ISMS Copilot for German manufacturers
TISAX for automotive customers, NIS-2-DE under the BSIG, and IT-SiG 2.0 — the German Mittelstand security stack in one workspace.
TISAX and NIS-2-DE for the German Mittelstand
- Prepare TISAX assessments against the VDA ISA 6.0 questionnaire — the de facto requirement to supply German automotive OEMs
- Determine the correct TISAX assessment level (AL 1, AL 2, AL 3) for your information and prototype-protection scope
- Run the NIS-2-DE applicability test (Betreiber wesentlicher / besonders wichtiger Einrichtungen) under the BSIG
- Implement risk-management measures aligned to Section 30 BSIG
- Operate the 24-hour / 72-hour / one-month BSI incident-reporting timeline
- Document senior-management training and liability obligations introduced by the German transposition
Built for the Mittelstand supplier under OEM and BSI pressure
VDA ISA 6.0 gap analysis and ENX portal registration preparation for TISAX label exchange
Prototype-protection and confidentiality controls for automotive development data
BSI registration timelines and notification workflow under NIS-2-DE
IT-Sicherheitsgesetz 2.0 alignment for entities already inside the KRITIS / IT-SiG regime
Cross-mapping between TISAX (VDA ISA), ISO 27001 and BSI IT-Grundschutz so one ISMS serves all three
German-language support with native terminology (Bausteine, Schutzbedarf, Massnahmen)
TISAX and NIS-2-DE for the German Mittelstand
A German manufacturer faces two distinct pressures that a generic ISO 27001 page never addresses. First, customer-driven: if you supply automotive OEMs you will be required to hold a TISAX label, assessed against the VDA ISA 6.0 catalogue and exchanged through the ENX portal, with a specific assessment level (AL 1 to AL 3) and prototype-protection scope dictated by the data you handle. Second, regulator-driven: the NIS 2 Umsetzungsgesetz amends the BSIG so that roughly 30,000 German entities qualify as wesentlich or besonders wichtig, triggering BSI registration, Section 30 BSIG risk-management duties, a staged 24/72-hour/one-month incident-reporting chain, and personal liability for senior management. IT-Sicherheitsgesetz 2.0 sits underneath for entities already inside the KRITIS regime. ISMS Copilot runs the BSIG applicability test, maps your controls across TISAX, ISO 27001 and IT-Grundschutz, and keeps one ISMS serving the OEM requirement and the BSI duty at once.
NIS 2 Germany (BSIG) framework guidance →

Frequently Asked Questions
Do I need TISAX if I supply German automotive OEMs?
In practice, yes. TISAX is the de facto information-security requirement across the German automotive supply chain, assessed against the VDA ISA 6.0 catalogue and exchanged through the ENX portal. The Copilot determines your assessment level (AL 1, AL 2 or AL 3) and prototype-protection scope, runs the gap analysis, and prepares ENX registration.
How does NIS-2-DE differ from the EU NIS 2 Directive?
Germany transposed NIS 2 through the NIS 2 Umsetzungsgesetz, which amends the BSIG. That is the law you actually comply with: it defines wesentliche and besonders wichtige Einrichtungen, the Section 30 risk-management measures, BSI registration timelines, and the 24/72-hour and one-month reporting chain. The Copilot runs the BSIG applicability test against your sector and headcount.
Can one ISMS cover TISAX, NIS-2-DE and IT-SiG 2.0 together?
Yes. TISAX (VDA ISA), the Section 30 BSIG measures and IT-Sicherheitsgesetz 2.0 obligations all map back to ISO 27001 and BSI IT-Grundschutz building blocks. ISMS Copilot cross-maps the controls so you implement once and satisfy the OEM requirement, the BSI duty and the IT-SiG regime from a single programme.