TISAX as a Gateway to NIS2 | All for One Poland

TISAX as a Gateway to NIS2

New Standards Also for the Automotive Sector

The European automotive industry is facing a significant regulatory challenge in the field of cybersecurity. The implementation of the NIS2 Directive and the planned amendments to the Polish National Cybersecurity System Act (KSC) will introduce new obligations for companies in the automotive sector (production of motor vehicles, trailers and semi-trailers). For enterprises holding a TISAX (VDA ISA) certification, a key question arises: will the existing Information Security Management System ensure compliance with the new requirements?


To start with the good news – companies holding a valid TISAX certification are already largely prepared to meet NIS2 requirements, provided that an Information Security Management System (ISMS) has been implemented with the appropriate scope and in the right areas of the organization. However, additional actions will still be required, especially in the context of the specific nature of Polish regulations. A TISAX-compliant ISMS therefore provides an excellent foundation, significantly facilitating the implementation of NIS2 requirements.

NIS2 Directive – A New European Standard

The NIS2 Directive, which was to be implemented by EU Member States by 17 October 2024 (in Poland through an amendment to the National Cybersecurity System Act), significantly expands the scope of entities covered by cybersecurity regulations.

The revised legislation includes the production of motor vehicles, trailers and semi-trailers as an important sector, which means that medium and large companies in this industry will also be subject to new legal obligations.

In practice, for automotive companies, this means the need to implement a proportionate Information Security Management System (e.g., based on the requirements of the ISO 27001 standard), taking into account the specific requirements of NIS2, such as:

  • identifying and reporting security incidents to the CSIRT (Computer Security Incident Response Team)
  • self-identification and registration with the Ministry of Digital Affairs
  • conducting regular audits
  • training entity management (e.g., board members) in cybersecurity and NIS2 requirements.

In the context of the last point, it is worth mentioning that NIS2 introduces personal liability of board members with regard to exercising due diligence in the organization’s cybersecurity.

TISAX – The Foundation of Information Security in the Automotive Sector

TISAX (Trusted Information Security Assessment Exchange) is an information security assessment standard developed by the German VDA association, based on the ISA (Information Security Assessment) catalog. The standard is built on ISO/IEC 27001 but includes additional, detailed requirements specific to the automotive sector, such as protection of prototypes (parts and vehicles), securing the supply chain, business continuity plans, and appropriate physical security organization.

For some time now, TISAX has been a baseline requirement for companies operating within the supply chains of major automotive manufacturers. As a result, many organizations have already implemented the necessary adjustments, successfully passed certification audits, and obtained a TISAX label on the ENX portal.

Analysis of TISAX Compliance with NIS2 Requirements

It is time to address the key question: does holding a TISAX label mean full compliance with NIS2 regulations?

The answer is no. An organization holding a TISAX label must take additional steps to achieve full compliance with the new regulations. The scope of required actions will vary depending on the type of company (components produced, size, solutions implemented), but can be summarized as follows:

1. TISAX Is Not ISO 27001

Although TISAX requirements are based on ISO 27001, they are not identical. TISAX allows for different levels of implementation of the requirements – from self-assessment (unverified by an independent party), through the so-called AL2 (requiring a remote audit, the so-called plausibility check), to AL3 (which requires a full on-site audit at a designated location). If a company holds a TISAX label at the AL2 or AL3 level, the implementation of each requirement should be analyzed in detail.

2. Formal Requirements and Board Responsibility

While TISAX requires adequate cybersecurity training (control 2.1.3 in the Information security area), it does not specify its scope. Therefore, it should be verified whether the training provided for management meets the requirements of NIS2. In doing so, it is also worth noting the structure of responsibility for information security and verifying that the role of top management has been properly defined. It is also necessary to appoint two individuals who will be responsible for contacting the relevant state authorities in case of serious incidents.

3. Additional Procedures Related to Incident Management

As mentioned earlier, NIS2 introduces an obligation to report information security incidents to the relevant CSIRT (for enterprises, the relevant CSIRT is most often NASK). Procedures should therefore include:

  • updating the definition of incidents in accordance with Polish regulations
  • including cross-border effects of incidents in reporting procedures (e.g. when operating within a multinational corporate group)
  • communication with entities within the National Cybersecurity System
  • preparing report templates in accordance with national requirements.

4. Strengthening Crisis Management

Strengthening crisis management is related to the previous point, but additionally requires that crisis planning (including business continuity) address issues related to cybersecurity threats. At this stage, particular attention should be paid to whether the organization has updated its ISMS to meet the requirements of VDA ISA TISAX version 6 (the earlier version contained less detailed business continuity requirements).

In particular, activities in this area should include:

  • establishing alternative communication channels in crisis situations (e.g., with GSM network unavailability, radio communication disruptions, lack of Internet access),
  • procedures for communication with state authorities (designation of contact persons, prior definition of communication methods),
  • recovery plans for systems and services taking into account RTO/RPO time requirements, for example, by planning the use of a Disaster Recovery Center.

5. The Need for Self-Identification

The company is required to independently assess whether, and to what extent, it is subject to NIS2 regulations. Criteria for the automotive industry include:

  • Medium-sized enterprises: 50–249 employees or turnover of EUR 10–50 million
  • Large enterprises: 250+ employees and turnover exceeding EUR 50 million
  • Activities in an important sector: production of vehicles, trailers, semi-trailers.

Following self-identification, a notification must be submitted to the Minister for Digital Affairs.

A Gateway to NIS2

TISAX provides a solid foundation for meeting NIS2 and KSC requirements. Companies holding a valid TISAX certification are much better prepared for the new regulations than organizations starting from scratch. Nevertheless, additional measures will still be required.

When implementing NIS2 requirements:

  1. Leverage your TISAX advantage – do not treat the new regulations as an entirely new challenge, but as an enhancement of existing practices and established approaches to information security management (evolution, not revolution)
  2. Plan the enhancement of the ISMS in advance – although the amendment provides for a period to implement additional requirements, it is worth analyzing the scope of the necessary changes in advance (in large organizations or complex ISMS, it may take more time to implement changes)
  3. Prepare executives for new requirements – plan required training for executives, including training on new legal requirements and KSC responsibilities
  4. Consult experts – despite TISAX’s high compliance with NIS2, the specific characteristics of each organization may require a customized approach and adequate measures.

For the automotive industry, TISAX certification is already a gateway to meeting the cybersecurity requirements imposed by NIS2. The key to success will be the deliberate and well-planned enhancement of existing systems with elements required by national implementations of NIS2.

The article was prepared on the basis of the ENX Association report “NIS2 fulfillment through TISAX” and an analysis of the current version of the draft amendment to the Polish KSC Act. We recommend following ongoing legislative changes and consulting cybersecurity experts when planning implementations.

Risk analysis allows organizations to identify and better understand threats and, as a result, to select optimal security measures

Rafal Grześkowiak, IT Project Area Manager, All for One Poland

Cybersecurity Frameworks Are the Same Everywhere

Rafal Grześkowiak, IT Project Area Manager at All for One Poland, summarizes: “We have been supporting our customers in the field of security for 20 years. ISO/IEC 27001 certification, the TISAX label or the NIS2 compliance requirement are part of All for One Poland’s everyday life. As a provider of critical IT services, we are aware of our responsibility to our customers, as well as the threats we must defend against.

We share our experience and proven organizational and technological solutions with organizations seeking to enhance their security.

Regardless of the industry – energy, automotive, industrial and food manufacturing, transportation, pharmaceuticals or IT – cybersecurity frameworks are the same. They start with defining roles and responsibilities. They encompass physical and personal security. Finally, they extend to technology. The common part – a kind of conceptual foundation – is risk analysis. This is what allows organizations to identify and understand threats and, as a result, to select optimal security measures.

At this stage, each organization’s ISMS already becomes distinct and requires a customized implementation approach. The profile of the business, the volume of the information assets and their value, the needs for business continuity and disaster recovery, the specific characteristics and competencies of the IT team, contractual requirements, legal or normative requirements… There are hundreds of similar factors that determine the final shape of the management system – one that is aligned with the business and, at the same time, meets all formal requirements, enabling audit-based confirmation of compliance and potential certification.

A management system is both documentation (policies, procedures, instructions, business continuity plans, etc.) and a wide range of organizational and technical solutions. Focusing only on selected aspects, it is worth highlighting fundamental examples: employee training, workflows for granting and revoking access permissions, data encryption, backups and recovery testing, network protection (NGFW systems, IPS), high-availability solutions for business applications, backup data centers, multi-factor authentication, log analytics (SIEM/SOAR/SOC), vulnerability management (patching, vulnerability scanning, penetration testing), protection of industrial automation (OT) systems, physical security of facilities, and protection against data leakage (DLP systems).

Each of the elements listed is another “brick” in building a security wall around the organization. All for One provides all the necessary components to build comprehensive security solutions – particularly for NIS2, TISAX and ISO 27001.”
