At a glance: Automakers must comply with NIS2 cybersecurity standards from September or face multimillion-euro fines and regulatory sanctions.
With the NIS2 Directive taking full effect in September, automotive manufacturers face substantial penalties for breaches of cybersecurity requirements. This also affects suppliers and the entire supply chain.
The European Cybersecurity Directive NIS2 imposes stricter compliance requirements on automakers as operators of critical infrastructure. With its full implementation from September, companies face multimillion-euro fines if they cannot demonstrate their security measures or if they violate reporting obligations.
For a CISO, this concretely means: European automakers must align and document their cybersecurity management systems according to standards such as ISO 27001 or industry-specific frameworks. NIS2 requires a risk management system, regular security assessments, incident response plans, and a governance structure with board involvement. Particularly critical are the reporting obligations for security incidents (72-hour deadline).
The automotive industry is classified as a critical infrastructure (KRITIS) sector due to its importance for mobility and traffic safety. Non-compliance can result in administrative penalties in the double-digit million-euro range — for large corporations often a percentage of global revenue. Companies should review their cyber risk governance, conduct gap analyses, and validate incident management processes.
Source: news.google.com · Published 5 June 2026
Lumi AI News — AI-assisted curation pursuant to Art. 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.6.2.