The no-bullshit guide to NIS2

Picture this: Tuesday morning, 7:15 AM. The first trucks are pulling up to the docks, the morning shift has clocked in, and today's peak volume needs to move. But the handheld scanners are throwing a network error. The WMS won't load. The screens at the sorting line have gone dark. Within fifteen minutes, your entire operation is at a standstill. One question starts to gnaw at you: are we down for an hour, a day, or the rest of the week?

This is exactly the kind of scenario NIS2 — implemented in the Netherlands as the Cyberbeveiligingswet (Cbw) — is designed to address. It forces the question: can your logistics operation keep running when a serious digital incident hits?

The legislation recognizes that service disruptions can have a deeply destabilizing impact on the economy and society. For many logistics organizations (3PL/4PL, retailers' and manufacturers' own distribution centers, logistics IT providers) it’s a real possibility. If you fall under the Cbw, you'll be subject to three core obligations: a duty of care, an incident reporting obligation, and a registration requirement. In this post, I'm focusing on the duty of care, because that's where the real work of protecting your operation lives.

Duty of care: more than a checklist  

The duty of care is the backbone of the Cbw. Essential and important entities must take measures to protect their network and information systems against incidents, as well as the physical environments in which those systems operate. Crucially, those measures need to be appropriate and proportionate, meaning they should reflect your specific risks, the size of your organization, your threat level, and your potential impact on society and the economy. Leadership is ultimately accountable. They must approve measures, oversee implementation, and receive training to actually understand what they're signing off on. In other words: you need to be structurally in control of your digital resilience.

The Cbw breaks the duty of care down into ten measures. Below, I'll translate each one into the reality of a warehouse and logistics chain.

1. Risk analysis: know your weakest links 

Don't start with tools; start with questions. What's the impact if your WMS is unreachable for three days? What happens if the PLC controls on your sorting line get tampered with? What damage occurs if data from your TMS or customer portal ends up in the wrong hands? Which chain partners are critical (WMS/TMS vendors, cloud providers, carriers, 3PL/4PL partners)? Your risk analysis is the foundation for everything that follows.

2. Security of personnel, access, and assets: the human factor 

Most incidents start with cybercriminals exploiting human behavior: an employee clicks a phishing link, or a former colleague's admin account is still active. In a logistics context, this means implementing a strict role and permissions structure in your WMS and TMS with unique accounts and no generic logins without logging. It also means having a tight process for on- and offboarding, as well as role changes of staff and temp workers. This is your first line of defense. 
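As an added example (not from the original post), here is a small Python check that turns two points from this section into something you can run: it flags WMS accounts that are still enabled after the person's HR last day, and accounts whose names look like shared or generic logins. The CSV column names and the naming prefixes are assumptions, and both inputs are constructed sample data.

```python
"""Offboarding and generic-login check for a WMS user export (added example).
Assumed inputs: a WMS user CSV (username,display_name,role,enabled,last_login)
and an HR leavers CSV (employee_name,last_day). Sample data is constructed."""
import csv
import io
from datetime import date

# Constructed sample exports; real data would come from the WMS and HR system.
WMS_USERS = """username,display_name,role,enabled,last_login
jdoe,Jane Doe,picker,true,2024-05-02
pvries,Piet de Vries,admin,true,2024-04-30
dock1,Dock Terminal 1,operator,true,2024-05-03
svc_tms,TMS integration,integration,true,2024-05-03
amol,Ahmed Mol,supervisor,false,2024-03-01
"""
HR_LEAVERS = """employee_name,last_day
Piet de Vries,2024-04-26
Ahmed Mol,2024-02-28
"""
# Assumed naming patterns that usually mean a shared login rather than a person.
GENERIC_PREFIXES = ("dock", "scanner", "shift", "temp", "test")


def find_orphaned_accounts(wms_csv: str, hr_csv: str, today: str) -> list[str]:
    """Return usernames still enabled after the person's HR last day."""
    leavers = {r["employee_name"]: date.fromisoformat(r["last_day"])
               for r in csv.DictReader(io.StringIO(hr_csv))}
    now = date.fromisoformat(today)
    orphaned = []
    for row in csv.DictReader(io.StringIO(wms_csv)):
        last_day = leavers.get(row["display_name"])
        if last_day and row["enabled"] == "true" and now > last_day:
            orphaned.append(row["username"])
    return orphaned


def find_generic_accounts(wms_csv: str) -> list[str]:
    """Return enabled usernames that look like shared or generic logins.
    Integration (service) accounts are expected and skipped."""
    hits = []
    for row in csv.DictReader(io.StringIO(wms_csv)):
        if row["enabled"] != "true" or row["role"] == "integration":
            continue
        if row["username"].lower().startswith(GENERIC_PREFIXES):
            hits.append(row["username"])
    return hits


if __name__ == "__main__":
    print("orphaned:", find_orphaned_accounts(WMS_USERS, HR_LEAVERS, "2024-05-06"))
    print("generic:", find_generic_accounts(WMS_USERS))
```

Run it against a real export after every offboarding batch; an empty result for both lists is the state you want to be able to show an auditor.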

3. Business continuity (BCP): your Plan B 

For most logistics operations, (extended) downtime is simply not an option. A Business Continuity Plan prepares you for unexpected events such as power outages, cyber incidents, and attacks. However, a BCP you've never actually rehearsed is worth very little when things go sideways. Your BCP needs to answer questions like:

  • How do you keep operating if the WMS goes offline? Is there a paper-based or "light" mode?

  • Can you generate labels manually if the carrier integration goes down?

  • Do you have SLAs with vendors around recovery times and incident priority? 

4. Incident response: ready for a crisis

The fallout from disruptions, outages, data breaches, or cyberattacks can be severe. An Incident Response Plan gives you a clear playbook: who does what when an incident hits (IT, CISO, operations, management), and how decisions get made around isolating systems, halting processes, and communicating with customers and regulators. Without it, you'll be improvising at the worst possible moment, and you won't be able to meet your reporting obligations either.

5. Cyber hygiene: getting the basics right 

Good cyber hygiene means the entire organization consistently applies the fundamentals of cybersecurity. That includes patching servers, WMS environments, TMS platforms, scanners, and industrial control systems on time. It also means maintaining secure, tested backups of core systems (WMS databases, PLC configurations, interfaces). Another example is avoiding default passwords. Cyber hygiene can be genuinely difficult to enforce consistently across a large organization, but it's what stops a minor issue from becoming a full-blown disaster. 

6. System policies: clear frameworks 

You need policies (and sufficient budget) for securing your network and information systems. In logistics, that spans warehouse and office networks (segmentation, scanner Wi-Fi, remote access), OT systems like PLCs, SCADA, sorting lines, and conveyors, and cloud services such as cloud-WMS, TMS, and carrier and customer portals. A good policy doesn't just articulate what you care about, it defines responsibilities, standards, logging policies, and data retention periods. 

7. Secure your supply chain 

Organizations are heavily dependent on the products and services of their suppliers, and digital interconnectivity only deepens that dependency. This means that it’s important to embed security requirements into contracts with WMS/TMS vendors and cloud providers and that you include agreements on backups, incident response, and recovery times. An attack on a supplier is often your problem too. The duty of care explicitly requires measures that extend to the chain. And even if your own organization doesn't fall under the Cbw, these measures often matter anyway as a supply chain partner.  

8. Cryptography and encryption policies 

Cryptography and encryption are the foundation of confidentiality and data integrity. At a minimum, that means encrypting customer, order, and inventory data in databases and backups. It also means using encrypted connections (VPN, TLS) between your warehouse, cloud environment, carriers, and customers. This way, you’ll limit the damage in the case an attacker does manage to get inside a system. 

9. Use MFA or other strong authentication 

For secure business operations, it's essential that users, devices, and other assets authenticate with multiple factors before accessing networks and systems. Not just for admin accounts on servers, databases, and OT management systems, but also MFA across all external access points (VPN, remote desktop, cloud WMS/TMS, management portals). A single password should never be the only barrier standing between an attacker and your crown jewels. 

10. Assess whether your measures actually work 

You need processes in place to evaluate the effectiveness of what you've implemented. That means periodic technical tests (pentests, assessments, vulnerability scans) and running exercises (both tabletop and practical) on your incident response and continuity plans. This allows you to course-correct, and it demonstrates that you're genuinely in control. 


Reporting obligation: act fast and structured 

Significant incidents, those that could cause serious service disruption, financial losses, or substantial harm, must be reported to a CSIRT and the relevant supervisory authority. The reporting timeline is phased: 

  • Within 24 hours: an early warning.

  • Within 72 hours: a more detailed report.

  • Within 1 month: a final report, or a progress update if the incident is still ongoing.

Without solid incident management, logging, and security monitoring, meeting these obligations properly just isn't realistic. 


So, what do you actually need to do? 

✔️ Determine whether you fall under the Cbw. Use the available self-assessment tools (such as those from the NCSC) and supporting guidance to establish whether you qualify as an essential or important entity. 

✔️ Anchor accountability at board level. Leadership is ultimately responsible for the duty of care and can be held personally liable. Make sure this is a standing agenda item. 

✔️ Run a targeted risk analysis across your logistics chain. Focus on WMS, TMS, sorting lines, OT, cloud, carriers, and critical integrations. 

✔️ Build a concrete improvement program. Use the ten duty-of-care measures as your framework and demonstrate that you're acting in a way that is "appropriate and proportionate." 

✔️ Talk to your chain partners. Ask your IT vendors, logistics partners, and cloud providers to explain how they contribute to your NIS2 resilience — and get it in writing. 


The threat landscape for the logistics sector shows that financially motivated attackers consistently exploit deferred maintenance in IT and OT environments, such as unpatched systems, outdated integrations, overly broad access rights, and limited monitoring. This pattern is also front and center in our 2026 Trend Report, where ransomware and BEC attacks dominate and attackers increasingly exploit exactly these kinds of basic weaknesses. NIS2/Cbw is specifically designed to address these structural vulnerabilities. At the same time, it places a clear responsibility on organizations to be incident-ready, and to properly analyze and determine the root cause of incidents within the timelines the reporting obligation demands. Those deadlines are tight, and only achievable if your logging, detection, and monitoring are properly set up. That's precisely why NIS2/Cbw isn't a compliance exercise, but a mechanism for becoming structurally more resilient.


NIS2/Cbw isn't an excuse to add another layer of bureaucracy. It's a push to do what any modern logistics operation genuinely needs: organize digital resilience at the same level as fire safety and physical security. Use this as an opportunity to strengthen your foundations, before that Tuesday morning nightmare becomes your reality. 


Want to dive deeper? Register for our Members Portal to access the full threat landscape for the logistics sector, complete with detailed insights and recommendations. 
