If your organization supplies parts, software, or services to automotive manufacturers, understanding what TISAX is and how it works is essential. This guide covers the assessment framework, who needs it, levels, costs, timelines, and how to prepare.
If you already have a general idea about your TISAX requirements and are looking for help in starting your certification journey, reach out to a trusted and experience partner such as NRI SecureTechnologies.
TISAX stands for Trusted Information Security Assessment Exchange. The framework was developed by the VDA (Verband der Automobilindustrie), which represents more than 600 automotive manufacturers and suppliers. The VDA created the ISA (Information Security Assessment) catalogue – a comprehensive questionnaire that defines the security requirements companies must meet. This catalogue serves as the basis for every TISAX assessment.
The ENX Association acts as the governance body: it manages the online portal where assessment results are stored and shared, approves qualified audit providers, and ensures process integrity.
Before TISAX launched in 2017, automotive OEMs each conducted their own supplier security audits. A Tier 1 supplier working with five OEMs might face five separate, largely identical assessments every year. TISAX introduced the “assessed once, accepted by many” model – one standardized assessment whose results are shared through the ENX portal with authorized participants only after explicit release by the assessed company.
Key entities in the TISAX ecosystem:
If your organization handles any type of confidential information from an automotive manufacturer, especially a German or EU-based OEM, you will likely need a TISAX assessment. The requirement extends far beyond traditional parts suppliers.
Companies that typically need TISAX include:
TISAX compliance is driven primarily by German OEMs – Volkswagen, BMW, and Mercedes-Benz each require suppliers to hold valid TISAX labels to work with German automotive manufacturers. Adoption is expanding globally -- US-based OEMs such as Ford and General Motors are increasingly adopting TISAX as their supplier security standard.
While TISAX is not a legal requirement, it functions as a practical business requirement for working with automotive OEMs -- without a valid label, your organization will be excluded from supplier shortlists with participating OEMs.
| Company Type |
Expected Assessment |
Why |
| Tier 1 parts supplier | AL2 or AL3 | Handles confidential production data; AL3 if prototype-related |
| IT service provider | AL2 | Processes sensitive business and technical data remotely |
| Engineering/design firm | AL3 | Accesses prototype designs and pre-release specifications |
| Logistics/warehouse operator | AL3 | Physically handles prototypes and pre-production vehicles |
| Marketing agency | AL2 | Receives unreleased product imagery and launch plans |
| Administrative service provider | AL2 | Handles sensitive business data but not prototypes |
When registering for a TISAX assessment, you must select specific assessment objectives that define what will be evaluated. These fall into three categories, encompassing twelve individual objectives.
These objectives cover how your organization protects confidential business information – pricing strategies, production volumes, contract terms, and technical specifications. Controls align closely with ISO 27001 and its Annex A.
A TISAX-specific requirement with no direct ISO 27001 equivalent. Covers physical and digital protection of prototypes test vehicles, and pre-production materials. This includes secure storage, restricted access zones, CAD file encryption, camouflage requirements, and photography restrictions.
This set of objectives addresses general data processing as well as ‘special data’ processing, in compliance with the GDPR. Required if your organization processes personal data on behalf of an automotive partner (employee records, customer data, driver behavior data from connected vehicles).
Beyond objectives, you must define scope — which locations, processes, IT systems, and teams are included. Scoping requires attention: too narrow, and the assessment won't satisfy OEM requirements; too broad, and you increase cost, complexity, and the risk of non-conformity findings.
TISAX uses a three-tier assessment level system which drives the rigor or depth of the assessment the auditor will conduct. The level you need depends on data sensitivity and OEM partner requirements. Here is how the three levels compare:
| Criteria |
AL1 |
AL2 | AL3 |
| Protection Level | Normal | High | Very High |
| Assessment Method | Self-assessment only | Remote review (plausibility check) | On-site audit |
| TISAX Label Issued | No | Yes | Yes |
| Typical Use Case | Internal baseline | Sensitive business data | Prototypes, R&D, highly confidential |
| Third-Party Auditor | No | Yes (remote) | Yes (on-site) |
| Evidence Review | Self-review | Document-based | Document + physical inspection |
AL1 (Normal Protection): A self-assessment with no external auditor. No TISAX label is issued, so it cannot satisfy OEM requirements. Useful as a preparation tool to identify gaps before a formal AL2/AL3 assessment.
AL2 (High Protection): Introduces external verification through a remote plausibility check by an ENX-approved audit provider. The auditor reviews documentation and conducts interviews via video. A TISAX label is issued, and results can be shared via the ENX portal. Appropriate for suppliers handling sensitive but not highest-classification data. Note that under the TISAX rubric, “sensitivity” encompasses consideration of both confidentiality and availability.
AL3 (Very High Protection): A comprehensive on-site audit where the assessor physically visits your facilities, inspects security controls, interviews staff, and verifies that documented procedures match actual practice. Required for organizations handling prototypes, advanced R&D data, or highly confidential strategic information. Demands a mature ISMS with continuous monitoring, DLP tools, robust encryption, and strict physical access controls.
If your organization holds ISO 27001 certification, it gives you a significant head start – but it does not satisfy TISAX requirements.
| Aspect |
TISAX |
ISO 27001 |
| Industry Focus | Automotive-specific | All industries |
| Foundation | VDA ISA catalogue (based on ISO 27001) | ISO/IEC international standard |
| Assessment Levels |
3 tiers (AL1, AL2, AL3) |
Pass/fail only |
| Certification Type |
Label (shared via ENX portal) |
Certificate (publicly displayable) |
| Validity Period |
3 years (no annual surveillance audits) |
3 years (annual surveillance audits required in second and third year) |
| Audit Body |
ENX-approved TISAX assessors only |
Any accredited certification body |
| Additional Requirements |
Prototype protection, GDPR-specific controls |
None beyond Annex A controls |
| Result Sharing |
Via ENX portal to authorized participants only |
Freely publicizable and advertisable |
ISO 27001 cannot directly replace TISAX where a valid TISAX label has been expressly demanded by the OEM. This is because the ISO certificate lacks the dedicated prototype-protection module that TISAX adds, lacks automotive-specific data protection controls, and OEMs that are part of the TISAX ecosystem (mainly German OEMs or larger EU-based OEMs, or their major suppliers) will only accept a valid TISAX label through the ENX portal.
However, pursuing both offers real advantages. Organizations with ISO 27001 get a significant head start on TISAX because TISAX is based on it, reducing preparation time and cost. If starting from scratch, consider building your ISMS to ISO 27001 standards first, then layering on TISAX-specific requirements.
Step 1 – Preparation and Self-Assessment: Download the VDA ISA questionnaire and conduct a gap analysis. Build or improve your ISMS, document policies and procedures, and train your team. This is typically the longest and most resource-intensive phase.
Step 2 – Register on the ENX Portal: Register on the ENX portal, define your assessment scope and objectives, and pay the registration fee (~EUR 500).
Step 3 – Select an Audit Provider: Choose from the ENX-approved audit providers directory, which lists authorized firms including TUV SUD, DEKRA, DNV, and DQS. Schedule a kick-off meeting to confirm scope and timeline.
Step 4 – External Assessment: For AL2, the auditor conducts a remote plausibility check (document review and video interviews). For AL3, the auditor visits your facilities for a comprehensive on-site inspection.
Step 5 – Corrective Actions (If Needed): If non-conformities are identified, you receive a findings report and a defined period (up to nine months) to implement corrective actions. Any non-conformities (whether minor or major) will require a follow-up assessment to verify the implemented optimizations.
Step 6 – Label Issuance: Once all requirements are met, results are uploaded to the ENX portal. Your TISAX label is valid for three years and can be shared with any TISAX-participating partner through the ENX portal.
Timelines depend on your organization’s starting point and available resources. Here are typical timelines:
| Company Size |
Estimated Timeline |
| Small | 4–6 months |
| Medium | 6–8 months |
| Large | 8–12 months |
Existing ISO 27001 certification, a dedicated project team, and a focused scope shorten timelines. Significant corrective actions, multiple locations, limited security expertise, and competing priorities lengthen them.
Your TISAX label is valid for three years with no annual surveillance audits. However, you must undergo a complete reassessment before expiration. Begin planning at least one year before your label expires.
The VDA ISA catalogue defines security controls across eight main topic areas: Information Security Policies and Organization, Human Resources, Physical Security and Business Continuity, Identity and Access Management, IT Security / Cyber Security, Supplier Relationships, Compliance, and Prototype Protection.
TISAX evaluates the maturity of each control using a six-level model:
| Level |
Name |
Description |
| 0 |
Incomplete |
No process exists |
| 1 |
Performed |
Process is ad-hoc and unstructured |
| 2 |
Managed |
Process is planned, tracked, with assigned responsibilities |
| 3 |
Established *This is the minimum required |
Standardized, documented process consistently applied |
| 4 |
Predictable |
Process is measured with quantitative metrics |
| 5 |
Optimizing |
Subject to continuous, data-driven improvement |
Most controls require a minimum maturity level of 3 (Established) – meaning policies must be standardized, documented, consistently followed, and understood by relevant personnel.
If your scope includes prototype protection, additional requirements apply: restricted access zones, camouflage procedures for test vehicles, photography restrictions, and controlled destruction procedures for prototype materials. These are detailed in the TISAX Participant Handbook.
A: TISAX is not legally mandatory, but it functions as a practical business requirement for organizations working with German automotive manufacturers — Volkswagen, BMW, and Mercedes-Benz among them. US-based manufacturers including Ford and GM are increasingly adopting it as well. The certification has become a powerful filter, if not an express requirement, for EU-based automotives industry when selecting vendors and suppliers. This is also expanding to the wider global supplier chain of these OEMs, as these Tier 1 suppliers increasingly harmonize their minimum acquisition benchmarks to TISAX. Without a valid label, your organization may risk being excluded even from any initial consideration.
A: Three years from the date of assessment, with no annual surveillance audits. You must undergo a complete reassessment before expiration. Begin planning at least one year in advance.
A: No. ISO 27001 gives a significant head start on TISAX preparation because TISAX is based on it, but does not cover TISAX-specific requirements such as prototype protection or GDPR alignment. OEMs will only accept a valid TISAX label shared through the ENX portal. In fact, the ENX portal is the only way the label can be legitimately and officially shared under the system.
A: TISAX issues a “label,” not a certificate. Unlike ISO 27001 certificates, TISAX labels cannot be publicly displayed or advertised. Results are shared exclusively through the ENX portal with authorized participants.
A: The ENX Association maintains a directory of approved providers including TUV SUD, DEKRA, DNV, and DQS. You must select a provider from this approved list.
A: Yes. While developed for the German automotive industry, TISAX has become a global standard. Any supplier worldwide working with TISAX-participating OEMs may need a label, regardless of location. Assessments are conducted by ENX-approved audit providers, whose directory spans firms operating internationally.
Achieving TISAX compliance is a significant undertaking, but entirely manageable with the right approach. Key takeaways:
Whether you are a Tier 1 supplier or an engineering firm that positions or seeking to position itself as a Tier 1, Tier 2, or Tier 3 supplier in the automotives sector, the path to TISAX compliance begins with understanding the framework and making a plan.
If your organization needs guidance – from initial gap analysis through label issuance – consider working with experienced information security professionals such as NRI Secure, who understand both the technical requirements and practical realities of automotive compliance.