XML 48 R32.htm IDEA: XBRL DOCUMENT v3.25.4
Cybersecurity Risk Management and Strategy Disclosure
12 Months Ended
Dec. 31, 2025
Cybersecurity Risk Management, Strategy, and Governance [Line Items]  
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
Process

We use a multi-layered defensive cybersecurity strategy based on the Cybersecurity Framework published by the U.S. Department of Commerce's National Institute of Standards and Technology (NIST). The NIST Cybersecurity Framework (NIST CSF) is a voluntary framework of best practices organized around the functions Govern, Identify, Protect, Detect, Respond, and Recover. Based on the NIST CSF, our processes to identify, assess, manage, and govern material risks from cybersecurity threats include the following:

Identify
We identify risks from cybersecurity threats by first developing and maintaining an understanding of those assets essential to our operations and reputation, as well as assets that could provide value to threat actors. Any action by a threat actor is considered a potential risk if it can reduce the value of an asset, reduce our ability to use or otherwise access the value of an asset, or surreptitiously gain or increase the threat actor's access to an asset or its value.

Assess
We assess risks from cybersecurity threats by evaluating the exposure of our assets to identified cyber risks, as well as the potential impact to our operations or reputation from our inability to access or utilize an asset or realize its value, or from a threat actor's ability to gain access to an asset or its value. We further evaluate the potential materiality of each risk based on the magnitude of that impact to our operations or reputation.

Manage
We mitigate risks from cybersecurity threats by applying multiple layers of defense to preserve our continued ability to access or utilize an asset or its value, and to deny threat actors the ability to gain or increase their access to an asset or its value. We prioritize defensive mechanisms, including administrative, procedural, and technical controls, according to their relative cost and the reduction in risk they provide, consistent with the NIST CSF.

Govern
We govern cybersecurity risk by establishing and maintaining the policies, processes, and oversight mechanisms that define how risk is identified, assessed, and managed across the enterprise. Governance ensures that roles, responsibilities, and decision-making authority are clearly articulated and aligned with organizational objectives, regulatory requirements, and risk appetite. Through governance, we embed accountability and transparency into our cybersecurity program, enabling informed prioritization of resources and consistent execution of risk management practices.

We further monitor, test, assess, and update these processes, including working with government agencies and peers to implement practices to guard against an evolving threat environment and to ensure we remain compliant with relevant regulatory requirements.
Integration into our Risk Management Framework

Our processes to assess, identify, and manage cybersecurity risks are expressly incorporated into our enterprise risk management (ERM) framework. Technology is one of the five primary risk categories addressed by the ERM framework, and cybersecurity is identified as a subcategory of technology risk. Our ERM leadership team works with the Chief Information and Digital Officer (CIDO), the Chief Information Security Officer (CISO), and other technology leaders to identify, define, and assess the top areas of technology and cybersecurity risk, which are included in our ERM risk framework and mapped to the NIST CSF. Our internal ERM leadership meets regularly with our technology leadership team to review developments in our technology risk profile and works with the cybersecurity team to monitor key risk indicators linked to our cybersecurity risks. Any changes to the threat landscape are discussed and considered as adjustments to our risk profile.

Third-Party Engagement

We employ multiple service providers from time to time to perform periodic reviews and evaluations of our cybersecurity framework, the results of which are provided to and reviewed with management, with appropriate reporting to the Board. These reviews encompass a broad range of areas, including information technology system resilience, cybersecurity risk assessments, information security program assessments, external threat environment reviews, internal cybersecurity policy compliance, and near-term incident response to confirm or rule out the involvement of a threat actor.

Oversight of Third-Party Providers

Within our purchasing and third-party vendor management programs, we require all vendors who handle our data as well as vendors who provide technology and data services – including hardware, software, staffing, and support – to maintain certain security protections including, but not limited to, compliance with applicable data protection laws and implementation of administrative, physical, and technical safeguards to protect our data, including how our data is stored, accessed, and transmitted. In addition, all providers within these service categories must execute a data security addendum that articulates specific security standards, cybersecurity insurance, and mandatory incident reporting protocols applicable to the underlying provision of services.

Risks

Please see Item 1A. Risk Factors – Technology Risks – “A significant cybersecurity incident or other disruption to our technology infrastructure resulting from internal and external threats could disrupt our business operations” for our disclosures regarding the most pertinent risks we may experience from cybersecurity threats.

As noted therein, regardless of the cause, a significant disruption or failure of one or more information or operational technology systems operated by us or under the control of third parties can result in service disruptions, unauthorized access to our systems, malware or ransomware infections, and/or the compromise, acquisition, or destruction of our data.

Such a direct or indirect cybersecurity incident could interrupt our service, cause safety failures or operational difficulties, decrease revenues, increase operating costs, impact our efficiency, damage our corporate reputation, and/or expose us to litigation, government action, increased regulation, penalties, fines or judgments, any or all of which may ultimately have a materially adverse effect on our results of operations, financial condition, reputation, and business (including our strategy of operating a resilient freight railroad).

While we have previously experienced technology outages and cybersecurity events that have impacted our systems and service, future events may result in more significant impacts to our operations, reputation, or financial results. As a result of these prior events, and given the potential that a technology outage or cybersecurity event could have a materially adverse effect on our results of operations, financial condition, reputation, or business, we have conducted, and will continue to conduct, internal and third-party assessments of information technology and cybersecurity vulnerabilities, information technology resiliency, and our related processes and procedures, so that we can continue to identify and address key cybersecurity risks.
Cybersecurity Risk Management Processes Integrated [Flag] true
Cybersecurity Risk Management Processes Integrated [Text Block]
Our processes to assess, identify, and manage cybersecurity risks are expressly incorporated into our enterprise risk management (ERM) framework. Technology is one of the five primary risk categories addressed by the ERM framework, and cybersecurity is identified as a subcategory of technology risk. Our ERM leadership team works with the Chief Information and Digital Officer (CIDO), the Chief Information Security Officer (CISO), and other technology leaders to identify, define, and assess the top areas of technology and cybersecurity risk, which are included in our ERM risk framework and mapped to the NIST CSF. Our internal ERM leadership meets regularly with our technology leadership team to review developments in our technology risk profile and works with the cybersecurity team to monitor key risk indicators linked to our cybersecurity risks. Any changes to the threat landscape are discussed and considered as adjustments to our risk profile.
Cybersecurity Risk Management Third Party Engaged [Flag] true
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] true
Cybersecurity Risk Board of Directors Oversight [Text Block]
The Norfolk Southern Board has direct oversight of cybersecurity risks. The Board receives periodic reports from the CIDO and CISO regarding the primary technology risks impacting the company, including risks impacting our information and operational systems, service resiliency, cybersecurity risks, and the related threat environment. Agendas for these periodic updates may be further adjusted to address any emerging risks or key topics in greater detail, including emerging regulations, best practices, cyber readiness, and third-party assessment results. Regular updates are also provided to the Board regarding all material or potentially material cybersecurity incidents, including root causes and the identification of, and progress toward completing, remediation activities.

The Board receives an annual report from the CIDO and CISO highlighting the emerging threat landscape, our progress executing on our defensive cybersecurity strategy, and a review of our cybersecurity incident investigation and response processes.
Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block] The Norfolk Southern Board has direct oversight of cybersecurity risks. The Board receives periodic reports from the CIDO and CISO regarding the primary technology risks impacting the company, including risks impacting our information and operational systems, service resiliency, cybersecurity risks, and the related threat environment.
Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
Our CISO, reporting to the CIDO, is directly responsible for the assessment, oversight, and management of our enterprise-wide cybersecurity strategy and governance. This individual has over 20 years of experience in critical infrastructure security, including significant experience working with government agencies such as the Federal Bureau of Investigation, the Transportation Security Administration, and the Department of Homeland Security. As noted above, our technology risk working group, composed of leaders across the information technology, information security, and law departments, including our CIDO, CISO, and Data Privacy Officer (DPO), among others, further monitors developments in the threat landscape so that key cybersecurity threats impacting the Company continue to be identified and prioritized.

Management and Board Reporting

Cybersecurity incidents are reported directly to the CISO in accordance with the applicable incident response plan. The CISO, together with the DPO, determines incident severity and response, and in turn reports material or potentially material incidents to our internal 8-K subcommittee (composed of senior leaders from the law, accounting, finance, investor relations, and communications departments), our Chief Executive Officer (CEO), and our Chief Legal Officer, who in turn notify the Chair of the Board. The Board is promptly notified prior to the filing of any 8-K disclosing a material or potentially material cybersecurity incident, with the CIDO and CISO providing the Board with further updates regarding root causes and remediation efforts.

We also have a cybersecurity incident response plan, including specific response protocols, administered by a predesignated incident response team led by the CISO and DPO and composed of other members of management. This incident response team also conducts periodic tabletop exercises with management to ensure adherence to our cybersecurity incident response plan.
Cybersecurity Risk Role of Management [Text Block]
Our CISO, reporting to the CIDO, is directly responsible for the assessment, oversight, and management of our enterprise-wide cybersecurity strategy and governance. This individual has over 20 years of experience in critical infrastructure security, including significant experience working with government agencies such as the Federal Bureau of Investigation, the Transportation Security Administration, and the Department of Homeland Security. As noted above, our technology risk working group, composed of leaders across the information technology, information security, and law departments, including our CIDO, CISO, and Data Privacy Officer (DPO), among others, further monitors developments in the threat landscape so that key cybersecurity threats impacting the Company continue to be identified and prioritized.

Management and Board Reporting

Cybersecurity incidents are reported directly to the CISO in accordance with the applicable incident response plan. The CISO, together with the DPO, determines incident severity and response, and in turn reports material or potentially material incidents to our internal 8-K subcommittee (composed of senior leaders from the law, accounting, finance, investor relations, and communications departments), our Chief Executive Officer (CEO), and our Chief Legal Officer, who in turn notify the Chair of the Board. The Board is promptly notified prior to the filing of any 8-K disclosing a material or potentially material cybersecurity incident, with the CIDO and CISO providing the Board with further updates regarding root causes and remediation efforts.

We also have a cybersecurity incident response plan, including specific response protocols, administered by a predesignated incident response team led by the CISO and DPO and composed of other members of management. This incident response team also conducts periodic tabletop exercises with management to ensure adherence to our cybersecurity incident response plan.

In an effort to deter and detect cyber threats, we also periodically provide all employees with a data protection and cybersecurity awareness training program, which covers timely and relevant topics, including phishing, password protection, confidential data protection, acceptable asset use, and mobile security, and further educates employees on the importance of, and the process for, reporting all potential incidents immediately. We also use technology-based tools to mitigate cybersecurity risks and to reinforce our employee-based cybersecurity programs.
Cybersecurity Risk Management Positions or Committees Responsible [Flag] true
Cybersecurity Risk Management Positions or Committees Responsible [Text Block] CISO, reporting to the CIDO, is directly responsible for the assessment, oversight, and management of our enterprise-wide cybersecurity strategy and governance.
Cybersecurity Risk Management Expertise of Management Responsible [Text Block] Federal Bureau of Investigation, the Transportation Security Administration, and the Department of Homeland Security.
Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
Cybersecurity incidents are reported directly to the CISO in accordance with the applicable incident response plan. The CISO, together with the DPO, determines incident severity and response, and in turn reports material or potentially material incidents to our internal 8-K subcommittee (composed of senior leaders from the law, accounting, finance, investor relations, and communications departments), our Chief Executive Officer (CEO), and our Chief Legal Officer, who in turn notify the Chair of the Board. The Board is promptly notified prior to the filing of any 8-K disclosing a material or potentially material cybersecurity incident, with the CIDO and CISO providing the Board with further updates regarding root causes and remediation efforts.
We also have a cybersecurity incident response plan, including specific response protocols, administered by a predesignated incident response team led by the CISO and DPO and composed of other members of management. This incident response team also conducts periodic tabletop exercises with management to ensure adherence to our cybersecurity incident response plan.
Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] true