Cargo theft is no longer solely a physical crime. Increasingly, criminal operations begin well before a lorry leaves the yard, through the unlawful acquisition of the digital credentials and identities that control logistics flows. This is the most significant transformation affecting the European supply chain: the convergence of cybercrime and cargo fraud, two phenomena that until a few years ago developed in parallel but now overlap structurally, making traditional defences increasingly ineffective.
In Italy, the transport and logistics sector is one of the most vulnerable links in the digital chain. According to the Agenzia per la Cybersicurezza Nazionale (National Cybersecurity Agency, ACN), malicious cyber incidents affecting the country rose by 38% in a single year. This trend prompted the authorities to classify more than 500 Italian transport operators as national critical infrastructure under the new NIS2 Directive. The picture is no less concerning when it comes to physical crime: Germany and Italy record the highest levels of cargo fraud and logistics crime in Europe, with Germany reporting one theft every three days and Italy close behind.
The scale of the problem is also documented at continental level. According to the Threat Landscape Report 2025 published by the European Union Agency for Cybersecurity, ENISA, transport is the second most heavily targeted sector in the EU, with ransomware responsible for more than 80% of recorded incidents. The growing use of artificial intelligence in cyberattacks is adding to the threat: one in six breaches now involves AI technologies, with major implications for the speed and sophistication of attacks.
The mechanism through which the two threats intersect is now well established. Criminal groups no longer target only the goods themselves, but also the credentials controlling their movement. Compromising access to a transport management platform makes it possible to manipulate lists of available loads, redirect shipments or divert payments to fraudulent accounts. By the time the anomaly is detected, the goods have often already crossed the border. This model also encourages the spread of so-called phantom carriers, which clone the identities of legitimate hauliers to secure loads before disappearing.
A structural factor further increases this exposure: the fragmentation of information systems that continues to characterise much of the European logistics ecosystem. Data and operational flows remain distributed across non-integrated platforms, creating information silos that reduce shared visibility and prevent risk signals from being detected promptly. In this environment, reactive approaches to cybersecurity struggle to counter highly organised and increasingly automated criminal groups.
The European regulatory response is focused precisely on this issue. Under the NIS2 Directive, essential and important entities must now integrate supply chain security into their risk management processes, extending assessments to suppliers, service providers and networks of partners. European cybersecurity guidelines establish a principle that changes the scope of responsibility: a supplier does not need to be frequently targeted by attacks to pose a critical risk. If its compromise could have significant downstream consequences, it still represents a strategic vulnerability. In such a scenario, a single compromised operator could disrupt thousands of shipments.
The technical response to this challenge consists of three separate but interdependent elements. The first is the continuous verification of identities and access rights. Hauliers and suppliers must be validated not only when they first enter the network, but also whenever payment or delivery details are changed, preferably through channels separate from those used for routine communications. The human factor remains one of the main sources of vulnerability. Many breaches still result from compromised credentials or operational errors, making staff training a structural rather than optional element of security strategy.
The second element is continuous network monitoring, based on anomaly detection systems capable of operating in real time and faster than human supervision alone. AI-based analytical technologies examine network behaviour to identify unusual routes, suspicious access attempts or unexpected changes in load management, such as a sudden alteration to a carrier’s profile or the last-minute reassignment of a shipment. For these tools to deliver tangible results, however, detected signals must trigger operational action. Anything that appears unusual must be capable of being checked or blocked before the load is moved. From this perspective, security cannot be added later as a separate layer, but must be integrated into operational flows from the system design stage.
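The change-triggered verification and hold-before-dispatch checks described in the two paragraphs above, sketched as an added example (not from the article or from any transport management product). The event names, fields, carrier and load IDs and the two-hour threshold are constructed assumptions.

```python
from datetime import datetime, timedelta

SENSITIVE = {"bank_account", "contact_phone", "contact_email", "delivery_address"}
LAST_MINUTE = timedelta(hours=2)  # assumed threshold for a "last-minute" reassignment

# Constructed sample audit events; the schema is hypothetical, not a real platform's.
EVENTS = [
    {"ts": "2025-03-03T07:00:00", "type": "load_assigned", "carrier": "C-300", "load": "L-3", "pickup": "2025-03-03T11:00:00"},
    {"ts": "2025-03-03T08:00:00", "type": "profile_change", "carrier": "C-100", "field": "bank_account"},
    {"ts": "2025-03-03T08:20:00", "type": "load_assigned", "carrier": "C-100", "load": "L-1", "pickup": "2025-03-03T15:00:00"},
    {"ts": "2025-03-03T09:00:00", "type": "profile_change", "carrier": "C-200", "field": "contact_phone"},
    {"ts": "2025-03-03T09:30:00", "type": "oob_verified", "carrier": "C-200"},
    {"ts": "2025-03-03T10:00:00", "type": "load_assigned", "carrier": "C-200", "load": "L-2", "pickup": "2025-03-03T14:00:00"},
    {"ts": "2025-03-03T10:15:00", "type": "load_assigned", "carrier": "C-400", "load": "L-3", "pickup": "2025-03-03T11:00:00"},
]

def review(events):
    """Return {load_id: [hold reasons]}; an empty list means the load may move."""
    pending = set()   # carriers whose sensitive details changed and await out-of-band confirmation
    assigned = {}     # load -> carrier currently assigned
    late = {}         # load -> True if its latest assignment was a last-minute carrier swap
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        kind, carrier = ev["type"], ev["carrier"]
        if kind == "profile_change" and ev["field"] in SENSITIVE:
            pending.add(carrier)
        elif kind == "oob_verified":      # confirmed through a separate channel
            pending.discard(carrier)
        elif kind == "load_assigned":
            load, pickup = ev["load"], datetime.fromisoformat(ev["pickup"])
            previous = assigned.get(load)
            late[load] = previous not in (None, carrier) and pickup - ts <= LAST_MINUTE
            assigned[load] = carrier
    holds = {}
    for load, carrier in assigned.items():
        reasons = []
        if carrier in pending:
            reasons.append("unverified_profile_change")
        if late[load]:
            reasons.append("last_minute_reassignment")
        holds[load] = reasons
    return holds

if __name__ == "__main__":
    print(review(EVENTS))
```

Because holds are computed from the verification state at review time, a load held for an unverified change is released as soon as the out-of-band confirmation event is recorded.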
The third element is information sharing between participants in the logistics network. An anomaly detected by a single operator can help protect the entire ecosystem if it is shared promptly. This approach requires common digital identity frameworks, standardised verification processes and platforms capable of circulating threat intelligence throughout the supply chain, rather than only within the boundaries of an individual company.