Cybersecurity for rail
Cybersecurity for rail encompasses the technical and organisational measures required to protect digital systems in railway operations — including signalling, control, communication, and operational IT — from unauthorised access, manipulation, and disruption.
Rail is classified as critical infrastructure under EU law. A successful cyberattack on safety-critical railway systems — train control, interlockings, traffic management — carries consequences beyond service disruption, including the potential for physical harm.
The attack surface in modern rail is broad. Operational Technology (OT) systems — signalling equipment, SCADA systems, onboard control units — are increasingly networked and interconnected with IT systems. This convergence creates pathways between administrative networks and safety-critical systems that did not exist in older, isolated architectures.
Regulatory framework
Under the NIS2 Directive (Directive (EU) 2022/2555, in force since 16 January 2023), infrastructure managers and railway undertakings are listed in Annex I as a sector of high criticality. Those above the size threshold in Article 3 are essential entities; smaller ones fall under the lighter supervisory regime for important entities.
Member States were required to transpose NIS2 into national law by October 2024; as NIS2 is a directive rather than a regulation, obligations become enforceable only through national transposition, and as of mid-2026 several major Member States including Germany and France are still completing their legislative process.
NIS2 obligations for essential entities include: documented cybersecurity risk management measures (Article 21), staged reporting of significant incidents (an early warning to the national authority within 24 hours, a full incident notification within 72 hours, and a final report within one month), supply chain security assessments covering direct suppliers and service providers, and board-level accountability for cybersecurity governance, including mandatory training for management bodies.
Rail operators identified as critical entities under the companion CER Directive — Critical Entities Resilience Directive (EU) 2022/2557 — are classified as essential under NIS2, making dual compliance mandatory where national transposition is in effect. Non-compliance carries administrative fines of up to EUR 10 million or 2% of total worldwide annual turnover, whichever is higher.
ERA and ENISA formalised cooperation on railway cybersecurity through a Memorandum of Understanding in 2023. The 2024 ERA-ENISA conference on railway cybersecurity identified OT environment vulnerabilities, supply chain risk, and legacy system constraints as the three most significant structural challenges to NIS2 compliance across the sector.
Technical context
IEC 62443 is the reference standard series for cybersecurity in industrial automation and control systems and is applied to rail OT environments; CENELEC TS 50701 adapts its concepts to railway applications. The core model partitions the system into zones (groups of assets sharing security requirements) joined by conduits (the controlled communication paths between zones), assigns each zone a target security level (SL-T, on a scale of 1 to 4), and requires the boundary controls on each conduit to reach a matching capability level (SL-C). This maps onto the layered architecture of signalling and control systems, where a corporate IT zone, a traffic-management zone and an interlocking zone carry different target levels and must only talk through declared conduits.
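A concrete way to use the zone/conduit model is to audit observed network flows against it: every cross-zone flow must match a declared conduit, be on a permitted port, and traverse a boundary control whose SL-C is at least the destination zone's SL-T. The script below is an added example, not code from the standard or from any railway project. The zone names, address ranges, target levels, conduits and the flow records are constructed for illustration; only the zone/conduit/SL-T/SL-C vocabulary is the standard's. It also catches the IT-to-OT pathway problem described earlier (a flow from the corporate zone straight into the interlocking zone with no conduit at all).

```python
"""Zone-and-conduit audit of observed network flows, in the style of the
IEC 62443-3-2 zone/conduit model.

Added example, not code from any railway project or from the standard.
Zone names, SL-T values, conduits, address ranges and the flow records are
constructed for illustration; only the vocabulary (zones, conduits, SL-T,
SL-C, levels 1..4) comes from IEC 62443.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Zone:
    name: str
    sl_target: int            # SL-T: level the zone must achieve (1..4)
    networks: tuple           # ipaddress networks assigned to the zone


@dataclass(frozen=True)
class Conduit:
    src: str                  # source zone name
    dst: str                  # destination zone name
    sl_capability: int        # SL-C of the boundary control enforcing this conduit
    allowed: frozenset        # permitted (proto, dst_port) pairs


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    proto: str
    dst_port: int


# Constructed zone model: corporate IT, a traffic-management zone and an
# interlocking zone that carries the highest target level.
ZONES = (
    Zone("corporate_it", 1, (ipaddress.ip_network("10.1.0.0/16"),)),
    Zone("traffic_management", 2, (ipaddress.ip_network("10.20.0.0/24"),)),
    Zone("interlocking", 3, (ipaddress.ip_network("10.30.0.0/24"),)),
)

# Constructed conduits. The second is deliberately under-protected: its
# boundary control only reaches SL-C 2 while the interlocking zone needs SL-T 3.
CONDUITS = (
    Conduit("corporate_it", "traffic_management", 2, frozenset({("tcp", 443)})),
    Conduit("traffic_management", "interlocking", 2, frozenset({("tcp", 102)})),
)

# Constructed flow records: "<timestamp> <src_ip> <dst_ip> <proto> <dst_port>"
SAMPLE_FLOWS = """\
2026-03-01T10:15:02Z 10.1.0.10 10.20.0.5 tcp 443
2026-03-01T10:15:07Z 10.1.0.10 10.30.0.2 tcp 22
2026-03-01T10:15:09Z 10.20.0.5 10.30.0.2 tcp 102
2026-03-01T10:15:12Z 10.20.0.5 10.30.0.2 tcp 3389
2026-03-01T10:15:15Z 10.30.0.2 10.30.0.3 udp 5000
2026-03-01T10:15:20Z 192.168.5.5 10.30.0.2 tcp 102
"""


def parse_flow(line):
    """Parse one whitespace-separated flow record into a Flow."""
    _ts, src, dst, proto, port = line.split()
    return Flow(src, dst, proto.lower(), int(port))


def zone_of(ip, zones=ZONES):
    """Return the Zone containing ip, or None if the host is unassigned."""
    addr = ipaddress.ip_address(ip)
    for zone in zones:
        if any(addr in net for net in zone.networks):
            return zone
    return None


def check_flow(flow, zones=ZONES, conduits=CONDUITS):
    """Return finding strings for one flow; empty list means it fits the model.

    Each finding starts with a fixed code (UNASSIGNED_HOST, NO_CONDUIT,
    PORT_NOT_PERMITTED, SL_GAP) so results can be filtered or counted.
    """
    src, dst = zone_of(flow.src_ip, zones), zone_of(flow.dst_ip, zones)
    if src is None or dst is None:
        host = flow.src_ip if src is None else flow.dst_ip
        return [f"UNASSIGNED_HOST {host} belongs to no zone"]
    if src.name == dst.name:
        return []                       # intra-zone traffic is outside conduit scope
    path = f"{flow.src_ip}->{flow.dst_ip}:{flow.dst_port}/{flow.proto}"
    conduit = next((c for c in conduits if (c.src, c.dst) == (src.name, dst.name)), None)
    if conduit is None:
        return [f"NO_CONDUIT {src.name}->{dst.name} for {path}"]
    findings = []
    if (flow.proto, flow.dst_port) not in conduit.allowed:
        findings.append(f"PORT_NOT_PERMITTED {path} on conduit {src.name}->{dst.name}")
    if conduit.sl_capability < dst.sl_target:
        findings.append(f"SL_GAP conduit {src.name}->{dst.name} is SL-C {conduit.sl_capability}, "
                        f"zone {dst.name} requires SL-T {dst.sl_target}")
    return findings


def audit(text=SAMPLE_FLOWS, zones=ZONES, conduits=CONDUITS):
    """Audit every record in text; returns a list of (Flow, findings) pairs."""
    flows = [parse_flow(line) for line in text.splitlines() if line.strip()]
    return [(flow, check_flow(flow, zones, conduits)) for flow in flows]


if __name__ == "__main__":
    for flow, findings in audit():
        status = "ok" if not findings else "; ".join(findings)
        print(f"{flow.src_ip} -> {flow.dst_ip}:{flow.dst_port}/{flow.proto}: {status}")
```

On the constructed input the audit passes the first and fifth flows, flags the direct corporate-to-interlocking SSH attempt as a flow with no conduit, and reports the traffic-management-to-interlocking conduit as an SL gap even for the permitted port, which is the kind of design-level finding a firewall rule review alone would miss. In practice the zone table and conduits would be exported from the system's security architecture documentation and the flows from NetFlow or firewall logs.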
FRMCS (Future Railway Mobile Communication System), the 5G-based successor to GSM-R, is being designed with cybersecurity as a native requirement. GSM-R inherits the 2G GSM security model and was not designed against contemporary threat models, so the migration is itself a significant cybersecurity transition: during the changeover period both systems operate in parallel, and the older one remains an attack surface until it is decommissioned.
Rail operators running ERTMS must also address the cybersecurity of ETCS interfaces. Communication between onboard equipment and trackside RBCs (Radio Block Centres) is a defined attack surface: the EuroRadio safety layer (Subset-037) authenticates messages with a keyed MAC but does not itself provide confidentiality, and the keys it relies on are distributed under the ETCS key management scheme (Subset-038), so key handling is part of that surface. ERA's CCS TSI revisions have begun to address these interfaces.
Challenges and constraints
The most significant structural challenge is the OT/IT divide: rail OT systems are often legacy architectures with service lives measured in decades, patching constrained by safety certification and maintenance windows, and design assumptions that predate networked environments.
Achieving NIS2 compliance across a heterogeneous OT estate — spanning multiple generations of signalling equipment, different vendors, and varying national implementations — requires sector-wide coordination.
Supply chain risk is a related concern: the sector's cybersecurity posture depends not only on operators and infrastructure managers but on the suppliers of hardware and software components throughout the system, which is why NIS2 makes assessment of direct suppliers and service providers an explicit obligation rather than a best practice.

