When is an automotive operation subject to NIS2?

Automotive operations (OEM, Tier 1 to Tier 3 suppliers) fall under NIS2 Annex II No. 10 (manufacturing) once they meet medium enterprise size (50 employees or 10M EUR annual turnover per SME Recommendation 2003/361/EC Art. 2) and industrial production structure. OEM and Tier 1 suppliers with critical customer systems may be classified as Essential Entities if their disruption impairs the supply of critical sectors.

What is the difference between NIS2 and TISAX for automotive companies?

TISAX (Trusted Information Security Assessment Exchange, VDA ISA 6) is an industry-specific information security audit framework of the automotive industry implementing OEM requirements on suppliers. NIS2 is legally binding and applies to all relevant sectors. Both requirements overlap heavily: TISAX compliance covers many NIS2 measures under § 30 BSIG-neu (access control, encryption, incident management), but does not replace NIS2 reporting obligations and BSI registration.

What supply-chain obligations apply to automotive suppliers under NIS2?

§ 30 Para. 2 No. 4 BSIG-neu requires supply-chain security. For automotive operations this means: passing security requirements down to Tier-n suppliers, adding security clauses to contracts with AUTOSAR and body control software vendors, and regularly auditing critical sub-suppliers. OEMs may in turn pass NIS2 requirements to suppliers via purchasing conditions, increasing pressure on the entire automotive sector.

What fines do automotive companies face for NIS2 violations?

§ 65 BSIG-neu provides Important Entities (medium suppliers) fines up to 10 million Euro or 2 percent of global annual revenue. Essential Entities (large OEM, Tier 1 groups) are subject to the same ceilings. Personal management liability under § 38 BSIG-neu is added. In the event of damage, contractual claims by OEMs against suppliers may also arise.

When must automotive companies register with the BSI?

§ 33 BSIG-neu requires registration within three months of determining NIS2 applicability. For operations that meet the criteria directly upon BSIG-neu's entry into force, a three-month transitional period applies. Registration includes sector classification, entity category, and contact details via the electronic BSI reporting portal.

How does NIS2 relate to an existing TISAX certification?

An existing TISAX certification (Level 2 or 3) demonstrates that basic information security measures per VDA ISA 6 are in place, covering many NIS2 requirements under § 30 BSIG-neu. However, TISAX does not replace legal obligations: BSI registration under § 33 BSIG-neu, reporting chain under § 32 BSIG-neu, and management liability under § 38 BSIG-neu remain independent requirements. A gap analysis between the TISAX assessment and NIS2 helps avoid duplication of effort.

Are automotive managing directors personally liable for NIS2 compliance?

§ 38 BSIG-neu requires management to approve and supervise risk management measures and actively participate in training. Culpable omission can trigger personal liability. Automotive companies with TISAX processes should explicitly integrate management obligations under NIS2 into their ISMS and archive resolutions and training records in an audit-proof manner.

Industry-specific Self-Check

Is my automotive operation affected by NIS2?

OEM, Tier 1, Tier 2, Tier 3: in automotive, supply-chain security counts double - NIS2 hits mid-size operations at 50 employees or 10M EUR turnover.

Step 1 / 2

Production and supply structure

NIS2 Annex II No. 10 covers manufacturing. Check what applies to your operation.

Direct OEM supply (Tier 1)Supplies final manufacturers such as VW, BMW, Mercedes, Audi, Stellantis, Ford directlyIndirect supply (Tier 2 / Tier 3)Supplies other automotive suppliers that in turn supply OEMsAutomated serial productionCNC lines, welding robots, paint lines, pressing or injection-moulding equipmentTISAX-certified or in preparationIndustry indicator for OEM-relevant contracts and structured IT security

Step 2 / 2

Company size

Automotive: The Complete NIS2 Guide

Companies in the automotive sector - from OEMs to Tier 1 and Tier 2 suppliers - are in scope under NIS2 Annex II No. 5 (Manufacturing) when they exceed 50 employees or EUR 10 million in annual revenue. Those already fulfilling TISAX obligations have a significant head start on NIS2 - but not all TISAX requirements cover NIS2. This guide is written for IT security managers, CISOs, and compliance managers in the automotive environment.

Who is affected?

Automotive manufacturers (OEMs), Tier 1 and Tier 2 suppliers, software developers for vehicle systems, and vehicle inspection service providers fall under NIS2 Annex II No. 5 (Manufacturing, NACE C.29) when they exceed the SME thresholds: at least 50 employees or at least EUR 10 million in annual revenue (EU Recommendation 2003/361/EC Art. 2).

Large OEMs (VW, BMW, Mercedes, Stellantis) with more than 250 employees and >EUR 50 million in revenue are Essential Entities under NIS2 Annex I, provided their production capacity represents a critical national economic function.

A Tier 1 supplier with 200 employees and EUR 50 million in revenue producing ECUs for multiple OEMs is an Important Entity under NIS2 Annex II.

Obligations under § 30 BSIG-new

§ 30 BSIG-new lists seven obligation areas that are especially relevant for the automotive sector because of the tight integration of development IT, production OT, and OEM requirements:

Risk analysis and management: Development IT (CAD, PLM, test infrastructure), production OT (MES, robotics controls), and connections to OEM portals must all be assessed.
Incident handling: An attack on the PLM system can jeopardize the entire model development. Escalation and crisis communication must account for OEM notification obligations.
Business continuity: Automotive suppliers are JIT/JIS suppliers. An IT outage of more than 4 hours can trigger line shutdowns at the OEM.
Supply chain security: OEMs will already require security certifications from suppliers under § 30 Para. 2 No. 4 BSIG-new. Contract adjustments are expected.
Access control and MFA: Access to development environments, OEM portals, and production systems must be secured by MFA.
Encryption: Development data, vehicle development plans (NDA-protected), and customer data must be stored and transmitted encrypted.
Training and awareness: Engineers, production staff, and administrative employees must receive regular cybersecurity training.

Deadlines and reporting obligations

BSI registration under § 33 BSIG-new within three months. For security incidents under § 32 BSIG-new: initial report within 24 hours, full report within 72 hours, final report within 30 days.

An incident that impairs delivery capability to an OEM customer must simultaneously satisfy NIS2 reporting obligations (to the BSI) and OEM notification obligations under supply contract clauses.

Fines and personal liability

Important Entity (Annex II): up to EUR 7 million or 1.4% of turnover. Essential Entity (Annex I): up to EUR 10 million or 2% of turnover.

§ 38 BSIG-new: personal liability for management. OEM contracts add penalty clauses for line shutdowns - NIS2 fines plus OEM contract penalties can accumulate simultaneously.

TISAX Level 3 and NIS2: managing dual regulation intelligently

TISAX (Trusted Information Security Assessment Exchange) is the automotive industry standard for information security. TISAX is based on VDA ISA (Information Security Assessment), which is strongly aligned with ISO 27001.

TISAX Level 3 (protection of prototypes and highly sensitive data) covers many requirements that § 30 BSIG-new also demands: risk analysis, access control, encryption, incident management. Those certified to TISAX Level 3 already fulfill core parts of NIS2.

What NIS2 additionally requires: BSI reporting obligations (TISAX assessments do not report to authorities), personal management liability, and the explicit supply chain obligation. A gap analysis between TISAX compliance and NIS2 is recommended to avoid duplication.

First steps

Check headcount and revenue. Over 50 employees or EUR 10 million: Important Entity.
Conduct a gap analysis between your existing TISAX status and NIS2 requirements.
Review all OEM portal access points and connections to development platforms.
Map dependencies between development IT and production OT.
Review current supplier contracts for NIS2-specific security clauses.
Develop a BCP that explicitly models OEM line shutdown scenarios.
Register with the BSI.

Common pitfalls

TISAX = NIS2 compliance: TISAX fulfills many NIS2 requirements but not all. Reporting obligations, management liability, and supply chain obligations are NIS2-specific.

OEM portal access without MFA: Access to OEM development platforms (e.g., VW Group Supplier Portal) with password alone is not NIS2-compliant.

PLM system excluded from risk analysis: The PLM system contains sensitive development data. An attack on it is a significant security incident.

JIT/JIS dependencies not reflected in the BCP: An 8-hour IT outage can shut down multiple OEM production lines and trigger contract penalties.

Use the industry-specific NIS2 calculator for automotive to verify your obligations.

Authored by

Julian Köhn

Founder & CEO, Kopexa

Julian Köhn is Founder and CEO of Kopexa. He has been building security and compliance solutions for European mid-market companies for over 10 years. Focus areas: NIS2, ISO 27001, GDPR, TISAX. Kopexa was founded to make GRC transparent and self-service for SMEs.

LinkedIn View profile

Reviewed by

Kopexa GRC Team

Subject Matter Experts — NIS2, ISO 27001, KRITIS

The Kopexa GRC Team consists of security and compliance experts certified in ISO 27001, CISA, CRISC. The team develops framework mappings and validates content on NIS2, KRITIS, and industry-specific requirements.

Last updated: 2026-04-17

Frequently asked questions

Industry-specific answers on NIS2 obligations, thresholds, and sanctions.

Is my automotive operation affected by NIS2?

Automotive: The Complete NIS2 Guide

Who is affected?

Obligations under § 30 BSIG-new

Deadlines and reporting obligations

Fines and personal liability

TISAX Level 3 and NIS2: managing dual regulation intelligently

First steps

Common pitfalls

Frequently asked questions

01When is an automotive operation subject to NIS2?

02What is the difference between NIS2 and TISAX for automotive companies?

03What supply-chain obligations apply to automotive suppliers under NIS2?

04What fines do automotive companies face for NIS2 violations?

05When must automotive companies register with the BSI?

06How does NIS2 relate to an existing TISAX certification?

07Are automotive managing directors personally liable for NIS2 compliance?