The NIS2 Directive: Implications for the Automotive Sector

At the beginning of 2023, the European NIS2 Directive (Network and Information Systems Directive) came into force, marking a significant shift in cybersecurity requirements across various industries, including the automotive sector. The goal of the directive is to enhance the protection of critical infrastructure across Europe and align cybersecurity measures with evolving technologies and emerging threats. As an EU directive, it sets out the objectives to be achieved but leaves it to the member states to decide how to achieve them through national legislation. The level of NIS2 implementation therefore differs across CE countries: Hungary, Croatia, and Slovakia have already fully transposed the requirements into national law, while in countries such as the Czech Republic, Poland, and Romania the legislative process for the relevant regulations is still underway. This article highlights the key aspects of the regulation, its impact on the automotive industry, and recommendations for implementation.

The NIS2 Directive: Objectives and Key Changes


The NIS2 Directive is the updated version of the first NIS Directive, adopted back in 2016. The stated reason for its revision was the increasing complexity of digital technologies, the rise in cyberattacks, and the growing dependence on IT systems in critical sectors. NIS2 focuses on improving protection against cyber threats, not only at the state level but also for private companies that provide key services.

Some of the key changes brought by the updated directive include:

  • Broader scope: NIS2 applies to a wide range of organizations, not just operators of critical infrastructure but also companies in manufacturing, wastewater management, the food industry, postal services, and more. This includes selected large technology firms that provide essential services such as telecommunications, including to the automotive sector. The directive also covers supply chains, meaning companies must ensure cybersecurity among their vendors.
  • Risk management: Companies are required to implement appropriate risk management measures and secure their network and information systems. This covers not only protection against cyberattacks but also the prevention of disruptions and system failures.
  • Incident reporting: NIS2 introduces stricter incident reporting rules. Companies must notify the relevant authorities within 24 hours of identifying an incident and provide detailed information about its nature and scope within 72 hours.

The Impact of NIS2 on the Automotive Sector


The automotive industry is increasingly reliant on digital technologies, whether in design and production, autonomous vehicles, connected systems, virtual testing, or cloud services. Automakers and their suppliers are facing increasingly sophisticated cyber threats. Compliance with NIS2 will significantly affect companies in this sector, requiring them to implement adequate security measures not only in production facilities but also in their digital ecosystems and supply chains.

Automotive companies will need to ensure:

  • Protection against cyberattacks targeting manufacturing systems, vehicle development, and communication infrastructure.
  • Secure data flows, especially concerning autonomous vehicles.
  • The protection of sensitive data, such as vehicle design information, customer data, or vehicle-generated or synthetic data used to train self-driving technologies.

Therefore, implementing NIS2 in the automotive sector is not only about securing systems but also about managing risks strategically across the organization, involving executives and other experts who can contribute to overall security.

Implications for Companies

Following the NIS2 Directive, specific security requirements are outlined for organizations:

  • Organizational measures: Companies must assign selected security roles, establish incident management processes, plan for contingencies and service continuity, and maintain documentation and access control.
  • Technical measures: Companies are required to manage identities and access to company ICT (Information and Communication Technology) resources, enforce network and application security, use cryptographic algorithms, ensure the physical security of their ICT assets, and comply with new data localization rules.
  • Management accountability: Company leadership is accountable for implementing cybersecurity measures. Failure to comply can result in sanctions, including a management ban for executives.
  • Training and oversight: Top executives must undergo regular cybersecurity training, and statutory bodies have increased responsibilities in overseeing security policies and measures.

The law will apply to entities operating critical infrastructure, as well as private companies in the selected sectors set out by the NIS2 Directive.

Recommendations for Implementing NIS2


For automotive companies and their suppliers, it is crucial to begin implementing NIS2 requirements as soon as possible. Several key steps for successful implementation include:

  • Comprehensive Risk Assessment and Management: Identify and assess cybersecurity risks specific to the automotive sector and your organization.
  • Internal Expert Team: Bring together IT specialists, managers, and security experts so that protection is comprehensive across the organization.
  • Training and Awareness: Invest in training employees on cybersecurity best practices and data protection.
  • Automation and Monitoring: Implement systems for automated cybersecurity monitoring and efficient incident reporting.

NIS2 will also bring more cybersecurity audits and contingency planning in all covered sectors, including automotive.


Conclusion: Embracing Cybersecurity Challenges – A Critical Step for Automotive Resilience


The NIS2 Directive brings significant changes for automotive companies and their suppliers. Adhering to these regulations is essential not only to ensure the security of company systems but also to protect sensitive data and maintain customer trust. Automotive companies should begin implementing these regulations as soon as possible to avoid potential legal, reputational and financial consequences while ensuring the security of their digital and physical assets.