The legal requirements for IT security of networked products and services are becoming increasingly strict. With the NIS-2 directive, the EU is setting a comprehensive legal framework for IT security in the economy, which covers a wide range of companies. The requirements are accompanied by sector-specific requirements, including for the automotive industry. Handling the various national, EU-wide and international requirements regularly presents major challenges for car manufacturers and suppliers. In the following Q&A, we provide an initial overview of the current legal framework and the main issues that the industry is currently dealing with or should be dealing with.
1. What legal requirements for IT security apply to automobile manufacturers and suppliers in the automotive industry under European and international law at the UNECE level?
Since 2024, automotive manufacturers have had to implement the requirements of UNECE Regulations R155 (Cyber Management System for Vehicles) and R156 (Requirements for Updates of Vehicle Software/Systems), which became binding in the EU via Regulation (EU) 2018/2144. They now need to obtain the corresponding official approvals, without which vehicles can no longer be sold in the EU. These regulations are accompanied by corresponding industry standards, which also need to be taken into account.
Until now, automotive manufacturers have not been directly subject to the strict IT security requirements of the Network and Information Security (NIS) Directive and the corresponding member state laws, such as the BSIG in Germany (which transposed aspects of the NIS Directive). However, as a result of the changes introduced by the NIS-2 Directive and the corresponding member state laws, automotive manufacturers will be subject to significantly more comprehensive technical and, in particular, organizational requirements (including in the areas of cyber governance, risk management and management liability), either as manufacturers or – depending on their service offering – as providers of certain regulated IT services.
The Cyber Resilience Act (CRA) will introduce security requirements for a wide range of (connected) products with digital elements and networked software, and supplements existing regulations with product-related specifications (including the obligation to perform and document product-related cybersecurity risk assessments covering the product and its third-party components). As with the AI Act and the Data Act, special rules for the automotive sector are planned, which will then take precedence over the CRA as lex specialis. It is not yet clear exactly how the boundaries between these regulations will be drawn, or which regulation will actually apply to which function or product in the vehicle landscape, because more precise EU rules are still pending. This is already creating uncertainties and open questions in the implementation of the UNECE R155 requirements (e.g. with regard to non-safety components of products or systems in the vehicle), which need to be clarified in a timely manner.
The revised EU Product Liability Directive entered into force in December 2024 and extends the liability of product manufacturers, importers and deployers for damage suffered by natural persons as a result of defective products. It now explicitly covers software and software-driven products and services, which makes it directly relevant to liability in the automotive industry's tech transformation. The Directive follows a strict no-fault liability approach and includes comprehensive transparency and notification obligations, including for the online distribution of related products via platforms and marketplaces, with far-reaching supplier and product screening requirements for platform and marketplace operators.
2. Under what conditions can automobile manufacturers and suppliers to the automotive industry be subject to the requirements of the NIS-2 Directive and the respective national implementing laws?
Under the NIS-2 Directive, automobile manufacturers and suppliers to the automotive industry may be subject to its requirements under several conditions:
Inclusion in the Manufacturing Sector: The NIS-2 Directive extends its scope to various sectors, including manufacturing. Specifically, it encompasses the manufacturing of motor vehicles, trailers and semi-trailers. Automotive manufacturers therefore fall under this category and are classified as "important entities"; as such, they are required to implement appropriate cybersecurity measures and to report significant incidents. In a second step, the classification requires an analysis of which companies within the manufacturer's group are involved in producing the relevant products and which are not, since the assessment is generally carried out per legal entity and not every group company is subject to these requirements.
Provision of ICT or Platform Services: If automotive manufacturers or their suppliers provide Information and Communication Technology (ICT) services, platform services, or similar services—either externally or within their corporate group—they may also be subject to NIS-2 requirements. The directive applies to entities offering services within the EU, irrespective of their location. This includes sectors like digital infrastructure and ICT service management. Therefore, if an automotive company provides such services, it must comply with the directive's provisions.
Company Size and Impact: The NIS-2 Directive primarily targets medium-sized and large organizations. Companies with 50 or more employees and an annual turnover exceeding €10 million are generally within its scope. It is unclear whether only the headcount and turnover of the divisions that carry out the regulated activities count towards these thresholds; in individual cases, a group-wide assessment may also be required. However, even smaller entities can be included if their activities are deemed critical, pose a risk to public order, or have systemic or cross-border implications.
Extraterritorial Application: The directive's reach is extraterritorial, meaning it applies to companies outside the EU if they offer services within the EU. Factors such as using languages or currencies common in EU member states, or referencing EU customers in marketing materials, can indicate service provision within the EU.
Role of suppliers: Suppliers to the automotive industry can be subject to the requirements of the NIS-2 Directive. Suppliers active in sectors explicitly listed as "essential" or "important" entities in Annexes I and II of the NIS-2 Directive—such as digital infrastructure, ICT services, energy, chemicals, or other critical sectors—are directly within the scope of the directive and must comply accordingly.
Even suppliers not explicitly listed under Annexes I and II may become indirectly subject to NIS-2 requirements as part of an OEM's supply chain. Companies regulated under NIS-2 are obligated to secure their supply chains. Suppliers may therefore be contractually required by automotive manufacturers or other regulated entities to implement specific cybersecurity measures to manage and mitigate risks.
In summary, automotive industry suppliers can be regulated by NIS-2 if they directly fall under regulated sectors, are contractually obligated by customers to comply with cybersecurity standards, provide ICT or platform services, or meet specific thresholds regarding size or criticality of their operations.
3. How can legal teams in the automotive industry effectively manage the complex legal framework, and are certifications such as TISAX a useful approach to reducing complexity and effort?
Legal teams in the automotive industry face a highly complex and evolving legal landscape, driven by cybersecurity regulations (like NIS-2), data protection (GDPR), and compliance requirements across multiple jurisdictions. Effectively managing this complexity requires a structured approach, which includes proactive compliance management, leveraging industry standards, and streamlining internal processes. Certifications such as TISAX (Trusted Information Security Assessment Exchange) offer a practical and valuable tool, as they can significantly simplify compliance efforts, improve standardization, enhance credibility, and reduce the overall complexity and resource burden.
An essential success factor for a legally compliant, effective and practical implementation is involving legal early in the respective development projects and collaborations, in interdisciplinary product groups made up of experts from the relevant specialist areas such as IT security, R&D, compliance and legal, so that challenges are identified at an early stage and pragmatic solutions are developed in good time.
Legal teams can use the following checklist to effectively monitor the implementation of relevant requirements and check all the necessary aspects.
Assessment & Gap Analysis
- Identify applicable laws and regulations (NIS-2, GDPR, etc.).
- Conduct gap analysis between current practices and compliance obligations.
- Evaluate whether certifications (e.g., TISAX, ISO 27001) can address identified gaps.
Implementation of Compliance Measures
- Support IT Security teams in developing and maintaining internal cybersecurity policies and guidelines.
- Align internal processes within IT Security or R&D with compliance obligations (incident reporting, risk management, supplier controls).
- Establish clear roles and responsibilities (legal, IT, compliance, cybersecurity, management).
Supplier & Contract Management
- Ensure contracts with suppliers contain necessary compliance clauses (including cybersecurity and data protection as well as audit and reporting mechanisms).
- Require and verify certifications such as TISAX from critical suppliers where relevant.
- Implement processes for regular supplier audits and monitoring.
Training & Awareness
- Provide regular compliance and cybersecurity training sessions for employees and management.
- Ensure management and the legal team are aware of new regulatory developments.
- Maintain awareness materials and guidelines for internal stakeholders.
Incident Management & Reporting
- Establish clear incident response plans (aligned with NIS-2 and GDPR obligations).
- Ensure internal procedures clearly define reporting channels and timelines.
- Regularly test and update incident management plans through exercises.
- Carry out dry runs to verify proper process design and implementation.
Continuous Improvement
- Track regulatory changes and adjust compliance strategy as necessary.
- Regularly reassess the effectiveness of implemented measures.
- Exchange best practices with industry peers to enhance compliance strategies.