preloader

· security europe enisa nis2 critical-infrastructure transport compliance incident-response

ENISA’s Cyber Europe 2026 Exercise Tests EU’s Ability to Defend Rail and Maritime Infrastructure

Source: ENISA

ENISA ran the 8th edition of the Cyber Europe exercise on 10 and 11 June 2026, bringing together cybersecurity specialists from the public and private sectors, policymakers, EU institutions, and partner countries including the United Kingdom, Norway, Switzerland, and Ukraine. The exercise simulates large-scale cyberattacks that escalate into full-scale cyber crises, and the scenario for this edition targeted the EU’s transport networks, with a specific focus on the rail and maritime subsectors designated as high-criticality under the NIS2 Directive.

What the exercise tested

The simulation was designed around realistic attack scenarios that start as targeted incidents against individual operators and escalate to affect interconnected systems across borders. Rail and maritime infrastructure is an attractive target for adversaries because disruption radiates across supply chains, passenger services, and energy logistics, particularly in the interconnected networks of the European single market.

This year’s exercise introduced a significant new element: for the first time, the EU Cybersecurity Reserve was activated as part of the scenario. The Reserve is a pool of pre-contracted cybersecurity capabilities that EU member states can draw on when a cyber incident exceeds the response capacity of the affected country. Member states were expected to follow ENISA’s Standard Operating Procedure for activating the Reserve, putting the procedural and coordination layer to a practical test alongside the technical scenarios.

The inclusion of partner countries, notably Ukraine, the UK, Norway, and Switzerland, reflects the reality that EU transport networks do not stop at EU external borders, and that an effective European response to a major transport sector cyberattack requires coordination with neighbouring states and transit countries.

Why this matters for transport sector operators

Transport operators covered by NIS2 are already subject to security obligations that include risk management measures, incident reporting to national authorities within 24 hours, and the maintenance of business continuity capabilities. The Cyber Europe exercise is partly a test of whether the governance structures and coordination mechanisms that sit above individual operators actually function under pressure.

The after-action reports from this edition are still being prepared, and detailed findings will be published in the coming months. But the structure of the exercise is itself instructive. It signals where ENISA and the European Commission see the gaps: cross-border coordination under time pressure, the activation of shared response capabilities, and the ability to maintain essential services in the rail and maritime sectors during a sustained incident.

For transport sector operators, the exercise outcome will shape guidance and recommendations that feed into national supervisory authority expectations. Operators who are ahead of the curve on incident response planning, tabletop exercises, and cross-border coordination will be better prepared when those expectations become requirements.

The broader picture: EU cyber readiness in 2026

Cyber Europe 2026 comes at a point when the EU’s cybersecurity regulatory framework is entering its implementation phase. NIS2 transposition deadlines have passed across most member states. The EU Cyber Resilience Act’s reporting obligations for product manufacturers begin on 11 September 2026. DORA is in full effect for financial sector entities. The Cyber Solidarity Act, which formally establishes the EU Cybersecurity Reserve on a permanent legal basis, has passed.

The move from regulatory framework to operational readiness is where many organisations currently sit. Having the policies on paper and having tested the response capability under simulated pressure are different states of preparedness, and the Cyber Europe exercise is designed to close that gap at the collective level. Individual operators in the transport sector, and in other NIS2-covered sectors that will follow, need to close the same gap at the organisational level.

That means incident response plans that have been tested, not just written. It means knowing which national authority to notify and within what timeline when a significant incident occurs. It means having clear escalation paths and documented communication protocols for the people who will be managing an incident at two in the morning when key staff are unavailable.

If you operate infrastructure covered by NIS2, DORA, or the EU Cyber Resilience Act, and want to assess whether your incident response capability would hold up under realistic pressure, contact Excello Digital. We help organisations in regulated sectors build and test the response capabilities that regulators are increasingly expecting to see demonstrated, not just described.

Back to news

We’ll help you resolve your infrastructure challenges

Our team of experts is ready to help you with your infrastructure challenges. We’ll give you honest and personal treatment. Get in touch to learn more.

Get in touch!