I'm writing this from Romania. What I've picked up during a week here is the brief for Thursday's Special Edition #SE02. The short version you should hold in your head between now and then: for vessels approaching Constanța, the operational norm is multi-emitter, multi-constellation GNSS interference, weekly.

Two pieces of public evidence anchor that.

In August 2024, Spire Global launched a high-altitude balloon from Constanța. At about 11 km altitude, the balloon's reported GNSS position jumped to Simferopol, in Russian-occupied Crimea, while the balloon itself stayed physically over Romanian territory. Spire calls it the first direct evidence of a GNSS spoofing attack inside NATO airspace. By April and May 2025, Spire's analysis of the same theatre concluded that spoofed signals over the Black Sea were "near-daily," with merchant vessels east of Constanța and south of Snake Island the most consistently affected. AIS tracks captured ships spinning in circles, drifting inland, and routing far off established lanes.

Romanian institutions describe the same picture. The Chief of Defence, General Gheorghiță Vlad, has said publicly that GNSS spoofing of Romanian systems happens "weekly," in the same breath as Russian drift-mine activity. The 2022 NATO Shipping Centre alert on the western Black Sea War Risk Area put GPS jamming, AIS spoofing, comms jamming, and cyber attack risk all at "high," all running concurrently with the drift-mine threat, not as substitutes for it. None of that has been downgraded since.

The bridge-team detail is the technical evolution. Black Sea interference is now multi-emitter and multi-constellation. The standard navigator response, "switch to a backup constellation," does not work when GPS L1, GLONASS, Galileo, and BeiDou are jammed simultaneously. That is what the NORMA Cyber ATA documented for the Baltic (Finding 4, covered in Special Edition #SE01). The Black Sea data confirms the same pattern is now the operational norm here too.

Why this matters: The strategic continuum from the North Sea through the Baltic to the Black Sea is one operational front. What runs in the Black Sea in 2025 will run in your theatre in 2026. The technical pattern is consistent: multi-emitter, multi-constellation, near-daily. Traditional GNSS-degraded procedures are not enough for it.

One thing to do: Confirm that your navigators have current, documented procedures for GNSS-degraded operations in multi-constellation failure mode. The procedure is dead-reckoning, radar fix, visual fix, and a bridge-team protocol for when ECDIS reports a position the watch knows is wrong. If your last drill on this scenario was more than 12 months ago, schedule one.

Thursday's Special Edition #SE02 covers this in depth alongside the Constanța port targeting, the Apele Române ransomware case, and where NIS2 enforcement now stands in Romania.

On 21 April 2026, Forescout's Vedere Labs published BRIDGE:BREAK, disclosing 22 new vulnerabilities in serial-to-IP converters from Lantronix and Silex Technology. Researchers presented the findings at Black Hat Asia 2026 on 23 April. Eight of the flaws hit Lantronix EDS3000PS and EDS5000 device servers; fourteen hit the Silex SD-330AC wireless bridge and the companion AMC Manager administration software. The weakness classes are the full menu for network-edge appliances: unauthenticated remote code execution, authentication bypass, hard-coded cryptographic keys that permit firmware tampering, default-null administrative passwords, heap and stack buffer overflows, reflected cross-site scripting, arbitrary file upload, and plaintext information disclosure. Forescout's internet scan found roughly 20 000 affected devices exposed online globally at disclosure time.

The maritime relevance is direct. Serial-to-IP converters are the small, often-forgotten boxes that bridge legacy serial protocols (RS-232, RS-485, Modbus RTU) onto IP networks. They sit in shipboard automation retrofits where a 20-year-old engine room sensor talks to a modern monitoring layer, in terminal crane control rooms, and on offshore platforms and small port systems where the original kit was never designed to be on a network. They are exactly the class of device most maritime asset inventories miss.

Forescout's report includes a real-world case from Poland. Attackers reached the converters by first compromising internet-facing VPN concentrators, then pivoting through the IT estate to the OT segment where the converters lived. The same pattern shows up in the December 2025 CERT Polska report on Polish renewables (covered in Issue #7) and in NORMA Cyber's Annual Threat Assessment 2026 Finding 5 on boundary-device exposure. The TTP is consistent across sectors and across incidents: edge device compromised, lateral movement to OT, OT device with weak or no authentication, persistent access established.

The product detail matters. Lantronix and Silex converters are deployed in port environments by name in the Forescout dataset. The hard-coded signing key issue means an attacker who reaches one device can sign and push firmware to other devices in the same family, turning a single foothold into the whole estate. Memory corruption and OS command injection mean that exploitation does not require credentials. It requires network reachability. For most maritime estates, network reachability is the default that someone set ten years ago for OT devices on a flat network, and nobody has revisited since.

Why this matters: This is the second consecutive quarter where boundary devices and protocol converters are the attack surface of record. The threat actor playbook is mature: compromise the edge, pivot to the OT, exploit the device that was never designed for the current threat environment. Maritime asset inventories that stop at "named systems" miss the converters entirely. The converters are where the attacker spends most of the dwell time.

One thing to do: Run an asset discovery sweep on your shipboard, terminal, and port networks specifically for serial-to-IP converters. Lantronix and Silex first, then Moxa NPort, Digi PortServer, Advantech EKI, and Comtrol DeviceMaster. For each device found, confirm three things: firmware patched in the last 12 months, admin access restricted to a defined VLAN, and credentials changed from default. The Forescout report is the technical reference (link in Resource of the week).

Belgium is the first EU member state to hit a hard NIS2 enforcement milestone. On 18 April 2026, the binding deadline for "essential entities" to demonstrate compliance to the Centre for Cybersecurity Belgium (CCB) passed. The CCB accepts three compliance pathways: a CyberFundamentals (CyFun) Basic or Important verification, an ISO/IEC 27001 certification with Statement of Applicability, or a CCB direct inspection following self-assessment. Missing the deadline now exposes the entity to administrative measures, financial penalties of up to EUR 10 million or 2% of global turnover, and operational bans. Maritime is in scope through NIS2 Annex I's Transport / water transport classification, which Belgium's transposition adopts directly.

The readiness numbers tell the rest. CyberSmart's April 2026 NIS2 research, conducted with OnePoll across 670 in-scope business leaders in nine jurisdictions including Belgium, France, Germany, Italy, the Netherlands, Poland, and Denmark, found that just 16% of NIS2-scoped businesses are confident they are fully compliant. Meaning 84% are not. The same survey identified the consistent barriers: budget constraints, lack of implementation guidance, and insufficient internal expertise. The survey is cross-sector, not maritime-specific, but maritime operators sit on the same NIS2 calendar and face the same three barriers. For maritime, the supply chain conversation runs through bunker suppliers, agency networks, classification societies, port community systems, and crewing platforms. None of those were designed with NIS2 reporting flows in mind.

Belgium is also the leading edge of a wider pattern. By mid-April 2026, 22 of 27 EU member states had completed NIS2 transposition, with early enforcement under way in Germany, France, and the Netherlands. Polish, Romanian, and Bulgarian transpositions are at varying stages. Romania's OUG 155/2024 is in force with director-level accountability and the same EUR 10m / 2% turnover ceiling (covered in Thursday's Special Edition #SE02).

Three other regulatory tracks moved this week, and they should be read together:

The maritime cyber regulatory perimeter is closing from four directions at once: NIS2 (now), USCG MTS (training passed, plan submission 2027), IACS E26/E27 (sea trials now), and IMO FAL (MSW cyber 2027 onwards). This week was the first time all four landed on the same calendar.

Why this matters: Cybersecurity has shifted from a topic the board hears about every quarter to a precondition for the right to operate. Port operators, shipowners, and equipment vendors are now in regulatory environments where non-compliance is not a finding. It is a denial. Treat the 84% number as your honest baseline for how prepared maritime operators across Europe actually are.

One thing to do: Identify which of the four tracks (NIS2, USCG MTS, IACS E26/E27, IMO FAL) applies to your operations and where your next hard deadline falls. Map evidence to deadline. If you cannot name the deadline this week, that is the first finding. Belgium's enforcement window is open. The next member state to hit theirs is a question of months, not years.

Full conference calendar: mc3.maritime-ogmios.tech