NIS2 Directive · Multi-AI Analysis · Public Report

Your Customer's Compliance Is Not Your Obligation.

A 220-employee automotive parts manufacturer. NIS2 is required by their main customer. Does the directive actually apply — or is this a contractual demand dressed as regulation?

Published May 23, 2026 · Xi AI

The critical distinction: There are two different questions here. (1) Does NIS2 apply directly to this company as a regulatory matter? (2) Must this company comply with NIS2-equivalent standards as a contractual matter? The answers may differ — and confusing them leads to the wrong compliance strategy.


The Question Submitted to Three AI Systems

We are a manufacturing company in the automotive supply chain with 220 employees. Our main customer (a Tier 1 supplier to BMW) requires NIS2 compliance in their contracts. We have 220 employees. Are we actually covered by NIS2 directly — or only by our customer's contractual requirement?


Where All Three Systems Agree

Confirmed without contradiction across AI1, AI2 and AI3:

The customer's demand is not a coincidence. It is the supply chain obligation of NIS2 flowing downstream — and it will reach every supplier that is material to the covered entity's operations.

Where the Three Systems Diverge

AI1 — Claude

AI1 says this company is directly covered by NIS2 as a manufacturer of automotive parts, which falls under Annex II "manufacturing of machinery and equipment" or "motor vehicles, trailers and semi-trailers." With 220 employees, it exceeds the medium enterprise threshold. AI1 frames the customer's contractual requirement as a second, parallel obligation — not as the primary source of compliance duty. The regulatory obligation comes from the national transposition of NIS2 in the company's home member state; the contractual obligation comes from the customer. Both require similar measures, but the consequences of breach are different: regulatory fines for the former, contract termination for the latter.

AI2 — Gemini

AI2 focuses on the ambiguity in Annex II classification. NIS2 Annex II lists "manufacturing" as a sector for important entities — but the relevant subsections specify "medical devices," "computers and electronics," "machinery," "motor vehicles," and "other transport equipment." A Tier 2 automotive parts manufacturer making mechanical components (rather than software-intensive or safety-critical electronic components) may fall in a gray zone. AI2 argues that the classification depends on what the company actually manufactures: a maker of seat components is differently positioned from a maker of brake control electronic modules. The company should seek a formal opinion from the national NIS2 competent authority on its classification before committing to a full compliance programme.

AI3 — DeepSeek

AI3 focuses on practical sequencing. Whether or not NIS2 applies directly to this company is a question that takes time to resolve definitively — especially given AI2's ambiguity point. But the customer's contractual deadline is immediate. AI3 recommends treating the customer's NIS2 compliance requirement as the operative constraint and building a compliance programme accordingly. If the regulatory analysis later confirms direct NIS2 coverage, the company will have built a programme that satisfies both obligations simultaneously. If the analysis shows the company is not directly covered (unlikely given size), the company will still have met its customer's contractual requirement and improved its cybersecurity posture. The compliance cost is the same either way; the sequencing logic suggests not waiting for regulatory certainty before starting.

Xi AI — Analysis of Divergences

The three systems present three valid but incompatible framings. AI1 says: you are directly covered, two parallel obligations exist. AI2 says: direct coverage is ambiguous depending on what you make, seek formal guidance. AI3 says: customer deadline is immediate, comply now and resolve the classification question in parallel.

The most important divergence is between AI1 and AI2 on Annex II classification. AI1 assumes coverage based on size and sector. AI2 says the specific product line determines whether the company falls in an Annex II subcategory. This is a genuine legal ambiguity — NIS2 does not define "motor vehicles and trailers" manufacturing exhaustively. A Tier 2 mechanical parts manufacturer might argue it does not manufacture "motor vehicles" — it manufactures components for them.

AI3's pragmatic conclusion is nonetheless correct: the compliance programme required by the customer and the compliance programme required by the directive are nearly identical. Starting the programme now, resolving the classification question in parallel, and using the customer relationship as the driver is the most rational sequence for a 220-employee company without dedicated legal resources.

What the Three Systems Miss

None of the three AI systems addresses the insurance and indemnity dimension. Automotive Tier 1 suppliers (BMW's direct suppliers, in this case) have increasingly specific cyber insurance requirements in their supply contracts. NIS2 compliance certification (or equivalent evidence of compliance) is becoming a prerequisite for cyber insurance coverage at reasonable premium levels. A 220-employee automotive manufacturer that cannot demonstrate NIS2-equivalent controls is likely to face either uninsurable cyber risk or premiums that price in the control gap. The commercial pressure for NIS2 compliance is therefore not only contractual (the customer requirement) but also insurance-driven — and the insurance market moves faster than regulatory enforcement.


Appendix — Raw AI Responses (unedited)

The three responses below are reproduced without synthesis or editing.

AI1 — Claude

NIS2 Annex II explicitly includes "manufacturing" as a sector for important entities. The relevant subcategories include motor vehicles, trailers and semi-trailers (NACE Rev. 2 Section C Division 29), machinery and equipment (Division 28), and computers and electronics (Division 26). A 220-employee Tier 2 automotive parts manufacturer almost certainly falls within Division 29. With 220 employees, you exceed the medium enterprise threshold (50 employees). You are therefore, in all probability, an important entity under NIS2 and subject to its obligations. Your Tier 1 customer's contractual requirement is a separate obligation running alongside the regulatory one — it originates from their own NIS2 Article 21(2)(d) supply chain security obligation. The obligations are parallel, not alternatives. Non-compliance with the regulatory obligation creates competent authority risk; non-compliance with the contractual obligation creates commercial risk. The measures required are substantially similar in both cases.

AI2 — Gemini

I want to flag a genuine ambiguity in your situation. NIS2 Annex II covers manufacturing — but the scope of "manufacturing" is defined by NACE Rev. 2 sectoral codes, and not every company that makes parts for the automotive sector falls within the covered divisions. If you manufacture mechanical components (seat frames, stamped metal parts, gaskets) without integrating electronics or software, you may fall outside the specific Annex II subcategories even if your customer is in the automotive sector. This is not a safe assumption in either direction — it requires a specific review of your NACE code and product lines. I recommend requesting a formal classification opinion from your national NIS2 competent authority. In the meantime, the contractual obligation from your Tier 1 customer is unambiguous and immediate — you should treat it as operative regardless of the regulatory classification outcome.

AI3 — DeepSeek

The practical question for a 220-employee manufacturing company is not primarily "are we in scope?" — it is "what do we do next?" Resolving the scope question with certainty could take months of legal analysis and potentially a formal competent authority opinion. Your Tier 1 customer's deadline is more immediate. My recommendation: treat the customer's NIS2 compliance requirement as your operative mandate and build a compliance programme accordingly. NIS2 Article 21 requirements (risk management, incident detection, business continuity, supply chain security, training) are sensible cybersecurity practices regardless of whether you are formally in scope. If your regulatory analysis confirms direct coverage (which is likely given your size and sector), you will have already built the required programme. If it shows you are not directly covered, you will have met your customer's requirement and materially improved your security posture. Start now; resolve the classification question in parallel.
