WP 06 – Cyber Security & Data

Overall Context

Embedding cyber security and data governance into rolling stock procurement

As digitalization continues to transform the rail sector, cyber security and data governance have become key enablers of safe, reliable, and future-proof rolling stock. Increasing regulatory requirements, combined with growing system complexity, make it essential for all stakeholders to develop a common understanding of their roles, responsibilities, and obligations.

Work Package 06 focuses on creating transparency across the industry in the areas of cyber security and data. In cyber security, it aims to clarify regulatory requirements and make stakeholder responsibilities along the supply chain more transparent. In parallel, the working package addresses evolving data-related topics by creating transparency on key concepts such as terminology, the relevance of different data types, and data ownership across the rolling stock lifecycle.

By bundling cyber security and data topics within a single working package, RTR seeks to identify synergies between both domains and enable participants to better navigate the complexity of digital transformation in the rail sector. As with all RTR deliverables, the outputs of Work Package 06 are developed under the supervision of the Initiative’s Antitrust Council and with the involvement of an external legal competition advisor, ensuring full compliance with European competition law.

Documents about Cyber Security & Data

To download the documents, please log in.

Objectives

A holistic approach to cyber security and data in rolling stock procurement

Work Package 06 pursues a clear ambition: to make cyber security and data requirements
more transparent and easier to navigate at every stage of the rolling stock procurement
lifecycle. The work package is designed to help operators, integrators, and suppliers
complement their internal understanding of the regulatory landscape with a structured and
neutral reference framework.

The work package is structured around two closely connected pillars — Cyber Security
and Data:

Cyber Security: Establishing clarity on the regulatory scope across European and national
frameworks, increasing transparency on stakeholder roles and responsibilities throughout
the lifecycle, and systematizing the documentation legally required to demonstrate
compliance.

Data: Developing a reference overview of key data-related concepts and terminology used
in the rail sector, creating transparency on the relevance of different data types for various
stakeholders, and mapping data ownership and data handling responsibilities across the
rolling stock lifecycle based on existing legal frameworks.

Together, these two pillars provide the industry with a coherent and practical foundation for
integrating cyber security and data considerations into procurement decisions, supporting
regulatory compliance, and long-term resilience.

Progress and Current Deliverables

Regulations Mapping

The first major output of Work Package 06 is the completion of a structured regulations
mapping. The most relevant cyber security regulations for the railway industry have been
identified, clustered into six distinct thematic areas, and systematically mapped against
lifecycle phases and stakeholders. The current mapping covers 41 regulatory requirements
across the prioritized regulations NIS-2 (Network and Information Security Directive), CRA
(Cyber Resilience Act), and CER (Critical Entities Resilience Directive), providing the industry
with a consolidated, transparent overview of who is responsible for what, and when

Further development directions
Building on this foundation, two additional work streams are currently being developed:

Cyber Security Documentation
Building on the regulations mapping, Work Package 06 is currently developing a structured
reference on cyber security documentation. The objective is to provide transparency on the
types of documentation legally required to demonstrate compliance with the prioritized
regulations.

Data Ownership and Definition
In parallel, Work Package 06 is working on a reference framework for data ownership and
key data-related terminology in the rail sector. The aim is to create transparency and a
shared understanding on how different data terminologies are defined in existing laws,
regulations, and established industry sources, and to map their relevance across the rolling
stock lifecycle.

Other work packages

WP 01 – Specification Catalogue

WP 02 – TCO STRUCTURE

WP 03 – PRODUCT DEVELOPMENT & PROCUREMENT PROCESS

WP 04 – MATURITY MODEL

WP 05 – SUSTAINABILITY

Cookie	Duration	Description
__wpdm_client	Until the end of the session	Cookie that synchronizes the Website and CMS - This is used to update the Website.
cookielawinfo-checkbox-necessary	11 months	This Cookie is set by GDPR Cookie Consent plugin. The Cookies is used to store the user consent for the Cookies in the category "Necessary".
simple_wp_membership_sec_*	3 days	If a user is using the "remember me" option at login time, then it will set the Cookie duration to 14 days.
swpm_in_use	3 days	If a user is using the "remember me" option at login time, then it will set the Cookie duration to 14 days
swpm_session	Until the end of the session	Stores the state for our login area, whether logged in or not. Session Cookie.
viewed_cookie_policy	11 months	The Cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of Cookies. It does not store any personal data.
wordpress_logged_in_*	Until the end of the session	Ensures that the user is logged in.
wordpress_sec_*	Ensures that the user is logged in	This Cookie is used to store your authentication details. Its use is limited to the admin console area.