Cyber security weaknesses, dependency on technologies from third countries, and patchwork regulation leave parts of the EU’s transport system exposed, stakeholders from cyber security, port, airport, and rail sectors told the European Parliament’s Transport Committee (TRAN) in a discussion on infrastructure sovereignty.
In this week’s TRAN committee session‚ MEP Jens Gieseke (EPP/DEU) led the debate. He stressed that‚ given the current geopolitical threats‚ it was necessary to examine “our critical infrastructure in order to secure our transport system and strategic facilities”․ The discussion covered short-term supply chain risks and the longer-term question of how much Europe should rely on non-EU suppliers for its critical transport systems․
According to Juhan Lepassaar, executive director of the EU Agency for Cybersecurity, transport is one of the sectors which the NIS2 directive covers, and is also a target for cyber attacks. It is, however, highly heterogeneous; cyber maturity and criticality of individual sub-sectors vary considerably.
Rail and maritime transport
Mr Lepassaar said that rail and maritime are currently in a “risk zone”, where the level of importance is higher than the level of maturity. Maritime suffers from shortcomings in the areas of governance, cyber expertise, and vulnerability management. Rail only rarely performs cyber assessments, incident response planning and recovery testing, or does so inconsistently.
He cited vulnerability management as a sector-wide problem: “It is very difficult for entities in the transport sector to patch vulnerabilities.” He noted that many operators take over three months to patch known vulnerabilities‚ while attackers would exploit them in a matter of days․ Transport was the fifth highest sector in share of observed incidents; aviation has the highest share․
You might be interested
Chinese role in ports
According to Frans-Paul van der Putten‚ a senior research associate at the Clingendael Institute‚ Chinese investments in European seaports take place in three interrelated dimensions. The Chinese are port users‚ port owners/investors‚ and suppliers of port equipment․
Mr van der Putten stated that since 2016‚ the EU and member states have approached foreign investments and ownership with more caution. He stressed how economic security risks can be divided into three categories. These are loss of sensitive information or technology‚ coercion through dependency (such as the threat of being cut off from supply channels), and deliberate disruption․
The researcher said that Europe had begun to develop some tools in response, such as screening and improved preparedness measures. The discourse has become more complex since European policymakers had to take into account how China’s ports-related activities impacted their relationship with the US․
He warned against calls simply to remove all Chinese activities‚ which he viewed as impossible given China’s role in manufacturing‚ technology, and international trade. Europe cannot isolate itself from China either economically or geopolitically․ The key‚ in his view‚ is reducing vulnerabilities while preserving the benefits of Chinese investment and trade․
What about the ‘Air’ perspective?
Sébastien Colmant‚ the director of aviation cyber security at ACI Europe‚ says that when assessing an airport’s resilience‚ one should not view airports as a single entity. Instead, it is as an ecosystem involving airlines‚ handlers‚ border officials‚ air navigation service providers‚ cargo operators, and other service providers․
Perfection in compliance is not perfection against threat. — Sébastien Colmant‚ ACI Europe
He warned that a new threat picture was emerging. Airports faced risks of cyber attacks, disruption from organised protests, and drone incidents. Mr Colmant stressed that the regulation had to focus less on process and compliance, and more on outcomes. “Perfection in compliance is not perfection against threat,” he said.
Patrick Steinerbach is a board representative for digitalisation and chief technology officer at Deutsche Bahn’s infrastructure division. He says that rail operators face particularly difficult decisions as they transition from specialist systems to more general IP-based and 5G-enabled technology․
Digitalisation‚ procurement dilemmas
Mr Steinerbach said Deutsche Bahn alone is preparing to implement a multi-billion-euro communications transformation in the next five to 15 years․ For infrastructure managers‚ he said‚ the key issue is whether Europe will clarify in advance whether suppliers from ‘countries of concern’ or ‘high-risk suppliers’ could later be excluded from the market․
The discussion will feed into upcoming work on EU transport and infrastructure resilience. The work includes cyber security‚ supply chain screening, and protection for technologies that are critical for resilience․ Policymakers will face the challenge of taking these issues further‚ whether through simplifying‚ coordinating, or clarifying procurement and investment frameworks‚ as the EU attempts to increase the security of transport systems.
