Cybersecurity at ports and terminals: Regulation in the EU and US
In this article series, we explore multiple perspectives on cybersecurity at ports and terminals. In part 2, we looked at the two most important cybersecurity standards for ports and terminals. Next, let's examine three of the most important regulations and cybersecurity frameworks for the industry: the EU's Cyber Resilience Act, the US Coast Guard's final rule on Cybersecurity in the Marine Transportation System, and the NIST Cybersecurity Framework. Read on to learn more!
"In our industry, the only universally binding government-level regulation that addresses cybersecurity is specific to the European Union," says Jouni Auer, Chief Information Security Officer, Kalmar. "The EU's new Cyber Resilience Act mandates a fairly wide range of responsibilities to manufacturers over the entire lifetime of their products. By contrast, in the US, binding government regulation on cybersecurity is generally only applicable to companies whose customers include organisations in the federal government or under the United States Department of Defense."
CRA: Cybersecurity requirements for products in the EU
The European Union's Cyber Resilience Act (CRA) enhances the cybersecurity standards of products that contain digital elements, requiring manufacturers and retailers to ensure cybersecurity throughout the lifecycle of their products. The CRA introduces mandatory cybersecurity requirements governing the planning, design, development, and maintenance of such products.
"The CRA is an interesting example of how government regulation is a direct result of real-world failures in various products," says Henri Kettunen, Cybersecurity Lead, Kalmar. "Historically, we have seen a huge number of insecure products on the market, with fundamental vulnerabilities such as hardcoded administrator passwords. Manufacturers have clearly failed to fix these problems over the long term, so regulators have had to step in to address the issue."
The Cyber Resilience Act entered into force in December 2024, and the main obligations introduced by it will apply from December 2027. The regulation applies to most products connected directly or indirectly to another device or network, except for specified exclusions such as certain open-source software or products that are already covered by existing rules. Products will bear the CE marking to indicate that they comply with CRA requirements.
"Basically, the CRA mandates that manufacturers are responsible for their product over its entire lifetime," says Jouni Auer. "The regulation applies to new products, but manufacturers will need to be ready to support these products even after their manufacturing ends. The support period can be defined by the manufacturer, but this still means quite a lot of new responsibility, especially for a company such as Kalmar whose products can have a long lifetime."
Cybersecurity in the Marine Transportation System: Rules for US Vessels and Ports
In January 2025, the United States Coast Guard published a final rule, Cybersecurity in the Marine Transportation System (MTS). The final rule took effect in July 2025 and applies to all US-flagged vessels as well as many of the country's ports and marine terminals. Its requirements include developing and maintaining a cybersecurity plan, designating a cybersecurity officer, and taking various other steps to maintain cybersecurity.
"The Coast Guard rule includes numerous specific cybersecurity measures for vessels and ports, as well as some that are also applicable to manufacturers," says Jani Mäntytörmä, Chief Cyber Security Engineer, Kalmar. "The rule will be implemented in phases, but an example of a new requirement that is already in force is that all reportable cybersecurity incidents must now be reported to the Coast Guard's National Response Center."
NIST CSF: Voluntary framework for best practices
Finally, while it is not a government regulation as such, a key cybersecurity guideline that is widely followed in the US is the Cybersecurity Framework (CSF) published by the National Institute of Standards and Technology (NIST).
The CSF provides guidance to industry, government agencies, and other organisations on managing cybersecurity risks. It offers a taxonomy of high-level cybersecurity outcomes that can be used to understand, assess, prioritise, and communicate cybersecurity efforts within the organisation. The CSF does not prescribe how outcomes should be achieved; it only describes the desirable cybersecurity outcomes an organisation can aspire to achieve.
"The CSF is a key tool for many of our customers in the US," says Jouni Auer. "Unlike ISO 27001, it's not a standard to which you can be certified. Instead, it's a voluntary guideline on how to manage cybersecurity properly. However, the CSF and ISO 27001 do share some similarities in addressing governance, risk management and control structures, so they complement each other very well."
Taking responsibility
With governments placing additional demands on port and vessel operators as well as manufacturers and system providers, many companies are finding it challenging to adapt to each new regulation. However, the result will be a more secure operating environment for all players in the industry.
"These regulations have been introduced because we all know how much damage can be caused by cybersecurity incidents," says Henri Kettunen. "Especially for our customer base, which is part of the critical infrastructure of society, government cybersecurity regulations are there for good reason."
"It's easy to feel overwhelmed by the complexity of all the new regulations," adds Jouni Auer. "In our industry, many products will have complex supply chains with connected and smart components from multiple vendors, each of whom has to be responsible for the continued cybersecurity of their own products. However, the primary responsibility towards the customer always rests with the final manufacturer – in our case, us here at Kalmar."
Read more:
USCG final rule on Cybersecurity in the Marine Transportation System