigned handlers, and tracked resolution.
NCoDE tracks backup schedules with RPO/RTO targets, monitors restore testing records, and alerts at 1.5× and 2× frequency thresholds when backups are overdue. The Change Control Board manages crisis-driven changes through a structured request → review → approve → implement workflow that maintains audit trails even during emergency operations.
The Vendor Management module maintains a database of all third-party service providers with contract tracking, remote access logging, and Data Processing Agreement (DPA) status. Every vendor session is logged with timestamps, and the system tracks which vendors have accessed which shipboard systems — critical evidence for demonstrating supply chain oversight.
Automated Wazuh vulnerability scanning runs across all shipboard PCs, identifying CVEs with severity ratings and remediation guidance. The Patch Lifecycle module tracks each vulnerability from discovery through scheduled → applied → verified stages, with auto-created change requests ensuring that every patch follows your change management process.
NCoDE’s Compliance Tracker maps every control to the framework requirement it addresses, showing coverage percentage across NIS2, USCG, IMO, and other frameworks simultaneously. The Audit Log captures every action taken in the system, providing the evidence trail that supervisory authorities need to assess whether your measures are genuinely effective.
The Training & Certification module integrates with LDAP to maintain a crew × certification matrix showing every crew member’s training status, expiry dates, and compliance percentage by role. Automated warnings trigger at 30, 60, and 90 days before certification expiry, ensuring continuous compliance with Article 21’s training requirements.
NCoDE enforces LDAP-based authentication across all shipboard systems, providing centralised credential management with configurable password policies. The Document Vault stores your cryptography policies and tracks their review cycles. Software allowlisting ensures that only authorised applications run on shipboard workstations, preventing unauthorised encryption tools.
Role-based access control through LDAP integration ensures crew members only access the systems their role requires. Group permissions map to vessel roles (Master, Chief Engineer, DPA, etc.) with full audit trails of who accessed what and when. Asset management tracks which devices are assigned to which personnel, supporting HR-security integration.
NCoDE supports MFA configuration through its LDAP infrastructure, enabling two-factor authentication for access to critical shipboard systems. The access control module tracks authentication events, failed login attempts, and session management — providing the evidence that MFA policies are enforced in practice, not just documented on paper.
Article 23 imposes a staged reporting obligation on essential entities. When a significant incident occurs, you must notify your national CSIRT or, where applicable, the competent authority within defined timeframes, and the clock starts when you become aware of the incident, not when it began. Missing any deadline exposes the organisation to supervisory action. NCoDE auto-creates all three deadlines the moment an incident is logged.
When you create an incident in NCoDE and classify it as NIS2-reportable, the system automatically creates three deadline entries with countdown timers, following Article 23(4): an early warning within 24 hours of becoming aware, a detailed incident notification within 72 hours of becoming aware, and a final report no later than one month after the incident notification is submitted (an intermediate status update must also be provided if the CSIRT or competent authority requests one). Each stage has its own status tracker (pending → submitted → acknowledged), and the system generates alerts if a deadline is approaching or has passed without a submission. The incident timeline captures every action, note, and evidence attachment with timestamps, so when it comes time to compile the final report, the data is already structured and ready.
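The deadline logic described above, as an added illustration rather than NCoDE's own code: the early warning and notification clocks run from the awareness time, while the final-report clock re-bases itself on the moment the 72-hour notification is actually submitted. The stage names, the six-hour "approaching" window, and the approximation of "one month" as 30 days are assumptions made for this example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Article 23(4) stages. Assumption for this example: "one month" is treated as
# 30 days; the directive counts it from submission of the incident notification.
EARLY_WARNING = timedelta(hours=24)
NOTIFICATION = timedelta(hours=72)
FINAL_REPORT = timedelta(days=30)
APPROACHING = timedelta(hours=6)  # hypothetical warning window before a due date


@dataclass
class Stage:
    name: str
    due: datetime
    submitted: Optional[datetime] = None
    acknowledged: bool = False

    def status(self) -> str:
        # pending -> submitted -> acknowledged
        if self.submitted is None:
            return "pending"
        return "acknowledged" if self.acknowledged else "submitted"

    def alert(self, now: datetime) -> Optional[str]:
        # Alerts only matter while nothing has been submitted for this stage.
        if self.submitted is not None:
            return None
        if now > self.due:
            return "overdue"
        if self.due - now <= APPROACHING:
            return "approaching"
        return None


@dataclass
class Nis2Incident:
    aware_at: datetime  # the clock starts at awareness, not at the incident's start
    stages: dict = field(default_factory=dict)

    def __post_init__(self) -> None:
        if self.aware_at.tzinfo is None:
            raise ValueError("aware_at must be timezone-aware (use UTC)")
        self.stages = {
            "early_warning": Stage("early_warning", self.aware_at + EARLY_WARNING),
            "notification": Stage("notification", self.aware_at + NOTIFICATION),
            # Until the notification is submitted, the latest possible final-report
            # due date is the notification deadline plus one month.
            "final_report": Stage(
                "final_report", self.aware_at + NOTIFICATION + FINAL_REPORT
            ),
        }

    def submit(self, stage: str, at: datetime) -> bool:
        """Record a submission; return True if it was on time."""
        s = self.stages[stage]
        s.submitted = at
        if stage == "notification":
            # Final report is due one month after the notification was submitted.
            self.stages["final_report"].due = at + FINAL_REPORT
        return at <= s.due

    def alerts(self, now: datetime) -> dict:
        return {n: a for n, s in self.stages.items() if (a := s.alert(now))}


if __name__ == "__main__":
    # Constructed sample: awareness on 1 March 2025 at 10:00 UTC.
    inc = Nis2Incident(datetime(2025, 3, 1, 10, 0, tzinfo=timezone.utc))
    for name, s in inc.stages.items():
        print(f"{name:14s} due {s.due.isoformat()} status={s.status()}")
    print(inc.alerts(datetime(2025, 3, 2, 6, 0, tzinfo=timezone.utc)))
```

Re-basing the final-report deadline on the actual submission time is the detail most spreadsheet trackers get wrong; submitting the notification early buys no extra time for the final report, it moves that deadline earlier.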
This three-stage approach runs in parallel with USCG NRC reporting (for vessels operating in US waters) and IMO SMS chain reporting (for ISM-audited vessels). A single incident in NCoDE can trigger all three reporting frameworks simultaneously, each with their own deadlines and notification chains, without duplicating effort.
NIS2 compliance is not a one-time checkbox. It requires ongoing risk management, continuous monitoring, rapid incident response, and auditable evidence of all three. Here is how NCoDE structures this into a manageable workflow.
The Risk Register maintains a living record of all identified cybersecurity risks, scored on a 5×5 likelihood/impact matrix. Each risk links to the NIS2 Article 21 measure it falls under, the controls that mitigate it, and the residual risk level after mitigation. Risk reviews are tracked with dates and outcomes, giving supervisory authorities evidence that risk management is ongoing — not a static document filed and forgotten.
Wazuh integration provides real-time endpoint monitoring across all shipboard workstations, detecting vulnerabilities, unauthorised software, and security events. The PC Security Overview dashboard shows the security status of every managed device at a glance. Automated vulnerability scanning identifies new CVEs as they are published, creating patch lifecycle entries that track remediation from discovery through verification.
When an incident occurs, the guided decision tree walks the responder through classification: type, severity, affected systems, regulatory reporting obligations. Based on the classification, NCoDE auto-generates an incident description, creates the appropriate reporting deadlines (NIS2 Article 23, USCG NRC, IMO SMS chain), and opens a timestamped incident log. Every action taken during response is captured as evidence for the final report.
Every action in NCoDE generates an audit log entry with timestamp, user identity, and action detail. The Compliance Tracker shows your coverage across all NIS2 Article 21 measures at a glance, with drill-down into the specific controls, evidence, and modules that support each requirement. When supervisory authorities request evidence of compliance, the data is already structured, timestamped, and exportable — not scattered across spreadsheets and email threads.
Common questions about the NIS2 Directive and how it applies to maritime operators.
NIS2 is an EU-wide cybersecurity directive replacing NIS1, with a transposition deadline of 17 October 2024. Maritime transport is classified as an essential entity. Under Article 34, the maximum fine for essential entities must be at least 10 million EUR or 2% of total worldwide annual turnover, whichever is higher.
Yes. Maritime transport, port operators, and inland waterway operators are classified as essential entities. All must implement Article 21 risk management measures and Article 23 incident reporting obligations.
Three mandatory stages under Article 23(4): an early warning to the national CSIRT or competent authority within 24 hours of becoming aware of the incident, a detailed incident notification within 72 hours of becoming aware, and a final report no later than one month after the incident notification is submitted. NCoDE Command auto-creates all three deadlines when an incident is logged.
Article 21(2) requires: (a) risk analysis and information system security policies, (b) incident handling, (c) business continuity, including backup management, disaster recovery and crisis management, (d) supply chain security, (e) security in the acquisition, development and maintenance of systems, including vulnerability handling and disclosure, (f) policies to assess the effectiveness of the measures, (g) basic cyber hygiene and cybersecurity training, (h) policies on the use of cryptography and, where appropriate, encryption, (i) human resources security, access control and asset management, (j) multi-factor or continuous authentication, secured voice, video and text communications, and secured emergency communications.
NIS2 is broader in scope (covers governance, supply chain, training) while USCG 33 CFR 101 is more prescriptive about specific technical controls. NCoDE Command manages both frameworks simultaneously from a single platform.
NCoDE Command maps every NIS2 Article 21 measure to concrete modules and controls. See how all nine regulatory frameworks — including NIS2, USCG, IMO, SOLAS, and ISM — are covered in a single platform.