We already hold TISAX. Is that enough for NIS-2?

TISAX covers many NIS-2 minimum measures, but not all. In particular BSI reporting obligations (24/72 hours), management accountability and the NIS-2-specific supply chain logic are not part of TISAX. The Cybervize platform maps both from a single control set so duplicate work falls away.

We are a Tier-2 supplier without direct NIS-2 status. What comes our way?

Tier-2 suppliers receive NIS-2 and TISAX requirements contractually from Tier-1 suppliers or OEMs. In practice that means supplier questionnaires with similar depth to NIS-2 obligations, without being directly NIS-2-affected. Structured answers are a competitive matter.

How do we handle CAD data and product IP in practice?

Product IP and CAD data are engineering assets with the highest confidentiality classification. NIS-2 requires encryption, access control and documented data flows. TISAX has its own protection levels for "high" and "very high" confidentiality that map directly.

Do we have to treat all plants identically?

No. The platform allows differentiated maturity levels per plant. Older plants with legacy OT and greenfield plants with modern equipment have different risk landscapes and compensating controls. Important is documentation of the differentiation, not one-size-fits-all.

What does a multi-plant rollout cost?

Platform licence scales by headcount and site count. Multi-plant rollout typically 16 to 20 weeks for three to five plants in Germany, longer for international subsidiaries. Exact indication comes from the risk check.

NIS-2 for automotive

Automotive faces NIS-2 plus TISAX. Dual obligations, one platform.

Annex II of the German NIS-2 implementation act covers automotive through the NACE category vehicles and components as an important entity. TISAX audits remain mandatory for OEM suppliers. The Cybervize platform maps NIS-2 and TISAX from a single control set, plus OT modules for plant IT.

Book the NIS-2 risk check

Cybervize Platform maturity report per ISO 27001 as evidence of cross-industry consulting expertise

What NIS-2 and TISAX mean together for automotive in practice

OEMs and Tier-1/Tier-2 suppliers typically fall under NIS-2 Annex II as „important entity" and additionally carry contractual TISAX requirements from the automotive supply chain. Four consequences of this dual regulation for OEM suppliers and plant operators. Sector alone is not enough: NIS-2 Annex II classification depends on size thresholds and concrete activity; TISAX remains a contractual requirement, not statute. The legally binding evaluation remains a matter for specialised counsel.

01 · Scope

Important entity with reactive supervision

Annex II means lower sanctions than Annex I, but the same ten minimum measures per §30 of the German NIS-2 implementation act. Supervision is reactive but kicks in on incidents or audit findings.

02 · Scope

TISAX as parallel security certification

TISAX (Trusted Information Security Assessment Exchange) is the industry standard for OEM suppliers. Audit levels 1 to 3 depending on protection needs. NIS-2 covers many TISAX requirements but not all, and vice versa.

03 · Scope

OT in plants plus office IT in engineering

Production plants with OT (robotics, presses, paint shops) and engineering centres with CAD and product data have different risk landscapes. Both belong in the NIS-2 scope.

04 · Scope

Supply chain reciprocity

OEMs pass TISAX and NIS-2 requirements down to suppliers. Tier-1 suppliers pass them down to Tier-2 suppliers. Whoever sits in a supply chain receives the requirements contractually, even without being directly NIS-2-affected.

Five minimum measures with automotive examples

Five NIS-2 minimum measures translated into automotive practice (with TISAX cross-reference).

Risk analysis for production and engineering

Risk register with plant OT (robotics, presses), engineering IT (CAD data, product IP) and office IT. Protection goals differ: production = availability, engineering = confidentiality, office = integrity.

Supply chain security with tier logic

Supplier inventory with tier classification and criticality. TISAX status of suppliers documented, alternative suppliers for single-source components identified.

Security in procurement of controllers and robotics

Procurement process with security requirements for new production assets, patch management with maintenance windows, remote-maintenance access for machine vendors documented.

Encryption for engineering data and product IP

CAD data and product IP encrypted at rest and in transit, key management documented, data classification aligned with TISAX protection levels.

Multi-factor authentication for engineering access

MFA for engineering workstations, cloud CAD platforms and supplier portals. Privileged accounts separated. Access rights recertified regularly.

Cybervize building blocks for automotive

The Cybervize platform covers ISMS, assessment (NIS-2 plus TISAX), TPRM and BCM in one solution. Especially relevant for automotive: TISAX mapping, multi-plant assessment, supplier tier logic.

Service 01

NIS-2 risk check

Free 30-minute initial call with an indicative NIS-2 classification, top-5 gaps and a path recommendation.

Learn more Service 02

Cybervize platform

ISMS, compliance and evidence from a single platform. Multi-entity, multi-country, AI-supported.

Learn more Service 03

Virtual CISO

Platform plus permanent CISO function. For organisations without an in-house CISO.

Learn more Service 04

NIS-2 onboarding project

Gap assessment, roadmap, implementation via the platform. Fixed price from 4,500 euros.

Learn more

Self-check available

NIS-2 maturity check: 30 questions, 10 §30 BSIG measures, instant traffic light

Free, no signup, around 5 minutes. Detailed evaluation by email if desired.

Start the check

Why Cybervize fits automotive

Industry experience in automotive and manufacturing from 25 years of ISMS practice at PwC, Deloitte and KPMG. TISAX experience from OEM and Tier-1 mandates. Platform covers TISAX and NIS-2 from a single control set.

TISAX: audit levels 1 to 3 coverage
Multi-plant: group-wide rollout
NIS-2 + TISAX: from one control mapping
OEM + Tier-1: industry mandates

Frequently asked questions from automotive

Classify NIS-2 and TISAX in 30 minutes

Free risk check with indicative NIS-2 classification, TISAX status indicator and path recommendation. Ideally with IT leadership or TISAX owner plus management board present.

Book the NIS-2 risk check

Memberships, programmes and partnerships

Content last reviewed: May 18, 2026

Automotive faces NIS-2 plus TISAX. Dual obligations, one platform.

Book the NIS-2 risk check

What NIS-2 and TISAX mean together for automotive in practice

Automotive faces NIS-2 plus TISAX. Dual obligations, one platform.

What NIS-2 and TISAX mean together for automotive in practice