Skip to main content
← Back to Blog

Cybersecurity

NIS2 for Automotive Suppliers: What Germany’s NIS2UmsuCG Means for Tier-1s and Tier-2s

By Shreyansh, Founder & CTO, Agnile Technologies·July 17, 2026·11 min read

Key Takeaways

TL;DR — Germany’s NIS2 implementation law, the NIS2UmsuCG, has been in force since 6 December 2025 and puts automotive manufacturers and suppliers — NACE Rev. 2 divisions C29 and C30, from 50 employees or EUR 10 million turnover — under BSI supervision as important entities. The statutory registration deadline of 6 March 2026 has lapsed; the BSI granted a grace period to 31 July 2026, and registration stays mandatory after it. The substantive duties, §30 risk management and §32 incident reporting, overlap enough with an ISO/SAE 21434 CSMS that suppliers can reuse incident response, Vulnerability Management, and supplier-management processes.

  1. 1.The NIS2UmsuCG entered into force on 6 December 2025 (BGBl. 2025 I Nr. 301) and recast the BSI-Gesetz; automotive manufacturing is in scope via Anlage 2 BSIG (NACE Rev. 2 divisions C29 and C30) at 50 or more employees or more than EUR 10 million in turnover or balance-sheet total.
  2. 2.Roughly 29,850 entities are affected per the official estimate — 8,250 particularly important and 21,600 important entities — but only about 18,500 had registered with the BSI by the end of May 2026.
  3. 3.The statutory §33 registration deadline was 6 March 2026 and has lapsed; a BSI grace period ran to 31 July 2026. Registration is a continuing duty — registering late is still required, and registration violations carry fines of up to EUR 500,000.
  4. 4.The core duties are §30 (technical and organizational risk-management measures, including supply-chain security) and §32 (staged reporting of significant incidents to the BSI).
  5. 5.Suppliers with an ISO/SAE 21434 CSMS can reuse incident response, Vulnerability Management, and Clause 7 supplier-management processes as the backbone of §30 compliance.

At a Glance

One-Sentence Answer
German automotive suppliers with 50 or more employees or more than EUR 10 million in turnover are now regulated entities under the recast BSI-Gesetz and must register with the BSI, implement §30 risk-management measures, and report significant incidents under §32.
Who This Is For
Managing directors, CISOs, plant IT leaders, and cybersecurity managers at German automotive suppliers — and at global Tier-1s and Tier-2s with German legal entities.
Last Reviewed
July 2026
Primary References
NIS2UmsuCG / recast BSI-Gesetz (§§30, 32, 33, Anlage 2), UNECE R155, ISO/SAE 21434, TISAX.
Practical Use
Use this guide to confirm whether your entity is in scope, close the registration gap, and map existing CSMS processes onto the new statutory duties.

Editorial Process: Written and reviewed by Agnile engineers working day-to-day in automotive cybersecurity and safety. AI tooling is used to assist with drafting, outlining, and copy-editing; every claim, standards reference, and technical statement is verified by a human engineer before publication.

On 6 December 2025, Germany’s NIS2 implementation act — the NIS2UmsuCG, promulgated in the Federal Law Gazette a day earlier (BGBl. 2025 I Nr. 301) — entered into force and recast the BSI-Gesetz, the statute behind the Federal Office for Information Security (BSI). With it, an officially estimated 29,850 German companies came under direct federal cybersecurity supervision — and vehicle and parts manufacturing is named in the annex of regulated sectors. If your company builds ECUs, harnesses, sensors, or embedded software in Germany — or owns a German subsidiary that does — NIS2 is now your law too.

This post covers who is affected, the registration timeline — including what happens if you missed the deadline, as many companies did — the duties in §30 and §32, and the question we hear most from engineering leaders: how does this relate to UNECE R155, ISO/SAE 21434, and TISAX, and how much existing work can be reused?

Why a Vehicle-Cybersecurity Company Is Writing About an IT-Security Law

Agnile’s day job is Automotive Cybersecurity — Threat Analysis and Risk Assessment, building out the Cybersecurity Management System, and Type Approval evidence under UNECE R155. NIS2 is none of those things. It is a horizontal IT-security law that regulates organizations, not vehicles. Vehicles are deliberately left out: product-level cybersecurity of the car runs through Type Approval under Regulation (EU) 2019/2144, which applies UNECE R155 — and the EU’s Cyber Resilience Act exempts type-approved vehicles for exactly that reason.

The reason to write about it anyway is that a Tier-1 or Tier-2 supplier is one legal entity with two attack surfaces. The first is the product — the ECU, its software, its vehicle interfaces. The second is the organization that engineers and builds the product: the plants, the enterprise IT, and the engineering network where TARA reports, signing keys, diagnostic tooling, and OEM interface documents live. UNECE R155 reaches the first surface, indirectly, through the requirements OEMs cascade down the supply chain — the mechanics are described in our UNECE R155 compliance roadmap. NIS2 reaches the second surface directly, with your German legal entity as the addressee. “Our products are regulated under R155” is therefore not an argument against NIS2 applicability; the two regimes regulate different objects and simply meet inside the same company.

Who Is Affected: Anlage 2, NACE C29/C30, and the Size Thresholds

The recast BSIG defines its scope through sector annexes plus size thresholds. Automotive manufacturing falls under Anlage 2, which lists regulated sectors by their NACE Rev. 2 statistical classification. Divisions C29 (Herstellung von Kraftwagen und Kraftwagenteilen — the manufacture of motor vehicles and motor-vehicle parts) and C30 (other transport equipment) are both included. The size threshold is low by automotive standards: 50 or more employees, or more than EUR 10 million in annual turnover or balance-sheet total. Entities that meet it are, as a rule, classified as wichtige Einrichtungen(important entities) — the second of the law’s two supervision tiers, alongside besonders wichtige Einrichtungen (particularly important entities).

The official estimate puts the affected population at roughly 29,850 entities across all sectors — 8,250 particularly important and 21,600 important entities. A mid-sized Tier-2 machining supplier with 60 employees clears the threshold just as a multi-site Tier-1 does. Important entities carry the same substantive §30 duties as the higher tier; the difference is supervisory intensity — the BSI acts when there is cause rather than through routine audits.

For global groups, the analysis is entity by entity. A German GmbH of a US, Japanese, or Indian Tier-1 that meets the sector and size tests is in scope on its own account, regardless of where the parent sits — and groups with several German entities may owe several registrations. This is worth an afternoon with your legal team now, not after a BSI letter arrives.

The Registration Timeline — and the Deadline Most Companies Missed

§33 BSIG required in-scope entities to register with the BSI within three months of the duties applying — 6 March 2026. That deadline has lapsed, and compliance lagged far behind it: by the end of May 2026 only about 18,500 of the estimated 29,850 affected entities had registered.

The BSI responded with an administrative grace period — a Nachfrist — announced by letter on 12 June 2026 and running until 31 July 2026. Two things matter about it. It was supervisory forbearance, not a change in the law — the statutory deadline had already passed. And it was tied to a date; that date does not reset the underlying duty.

Missed the Deadline?

If you are reading this after 31 July 2026 and your entity is still unregistered, the obligation has not expired — registration under §33 is a continuing duty, and registering late remains both legally required and materially better than staying dark. What changes after the grace period is the BSI’s posture: it can issue binding supervisory orders, demand evidence of compliance, and pursue fines. For registration violations the recast BSIG provides fines of up to EUR 500,000. Registration is the cheapest part of NIS2 compliance — an online notification, not an audit — and the wrong place to accumulate legal risk. Register first, then work the substantive gaps.

The Core Duties: §30 Risk Management and §32 Incident Reporting

Registration is the entry ticket; the substance sits in two paragraphs. §30 BSIG requires proportionate technical and organizational risk-management measures for the entity’s network and information systems. The catalogue follows the European NIS2 baseline: risk analysis and security policies, incident handling, business continuity and backups, supply-chain security, secure acquisition and development, training and cyber hygiene, cryptography, access control, and multi-factor authentication. For a manufacturing company this explicitly includes the production side — plant networks and OT systems are network and information systems in the law’s sense, not just office IT.

§32 BSIG adds staged reporting of significant incidents to the BSI: an early warning within 24 hours of becoming aware, a fuller notification within 72 hours, and a final report once the incident is worked through. Ransomware in a plant, a compromised engineering fileshare, or an attack on a logistics system can all qualify. The law also places approval and oversight duties on management personally — the days of delegating cybersecurity entirely to the IT department are, legally speaking, over.

NIS2 vs UNECE R155 vs ISO/SAE 21434 vs TISAX

Automotive suppliers now answer to four cybersecurity frameworks that are routinely confused with one another. The clean way to separate them is by regulated object: one regulates the organization, one the vehicle type, one the engineering process, and one is a customer-driven assessment of information security.

FrameworkRegulated ObjectWho EnforcesEvidence
NIS2 (NIS2UmsuCG / BSIG)The organization — enterprise IT, production and OT networks, engineering environments of the legal entityBSI, as Germany’s national supervisory authority under the recast BSI-Gesetz§33 registration, documented §30 measures, §32 incident reports, records produced on BSI request
UNECE R155The vehicle type, and the manufacturer’s Cybersecurity Management System behind itNational Type Approval authorities — KBA (Germany), RDW (Netherlands), UTAC (France)CSMS Certificate of Compliance plus per-vehicle-type approval evidence: TARA, Annex 5 traceability, monitoring plan
ISO/SAE 21434The Cybersecurity Engineering process for road-vehicle E/E systems across the lifecycleNo authority — assessed by customers and assessment bodies; the de facto benchmark behind R155The 42 Work Products of Annex A — Cybersecurity Plan, TARA, Cybersecurity Case, and lifecycle records
TISAXThe information-security posture of a company or site that handles OEM data — an assessment, not a lawENX Association governs the scheme on behalf of the VDA; OEM customers demand labels contractuallyAssessment result shared with business partners through the ENX exchange platform
Four frameworks, four different objects. None substitutes for another — a TISAX label does not discharge §32 reporting, and a CSMS Certificate of Compliance does not register you with the BSI.

One reading of this table is worth making explicit: NIS2 is the only regime in the set that puts a state supervisory authority directly over the supplier’s organization — R155 gates the OEM’s market access, while ISO/SAE 21434 and TISAX are enforced through contracts and customer demands. And ISO/SAE 21434 is the only one that tells engineers how to work, which is exactly why the reuse question matters.

Reusing Your CSMS: Where ISO/SAE 21434 Work Maps Onto §30

Suppliers that have built a Cybersecurity Management System for their OEM customers already operate a good share of what §30 demands — under a different name and with a product scope. Three overlaps carry most of the weight.

Incident response. An ISO/SAE 21434-conformant organization runs incident response for product-security events — triage, analysis, remediation, and notification to affected OEM customers under its Cybersecurity Interface Agreements. §32 adds a second reporting channel with hard clocks: the BSI at 24 and 72 hours. The efficient answer is one incident process with two output channels, not two teams. Align the severity definitions, put the §32 deadlines into the existing escalation procedure, and make sure a plant OT incident triggers the same machinery as a product vulnerability.

Vulnerability handling. The continual cybersecurity activities of ISO/SAE 21434 Clause 8 — monitoring, vulnerability analysis, and Vulnerability Management — are a direct counterpart to the incident-handling and risk-analysis measures §30 expects. A single intake and triage pipeline can serve both scopes; the delta is coverage of enterprise and production assets alongside product components.

Supplier management.Clause 7 of ISO/SAE 21434 already forces a supplier to assess the cybersecurity capability of its own sub-suppliers and to formalize responsibilities in interface agreements. §30’s supply-chain security measure asks the same discipline of the entity’s IT and service providers. The questionnaires, capability criteria, and contract clauses your CSMS team wrote for Tier-2s extend naturally to IT vendors, and evidence collected for TISAX or ISO 27001 slots into the same file.

The practical sequence we recommend: register (if not already done), run a gap analysis of §30 against your existing CSMS and information-security management, and close the gaps from the overlap zones outward. Teams that want the product-side foundation first will find the full clause map in our ISO/SAE 21434 guide.

Where Agnile Fits

Agnile works the vehicle side of this picture — Threat Analysis and Risk Assessment, CSMS build-outs, and UNECE R155 Type Approval evidence. NIS2 does not change that scope, but it raises the value of doing shared processes once: incident response, Vulnerability Management, and supplier interfaces built for ISO/SAE 21434 are the same muscles §30 exercises. If your team wants the two regimes to reinforce rather than duplicate each other, that is a conversation worth having early.

Frequently Asked Questions

Is my automotive company affected by NIS2 in Germany?

If your German entity manufactures motor vehicles, bodies, trailers, or parts (NACE Rev. 2 division C29) or other transport equipment (division C30) and has at least 50 employees or more than EUR 10 million in annual turnover or balance-sheet total, it falls under the recast BSI-Gesetz as an important entity (wichtige Einrichtung). It must register with the BSI, implement §30 risk-management measures, and report significant incidents under §32.

We already have ISO 27001 and a TISAX label. Does NIS2 still apply?

Yes. ISO 27001 certification and TISAX assessment results are strong evidence that §30 measures exist and shorten the implementation gap — but they do not replace the statutory duties. Registration with the BSI, §32 incident reporting, and management accountability apply regardless of certification status.

What happens if we missed the NIS2 registration deadline?

The statutory deadline under §33 BSIG was 6 March 2026, and the BSI’s administrative grace period ended on 31 July 2026. Registration is a continuing obligation, so a late registration is still legally required and materially better than none. Registration violations can draw fines of up to EUR 500,000, and the BSI can issue binding supervisory orders. Register first, then close the §30 and §32 gaps.

What is the difference between NIS2 and UNECE R155?

They regulate different objects. NIS2 regulates the organization — the enterprise IT, production networks, and engineering environments of the legal entity. UNECE R155 regulates the vehicle type through Type Approval and the manufacturer’s Cybersecurity Management System. A German supplier is typically touched by both: NIS2 directly, and R155 indirectly through the requirements its OEM customers cascade down using ISO/SAE 21434.

Does NIS2 regulate our ECUs or vehicle software?

No. NIS2 attaches duties to the organization, not to products. Product-level vehicle cybersecurity runs through UNECE R155 and UNECE R156 under EU Type Approval. Separately, components sold as standalone products outside Type Approval — connectivity modules or aftermarket devices, for example — can fall under the EU Cyber Resilience Act.

Need Help Applying This to a Real Programme?

Agnile supports engineering teams from architecture and requirements through implementation, validation, release, and evidence preparation.