Now that the NIS 2 Directive has been transposed into national law in numerous EU Member States – including Germany – the practical implementation phase has begun for many entities. Some countries have already passed initial deadlines, particularly regarding registration obligations with the relevant authorities (in Germany specifically since 6 March 2026 via the BSI portal). Other entities are still in the process of implementing their NIS 2 governance or are reviewing their existing approaches in light of specified regulatory requirements and initial practical experience.
Numerous manufacturers, suppliers, software companies, and other mobility providers in the automotive industry are currently dealing with the question of which entities within their groups fall within the scope of application, what organizational and technical measures are required, and how to establish a robust governance model.
The recurring questions and practical challenges encountered in this process are by no means limited to the automotive sector. Our exchanges with project partners and clients across different industries show that the "pitfalls" are often remarkably similar, regardless of whether the entities concerned are industrial companies, technology providers, service providers or operators of essential and important entities. We also discuss which approaches have proven effective in practice.
Below, we provide an overview of some of the most frequently asked questions in NIS 2 projects, as well as typical "lessons learned" and "best practices" from implementation.
1. Which regulatory provisions of the NIS 2 Directive and the national transposition laws do entities find most challenging in practice?
Based on our experience with ongoing NIS 2 implementation projects, the greatest challenges typically do not lie in the technical domain. Most automotive companies already have information security structures in place, often based on TISAX, ISO/IEC 27001, UNECE R155, or company-wide cybersecurity programs. In this context, entities often ask about the relationship between these certifications and the NIS 2 Directive's requirements.
The organizational and regulatory requirements of the NIS 2 Directive are particularly demanding. This is particularly true for: This concerns in particular:
- determining which group entities actually fall within the scope of application;
- conducting the so-called threshold analysis;
- identifying the relevant sectors and subsectors;
- allocating responsibilities within complex group structures;
- implementing management body responsibility, including training obligations;
- harmonizing different national transposition laws;
- addressing supply chain and third-party risks;
- establishing robust incident response and reporting processes.
In the automotive sector in particular, entities may simultaneously assume multiple roles. For example, a company may be a vehicle manufacturer while also providing digital services, operating cloud-based platforms, or acting as a managed service provider within the group. This often results in multiple potential points of regulatory connection.
Moreover, many entities underestimate the effort involved in documentation. Competent authorities not only expect the existence of security measures but also their comprehensible documentation, regular review, and robust governance structure.
2. How should the threshold analysis be conducted and when is the best time to do so?
Threshold analysis is typically the first and most critical step in an NIS 2 governance project. Errors at this stage can affect the entire project, leading to practical implementation difficulties and risks.
In our experience, a multi-step approach has proven advisable:
Step 1: Identification of all relevant group entities
First, a complete picture of the (European) group structure should be established. This should encompass not only operational entities but also shared service entities, IT entities, development centers, and digital platform operators, particularly with regard to their potential classification as providers of platform, cloud, or managed services.
Step 2: Mapping to NIS 2 sectors
Subsequently, it must be assessed whether and on the basis of which activity or activities the respective entity is potentially regulated.
In the automotive sector, entities are often regulated via the category "manufacture of motor vehicles" or through other industrial activities in the supply chain.
However, other points of regulatory connection may also be relevant, such as:
- cloud computing services,
- managed services,
- managed security services,
- data centre services,
- digital platform services,
- research and development services in critical areas.
It should be noted that the relevant provisions are often broadly interpreted, including with respect to services provided within groups of undertakings (see below for more information).
Step 3: Application of the size-cap rules
Only afterwards should the actual threshold assessment be carried out.
In practice, the most frequent source of error emerges here: many entities consider only the respective entity in isolation.
In fact, the European rules on linked and partner enterprises apply. The employee numbers and turnover of other group entities must often be considered in whole or in part.
International groups often find that seemingly small entities significantly exceed the thresholds when other group entities are included and may thus fall within the scope of application.
When should the analysis be conducted?
Ideally:
- at the outset of the NIS 2 governance project,
- following major M&A transactions,
- following restructurings,
- in the event of material changes to the business model,
- at a minimum as part of regular compliance reviews.
Many entities now treat the threshold analysis as an ongoing governance process rather than a one-off exercise.
3. Where do the national transposition laws diverge, and what particularities should internationally active entities be aware of?
Many entities are surprised that, despite its harmonization objective, the NIS 2 Directive has not been transposed uniformly.
Significant differences are already apparent with regard to:
- registration procedures,
- reporting channels,
- competent authority responsibilities,
- fine frameworks,
- deadlines,
- supervisory practice,
- evidentiary requirements.
National special provisions also merit particular attention.
A notable feature of the German transposition law is found, for example, in Section 28(3) of the BSIG (new version). According to this provision, when classifying an entity as important or essential, business activities that are "negligible" in relation to the entity's overall activity may be disregarded. This provision aims to prevent a situation in which a minor ancillary activity in a sector covered by NIS 2 results in the entire entity being subject to regulation, which would contradict the principle of proportionality. This may be relevant for industrial entities that engage in activities in a regulated sector only to a very limited extent alongside their actual core business.
However, the NIS 2 Directive itself does not provide for a comparable express exception, nor is one found in other national transposition laws. Germany has deliberately chosen a unique approach in this regard. Whether this approach is compatible with EU law remains to be seen.
The concept of "negligibility" is not defined by law. The legislative materials mention criteria such as the number of employees, turnover, and the activity's significance to the entity as a whole. Nevertheless, a holistic assessment of each case is always determinative. Facts that weigh against a finding of "negligibility" include when the relevant activity is expressly part of the corporate purpose or a significant part of the business model.
This creates a particular challenge for internationally active groups of undertakings: while an activity may potentially be classified as "negligible" in Germany, the same activity in other member states may lead to NIS 2 applicability without restriction. Therefore, entities should avoid basing their European NIS 2 governance model exclusively on the German exception.
In practice, a two-step approach has proven effective.
Step 1: First, a conservative assessment is made at the European level as to determine whether the activity in question has a fundamental NIS 2 nexus.
Step 2: Only subsequently is it evaluated whether national particularities – such as the German provision on negligible business activities – may lead to a different assessment in the individual case.
This approach avoids subsequent discussions with supervisory authorities, as well as the need for adjustments resulting from new administrative practices or developments in EU law.
Other Member States have additional special requirements regarding local contact persons, representation structures, cooperation with authorities, and notification procedures.
Furthermore, individual supervisory authorities have announced different enforcement priorities. While some authorities initially focus on raising awareness and cooperation (as the BSI in Germany appears to do), others pursue a notably stricter enforcement approach.
Therefore, a purely national approach is generally not recommended for internationally active automotive companies; rather, a European compliance concept with local supplements is advisable.
4. Are services provided exclusively within a group of undertakings fall within the scope of the NIS 2 Directive and its transposed laws?
This question currently concerns many groups of undertakings. The background is that many groups operate central IT, cybersecurity, cloud, development or shared service entities that provide their services exclusively to other entities within the same group of undertakings and do not operate on the external market.
Therefore, one might gain the impression at first glance that such purely intra-group services do not fall within the scope of NIS 2 regulation. As is often the case, a blanket answer does not exist.
This is particularly relevant for:
- intra-group IT service entities,
- shared service centres,
- cloud and platform entities,
- cybersecurity organisations,
- group-wide development and software units,
- central SOC or CERT structures.
Neither the European legislative texts nor the existing national transposed laws expressly answer this question for all situations. However, a trend is already emerging in which many competent authorities are considering the significance of a service for essential or important entities, regardless of whether those services are provided to external customers or exclusively within a group of undertakings.
This can have considerable practical implications, particularly in the automotive sector. Many manufacturers and suppliers have outsourced their IT, cloud, and cybersecurity functions to other group entities. If these entities were to fall outside the scope of application solely because they serve internal customers only, a substantial part of the protective purpose pursued by NIS 2 would be ineffective.
Therefore, our experience from implementation projects to date shows that entities are well advised not to prematurely classify intra-group service providers as "not regulated." Rather, an assessment should be made of:
- which services are specifically provided,
- which entities utilise these services,
- what significance the services have for the business continuity of the group,
- whether the respective entity performs central security or infrastructure functions,
- and what position the competent national authorities take on this matter.
In practice, many international groups now take a pragmatic approach: central IT, cybersecurity, and platform entities voluntarily join the group-wide NIS 2 governance model, despite remaining interpretive questions. This approach enhances the resilience of the entire group, simplifies governance, and reduces the risk of subsequent reassessments by supervisory authorities.
5. What about SaaS providers and digital services?
This is currently one of the most frequently discussed topics in practice.
Many automotive companies are developing extensive digital business models:
- connected car platforms,
- fleet management systems,
- over-the-air update platforms,
- data platforms,
- telematics services,
- customer portals,
- Mobility-as-a-Service offerings.
It is often assumed that NIS 2 relevance is determined solely by the role of vehicle manufacturer, but this is not necessarily the case.
Rather, it must be assessed whether individual digital services qualify as regulated services. This is particularly relevant when group entities offer digital services but do not manufacture vehicles.
Particularly relevant in this context are:
- cloud computing services,
- managed services,
- managed security services,
- data centre services,
- digital infrastructure.
A frequent point of discussion is whether Software as a Service (SaaS) providers automatically fall within the scope of the NIS 2 Directive. Neither the NIS 2 Directive itself nor the transposition laws have resolved this question. There are also no statements from competent authorities. Whether a SaaS offering is regulated depends materially on its configuration specifics and respective national transposition. In this regard, it is at least debatable whether SaaS providers that do not fulfill the characteristics of cloud computing services under the NIS 2 Directive, particularly the scalability of services available to users, may be excluded from its scope.
However, this regularly requires a separate analysis depending on the Member State in which the respective model is to be assessed.
6. Who qualifies as "management" and who must be trained in group structures?
Management body responsibility is one of the innovations with the greatest practical impact. The NIS 2 Directive expressly requires that management bodies to oversee the implementation of cybersecurity risk-management measures and receive appropriate training for this purpose. In practice, the question of who specifically is to be regarded as "management" regularly arises. The answer depends on the respective corporate structure and national transposition law.
Typically, this encompasses:
- managing directors (Geschäftsführer),
- members of the management board (Vorstandsmitglieder),
- managing directors of foreign entities,
- comparable management bodies of foreign entities, and/or
- where applicable, further management functions, insofar as these are entrusted with corresponding tasks and decision-making powers.
This is particularly relevant in groups. It is insufficient to merely train a central Group CISO team or a group IT department.
Instead, it must be assessed which management bodies of the respective regulated entities are responsible. In this regard, responsibilities may extend across entity boundaries within the group. This means the circle of people to be included may need to be broader than just "local" management, including in the case of holding structures. In large, international groups, this can quickly lead to a considerable number of people.
In practice, multi-tier training concepts have proven effective and comprise:
- group-wide awareness training,
- management briefings,
- role-based advanced training,
- regular refresher sessions,
- documented evidence for competent authorities.
7. How can entities that operate internationally establish uniform NIS 2 management despite differing national transpositions?
The most successful governance projects use a "Global Framework – Local Add-ons" approach. Under this approach, uniform minimum standards are defined at group level, for example regarding:
- information security management,
- risk management,
- supply chain management,
- incident response,
- reporting procedures,
- management governance,
- training,
- documentation.
These standards are then supplemented by country-specific additions.
This approach offers several advantages:
First, existing TISAX, ISO 27001, or UNECE R155 structures can largely continue to be utilised.
Second, it creates a uniform security culture within the group of undertakings.
Third, differences between national transposition laws can be efficiently mapped via local compliance matrices or country addenda.
Our experience shows that entities with a central European NIS 2 governance model can react significantly faster to new regulatory developments than entities that build entirely separate compliance structures for each country.
In the automotive industry, for example, where development, production, and IT processes are usually organized across borders, a group-wide approach is often the most efficient and sustainable long-term solution.
