VDA ISA Compliance

TISAX Label in Months, Not Years

40,000+ automotive suppliers need a TISAX label. Kopexa bundles ISA catalog, evidence, and audit preparation in one platform. Made & Hosted in Europe.

  • 40,000+ suppliers affected
  • 3 Levels: AL1, AL2, AL3
  • 3 Years label validity

Made in Europe · GDPR Compliant · ISO 27001 Aligned · VDA ISA Ready

Background

What is TISAX and Why Do You Need It?

TISAX stands for Trusted Information Security Assessment Exchange and is the established standard for information security assessments in the automotive industry. It is operated by the ENX Association on behalf of the German Association of the Automotive Industry (VDA) and is based on the VDA ISA questionnaire (currently version 6.x).

Unlike ISO 27001, TISAX is not a certification but a label that is published on the ENX portal after a successful assessment. This label is visible to all participating OEMs and Tier-1 suppliers, creating a standardized trust mechanism across the entire automotive supply chain. The label is valid for 3 years, after which a re-assessment is required.

The VDA ISA catalog covers significantly more than classic IT security. In addition to information security (confidentiality, integrity, availability), it includes dedicated assessment objectives for prototype protection — both physical and digital — as well as data protection requirements that go beyond the GDPR. Companies must demonstrate maturity levels for each assessment objective on a scale from 0 (incomplete) to 5 (optimized).

Who needs TISAX? In principle, any company that processes, stores, or accesses confidential OEM data. This includes Tier-1 and Tier-2 suppliers, development partners, IT service providers, SaaS vendors, cloud providers, logistics companies, and aftermarket firms. OEMs increasingly require the TISAX label as a prerequisite for contracts. Without a label, you risk losing tenders and existing business relationships.

The assessment is carried out by an accredited audit provider (not by ENX itself). Depending on the required Assessment Level, the audit takes place remotely (AL2) or on-site (AL3). Companies with an existing ISO 27001 certification benefit from significant overlap — approximately 60 to 70 percent of TISAX assessment objectives are already covered. However, automotive-specific requirements such as prototype protection always require additional measures.

Key Assessment Objectives

Core areas of the VDA ISA catalog

  • Information Security (Confidentiality, Integrity, Availability)
  • Prototype Protection (physical and digital)
  • Data Protection (GDPR + TISAX-specific)
  • Third-Party Integration and Supply Chain Security

Who Needs TISAX?

Companies with access to OEM data

  • Tier-1/2 suppliers and manufacturing partners
  • Development partners and engineering service providers
  • IT service providers, SaaS vendors, and cloud providers
  • Logistics, tooling, and aftermarket companies

Free Assessment Level Finder

Which Assessment Level Do You Need?

Find out in 2 minutes. Free and anonymous.

TISAX Assessment Level Finder

With the Assessment Level Finder by Kopexa, find out in just a few clicks whether you need AL2 or AL3 — and which TISAX labels are relevant for you.

  • Based on ENX requirements and common OEM demands.
  • Instant recommendation: assessment level, relevant labels, and estimated preparation time.
  • Anonymous, secure, and for orientation purposes.

Start now and determine your level.

Note: This initial assessment is based on your responses and publicly available criteria (NIS2). It is not legally binding and does not replace an individual case review.

Timeline

The Path to Your TISAX Label

Step 1

ENX Registration

Register on the ENX portal. Define scope and assessment level. Select an audit provider.

Step 2

Gap Analysis & ISMS

Assess current state, identify gaps, build or extend your ISMS.

Step 3

Self-Assessment

Work through the VDA ISA questionnaire. Document maturity levels. Collect evidence.

Step 4

Audit

Examination by an accredited audit provider. Remote or on-site, depending on level.

Step 5

Label & Publication

Upon passing: TISAX label on the ENX portal. Visible to all participating OEMs. Valid for 3 years.

The sooner you start, the sooner you have your label. Kopexa supports you at every step.

How Kopexa Helps

From Requirement to Implementation

VDA ISA questionnaire?

ISA catalog ready to use

The complete VDA ISA questionnaire is pre-loaded in Kopexa. Answer assessment objectives directly in the platform, document maturity levels, and track your progress in real time.

  • ISA catalog out-of-the-box
  • Maturity tracking per objective
  • Gap analysis at the click of a button

Which controls are missing?

Automatic mapping to ISO 27001

If you already have ISO 27001, Kopexa instantly shows you which TISAX assessment objectives are already covered — and where gaps remain.

  • Automatic cross-mapping
  • Delta analysis ISO↔TISAX
  • Dual certification support

Audit evidence?

Evidence collection for the auditor

Manage policies, evidence, and reports centrally. During the audit, export everything with one click. Complete, current, and audit-ready.

  • Centralized evidence management
  • Policy management
  • Export-ready audit reports

All Frameworks. One System.

Built by GRC Experts for European Mid-Market Companies

ISO 27001 · NIS2 · TISAX · DORA · BSI Grundschutz · DSGVO · SOC 2 · KRITIS · PCI-DSS · NIST CSF

Kopexa is built on OSCAL, the open NIST standard for machine-readable compliance frameworks. Every framework, every standard, every regulation: available instantly or custom-built with our Framework Builder.

Let’s Assess Where You Stand

Free & non-binding. Response within 24h.
