Poland published its updated National Cybersecurity System Act on 2 March, transposing NIS2 into national law. It joins Belgium, Croatia, Hungary, Latvia, Lithuania, and others. Germany's BSI enforcement is expected in Q2 2026.

Why this matters for maritime: Ports and shipping companies are classified as essential entities. Article 21 requires ten security measures — from incident handling to supply chain security to encryption policies. Article 23 mandates incident notification within 24 hours.

Most port operators I speak with know NIS2 exists. Fewer have mapped which of those ten measures they actually meet, and what their national regulator expects as evidence.

One thing to do: Download your national transposition text and map it against the ten measures in Article 21. If you can't answer "yes, documented, tested" for each one — you have a gap.

In January, 14 European coastal states plus Iceland issued an open letter attributing growing GNSS interference in the Baltic Sea to Russia. The Royal Institute of Navigation followed with a report based on 100+ experts and 300 vessel captains: at least two collisions and groundings in 2025 were linked to GNSS interference. Hundreds of vessels are affected daily.

The RIN report exposed a critical design flaw: GNSS receivers are "baked in" to systems that don't need them — radar, radios, ship clocks, satcoms — creating avoidable cascade failures when signals are compromised.

Why this matters: This is no longer a navigation issue. It's a cybersecurity vulnerability embedded in safety-critical systems. SOLAS-mandated equipment fails when positioning signals are corrupted.

One thing to do: Ask your bridge team: if GPS disappears right now, which other systems fail with it? The answer is usually worse than expected.

CYTUR's February 2026 white paper reports a 103% increase in maritime cyber incidents. The report flags GPS spoofing, ransomware targeting port terminal operating systems, and a new pattern: AI agents performing up to 90% of the attack lifecycle without human intervention.

The report also highlights that IACS UR E26/E27 compliance is becoming an operational risk factor — vessels that fail certification may face loss of sailing credentials or denial of port entry.

Why this matters: The threat landscape is accelerating faster than most organisations' security programmes. The gap between "we have a policy" and "we can respond under pressure" is where incidents become crises.

One thing to do: Run a tabletop exercise with your incident response team. Not a checklist review — a scenario where your TOS goes down and you have 24 hours to notify your national CSIRT under NIS2. See what breaks.