TISAX Assessment Levels: AL1, AL2 and AL3

What Are TISAX Assessment Levels?

TISAX distinguishes three Assessment Levels (AL) that determine how rigorously your organization is audited. The level depends on the protection needs of the information you process for OEMs or Tier-1 suppliers. Choosing the right Assessment Level is one of the first and most important decisions in the TISAX process, as it significantly affects effort, cost, and timeline.

Assessment Levels are not quality tiers in the traditional sense. An AL2 label is not "worse" than an AL3 label. It simply reflects that the information being processed has different protection needs and therefore requires a different depth of assessment.

AL1: Self-Assessment

AL1 is the lowest Assessment Level and consists of a pure self-assessment. You complete the VDA ISA questionnaire on your own, without external review. No audit by an accredited audit provider takes place, and the result is not visible on the ENX portal.

In practice, AL1 has little relevance for the automotive supply chain. No OEM accepts an AL1 assessment as proof, since it involves no independent verification. AL1 is suitable exclusively for internal purposes — for example, to gauge your own maturity level before pursuing an AL2 or AL3 assessment, or to internally prepare new locations.

AL2: Remote Audit by an Audit Provider

AL2 is the standard assessment level for most TISAX participants. The assessment is conducted by an accredited audit provider, typically as a remote audit via video conference. The auditor reviews documentation, conducts interviews with responsible personnel, and evaluates the maturity level of your processes.

The AL2 result is published on the ENX portal and is visible to all TISAX participants. This makes AL2 the standard for all organizations that process information with high protection needs. Typical TISAX labels at AL2 level include "Info high", "Data Protection", "Test Vehicles", and "Prototype Events".

The advantage of AL2: The assessment can be conducted entirely remotely, saving travel costs and offering more flexibility in scheduling. The audit duration is generally shorter than AL3, since no physical inspection takes place.

AL3: On-Site Audit with Highest Assessment Depth

AL3 is the highest assessment level in TISAX. The audit is mandatory on-site, conducted by an accredited audit provider. In addition to document review and interviews, AL3 includes a physical inspection of the premises, spot checks on technical systems, and verification of physical security measures.

AL3 is required for "Info very high" and all Prototype Protection labels. If you have access to pre-release vehicle data, CAD drawings of prototypes, or test vehicles, AL3 is mandatory. The physical inspection covers, among other things, access controls, camera surveillance, visitor management, server rooms, and secured areas.

The effort for AL3 is noticeably higher: audit duration is longer (typically 3-5 days on-site), preparation is more extensive, and requirements for physical security measures are stricter. In return, an AL3 label signals the highest level of trust to OEMs.

Comparison Table: AL1 vs. AL2 vs. AL3

Decision Matrix: When AL2, When AL3?

The choice between AL2 and AL3 is primarily determined by the data classification and the specific requirements of your OEM partners. Here is a clear decision guide:

You need AL2 if:

• You process information with high protection needs (e.g., production plans, supplier lists, bills of materials)
• Your OEM requires the "Info high" or "Data Protection" label
• You process personal data on behalf of an OEM (standard data processing agreement)
• You participate in prototype events or handle test vehicles
• You need to meet availability requirements at a high level

You need AL3 if:

• You process information with very high protection needs (e.g., pre-release vehicle data, CAD drawings, design studies)
• You have direct access to prototypes — physically or digitally
• Your OEM requires the "Info very high" or "Prototype Protection high/very high" label
• You process special categories of personal data (health data, biometric data)
• You need to meet availability requirements at a very high level

Practical Tip: When in Doubt, Ask Your OEM

If you are unsure, ask your OEM partner directly which labels and which assessment level they expect from you. The requirement is typically stated in the contract or communicated via the ENX portal. A misjudgment can be costly: if you start with AL2 and later need to switch to AL3, you essentially pay twice. The detailed breakdown of costs and timelines will help you plan.

Common Misconceptions About Assessment Levels

"We will just go with AL2, that should be enough." — We hear this regularly, and it is dangerous. If your OEM expects AL3 and you can only present AL2, your label is worthless to them. Check the contractual requirements carefully before deciding on a level.

"AL3 is more secure than AL2." — This is a misconception. Both levels are assessed against the same VDA ISA catalog and expect the same maturity level. AL3 simply has a greater assessment depth due to the physical inspection. A company with AL2 can be just as secure as one with AL3 — it simply processes different data classifications.

"We will do AL1 first, then upgrade." — AL1 as a preliminary step is generally useful for gauging your own maturity level. However, it does not replace the preparation for AL2/AL3. The jump from AL1 to AL2 requires the same preparation as starting directly with AL2.