NRI SecureTechnologies, Ltd. | Blog

What Is TISAX? The Complete Guide to Automotive Security

Written by NRI Secure Blog | Jul 9, 2026 9:10:55 AM

TISAX (Trusted Information Security Assessment Exchange) is a standardized assessment framework for information security in the automotive industry. Developed in 2017 by the German Association of the Automotive Industry (VDA) and managed by the ENX Association, TISAX enables companies to share verified security assessment results across the supply chain – eliminating redundant audits and establishing a single, trusted standard for automotive data protection.

If your organization supplies parts, software, or services to automotive manufacturers, understanding what TISAX is and how it works is essential. This guide covers the assessment framework, who needs it, levels, costs, timelines, and how to prepare.

If you already have a general idea about your TISAX requirements and are looking for help in starting your certification journey, reach out to a trusted and experience partner such as NRI SecureTechnologies.

What Does TISAX Stand For?

TISAX stands for Trusted Information Security Assessment Exchange. The framework was developed by the VDA (Verband der Automobilindustrie), which represents more than 600 automotive manufacturers and suppliers. The VDA created the ISA (Information Security Assessment) catalogue – a comprehensive questionnaire that defines the security requirements companies must meet. This catalogue serves as the basis for every TISAX assessment.

The ENX Association acts as the governance body: it manages the online portal where assessment results are stored and shared, approves qualified audit providers, and ensures process integrity.

Before TISAX launched in 2017, automotive OEMs each conducted their own supplier security audits. A Tier 1 supplier working with five OEMs might face five separate, largely identical assessments every year. TISAX introduced the “assessed once, accepted by many” model – one standardized assessment whose results are shared through the ENX portal with authorized participants only after explicit release by the assessed company.

Key entities in the TISAX ecosystem:

  • VDA - Develops and maintains the ISA security requirements
  • ISA Catalogue - The questionnaire and control framework used in assessments
  • TISAX - The assessment and exchange mechanism built on the ISA catalogue
  • ENX Association - Operates the TISAX platform, approves auditors, governs the process

Who Needs TISAX?

If your organization handles any type of confidential information from an automotive manufacturer, especially a German or EU-based OEM, you will likely need a TISAX assessment. The requirement extends far beyond traditional parts suppliers.

Companies that typically need TISAX include:

  • OEM suppliers (Tier 1–3): Any supplier in the automotive supply chain that processes sensitive OEM data
  • IT service providers: Companies providing software development, cloud hosting, or IT infrastructure to automotive companies
  • Engineering and design firms: Organizations accessing confidential vehicle specifications or CAD models
  • Logistics and warehouse operators: Companies handling physical prototypes or pre-production components
  • Marketing and communications agencies Firms with early access to unreleased vehicle designs or launch plans

TISAX compliance is driven primarily by German OEMs – Volkswagen, BMW, and Mercedes-Benz each require suppliers to hold valid TISAX labels to work with German automotive manufacturers. Adoption is expanding globally -- US-based OEMs such as Ford and General Motors are increasingly adopting TISAX as their supplier security standard.

While TISAX is not a legal requirement, it functions as a practical business requirement for working with automotive OEMs -- without a valid label, your organization will be excluded from supplier shortlists with participating OEMs.

Company Type

Expected Assessment
Level (AL)

Why
Tier 1 parts supplier AL2 or AL3 Handles confidential production data; AL3 if prototype-related
IT service provider AL2 Processes sensitive business and technical data remotely
Engineering/design firm AL3 Accesses prototype designs and pre-release specifications
Logistics/warehouse operator AL3 Physically handles prototypes and pre-production vehicles
Marketing agency AL2 Receives unreleased product imagery and launch plans
Administrative service provider AL2 Handles sensitive business data but not prototypes

TISAX Assessment Objectives and Scopes

When registering for a TISAX assessment, you must select specific assessment objectives that define what will be evaluated. These fall into three categories, encompassing twelve individual objectives.

1. Information Security (Objectives #1–6)

These objectives cover how your organization protects confidential business information – pricing strategies, production volumes, contract terms, and technical specifications. Controls align closely with ISO 27001 and its Annex A.

2. Prototype Protection (Objectives #7–10)

A TISAX-specific requirement with no direct ISO 27001 equivalent. Covers physical and digital protection of prototypes test vehicles, and pre-production materials. This includes secure storage, restricted access zones, CAD file encryption, camouflage requirements, and photography restrictions.

3. Data Protection (Objectives #11–12)

This set of objectives addresses general data processing  as well as ‘special data’ processing, in compliance with the GDPR. Required if your organization processes personal data on behalf of an automotive partner (employee records, customer data, driver behavior data from connected vehicles).

Defining Your Scope

Beyond objectives, you must define scope — which locations, processes, IT systems, and teams are included. Scoping requires attention: too narrow, and the assessment won't satisfy OEM requirements; too broad, and you increase cost, complexity, and the risk of non-conformity findings.

TISAX Assessment Levels Explained (AL1, AL2, AL3)

TISAX uses a three-tier assessment level system which drives the rigor or depth of the assessment the auditor will conduct. The level you need depends on data sensitivity and OEM partner requirements. Here is how the three levels compare:

Criteria

AL1

AL2 AL3
Protection Level Normal High Very High
Assessment Method Self-assessment only Remote review (plausibility check) On-site audit
TISAX Label Issued No Yes Yes
Typical Use Case Internal baseline Sensitive business data Prototypes, R&D, highly confidential
Third-Party Auditor No Yes (remote) Yes (on-site)
Evidence Review Self-review Document-based Document + physical inspection

 

AL1 (Normal Protection): A self-assessment with no external auditor. No TISAX label is issued, so it cannot satisfy OEM requirements. Useful as a preparation tool to identify gaps before a formal AL2/AL3 assessment.

AL2 (High Protection): Introduces external verification through a remote plausibility check by an ENX-approved audit provider. The auditor reviews documentation and conducts interviews via video. A TISAX label is issued, and results can be shared via the ENX portal. Appropriate for suppliers handling sensitive but not highest-classification data. Note that under the TISAX rubric, “sensitivity” encompasses consideration of both confidentiality and availability.

AL3 (Very High Protection): A comprehensive on-site audit where the assessor physically visits your facilities, inspects security controls, interviews staff, and verifies that documented procedures match actual practice. Required for organizations handling prototypes, advanced R&D data, or highly confidential strategic information. Demands a mature ISMS with continuous monitoring, DLP tools, robust encryption, and strict physical access controls.

TISAX vs ISO 27001: Key Differences

If your organization holds ISO 27001 certification, it gives you a significant head start – but it does not satisfy TISAX requirements.

Aspect

TISAX

ISO 27001
Industry Focus Automotive-specific All industries
Foundation VDA ISA catalogue (based on ISO 27001) ISO/IEC international standard
Assessment Levels

3 tiers (AL1, AL2, AL3)

Pass/fail only
Certification Type

Label (shared via ENX portal)

Certificate (publicly displayable)
Validity Period

3 years (no annual surveillance audits)

3 years (annual surveillance audits required in second and third year)
Audit Body

ENX-approved TISAX assessors only

Any accredited certification body
Additional Requirements

Prototype protection, GDPR-specific controls

None beyond Annex A controls
Result Sharing

Via ENX portal to authorized participants only

Freely publicizable and advertisable

ISO 27001 cannot directly replace TISAX where a valid TISAX label has been expressly demanded by the OEM. This is because the ISO certificate lacks the dedicated prototype-protection module that TISAX adds, lacks automotive-specific data protection controls, and OEMs that are part of the TISAX ecosystem (mainly German OEMs or larger EU-based OEMs, or their major suppliers) will only accept a valid TISAX label through the ENX portal.

However, pursuing both offers real advantages. Organizations with ISO 27001 get a significant head start on TISAX because TISAX is based on it, reducing preparation time and cost. If starting from scratch, consider building your ISMS to ISO 27001 standards first, then layering on TISAX-specific requirements.

The TISAX Assessment and Labeling Process: Step by Step

Step 1 – Preparation and Self-Assessment: Download the VDA ISA questionnaire and conduct a gap analysis. Build or improve your ISMS, document policies and procedures, and train your team. This is typically the longest and most resource-intensive phase.

Step 2 – Register on the ENX Portal: Register on the ENX portal, define your assessment scope and objectives, and pay the registration fee (~EUR 500).

Step 3 – Select an Audit Provider: Choose from the ENX-approved audit providers directory, which lists authorized firms including TUV SUD, DEKRA, DNV, and DQS. Schedule a kick-off meeting to confirm scope and timeline.

Step 4 – External Assessment: For AL2, the auditor conducts a remote plausibility check (document review and video interviews). For AL3, the auditor visits your facilities for a comprehensive on-site inspection.

Step 5 – Corrective Actions (If Needed): If non-conformities are identified, you receive a findings report and a defined period (up to nine months) to implement corrective actions. Any non-conformities (whether minor or major) will require a follow-up assessment to verify the implemented optimizations.

Step 6 – Label Issuance: Once all requirements are met, results are uploaded to the ENX portal. Your TISAX label is valid for three years and can be shared with any TISAX-participating partner through the ENX portal.

How Long Does TISAX Assessment and Labeling Take?

Timelines depend on your organization’s starting point and available resources. Here are typical timelines:

Company Size

Estimated Timeline

Small 4–6 months
Medium 6–8 months
Large 8–12 months

 

Existing ISO 27001 certification, a dedicated project team, and a focused scope shorten timelines. Significant corrective actions, multiple locations, limited security expertise, and competing priorities lengthen them.

Your TISAX label is valid for three years with no annual surveillance audits. However, you must undergo a complete reassessment before expiration. Begin planning at least one year before your label expires.

TISAX Requirements: What You Need to Prepare

The VDA ISA catalogue defines security controls across eight main topic areas: Information Security Policies and Organization, Human Resources, Physical Security and Business Continuity, Identity and Access Management, IT Security / Cyber Security, Supplier Relationships, Compliance, and Prototype Protection.

Maturity Levels

TISAX evaluates the maturity of each control using a six-level model:

 

Level

Name

Description
0

Incomplete

No process exists

1

Performed

Process is ad-hoc and unstructured

2

Managed

Process is planned, tracked, with assigned responsibilities

3

Established

*This is the minimum required

Standardized, documented process consistently applied

4

Predictable

Process is measured with quantitative metrics

5

Optimizing

Subject to continuous, data-driven improvement


Most controls require a minimum maturity level of 3 (Established)
– meaning policies must be standardized, documented, consistently followed, and understood by relevant personnel.

If your scope includes prototype protection, additional requirements apply: restricted access zones, camouflage procedures for test vehicles, photography restrictions, and controlled destruction procedures for prototype materials. These are detailed in the TISAX Participant Handbook.

Benefits of TISAX Compliance

  1. Market Access – TISAX is the gateway to OEM partnerships. Without a valid label, your organization is locked out of supplier relationships with major manufacturers based out of Germany, and increasingly in the wider EU, and sometimes their global supply chain too. This is because major suppliers to the OEMs are harmonizing their minimum acquisition benchmarks to satisfy the OEM’s baseline.
  2. Reduced Audit Fatigue – One assessment replaces multiple overlapping OEM audits, saving significant costs and effort.
  3. Strengthened Security Posture – The process builds a systematic, well-documented ISMS that reduces real-world breach risk.
  4. Supplier Credibility – A TISAX label signals third-party verified security competence to current and prospective partners.
  5. Competitive Advantage – TISAX compliance differentiates your organization when OEMs evaluate otherwise-equal suppliers.
  6. GDPR Alignment – Data protection objectives strengthen your GDPR compliance posture.

Common Challenges in TISAX Assessment (and How to Overcome Them)

  1. ISA Questionnaire Complexity – Start with a structured gap analysis rather than tackling every question at once. Prioritize remediation by risk.
  2. Documentation Burden – Use templates and adapt existing ISO 27001 (or other ISMS documentation, if not already ISO 27001 certified) where possible. Focus on living documents, not shelf-ware.
  3. Management Buy-In – Frame it in business terms: calculate revenue at risk from missing TISAX compliance vs. total cost.
  4. Resource Constraints – Phase implementation into manageable stages. Engage external consultants such as NRI Secure for specialized areas while building internal competence.
  5. Corrective Action Overload – Prioritize by risk level. Address major non-conformities first (these block your label), then work through minor findings systematically.

Frequently Asked Questions About TISAX

Q: Is TISAX mandatory?

A: TISAX is not legally mandatory, but it functions as a practical business requirement for organizations working with German automotive manufacturers — Volkswagen, BMW, and Mercedes-Benz among them. US-based manufacturers including Ford and GM are increasingly adopting it as well. The certification has become a powerful filter, if not an express requirement, for EU-based automotives industry when selecting vendors and suppliers. This is also expanding to the wider global supplier chain of these OEMs, as these Tier 1 suppliers increasingly harmonize their minimum acquisition benchmarks to TISAX. Without a valid label, your organization may risk being excluded even from any initial consideration.

Q: How long is a TISAX label valid?

A: Three years from the date of assessment, with no annual surveillance audits. You must undergo a complete reassessment before expiration. Begin planning at least one year in advance.

Q: Can I use ISO 27001 instead of TISAX?

A: No. ISO 27001 gives a significant head start on TISAX preparation because TISAX is based on it, but does not cover TISAX-specific requirements such as prototype protection or GDPR alignment. OEMs will only accept a valid TISAX label shared through the ENX portal. In fact, the ENX portal is the only way the label can be legitimately and officially shared under the system.

Q: What is the difference between a TISAX label and a certificate?

A: TISAX issues a “label,” not a certificate. Unlike ISO 27001 certificates, TISAX labels cannot be publicly displayed or advertised. Results are shared exclusively through the ENX portal with authorized participants.

Q: Who are the approved TISAX audit providers?

A: The ENX Association maintains a directory of approved providers including TUV SUD, DEKRA, DNV, and DQS. You must select a provider from this approved list.

Q: Does TISAX apply outside of Germany?

A: Yes. While developed for the German automotive industry, TISAX has become a global standard. Any supplier worldwide working with TISAX-participating OEMs may need a label, regardless of location. Assessments are conducted by ENX-approved audit providers, whose directory spans firms operating internationally.

Getting Started with TISAX: Next Steps

Achieving TISAX compliance is a significant undertaking, but entirely manageable with the right approach. Key takeaways:

  • TISAX is the automotive industry’s standard for information security, expanding beyond Germany to global OEMs
  • Your assessment level matters: understand whether you need AL2 or AL3 before planning
  • ISO 27001 is helpful but not sufficient: use it as a foundation, then add TISAX-specific requirements
  • Budget realistically: factor in registration, audit, consulting, and implementation costs
  • Start with a gap analysis: know where you stand before committing to a timeline

Whether you are a Tier 1 supplier or an engineering firm that positions or seeking to position itself as a Tier 1, Tier 2, or Tier 3 supplier in the automotives sector, the path to TISAX compliance begins with understanding the framework and making a plan.

If your organization needs guidance – from initial gap analysis through label issuance – consider working with experienced information security professionals such as NRI Secure, who understand both the technical requirements and practical realities of automotive compliance.