From regulation to implementation: Practical implications of NIS-2 for the automotive industry | TWheel

Many companies in the automotive sector are currently reviewing the applicability and implementation of the NIS 2 requirements, which are gradually being incorporated into the respective implementation laws of the EU member states.

The NIS 2 Directive was adopted on December 14, 2022, entered into force in January 2023, and should be transposed into national law by EU member states by October 2024. It will then apply to numerous companies and organizations that provide critical or important services in the EU.

NIS 2 aims to ensure that companies and public authorities in the EU are better protected against cyberattacks and other security risks by introducing common, binding standards for cybersecurity, risk management, and incident reporting, and by monitoring compliance with these standards.

In Germany, the NIS 2 Implementation Act has been in force since December 6, 2025, with no general transition period.

This means that plans are now becoming concrete obligations. For many companies, this currently means assessing their exposure, conducting initial gap analyses, and holding workshops with IT/OT and purchasing departments.

This also includes the registration and reporting obligation, which must be carried out – for Germany - via the regulator (BSI) portal, which has been activated since January 6, 2026. The portal is the "one-stop shop" for communication with the regulator, and registration is a two-step process.¹

The impact on companies in the automotive industry is considerable in some cases. We are taking this opportunity to take a look at NIS-2 and its significance for the industry in the following FAQ.

1. Which companies in the automotive industry are subject to NIS-2? Only OEMs, or also suppliers and service providers in the supply chain?

NIS-2 and the corresponding implementing laws regulate the manufacture of motor vehicles and motor vehicle parts as a critical activity that may be subject to the requirements of NIS-2 (see Annex II).

The wording already makes it clear that this is not purely an "OEM regulation," but rather an ecosystem-wide regulation for a large number of companies if they meet additional criteria.

The NIS-2 implementation in Germany distinguishes between "important" and "particularly important" entities, typically based on sector + size/threshold values. It generally applies to entities of the type specified in Annex I (particularly important) or Annex II (important) that are classified as at least medium-sized enterprises. "Medium-sized" are companies with at least ten employees or an annual turnover ≥ €10 million or an annual balance sheet total ≥ €10 million. On the other hand, only those companies with ≥ 250 employees or an annual turnover > €50 million or an annual balance sheet total > €43 million can fall into the "particularly important" category. At the same time, smaller companies can also be included in certain cases if they operate in certain critical business areas.

The classification includes, among others, the "manufacturing/production of goods" sector and explicitly companies that carry out activities listed in NACE Rev. 2, Section C, Division 29 – i.e., the core of motor vehicles and motor vehicle parts.

"Typical candidates" (depending on size/classification) include, for example:

• OEMs and vehicle plants (including associated IT/OT operating structures),
• Suppliers (Tier 1/2/3): Drive/powertrain, chassis, electronics/ECUs, ADAS components, interior, raw parts,
• Specialized manufacturers (e.g., die casting, forging, printed circuit boards/electronics manufacturing, semiconductor manufacturers) if clearly located in Division 29 or functionally closely linked
• Automotive-related digital service providers, if they themselves fall within NIS 2 sectors (e.g., managed services/cloud/data centers, etc.) – or if they are "indirectly" included in the chain of responsibility as critical suppliers.

Even if a company in the automotive industry is not directly classified as a NIS 2 facility, the requirements are often indirectly passed on in the supply chain (e.g., security requirements, evidence, audit rights) because "supply chain security" is explicitly part of the framework of obligations. For suppliers, this often has a comparable effect to being directly regulated themselves.

2. What is changing with NIS-2 specifically for automotive companies?

Until now, many automotive companies have essentially organized cybersecurity through industry standards and corresponding audits (e.g., ISMS/TISAX). NIS-2 shifts the picture to one where more companies are directly addressed by statutory law and must implement verifiable minimum measures by law – not only by industry standard commitment:

• More companies are directly obligated
  The circle of regulated entities is being significantly expanded. In Germany, there are around ~29,500 companies/institutions affected in the context of implementation.
• No general transition period: implementation capability now counts
  An immediate, binding framework of obligations for cyber risk management applies (no longer "nice to have," but now a legal standard).
• Cybersecurity explicitly becomes a "board-level" task
  Management bodies must approve measures, monitor implementation, and can be held responsible for violations; training for management bodies is also planned.
• Registration and reporting are mandatory and are carried out via the new regulator portal (Germany: BSI)
  First, one must register with the digital service "Mein Unternehmenskonto" (MUK), then register on the newly developed portal, which is now available. This is the new communication channel with the German regulator for mandatory reports and registrations.

3. What exactly do the "new" obligations entail?

According to NIS-2 RL, manufacturing, development, and the supply chain must be demonstrably cyber-resilient, with clear roles, deadlines, and documentation—immediately, in the absence of transition periods.

The core elements are registration, reporting processes, risk management measures, and documentation.

Registration and subsequent regulator supervision

For affected companies, registration is not "nice to have," but a prerequisite for authorities/CSIRTs to be able to communicate clearly in an emergency. The regulator portal is the central point of entry for this.

• Registration within 3 months of being (re)classified as an affected institution;
• Update changes within 2 weeks of becoming aware of them.
• This is all done via the BSI portal ("one-stop shop").

Governance: Management is jointly liable and must manage security

Security is a board issue because it directly affects production downtime, delivery capability, and product/backend risks.

• Management must monitor NIS 2 measures and is responsible/liable in the event of non-compliance.
• Mandatory training: Management must be trained; this includes regular cybersecurity training for employees.

Risk management: Minimum measures along the automotive value chain

NIS 2 requires appropriate, proportionate technical/operational/organizational measures and specifies at least the following components:

• Risk analysis
• Incident handling
• BCM/backup/recovery
• Supply chain security
• Secure development
• Vulnerability Management
• Effectiveness Measurement
• Training
• Cryptography
• Access Control/Asset Management,
• MFA & secure communication.

Typical automotive "hotspots" where the mandatory NIS-2 compliance program often becomes concrete:

• Production and plant operation: segmentation, remote access, patch/change processes, restart plans / recovery
• Engineering/toolchain: Protection of source code, CI/CD, build systems, signatures/artifact integrity, secrets management
• Connected car/backend landscape: IAM/MFA, monitoring, incident playbooks, dependencies on cloud/managed services
• Supply chain: Security requirements for Tier 1/2 and IT service providers, reliable evidence, escalation paths, exit/BC plans

Tightly scheduled reporting requirements:

The directive sets a timetable for reporting "significant security incidents":

• Within 24 hours at the latest: early warning
• Within 72 hours at the latest: Report of the security incident (with initial assessment/updates)
• No later than one month after the 72-hour report: Final report (including cause, measures, effects)

For the automotive industry, this is primarily a process issue: Who decides what is "significant," who provides the facts (IT/OT/engineering/legal/communications), and how can reliable information be gathered within 24–72 hours?

Companies are now required to define responsibilities and processes for this in a timely manner in order to be able to fulfill their respective obligations. This requires close integration with existing processes (including data protection incident management).

Certification & supervision: Proof is requested

Depending on the classification, the BSI can order audits/inspections/certifications with varying degrees of "severity" for (particularly) important entities and request evidence/documentation of implementation (e.g., audit reports, documented concepts).

The new BSIG (German NIS-2 implementation law) allows for a statutory order to be issued stipulating that certain ICT products/services/processes may only be used if they are certified in accordance with EU cybersecurity certification schemes (Section 30 (6) BSIG, new version, in conjunction with Section 56 BSIG, new version).

NIS 2 provides that Member States may require certified ICT products/services/processes to meet certain requirements, and the Commission may adopt delegated acts for this purpose if necessary (Art. 24 NIS 2).

Significant penalties:

NIS 2 provides for maximum amounts for fines across the EU of EUR 10 million or 2% of turnover (essential facilities) or EUR 7 million or 1.4% of turnover (important facilities), whichever is higher.

4. Next steps & outlook: What should automotive companies do next?

✔️ Verify impact
Which companies/locations are in scope of NIS-2? What is the NACE classification? Which services are covered? What dependencies exist? (NIS 2 scope is linked to Annex I/II and company size.)

✔️ Ensure registration is organized
Plan a two-stage registration process (MUK and BSI portal), define roles (owner, deputy), make contact points/availability "incident-ready."

✔️ Update incident runbook with regard to deadlines
Set up or update incident runbook with regard to the definition of criteria such as "significant," define and describe reporting workflow, design fact pack template, determine approvals (legal/management), define communication paths so that the tight deadlines (24 hours, 72 hours, 1 month) can be met.

✔️ Anchor risk measures as a checklist in IT/OT/engineering
There is no need to reinvent the wheel here: use existing ISMS building blocks, but close gaps in the supply chain, toolchain, OT recovery, and MFA/communication.

✔️ Operationalize the supply chain
Identify top-risk suppliers (including cloud/managed services), define minimum controls, evidence, audit/assessment cycle, escalation, and exit plan.

✔️ Management enablement
Board briefing, responsibilities, training requirements, regular review cycle, because governance is explicitly required.

¹ See the BSI press release