TISAX as a pass to NIS2 | All for One Poland

TISAX as a pass to NIS2

New standards for automotive too

The European automotive industry is facing a major regulatory challenge in the area of cyber security. The implementation of the NIS2 Directive and planned amendments to the Polish law on the National Cyber Security System (KSC) will introduce new obligations for companies in the automotive sector (production of motor vehicles, trailers and semi-trailers). A key question arises for TISAX (VDA ISA) certified companies: will the existing information security management system ensure compliance with the new requirements?

To start with the good news – companies with a valid TISAX certificate are already largely prepared to meet NIS2 requirements, assuming, of course, that an information security management system (ISMS) has been implemented in the right scope and areas of the company. However, additional measures will still be necessary, especially in the context of the specifics of Polish regulations. A TISAX-compliant ISMS is therefore a very good base that greatly facilitates the implementation of NIS2 requirements.

NIS2 Directive - a new European standard

The NIS2 Directive, which should have been implemented by EU member states by October 17, 2024 (in Poland this was done through an amendment to the National Cyber Security System Act), significantly expands the scope of entities covered by cyber security regulations.

The revised legislation includes the production of motor vehicles, trailers and semi-trailers as an important sector, which means that medium and large companies in this industry will also be subject to new legal obligations.

In practice, for automotive companies, this means the need to implement a proportionate Information Security Management System (e.g., based on the requirements of the ISO 27001 standard), taking into account the specific requirements of NIS2, such as:

  • Identifying and reporting security incidents to the CSIRT (Computer Security Incident Response Team),
  • Performing self-identification and reporting to the Minister of Digitization,
  • Conducting regular audits,
  • Training of entity managers (e.g., board members) on cyber security and NIS2 requirements.

In the context of the last point, it is worth mentioning that NIS2 introduces personal liability of board members for performing due diligence on the organization’s cyber security.

TISAX - the foundation of information security in automotive

TISAX (Trusted Information Security Assessment Exchange) is an information security assessment standard developed by the German VDA association, based on the ISA (Information Security Assessment) catalog. The standard is based on ISO/IEC 27001, but includes additional specific requirements for the automotive industry, such as protection of prototypes (parts and vehicles), securing the supply chain, business continuity plans and appropriate physical security organization.

TISAX has for some time become a basic requirement for companies working in the supply chain with major auto manufacturers, so many companies have already made the required adjustments, passed the certification audit and obtained the label on the ENX portal.

Analysis of TISAX compliance with NIS2 requirements

It’s time to answer the most important question – does the TISAX label mean full compliance with NIS2 regulations?

The answer is no. An organization with a TISAX label should take additional steps to achieve full compliance with the new regulations. The scope of necessary work will vary, depending on the type of company (components produced, size, solutions implemented), but can be summarized as follows:

1. TISAX is not ISO 27001

Although TISAX requirements are based on ISO 27001, they are not the same. TISAX allows for different levels of implementation of the requirements – from self-assessment (not verified by an independent party), through the so-called AL2 (requiring a remote audit, the so-called plausibility check), to AL3 (where a full audit at a designated location is required). If a company has a TISAX label at the AL2 or AL3 level, the implementation of each requirement should still be analyzed in detail.

2. Formal requirements and board responsibility

While TISAX includes the need to provide adequate cyber security training (control 2.1.3 in the Information security area), it does not specify its scope. Therefore, it should be verified whether the training provided for management meets the requirements of NIS2. In doing so, it is also worth noting the structure of responsibility for information security and verifying that the role of top management has been properly defined. It is also necessary to appoint two people who will be responsible for contacting the relevant state authorities in case of serious incidents.

3. Additional procedures related to incident management

As mentioned earlier, NIS2 makes it mandatory to report information security incidents to the relevant CSIRT (in the case of enterprises, the relevant CSIRT is most often NASK). Procedures should therefore include:

  • An updated definition of incidents in accordance with Polish regulations,
  • Inclusion of cross-border effects of incidents in reporting procedures (e.g., when operating in a multinational group),
  • Communication with entities within the National Cyber Security System,
  • Preparation of report templates in accordance with national requirements.

4. Strengthening crisis management

Strengthening crisis management is related to the earlier point, but additionally implies the need to include issues related to cyber security threats in crisis planning (including business continuity). At this point, it is worth paying particular attention to whether the organization has updated the ISMS to VDA ISA TISAX version 6 requirements (the earlier version contained less detailed business continuity requirements).

In particular, activities in this area should include:

  • Creation of alternative channels of communication in emergency situations (e.g., with GSM network unavailability, radio communication disruptions, lack of Internet),
  • Procedures for communication with state bodies (identification of contact persons, prior definition of communication methods),
  • Recovery plans for systems and services taking into account RTO/RPO time requirements, for example, by planning the use of a Disaster Recovery Center.

5. The need for self-identification

The company is required to independently assess whether and to what extent it is subject to NIS2 regulations. Criteria for the automotive industry include:

  • Medium-sized enterprises: employment of 50-249 people or turnover of 10-50 million euros,
  • Large enterprises: employment of 250+ people and turnover of more than 50 million euros,
  • Activities in the important sector: production of vehicles, trailers, semi-trailers.

After self-identification, notification must be made to the Minister of Digitization.

Pass to NIS2

TISAX provides a solid foundation for meeting NIS2 and KSC requirements. Companies with a valid TISAX certificate are much better prepared for the new regulations than organizations starting “from scratch”. However, additional measures will still need to be taken.

When implementing NIS2 requirements:

  1. Take advantage of the TISAX advantage – don’t treat new regulations as a completely new challenge, but as an improvement of existing practices and accepted ways of managing information security (evolution, not revolution);
  2. Plan the completion of the ISMS in advance – although the amendment provides a period to implement additional requirements, it is worthwhile to analyze the scope of the necessary changes in advance (in large organizations or complex ISMS, it may take more time to implement changes);
  3. Prepare executives for new requirements – plan required training for executives, including on new legal requirements and KSC responsibilities;
  4. Consult experts – despite TISAX’s high compliance with NIS2, the specifics of each organization may require a customized approach and adequate measures.

For the automotive industry, TISAX certification is already the ticket to meeting the cyber security requirements imposed by NIS2. The key to success will be the conscious and planned addition of elements to existing systems required by national NIS2 implementations.

Article prepared on the basis of the ENX Association report “NIS2 fulfillment through TISAX” and analysis of the current version of the draft amendment to the Polish law on KSC. We recommend following the current legislative changes and consulting with cyber security experts when planning implementations.

Risk analysis allows organizations to learn about and better understand risks, and in turn optimize security measures

Rafal Grześkowiak, Manager – IT Projects, All for One Poland

Cyber security framework the same everywhere

Rafal Grześkowiak, Manager – IT Projects at All for One Poland, summarizes: “We have been supporting our customers in the field of security for 20 years. ISO/IEC 27001 certification, the TISAX label or the NIS2 compliance requirement are part of All for One Poland’s everyday life. As a provider of critical IT services, we are aware of our responsibility to our customers, but also of the threats we must defend against.

We share our experience and proven organizational and technological solutions with organizations seeking to enhance their security.

Regardless of the industry – energy, automotive, industrial and food manufacturing, transportation, pharma or IT – the cyber security framework is the same. It starts with defining roles and responsibilities. It extends to physical and personal security. Finally, it extends to technology. The common part – a kind of conceptual foundation – is risk analysis. It’s what allows organizations to know and better understand the risks, and in turn optimize security measures.

At this point, each organization’s ISMS already becomes different from the others and requires a customized implementation approach. The profile of the business, the size of the information assets and their value, the needs for business continuity and disaster recovery, the specifics and competencies of the IT team, contractual requirements, legal or normative requirements… There are hundreds of similar factors that determine the final shape of the management system. One that will fit the business and at the same time meet all formal requirements, allowing for audit proof of compliance and eventual certification.

A management system is both documentation (policies, procedures, instructions, business continuity plans, etc.) and a wide range of organizational and technical solutions. Touching only on selected issues, it is worth mentioning fundamental examples: employee training, workflow for granting and revoking privileges, data encryption, backups and restore tests, network protection (NGFW systems, IPS), high availability solutions for business applications, backup data centers, multi-component authentication, log analytics (SIEM/SOAR/SOC), vulnerability management (patching, vulnerability scanning, penetration testing), protection of industrial automation (OT) systems, physical security of premises, protection against data leakage (DLP systems).

Each of the listed items is another “brick” in building a security wall around the organization. All for One provides all the necessary components to build comprehensive security solutions – especially for NIS2, TISAX, ISO 27001.”
