Abstract
This study introduces a sensor-centric cybersecurity framework for railway infrastructure that extends Failure Mode and Effects Analysis (FMEA) from traditional reliability evaluation into the domain of cyber-induced failures affecting data integrity, availability and authenticity. The contribution lies in bridging regulatory obligations of the NIS2 Directive with field-layer monitoring by enabling risk indicators to evolve dynamically rather than remain static documentation artefacts. The approach is demonstrated using a scenario-based dataset collected from approximately 250 trackside, rolling-stock, environmental and power-monitoring sensors deployed over a 25 km operational segment, with representative anomalies generated through controlled spoofing, replay and injection conditions. Risk was evaluated using Risk Priority Number (RPN) scores derived from Severity-Occurrence-Detectability scales, while anomaly-detection performance was observed through detection-latency variation, changes in RPN distribution, and qualitative responsiveness of timestamp-based alerts. Instead of presenting a fixed benchmark, the results show how evidence from real sensor streams can recalibrate the Occurrence (O) and Detectability (D) factors in near-real-time and reduce undetected exposure windows, enabling measurable compliance documentation aligned with NIS2 Article 21. The findings confirm that coupling FMEA with streaming telemetry creates a verifiable risk-evaluation loop and supports a transition toward continuous, evidence-driven cybersecurity governance in railway systems.
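As an added illustration (not code from the study), the sketch below shows one way O and D could be recomputed from timestamped detection evidence and fed back into RPN = S × O × D. The scale breakpoints, the 7-day window, the fallback to documented prior scores, all names and the sample events are assumptions constructed for this example; the abstract does not give the study's own scales.

```python
from statistics import median

# Assumed upper bounds for scores 1..9 (anything larger scores 10); not from the study.
OCCURRENCE_PER_DAY = [0.01, 0.05, 0.1, 0.5, 1, 2, 5, 10, 20]
LATENCY_SECONDS = [1, 5, 15, 60, 300, 900, 3600, 14400, 86400]
WEEK = 7 * 86400

def to_scale(value, bounds):
    """Map a measurement onto a 1-10 FMEA scale using ascending upper bounds."""
    for score, upper in enumerate(bounds, start=1):
        if value <= upper:
            return score
    return 10

def recalibrate(events, now, window_s, severity, prior_o, prior_d):
    """Recompute O, D and RPN for one failure mode from the trailing window.

    events: (onset_ts, detected_ts or None) pairs in epoch seconds.
    """
    recent = [(on, det) for on, det in events if now - window_s <= on <= now]
    if not recent:
        # No evidence in the window: keep the documented (static) scores.
        o, d = prior_o, prior_d
    else:
        o = to_scale(len(recent) / (window_s / 86400), OCCURRENCE_PER_DAY)
        # A still-undetected anomaly has been exposed from onset until now.
        latencies = [(det if det is not None else now) - on for on, det in recent]
        d = to_scale(median(latencies), LATENCY_SECONDS)
    return {"O": o, "D": d, "RPN": severity * o * d}

# Constructed sample: replayed-timestamp anomalies on one trackside sensor.
NOW = 1_700_000_000
SAMPLE_EVENTS = [
    (NOW - 700_000, NOW - 699_000),  # older than the window, ignored
    (NOW - 500_000, NOW - 498_800),  # detected after 1200 s
    (NOW - 300_000, NOW - 299_960),  # detected after 40 s
    (NOW - 100_000, None),           # not yet detected
]
# Same onsets after a hypothetical detector improvement (3 s, 4 s, 20 s latency).
FASTER_EVENTS = [(NOW - 500_000, NOW - 499_997), (NOW - 300_000, NOW - 299_996),
                 (NOW - 100_000, NOW - 99_980)]

if __name__ == "__main__":
    print(recalibrate(SAMPLE_EVENTS, NOW, WEEK, 8, 3, 5))
    print(recalibrate(FASTER_EVENTS, NOW, WEEK, 8, 3, 5))
```

With the occurrence rate unchanged, the shorter detection latency alone lowers D and therefore the RPN, which is the exposure-window effect the abstract describes.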