SPECIAL EDITION #SE02
— Black Sea, reporting from Romania

I'm writing this from Romania.

The Black Sea is not a regional curiosity. It is the laboratory where Russia is testing the hybrid maritime playbook in real time: drift mines, GNSS spoofing, OT-grade ransomware, DDoS synchronised with kinetic strikes, supply-chain compromise of shipbuilders. Whatever runs here in 2025 will run in the Baltic, North Sea, and Mediterranean in 2026.

What follows is what I've picked up during a week on the ground: the documented incidents, the institutional response, the regulatory pressure, and four things every maritime CISO and fleet manager should do this quarter. The continuum that links the North Sea, Baltic, and Black Sea into one operational front is not a slide in a think-tank deck. It is the condition under which European shipping now operates.

Key figures — Black Sea 2024–2026

What | Number / Date
Pro-Russian "Cyber Army of Russia" attacks naming Port of Constanța | July 2024 (NetScout ASERT)
First international cyber-incident tabletop on Constanța port infrastructure | 21–22 February 2024 (DNSC + MARCYSCOE, "Tomis 01")
Romanian transport entities listed as DNSC 2024 incident response targets | Portul Constanța, CFR, CNAIR, Aeroporturi București, Astra Trans, Metrorex
Year-on-year increase in malware incidents in Romania (2023 → 2024) | +286.8%
Year-on-year increase in cyber fraud in Romania (2023 → 2024) | +40.2%
Public capex announced by Constanța port authority for cyber security in 2025 | >1 000 000 RON (~200 000 EUR)
Active network equipment tender (Mar 2026), primary objective: "cyber security in the port" | 416 500 RON (~82 000 EUR)
Ships disrupted globally by GNSS interference in Q2 2025 | +10 000 (GPSPATRON cumulative analysis)
Frequency of GNSS spoofing affecting Romanian systems (per Chief of Defence Vlad) | weekly

What I've learned on the ground
— Four findings

Finding 1: Constanța is in the crosshairs — and the 24-month arc is public

The Port of Constanța is no longer a regional logistics asset. Since February 2022 it has been the maritime lifeline for Ukraine, handling roughly 29 million tonnes of Ukrainian grain through the end of 2024, and the future nexus of the Green Energy Corridor and the Neptun Deep gas project. That role made it a target.

Here is the pattern of the last 24 months.

The threat became explicit. In July 2024, after Romania donated a Patriot air-defence battery to Ukraine and refused visas for a Russian and Belarusian delegation to an OSCE meeting in Bucharest, the pro-Russian "Cyber Army of Russia" added Port of Constanța to its named target list, alongside hundreds of direct-path attacks on Romanian government sites. NetScout ASERT tracked the activity; Global Defence Technology reported it. This was not generic hacktivist noise. It was retaliation tied directly to Romania's stance on Ukraine.

The incidents followed. DNSC, Romania's national cybersecurity directorate, published its 2024 activity report in August 2025. Inside the Transport sector summary it lists, by name, the entities DNSC supported with incident response during the year: Compania Națională de Căi Ferate (CFR), CNAIR, Compania Națională Aeroporturi București, Portul Constanța, Astra Trans Carpatica Feroviar, Aeroportul Băneasa, and Metrorex. Year-on-year, malware incidents rose 286.8% and fraud rose 40.2%. The technical detail of what hit Constanța is not in the public report, but the inclusion is the disclosure: the port authority was in the room with DNSC during 2024.

The institutional response has been exercising, not press-releasing. On 21 and 22 February 2024, the Maritime Cybersecurity Centre of Excellence (MARCYSCOE) at Constanța Maritime University ran the first international cyber-incident tabletop on the port, branded "Tomis 01," with 40+ participants from six countries, alongside DNSC. The scenario combined power loss with a port-control system outage caused by cyber compromise. This is the operational-rehearsal pattern that NORMA Cyber's ATA later called for in its closing recommendations. Romanian institutions delivered it first.

The capex came after. In 2025 the Constanța port authority publicly announced cyber security investment of more than one million lei. In March 2026 it published a tender for active network equipment (416 500 RON) where the primary stated objective is "optimising data flows and cyber security in the port." A local commentary in February 2026 was blunt about why: exercises had highlighted that current cyber protection was "inadequate," and a successful attack could paralyse port operations and expose hazardous cargo handling.

The full arc, from explicit threat in 2024 through named-victim status in DNSC reporting, multinational tabletop, and sustained capex, is the threat-response pattern that European port operators outside the Black Sea should expect over the next 24 months. Constanța is on a clock that started running in February 2022. Most other European ports started their clock between September 2024 (the Baltic cable cuts) and December 2025 (the DynoWiper attacks on Polish renewables). The compression is the story.

Why this matters: Ports are now instruments and targets of state-level coercion, not bystanders to it. The political stance of the host country, the cargo profile of the port, and its role in alliance logistics are all variables that move the threat curve directly. Constanța is the early case. The Polish ports of Gdańsk and Gdynia, Bulgarian Burgas, Greek Piraeus, and Italian Trieste are on the same curve at different points along it.

One thing to do: Take the Constanța 24-month arc (explicit threat, then named-victim status, then multinational tabletop, then public capex) and map your own port against it. Where on the arc are you? If your answer is "we haven't been named yet," that is not a position. That is a phase. Move to tabletop before the threat moves to incident.

Finding 2: GNSS in the Black Sea — your ECDIS is lying to you

The GNSS picture in the Black Sea is now more documented than in the Baltic.

In August 2024, Spire Global reported a high-altitude balloon experiment launched from Constanța. The balloon recorded a GNSS spoofing event at about 11 km altitude in which its reported position jumped to Simferopol, in Russian-occupied Crimea, while the balloon itself stayed physically over Romanian territory. Spire calls it the first direct evidence of a spoofing attack inside NATO airspace. By April and May 2025, Spire's analysis of the same theatre concluded that spoofed GNSS signals over the Black Sea were "near-daily," with merchant vessels east of Constanța and south of Snake Island the most consistently affected. AIS tracks captured ships spinning in circles, drifting inland, and routing far off established lanes.

Romania's Chief of Defence, General Gheorghiță Vlad, has said publicly that spoofing of Romanian systems happens "weekly," in the same breath as Russian drift-mine activity. The 2022 NATO Shipping Centre alert on the western Black Sea War Risk Area still stands: GPS jamming, AIS spoofing, comms jamming, electronic interference, and cyber attack risk are all assessed "high," running concurrently with the drift-mine threat, not as substitutes for it.

The bridge-team detail is the technical evolution. Black Sea interference is now multi-emitter, multi-constellation, and combines jamming with spoofing in the same operational area. The standard navigator response, "switch to a backup constellation," does not work when GPS L1, GLONASS, Galileo, and BeiDou are jammed simultaneously. That is the Baltic finding from the NORMA Cyber ATA (Finding 4). The Black Sea data confirms the same is the operational norm here too.

For Constanța-bound traffic specifically, Spire and Bursa have documented spoofing hotspots over the Danube Delta, over Constanța itself, and along corridors near Snake Island. The grounding of the container ship MSC ANTONIA off Jeddah on 10 May 2025, likely caused by GPS/AIS spoofing, is the visible end of the same chain that Constanța-bound vessels are exposed to weekly. The Romanian press has begun calling the Black Sea "an active laboratory of electronic warfare." That phrasing is accurate.

Why this matters: GNSS in the Black Sea is not a tactical nuisance. It is a year-round component of Russia's hybrid maritime posture, with operational consequences that already include groundings, drifts, and AIS displacement. The Baltic ran at 733 incidents in 2025 (NORMA Cyber ATA Finding 4). The Black Sea runs at "weekly," with higher technical sophistication, and the trend has not turned.

One thing to do: Confirm that your navigators have current, documented procedures for GNSS-degraded operations in multi-constellation failure mode. The procedure is not "switch to backup." It is dead-reckoning, radar fix, visual fix, and a bridge-team protocol for when ECDIS reports a position the watch knows is wrong. If your last drill on this was more than 12 months ago, schedule one.
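The cross-check behind that bridge-team protocol, as an added example (not from this newsletter or any bridge system): it carries a dead-reckoned position forward from the last trusted fix using gyro course and log speed, and flags any GNSS fix that disagrees by more than a tolerance. The track, the 1 nm tolerance and all function names are constructed for illustration; a real tolerance has to allow for set and drift.

```python
import math

EARTH_RADIUS_NM = 3440.065  # mean Earth radius, nautical miles

def distance_nm(lat1, lon1, lat2, lon2):
    """Great-circle (haversine) distance in nautical miles."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_NM * math.asin(math.sqrt(a))

def dead_reckon(lat, lon, course_deg, speed_kn, hours):
    """Advance a position along a course at log speed for the given time."""
    d = speed_kn * hours / EARTH_RADIUS_NM  # angular distance travelled
    brg, p1 = math.radians(course_deg), math.radians(lat)
    p2 = math.asin(math.sin(p1) * math.cos(d) + math.cos(p1) * math.sin(d) * math.cos(brg))
    dlon = math.atan2(math.sin(brg) * math.sin(d) * math.cos(p1),
                      math.cos(d) - math.sin(p1) * math.sin(p2))
    return math.degrees(p2), lon + math.degrees(dlon)

def check_track(fixes, tolerance_nm=1.0):
    """Return [(t_hours, error_nm)] for GNSS fixes that disagree with DR.

    fixes: (t_hours, gnss_lat, gnss_lon, gyro_course_deg, log_speed_kn) tuples.
    The first fix is assumed verified by radar or visual bearing.
    """
    alerts = []
    t0, lat, lon, course, speed = fixes[0]
    for t, g_lat, g_lon, g_course, g_speed in fixes[1:]:
        dr_lat, dr_lon = dead_reckon(lat, lon, course, speed, t - t0)
        err = distance_nm(dr_lat, dr_lon, g_lat, g_lon)
        if err > tolerance_nm:
            alerts.append((t, round(err, 1)))
            lat, lon = dr_lat, dr_lon   # reject the fix, keep navigating on DR
        else:
            lat, lon = g_lat, g_lon     # GNSS agrees with DR, accept it
        t0, course, speed = t, g_course, g_speed  # gyro and log are independent of GNSS
    return alerts

# Constructed track: eastbound at 12 kn off Constanța, one fix jumping to Crimea.
SAMPLE_TRACK = [
    (0.00, 44.1000, 29.0000, 90.0, 12.0),
    (0.25, 44.1000, 29.0700, 90.0, 12.0),
    (0.50, 44.1000, 29.1390, 90.0, 12.0),
    (0.75, 44.9500, 34.1000, 90.0, 12.0),  # spoofed: position reported near Simferopol
    (1.00, 44.1000, 29.2780, 90.0, 12.0),
]

if __name__ == "__main__":
    for t, err in check_track(SAMPLE_TRACK):
        print(f"t={t:.2f} h: GNSS fix is {err} nm from the DR position, do not trust")
```

Because a rejected fix is never adopted as the new reference, the genuine fix at t=1.00 is accepted again once the spoofed position disappears.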

Finding 3: What Apele Române taught us — IT can fail and the operation can continue

In December 2025, Romania's national water authority "Apele Române" was hit with a BitLocker-based ransomware attack that encrypted roughly 1 000 systems across 10 of 11 basin administrations. GIS, databases, email, and DNS servers all went down.

The OT side stayed up. Manual local control, backed by voice communications, kept water management operational while IT recovered. The pattern is the resilience case study every port should be reading right now: IT crippled, OT preserved through documented manual fallbacks.

The transferable lesson for port operators is not the specific malware (BitLocker abuse, not novel) or the specific sector (water, not maritime). It is the architecture decision that made the difference. The operational layer had documented manual fallbacks. Voice communications channels did not depend on the IT estate. Local control authority had been rehearsed. The IT estate could fail, and the operation could continue.

This is the inverse of how most port digitalisation projects are designed in 2026. The dominant pattern is to converge IT and OT on the assumption that converged systems are easier to monitor and patch. They are. They are also easier to lose simultaneously. Apele Române is the case study for what architectural separation looks like in practice, not on a slide, when an attack lands.

Why this matters: When the next ransomware lands at a port, the question is not whether IT recovers. The question is whether operations continue while IT is gone. Most port digitalisation roadmaps written between 2022 and 2025 traded operational independence for monitoring efficiency. Apele Române shows the trade can be reversed — if you document and rehearse the manual fallbacks before you need them.

One thing to do: For your three most operationally critical port functions (vessel scheduling, container tracking, gate access), document the manual fallback procedure on the assumption that the IT system supporting it is gone for 72 hours. Then run the procedure as a tabletop exercise. The first time you do this, the gap between the documented procedure and the actual capability will be uncomfortable. That is the gap you are closing before the ransomware lands.

Finding 4: NIS2 in Romania is operational, not theoretical

Romania transposed NIS2 through Government Emergency Ordinance 155/2024, in force from 31 December 2024. The transposition is far broader in scope than NIS1, expanding the regulated population from approximately 1 000 entities to an estimated 12 000–20 000.

For maritime, the relevant scope is unambiguous. Annex I of NIS2, which OUG 155/2024 transposes, lists managing bodies of ports, entities operating works and equipment within ports, inland sea and coastal passenger and freight water transport companies, and operators of vessel traffic services (VTS) as in-scope essential or important entities. Romanian port operators, terminal operators, VTS providers, and Danube-corridor shipping companies are all designated.

The application norms are now in force. DNSC Orders 1/2025 and 2/2025, effective from 20 August 2025, define the registration process via the NIS2@RO platform, mandatory notification within 30 days, and the criteria and thresholds for assessing service disruption and entity risk levels. Sanctions: up to EUR 10 million or 2% of global annual turnover, with director-level personal accountability.

As of April 2026, no specific Romanian port or shipping company has been publicly fined under OUG 155/2024. The absence of disclosed enforcement is not leniency. It is the gap between legal entry into force and operational enforcement, which closes during 2026.

For non-Romanian readers: the NIS2 transposition pattern is now visible across member states. Romania is on the more rigorous end. Polish, Bulgarian, and Greek transpositions are at varying stages. The directive is the same; national transposition determines how aggressive enforcement will be. If your maritime operations touch any of these jurisdictions, the reasonable assumption is that director-level fines under NIS2 enforcement begin landing publicly in 2026 and 2027.

Why this matters: NIS2 in Romanian maritime is not a future regulation. It is in force, with operational application norms (DNSC Orders 1/2025 and 2/2025), defined sanctions, and director-level personal accountability. Belgium hit the first hard "essential entities" deadline on 18 April 2026 (covered in Issue #8); Romania sits on the same calendar. The window for "we're still preparing" closes during 2026.

One thing to do: If your fleet or terminal operations touch Romania (Constanța, Danube, Sulina), confirm three things this quarter: (1) registration on the NIS2@RO platform is complete; (2) the named director is briefed on personal accountability under OUG 155/2024; (3) the 30-day notification process has a documented runbook with named responders. If any of those is "in progress," that is the next finding.

Four takeaways for the maritime CISO

  1. Ports are political objects, not just commercial assets. The Constanța 24-month arc — threat, incident, tabletop, capex — is the trajectory you should expect. Map your port against it.

  2. GNSS in contested theatres is multi-emitter, multi-constellation, near-daily. "Switch to backup" is not the procedure. Dead-reckoning, radar fix, visual fix, bridge-team protocol — that is the procedure.

  3. Architectural separation between IT and OT, with rehearsed manual fallbacks, is what saved Apele Române. Convergence projects designed for monitoring efficiency lose this property by default. Audit yours.

  4. NIS2 enforcement is now operational, not theoretical. OUG 155/2024 in Romania is the leading example. Director-level accountability and EUR 10m fines are the published ceiling. Expect the first publicly disclosed maritime NIS2 enforcement actions during 2026.

What I'm watching next

  • Mine Countermeasures Black Sea Task Group: Romania commanded the trilateral (RO–BG–TR) MCM BS TG from July 2025 and handed back to Turkey in January 2026. The institutional model for cyber-EW threat data fusion is being built here.

  • Sandworm / DynoWiper trajectory: the December 2025 attack on Polish renewables was the proof of concept for destructive OT campaigns inside the EU. The Black Sea energy sector (Neptun Deep, the Caucasus electricity cable to Romania) is the obvious next theatre.

  • EU Ports Strategy + Industrial Maritime Strategy (March 2026): Brussels has framed both as strategic-autonomy instruments. The cyber chapter is short. The implementation will not be.

Resource of the week

Test the architecture before the architecture is tested for you.

The Apele Române lesson is that documented manual fallbacks, rehearsed end-to-end, are what kept the operation running. The question for your organisation is whether yours would.
