09 March 2026
The Office of Rail and Road has made cyber threats a top priority, emphasising that they are "a real and present risk" for rail. ORR underlines that duty holders must now manage cyber risk "in the same way as any other safety risk" by integrating software and IT/OT security into their Safety Management Systems.
The directive comes as the industry accelerates its Digital Railway programme, introducing digital signalling systems such as ETCS, smart asset monitoring and automated control—advances that boost efficiency whilst creating new compliance challenges.
"The combination of legacy technology and new infrastructure has created complex interoperability challenges," said David Muse, Chief Technical Architect at Petards Rail, a leader in intelligent train technology.
"Railway electronics must now meet rigorous standards whilst operators demonstrate system safety under updated UK and EU interoperability rules."
Here, Petards Rail, a leader in intelligent train technology with over 35 years of industry expertise, offer their insights on the rail industry entering a new compliance era.
Regulatory Convergence
The regulatory landscape is expanding beyond traditional safety frameworks. The Railways and Other Guided Transport Systems (Safety) Regulations 2006, known as ROGS, remains the core safety regime, requiring all mainline operators to maintain formal Safety Management Systems. However, ROGS faces a 2026 review as regulators incorporate EU-derived Common Safety Methods for risk evaluation and conformity assessment.
Developments to NIS2 guidance and the UK's Cyber Security and Resilience Bill have introduced further measures to protect systems whilst expanding compliance requirements across the wider supply chain.
Environmental obligations now carry equal weight. The ORR regulates the Department for Transport's 2021 Rail Environment Policy, which commits to net-zero rail emissions by 2050 and removal of all diesel-only trains from the network by 2040.
Standards Complexity
Rail operators must navigate intersecting standards frameworks. The UK has retained or replaced EU Technical Specifications for Interoperability with GB National TSIs to preserve cross-compatibility, whilst the Rail Safety and Standards Board publish Railway Group Standards that operators are contractually bound to follow.
Modern surveillance systems exemplify this complexity. CCTV equipment must comply with EN 50155 for railway electronic equipment, ISO/IEC 62676 for video surveillance performance, and RSSB standards RIS-2712-RST and RIS-2703-RST for on-train camera systems and driver-controlled operation.
Safety-critical systems face even stricter requirements. Standards EN 50126, EN 50716 and EN 50128 govern hardware and software reliability for vital train functions, defining Safety Integrity Levels from 1 to 4 based on failure likelihood and severity.
"Cybersecurity standards such as IEC 62443 have existed since 2009, but adoption within rail has been slow," adds Muse. "Now that Operational Technology and Information Technology have become intertwined, securing digital functions has become crucial to maintaining operations."
Draft standard IEC 63452 aims to provide rail-specific guidance on preventing vulnerabilities, continuous monitoring and patching throughout railway system lifecycles.
Industry Response
In March 2025, the ORR issued 10 recommendations to improve health and safety interventions, aiming to enhance decision-making, consistency and industry collaboration as operators adapt to the evolving compliance environment.
The convergence of cyber, safety and environmental regulations represents a fundamental shift in how rail infrastructure and rolling stock must be specified, procured and maintained across the sector.



