As the events of this year show, growing cybersecurity threats have a direct impact on the automotive sector, which is increasingly becoming a target of cyberattacks. In principle, the more a vehicle relies on data and electronic processes, the higher the risk of a potential cyberattack. We have already alerted you on our blog to the new obligations and the expanded scope of cybersecurity regulation brought about by the NIS 2 Directive. In this article, we look in more detail at the impacts on the automotive sector.
Entities in the automotive sector
In general, the NIS 2 Directive applies to any entity that simultaneously meets two conditions: it must be active in a regulated sector (i.e. a sector listed in Annex I or II to the NIS 2 Directive) and, at the same time, it must be a medium-sized or large enterprise within the meaning of Commission Recommendation 2003/361/EC (i.e. an enterprise that employs 50 or more persons, or whose annual turnover and annual balance sheet total both exceed EUR 10 million, approximately CZK 250 million). However, these conditions cannot be generalised and applied mechanically to every case. The size thresholds must be assessed, for example, with regard to the organisation's holding structure, since the figures of partner and linked enterprises may have to be counted. Attention should also be paid to the circumstances in which an undertaking falls within the scope of the NIS 2 Directive irrespective of its size. These specific cases are outside the scope of this article.
In the automotive sector, the following areas fall within the regulated sectors under the NIS 2 Directive:
- operators of intelligent transport systems;
- manufacture of motor vehicles, trailers and semi-trailers;
- manufacture of electrical equipment; and
- manufacture of computer, electronic and optical products.
Therefore, if a company meets the above criteria, it should pay increased attention to cybersecurity.
Selected obligations of regulated entities under the Czech transposition of the NIS 2 Directive
The NIS 2 Directive was transposed into Czech law through the new Cybersecurity Act, which entered into effect on 1 November 2025.
The new Act, together with the implementing regulations, significantly expands the range of entities covered by cybersecurity regulation. Compared to the previous legislation, this is a substantial extension of the scope of applicability, with estimates suggesting that up to six thousand entities will be subject to the new obligations.
The Act conceptually unifies the previous regulation of several types of obliged persons into a single category: the provider of a regulated service. To qualify as a regulated service provider, a company must meet the criteria set out in the Regulated Services Decree, which are based almost exclusively on the content of the NIS 2 Directive. These criteria are now assessed on a self-assessment basis: the companies and organisations concerned are obliged to determine for themselves whether they fall into one of the categories of regulated entities newly subject to cybersecurity management obligations.
In the automotive industry, Part 7 of the Annex to the Regulated Services Decree distinguishes two main fields of activity whose operators are providers of regulated services, namely (i) manufacture of motor vehicles (except motorcycles) and (ii) manufacture of other transport equipment. The series production of motor vehicles is classified as a regulated service under the regime of higher obligations regardless of the size of the undertaking. Other manufacturers of motor vehicles and transport equipment fall under the regime of lower obligations if they are at least medium-sized enterprises. The main difference between the two regimes is that manufacturers engaged in series production of motor vehicles must additionally ensure security in their supply chain.
Any motor vehicle manufacturer subject to cybersecurity obligations will now have to:
- determine whether it falls under the higher or lower obligation regime;
- register through the NÚKIB portal no later than 60 days after the entry into effect of the Act (i.e. by 31 December 2025);
- implement the required cybersecurity measures in accordance with the applicable regime of obligations, and start reporting security incidents to the National Cyber and Information Security Authority, within one year of receipt of the registration decision; and
- implement countermeasures and other measures required by the Act.
The nature and scope of the sanctions, and the responsibility of the governing bodies of obliged entities, are practically identical in the Czech Republic to those in Slovakia (with the fines expressed in CZK; see below for details).
Transposition of the NIS 2 Directive in Slovakia
Slovakia transposed the NIS 2 Directive earlier than the Czech Republic: the amendment to its Cybersecurity Act entered into force on 1 January 2025. The amendment (i) substantially expands the range of obliged entities (including selected entities from the automotive industry) and (ii) tightens the penalties for breaches of obligations (the maximum fine for selected entities is set at EUR 10 million or 2% of total worldwide annual turnover). The amendment also explicitly introduces the responsibility of the management bodies of obliged entities, which are responsible for the measures taken and must also supervise them.
The first 60-day period from the entry into force of the amended act, within which entities had to notify that they perform any of the activities covered by the new legislation, has already expired. We therefore recommend not missing the further deadlines, as both the risk of a fine and its amount may increase the longer an obliged entity delays compliance.
In addition to the amendment to the act, implementing regulations have already been adopted, which further specify the scope of mandatory security measures and details regarding the reporting of cybersecurity incidents.
A few words in conclusion
Cybersecurity is one of the main specialisations of the HAVEL & PARTNERS technology team. If you are interested, we will be happy, together with our expert cybersecurity management consultants, to help you not only with the self-assessment process, but also with risk analysis and recommendations for setting up cybersecurity in your company (including assistance with mandatory registrations, advice on cross-border cybersecurity projects within the group, and providing training for employees and management).