  • Writer: CARGO SPEED INTERNATIONAL
  • Jul 23
Data Protection in the RAILY System – Cybersecurity, GDPR, and NIS2 Compliance at Cargo Speed International

New regulations are changing the railway landscape. Those who don’t keep up risk falling off track.


In recent years, data security in railway transport has shifted from an administrative concern to a strategic priority. With the development of digital planning tools and automation of traction crew operations, new challenges have arisen — related not only to efficiency but also to system resilience, information protection, and compliance with regulations such as GDPR and NIS2.

Increasing regulatory requirements now affect not only infrastructure managers and carriers but also companies supporting operational processes — for example, in crew transport. One operator that has adapted to these realities is Cargo Speed International (CSI), which provides traction crew transport services for clients including ORLEN Kolej, PKP Cargo, and Laude Smart Intermodal.


Railways in the Shadow of Data – Why IT Security Is Becoming Crucial


In the past, railway transport was mainly associated with train movements, drivers, and rolling stock. Today, data is just as important: information about crew locations, work schedules, transport orders, personal data of drivers and passengers, as well as access to sensitive railway infrastructure. The processing, transmission, and storage of this data must comply with applicable regulations.

The EU's NIS2 Directive, adopted in 2023, introduced an obligation to ensure digital resilience among critical infrastructure operators and their key subcontractors. Railway transport — as a sensitive sector — is directly within the scope of these regulations. Companies must implement business continuity procedures (BCP), incident management, access controls, and regularly report any breaches.

Additionally, the GDPR, effective since 2018, still provides the legal framework for processing personal data — including data on traction crews, their locations, routes, and contact details.


Traction Crew Transport: A Simple Service, Complex Challenges


Traction crew transport may seem like a straightforward logistical process. In reality, it involves many variables:
  • It operates 24/7, often under conditions of variable road and weather accessibility.
  • It concerns locations within railway infrastructure — sidings, unloading stations, terminals.
  • It relies on sensitive data — including work schedules, personal data of drivers and passengers, and locomotive handover points.
  • It requires integration with train driver work planning and resource location systems.
  • In the event of failures, delays, or security breaches, not only data but also railway traffic continuity is at risk.


Cargo Speed International: How a System Compliant with GDPR and NIS2 Works


Cargo Speed International, in collaboration with SP Tech Solutions, has implemented an enterprise-class solution — the RAILY Taxi system and the RAILY Driver mobile application. The entire setup operates on the Google Cloud Platform infrastructure and is designed following industry best practices.


Technical aspect

RAILY Taxi complies with ISO/IEC 27001 standards and includes:
  • full data encryption in transit and at rest (TLS, AES-256),
  • environment segmentation (production, testing, disaster recovery),
  • identity and access management (MFA, RBAC),
  • no remote terminal access (e.g., SSH),
  • activity logging in the system (logs, monitoring, audit).
Data is stored exclusively in European data centers, and backups are performed regularly. System changes undergo testing and approval procedures, and every new release is accompanied by technical and functional documentation.


Operational level


The system is supported by a team of people — drivers, dispatchers, and operators — who work according to internal security procedures. Each trip:

  • is assigned based on vehicle location and availability,
  • has a status log (assignment, passenger pickup, route, completion),
  • can be modified or taken over in emergency mode (backup vehicle, new driver),
  • includes reports available to the client and billing information for accounting.

Additionally, each dispatch center operates continuously (24/7), and trip data is archived and accessible via a web interface.


What ensures GDPR compliance?


Cargo Speed International processes data solely for purposes related to contract execution, in accordance with Article 6(1)(b) of the GDPR. Every passenger and driver is fully informed about the scope, purpose, and duration of data storage. The system enables:
  • limiting data processing to the operational minimum (privacy by design),
  • full control over access (who accessed data and when),
  • data export for audit purposes or customer requests.
The system and processes comply with the requirements of the Polish Data Protection Authority (UODO) and are ready for inspection.


NIS2: From Requirement to Practice


In implementing NIS2, CSI developed:
  • an IT and operational risk management policy,
  • internal procedures for incident reporting and analysis,
  • system resilience tests (including disaster recovery procedures),
  • business continuity plans (BCP) covering systems, personnel, and processes.
In 2024, CSI recorded zero data protection incidents despite completing over 107,000 orders. The company maintains its own risk register, including responses to changes in carriers’ operational plans.


The Client’s Role – Shared Responsibility


CSI clients — including ORLEN Kolej — receive:
  • compliance and incident reports,
  • an interface providing access to trip history, operational data, and KPI metrics,
  • technical and operational support for schedule or route changes,
  • audit preparation (e.g., UTK, internal audits, UODO inspections).
This enables them to meet their own NIS2 and GDPR requirements without the need to expand their IT resources.


The Future of Railway Security: Automation, AI, and the Integrated RAILY Ecosystem


Cargo Speed International is currently working on further developing services within the integrated RAILY ecosystem, which connects not only traction crew transport (RAILY Taxi) but also digital freight management (RAILY Cargo) and the planning and sharing of rolling stock resources through a carrier information exchange platform (RAILY Marketplace).

This makes it possible to cover the following with a single platform:


  • automatic planning of crew and vehicle trips,
  • optimization of resource availability (drivers, locomotives, wagons),
  • synchronization with railway transport schedules,
  • management of operational incidents and client communication,
  • real-time route monitoring and KPI analysis.


AI solutions developed within the RAILY ecosystem include:

  • implementation of predictive systems for risk analysis and disruption forecasting,
  • analysis of historical data regarding compliance, threat patterns, and seasonality,
  • integration with client systems, including SRP, TMS, and ERP,
  • intelligent combining of crew trips with railway logistics, reducing empty runs and improving operational efficiency.

As a result, CSI not only reacts to incidents but also builds the capability to anticipate them — which, given the nature of railway transport involving hundreds of locations and variable weather conditions, can provide a decisive advantage in the overall quality of the process.


Conclusions: Security Does Not End with a Firewall


Railways are increasingly data-driven — and it’s not just about passenger or freight information. Every element of the process — from train composition planning to driver transport — can be a critical point. GDPR and NIS2 are no longer solely the domain of IT administrators. They have become matters of operational strategy, reputation, and in extreme cases, legal liability.
Cargo Speed International demonstrates that it is possible to combine system resilience with operational effectiveness. Instead of viewing regulations as obstacles, the company has embedded them into its processes — today leveraging them as a value proposition for its clients.