nexalign

Industry · Automotive & Suppliers

DecisionOS for Automotive and Suppliers

Automotive in 2026 faces the densest regulatory wave in its history: TISAX as procurement requirement, UNECE R155 (CSMS) and R156 (SUMS) as type-approval requirements, ISO/SAE 21434 as product cybersecurity standard, NIS2 as horizontal layer. Every IT decision for engineering tools, MES, OTA update platforms or the SDV stack must serve all axes simultaneously.

TL;DR

Automotive = TISAX + UNECE R155/R156 + ISO 21434 + NIS2. The decision memo is the only format that maps all four in parallel.

Regulation at a glance

TISAX/ISA 6.x · UNECE R155 (CSMS) · UNECE R156 (SUMS) · ISO/SAE 21434 · NIS2 · EU Data Act · Machinery Regulation 2023/1230

Regulatory context

TISAX applies to all suppliers processing OEM data. Levels: high, very high, special requirements. Mandatory label since 2017, audited by ENX-accredited providers.

UNECE R155 requires manufacturers to operate a certified Cyber Security Management System (CSMS) across the vehicle lifecycle. R156 requires a Software Update Management System (SUMS). Both apply since July 2024 for all type approvals.

ISO/SAE 21434 is the product standard for automotive cybersecurity engineering. Often used as evidence for CSMS conformity.

From September 2025 the EU Data Act introduces new duties for data portability between data holders (manufacturers) and users / third-party providers.

Typical decisions

Dealbreakers (non-negotiable)

  • TISAX label high for vendors with data access

    OEM procurement requirement. No TISAX, no engineering tool in the group.

  • ISO/SAE 21434 compatibility for product tools

    Engineering tools in the vehicle CSMS scope need 21434 conformity evidence.

  • OTA update security and SUMS conformity

    R156 requires a software update management system. The OTA platform must comply.

  • EU data residency and engineering IP protection

    Design and function data are crown-jewel trade secrets.

Typical decisions

Engineering tool stack (PLM, CAD, simulation, test) with TISAX fitness and IP protection.

MES and shop-floor platforms with OT-IT convergence.

OTA update platform with R156-conformant SUMS.

Connected-car cloud with EU data residency and R155-conformant CSMS backend.

Where DecisionOS plugs in

Criteria mapping onto TISAX-ISA modules, dealbreakers as R155 / R156 / 21434 requirements, stakeholder alignment across engineering, IT, cybersecurity, procurement, plant IT. Versioning when vendors change.

Hosting and data sovereignty

DecisionOS is hosted in Germany on Hetzner, EU-only data flow, Art. 28 GDPR data processing agreement. Suited as decision layer for TISAX / R155 / R156 tool procurement.

FAQ

Is TISAX mandatory or voluntary?

De facto mandatory, formally contractual. Nearly all German OEMs require a TISAX label from suppliers with data access. No TISAX, no contract.

What does TISAX initial certification cost?

Implementation and ISMS build typically 80-300 k EUR in year one. Audit itself 15-40 k EUR. Validity 3 years. Significantly cheaper with existing ISO 27001.

How do R155 and ISO 21434 relate?

R155 requires a CSMS but does not specify the standard. ISO/SAE 21434 is the accepted technical standard to meet it. Companies implementing ISO 21434 are effectively R155-compliant; without ISO 21434 the conformity evidence becomes harder.