Executive Summary
In April 2025, ENX Association published an expert opinion concluding that companies holding a valid TISAX® label have, at label-covered sites, implemented the cybersecurity risk-management measures NIS2 requires. All ten measures in Article 21(2) map to specific VDA® ISA 6 controls, and an auditor has already checked them. Good news for automotive suppliers pulled into NIS2 scope.
It's not the whole story, though. The same document, read carefully, names the obligations a TISAX label doesn't touch: registration with your national authority, the 24-hour and 72-hour incident reporting channels, cross-border disclosure, and management-body training. Below we walk through the mapping control by control, then through the five gaps we close with clients who already hold a label. The full mapping is available as a downloadable checklist at the end.
Why NIS2 is landing on automotive suppliers' desks
TISAX NIS2 compliance became a real question the moment suppliers realised they sit in scope of both regimes at once. Manufacturing of motor vehicles, trailers, and other transport equipment is an Annex II sector under the NIS2 Directive. A supplier with 50 or more employees, or more than 10 million euros in annual turnover, typically qualifies as an important entity. We covered the two-axis scope test in our guide to NIS2 essential entity criteria.
The directive stopped being theoretical a while ago. Romania transposed it through OUG 155/2024, approved and amended by Law 124/2025, in force since July 2025. DNSC Orders 1/2025 and 2/2025 set the registration and incident-classification rules, and the initial registration window gave entities 30 days. Germany, Hungary, Czech Republic and the other manufacturing-heavy member states are at various stages of the same process. If your sites span several countries, you hold several sets of national obligations, not one.
So the question we hear in almost every NIS2 conversation with a TISAX-labelled supplier is the same one: we've already been through an assessment, how much of this do we get for free?
More than you might expect. Less than the headline suggests.
What the ENX expert opinion actually says
The short answer: ENX's working group concluded that TISAX-compliant sites "have fully implemented the requirements of NIS2" at the risk-management level, and that the ISA catalogue in several areas goes further than the directive asks.
The document behind that sentence is worth knowing precisely. "NIS2 fulfilment through TISAX" was published by ENX Association on 24 April 2025, edited by the ENX WG ISA working group, with input from automotive security experts and audit providers. It follows the methodology of an expert opinion and maps every measure in NIS2 Article 21(2), letters a through j, to named VDA ISA 6 controls.
One thing we always flag before anyone relies on it: ENX governs TISAX. This is the standard's owner assessing its own standard. That doesn't make the analysis wrong, and in our reading the control mapping holds up well. It does mean the caveats buried in the document deserve more attention than the conclusion, because ENX has every incentive to put the conclusion in the headline and the caveats in section 1.2.
Three preconditions carry the whole argument:
- The label must be based on ISA 6, the catalogue version mandatory for new assessments since April 2024. Older ISA 5.1 labels were not analysed.
- The label must come from a real assessment at AL2 or AL3. Self-assessments carry low confidence, and assessments covering only prototype protection don't provide sufficient information.
- Every NIS2-affected site must be covered by a label. One labelled plant doesn't cover the group.
If any of those fail, the opinion's conclusion simply doesn't apply to you.
The mapping: ten Article 21 measures, one ISA catalogue
NIS2 Article 21(2) lists ten minimum cybersecurity risk-management measures. Here is where each one lives in VDA ISA 6, per the ENX opinion:
- a · Risk analysis and information system security policies → ISA 1.4.1, 5.2.7, 5.3.1 (covered, exceeds NIS2)
- b · Incident handling → ISA 1.6.1, 1.6.2 (covered, exceeds NIS2)
- c · Business continuity, backup, disaster recovery, crisis management → ISA 1.6.3, 5.2.8, 5.2.9
- d · Supply chain security → ISA 1.2.4, 1.3.3, 5.3.3, 6.1.1, 6.1.2 (extends past direct suppliers to subcontractors)
- e · Secure acquisition, development, maintenance, vulnerability handling → ISA 1.2.3, 5.2.1 to 5.2.6, 5.3.1 to 5.3.4
- f · Policies to assess effectiveness of the measures → ISA 1.2.1, 1.4.1, 1.5.1, 1.5.2 (three-year cycle deemed appropriate)
- g · Cyber hygiene practices and security training → ISA 2.1.2, 2.1.3, plus 18 further controls
- h · Cryptography and encryption policies → ISA 5.1.1, 5.1.2
- i · HR security, access control, asset management → ISA 1.3.1 to 1.3.3, 2.1.1 to 2.1.4, 4.1.1 to 4.1.3
- j · MFA, secured voice, video, text and emergency communications → ISA 4.1.2, 4.1.3, 5.1.2, 5.2.8
In several rows the ISA goes further than the directive. Incident-handling processes in the ISA "go beyond the requirements stipulated in NIS2". Supply-chain controls extend past direct suppliers to subcontractors, which is more than Article 21(2)(d) strictly demands. And because TISAX uses a fixed assessment scope, you can't declare controls not applicable the way an ISO 27001 Statement of Applicability sometimes allows. That fixed scope is exactly why the opinion can generalise across the more than 17,500 locations assessed since 2017.
In practice, this mapping is the part your management board wants to see, because it means the expensive part of NIS2, the actual security operations, is already built and audited at labelled sites. The part your legal counsel wants to see comes next.
The five gaps a TISAX label does not close
This is the section the summaries skip, and it's where NIS2 enforcement risk actually concentrates.
Our TISAX® and ISO 27001 experts help European automotive suppliers achieve compliance within 95 days.
1. Registration with your national authority
NIS2 requires in-scope entities to identify themselves to the competent authority. In Romania that means registration with DNSC under the OUG 155/2024 framework. No TISAX process registers you anywhere. The ENX opinion explicitly leaves registration duties, and everything else tied to national implementation, out of scope.
2. The 24-hour and 72-hour reporting channels
Your ISA 1.6 controls prove you can detect, classify and handle incidents. They don't prove you can file an early warning with the national CSIRT within 24 hours and an incident notification within 72. The opinion is direct about this: national reporting requirements must be maintained and operated in parallel. Auditors check that an incident process exists. They can't guarantee you've embedded the right contact points, portals, thresholds and languages for every member state you operate in.
3. Cross-border disclosure
Where an incident has effects in other member states, NIS2 expects that to be part of the notification. Disclosure of cross-border impact is not explicitly required within the ISA. The opinion recommends expanding emergency communication procedures with the NIS2 specifics, and only then considers the requirement fully met.
4. Management-body training
Article 20(2) obliges members of management bodies to follow cybersecurity training. The ISA covers training through control 2.1.3, aimed at all employees by target group. The opinion itself concedes that the direct reference to management-body training is not explicitly listed in the ISA, and argues coverage by interpretation. Our practitioner reading: that argument may satisfy an auditor, but management accountability is the part of NIS2 regulators talk about most, and a documented board-level training record is cheap insurance. We wouldn't leave it to interpretation.
5. National transposition specifics
The opinion analysed the directive, not the 27 national laws implementing it. Deadlines, fine regimes, entity classifications and audit powers differ per country. Romania's Law 124/2025 is not Germany's implementation, and neither is Hungary's. Whatever your label covers, the country-by-country homework remains, and the opinion says checking it stays the responsibility of the companies.
What to do with this if you already hold a label
Here is the Monday-morning sequence we run with labelled clients, condensed:
- Confirm your label basis. ISA 6, AL2 or AL3, information security scope. An ISA 5.1 label or a prototype-only assessment doesn't carry the argument.
- Map label coverage against NIS2-affected sites. Every legal entity and site in NIS2 scope needs to sit inside a label's assessment scope. List the ones that don't.
- Verify registration status in each member state where you are an essential or important entity. In Romania, that conversation starts with DNSC.
- Wire the reporting channels into your incident process. Named authority contacts, submission portals, the 24h/72h/one-month cadence, and cross-border disclosure steps, written into the runbook your incident manager actually opens.
- Put your management body through documented cybersecurity training and keep the evidence with your ISMS records.
- File the ENX expert opinion with your compliance evidence. When an authority or an OEM customer asks how you address Article 21, the mapping above plus a valid label is a strong, documented answer.
We've packaged the full control mapping and the gap checklist into a two-page PDF you can hand to your ISMS owner: the TISAX to NIS2 Mapping Checklist.
If you'd rather have someone who has sat in the assessment rooms walk your specific scope, that's the work we do. Talk to us about your NIS2 position.
FAQ
Does a TISAX label make my company NIS2 compliant?
Partially, and substantially. Per ENX's April 2025 expert opinion, a valid ISA 6 label at AL2 or AL3 demonstrates implementation of all ten Article 21(2) risk-management measures at labelled sites. Registration, incident reporting to authorities and management-body training remain open and must be handled separately.
Do I still need to register with DNSC or my national authority if I have TISAX?
Yes. Registration is a national legal obligation under the NIS2 transposition laws, such as OUG 155/2024 and Law 124/2025 in Romania. TISAX has no registration function.
Does the ENX opinion apply to older TISAX labels?
No. It analysed ISA version 6, mandatory for assessments since April 2024. If your label still rests on ISA 5.1, the mapping was not assessed for it, and your next assessment moves you to the current catalogue anyway.
Is TISAX or ISO 27001 better evidence for NIS2?
They work differently. ISO 27001 allows a self-defined scope and Statement of Applicability, so coverage depends on scoping choices. TISAX applies a fixed scope with no control exclusions, which is why ENX could publish a general mapping. For automotive suppliers holding both, the TISAX label is usually the sharper NIS2 argument. We compared the two frameworks in our ISO 27001 to VDA ISA 6 control mapping.
What is still my responsibility even with a perfect label?
Registration, the 24h/72h/one-month reporting chain, cross-border disclosure, management training, and every country-specific requirement in the member states where you operate. That's the checklist half of the PDF above.

About Iulian Bozdoghina
Lead Auditor and Consultant
"Iulian Bozdoghina is a veteran cybersecurity strategist with over 15 years of experience in securing automotive supply chains and critical infrastructure. He specializes in TISAX®, ISO 27001, and the emerging NIS2/DORA regulatory landscape."




