TISAX and Cybersecurity in Industry – Expert Analysis Confirms NIS2 Coverage
2025-07-02 by Robert Müller TISAX
The EU’s NIS2 Directive introduces significantly higher cybersecurity requirements across a wide range of sectors. Many organizations are now required to take action to ensure compliance. According to a recent analysis, companies that are already TISAX-assessed are in a strong position: they have established a solid foundation that covers all key aspects of the NIS2 requirements. These organizations have implemented appropriate measures, demonstrated compliance through independent assessment, and committed to maintaining their security posture over time.
TISAX was developed early on by automotive manufacturers in collaboration with their suppliers and partners. Since then, it has become a widely recognized standard for information security assessments. With more than 17,500 assessed sites in over 90 countries—including several thousand in Europe, the Americas, and Asia—TISAX is now one of the most widely used assessment frameworks globally.
Its applicability extends far beyond the automotive sector. TISAX is successfully used in nearly all industries that interact with the automotive industry, including:
- Mechanical, equipment and plant engineering
- Information and communication technology
- Marketing and creative industries
- Insurance and financial services
- Logistics, engineering, consulting, and other service sectors
The ISA catalog, which forms the basis of TISAX, is designed to be flexible and scalable—making it suitable for organizations of various sizes, business models, and protection needs.
Expert Analysis: NIS2 Coverage of TISAX
An analysis conducted within ENX's expert working groups examined how well a TISAX assessment based on the ISA6 catalog aligns with the requirements of the NIS2 Directive. The key findings include:
- All relevant NIS2 requirements are addressed, including risk management, incident response, supply chain security, governance, and technical safeguards.
- TISAX goes beyond minimum legal requirements, incorporating structured maturity assessments, systematic vulnerability management, and continuous improvement mechanisms.
- The established three-year assessment cycle is considered appropriate in the context of NIS2.
- TISAX labels are publicly accessible via the ENX database, enabling transparent verification.
- Additional national requirements must be addressed separately. This includes, in particular, country-specific reporting obligations to authorities or national CSIRTs. While not part of the TISAX standard, these requirements can be effectively managed using existing TISAX structures.
Conclusion
Investments made in TISAX are not only necessary for robust information security but also contribute significantly to NIS2 compliance. Organizations that are already TISAX-assessed—or have aligned their practices accordingly—are well prepared to meet the expectations of the directive, regardless of industry or company size.