The year 2025 marks a pivotal moment for the automotive and related industries, with significant updates to cybersecurity standards and regulations. This article provides a comprehensive overview of the upcoming changes to ISO/SAE 21434, TISAX®, and NIS2: critical frameworks for ensuring cybersecurity and compliance.
ISO/SAE 21434 Updates
ISO/SAE 21434, the cornerstone standard for cybersecurity engineering in the automotive sector, is undergoing important revisions:
- Second Edition Development: The ISO/SAE joint working group is actively preparing the second edition of the standard. Industry experts were invited to submit formal comments by August 2024. The revised version is expected to address industry feedback and streamline cybersecurity processes for automotive systems (Source 1).
- Cybersecurity Assurance Level (CAL) and Targeted Attack Feasibility (TAF): A draft Publicly Available Specification (DPAS) is set to refine CAL and TAF components, with publication anticipated by July 2025. These enhancements aim to provide clearer guidance on assessing and mitigating cybersecurity risks in automotive systems (Source 1).
TISAX® (Trusted Information Security Assessment Exchange) Updates
TISAX®, a critical framework for information security in the automotive supply chain, introduces notable changes:
- VDA ISA Version 6.0 Implementation: Effective April 2024, the new version aligns with ISO/IEC 27001:2022 and the NIST Cybersecurity Framework. Assessments initiated after this date must adhere to the updated version, simplifying compliance efforts across the industry (Source 2).
- Introduction of New TISAX® Labels: Two new labels, "Confidentiality" and "Availability," replace the previous "Information Security" label. These labels focus on specific security requirements, making the assessment process more targeted and efficient (Source 3).
- Mandatory TISAX® Level 2 Compliance: Starting July 2025, TISAX® Level 2 compliance will be mandatory for all Operational Service Providers (OSP), Engineering Service Providers (ESP), and Business Application Providers (BAP). A 12-month grace period is provided to meet these requirements (Source 4).
NIS2 Directive: A Game Changer
The NIS2 Directive, effective from October 2024, introduces sweeping changes to cybersecurity regulations across the European Union, impacting critical sectors, including automotive:
- Expanded Scope: NIS2 applies to a broader range of entities, including medium-sized organizations within critical sectors such as energy, transport, and manufacturing. Automotive suppliers that meet the criteria must implement measures to comply with NIS2 (Source 5).
- Harmonized Security Measures: Organizations must establish robust security frameworks, including risk assessments, incident response plans, and business continuity strategies (Source 6).
- Mandatory Reporting: Significant cybersecurity incidents must be reported within 24 hours of detection. This ensures timely response and transparency across the EU (Source 6).
- Board-Level Accountability: Leadership teams are now directly accountable for compliance. Non-compliance can result in significant fines, emphasizing the importance of executive oversight (Source 5).
OEM-Specific Requirements
Original Equipment Manufacturers (OEMs) are also tightening supplier requirements to ensure alignment with evolving cybersecurity standards:
- Daimler Truck's TISAX® Mandate: From 2025 onward, Daimler Truck will require TISAX® Level 3 compliance from all production material suppliers. This underscores the growing importance of stringent supply chain security measures (Source 7).
Preparing for 2025: Practical Recommendations
To navigate these changes effectively, organizations should:
- Stay Updated: Regularly monitor updates from standardization bodies, certification organizations, and OEMs.
- Conduct Gap Analyses: Evaluate existing cybersecurity measures against new requirements to identify and address compliance gaps.
- Adopt Integrated Frameworks: Use ISO 27001 as a baseline for integrating ISO/SAE 21434, TISAX®, and NIS2 requirements, streamlining efforts and reducing redundancies.
- Enhance Incident Response Plans: Implement robust incident detection and reporting mechanisms to comply with NIS2’s mandatory reporting requirements.
- Engage with Certification Bodies: Collaborate with certification experts to ensure seamless compliance with updated frameworks.
Conclusion: Embracing Change for a Secure Future
The convergence of ISO/SAE 21434, TISAX®, and NIS2 represents an opportunity for organizations to elevate their cybersecurity posture. By proactively addressing these updates, companies can ensure compliance, strengthen supply chain resilience, and build trust with OEMs and end customers.
Are you prepared for 2025? Let’s start the conversation.
Sources
2 months: Really well put, Michael Kirsch. And while a lot of the regulations sometimes feel like boxes to check, it really makes a difference in protecting a business and building a better bottom line.