TISAX for IT Service Providers & SaaS Companies

Why IT service providers need TISAX: scope definition, cloud requirements, and the path into the automotive supply chain.

Why IT Service Providers and SaaS Companies Need TISAX

TISAX is no longer relevant only for traditional suppliers. The digitalization of the automotive industry means that IT service providers, SaaS vendors, and cloud providers are increasingly integrated into the supply chain — and therefore fall under TISAX requirements. If you provide software, IT services, or cloud infrastructure for OEMs or Tier-1 suppliers, you will sooner or later be asked for a TISAX label.

The driver is the OEM requirement: More and more automotive manufacturers require all partners in the supply chain — not just parts suppliers but also IT partners — to hold a TISAX label. No label means no contract, no assessment result to share with partners in the ENX portal, and no visibility as a trusted partner.

Scope Definition for IT Service Providers

Scope definition is particularly important for service providers — and often trickier than for traditional suppliers. The scope must clearly delineate what is assessed and what is not.

What Is Typically in Scope

  • Systems: All IT systems that process, store, or transmit OEM data — production servers, databases, backup systems, CI/CD pipelines
  • Data: All information processed by or for OEMs — customer data, production data, personnel data, configuration data
  • Personnel: All employees with access to OEM data or the systems that process it — developers, admins, support staff, project managers
  • Locations: All sites where OEM data is processed — offices, data centers, home offices (for remote work)

What Is Typically Not in Scope

  • Systems and processes operated exclusively for non-automotive customers (provided they are fully separated)
  • Internal company processes with no connection to OEM data (marketing, accounting, internal HR)
  • Locations with no OEM data involvement (purely administrative sites)

Important: The delineation must be cleanly documented and presented to the auditor in a comprehensible manner. A scope that is too narrow will be questioned by the auditor; a scope that is too broad unnecessarily drives up costs.

Cloud and SaaS-Specific Requirements

Multi-Tenant Architecture

SaaS providers with multi-tenant architecture face a particular challenge: How do you ensure that OEM data is isolated from other tenants? The auditor checks logical data separation, tenant isolation at the database and application level, access controls between tenants, and, above all, whether the isolation is demonstrable: how tenant identity is bound to each request, where the tenant restriction is enforced, and what evidence (tests, configuration, logs) shows that a user of one tenant cannot reach another tenant's data.

With multi-tenant systems, the scope can be limited to the specific OEM tenant — provided the isolation is demonstrable. Without demonstrable isolation, the entire platform falls in scope.
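The following is an added example, not code from the page or from any product it describes. It shows the two things the paragraphs above ask for at the application level: a tenant predicate that comes from the authenticated session rather than from request input, and an isolation matrix that makes the separation demonstrable to an auditor. The tenant names, document rows and the sqlite3 in-memory database are constructed sample data; a production system would put the same predicate in a database-level policy (for example row-level security) as a second line of defence.

```python
from __future__ import annotations

import sqlite3
from dataclasses import dataclass
from typing import Optional

# Constructed sample data (not real OEM data): tenant "oem_a" is in the TISAX
# scope, tenant "retail_b" is an unrelated customer on the same platform.
SAMPLE_DOCUMENTS = [
    (1, "oem_a", "ECU firmware release notes"),
    (2, "oem_a", "Supplier quality report"),
    (3, "retail_b", "Loyalty programme export"),
]


@dataclass(frozen=True)
class Session:
    """Authenticated context. tenant_id is bound when the user logs in and is
    never taken from request parameters, so a caller cannot choose it."""
    user: str
    tenant_id: str


def build_db() -> sqlite3.Connection:
    """Create the in-memory sample database with the constructed rows."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE documents ("
        " id INTEGER PRIMARY KEY, tenant_id TEXT NOT NULL, title TEXT NOT NULL)"
    )
    con.executemany("INSERT INTO documents VALUES (?, ?, ?)", SAMPLE_DOCUMENTS)
    con.commit()
    return con


def get_document_unscoped(con: sqlite3.Connection, doc_id: int) -> Optional[tuple]:
    """Weak pattern: the query keys on the document id alone. Any authenticated
    user who guesses an id reads another tenant's row (an IDOR)."""
    return con.execute(
        "SELECT id, tenant_id, title FROM documents WHERE id = ?", (doc_id,)
    ).fetchone()


def get_document(con: sqlite3.Connection, session: Session, doc_id: int) -> Optional[tuple]:
    """Hardened pattern: the tenant predicate comes from the session and is part
    of every query. A foreign id returns no row, which also avoids leaking
    whether the row exists at all."""
    return con.execute(
        "SELECT id, tenant_id, title FROM documents WHERE id = ? AND tenant_id = ?",
        (doc_id, session.tenant_id),
    ).fetchone()


def isolation_matrix(con: sqlite3.Connection, tenants: list[str]) -> dict[tuple[str, int], bool]:
    """Evidence for the auditor: for every (tenant, document) pair, did the
    scoped accessor return the row? All cross-tenant cells must be False."""
    matrix: dict[tuple[str, int], bool] = {}
    for tenant in tenants:
        session = Session(user=f"tester@{tenant}", tenant_id=tenant)
        for doc_id, _owner, _title in SAMPLE_DOCUMENTS:
            matrix[(tenant, doc_id)] = get_document(con, session, doc_id) is not None
    return matrix


def cross_tenant_leaks(con: sqlite3.Connection, tenants: list[str]) -> list[tuple[str, int]]:
    """Return every (tenant, doc_id) pair where a tenant could read a document
    owned by another tenant. An empty list is the demonstrable-isolation result."""
    owner = {doc_id: tenant for doc_id, tenant, _title in SAMPLE_DOCUMENTS}
    return [
        (tenant, doc_id)
        for (tenant, doc_id), allowed in isolation_matrix(con, tenants).items()
        if allowed and owner[doc_id] != tenant
    ]


if __name__ == "__main__":
    con = build_db()
    oem = Session(user="alice@oem_a", tenant_id="oem_a")
    print("unscoped read of retail document by OEM user:", get_document_unscoped(con, 3))
    print("scoped read of retail document by OEM user:  ", get_document(con, oem, 3))
    print("cross-tenant leaks:", cross_tenant_leaks(con, ["oem_a", "retail_b"]))
```

The matrix produced by `isolation_matrix` is the kind of artifact that lets you limit the scope to the OEM tenant: it is generated from the same accessor the application uses, so it can be re-run in CI after every release and handed to the auditor as evidence rather than as a claim.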

Dedicated Environments

Dedicated environments (dedicated servers, dedicated database instances, dedicated network segments for the OEM) significantly simplify scope delineation. The auditor only needs to assess the dedicated environment, not the entire platform. Downside: higher operational costs and more complex infrastructure.

Data Center Location

Data center location is relevant for TISAX, above all for the Data Protection label and for OEM contractual requirements: OEM data should be processed in the EU/EEA. Data centers in third countries (particularly the USA) require additional safeguards and a legal basis for the transfer (e.g., EU-US Data Privacy Framework, Standard Contractual Clauses). Some OEMs explicitly require data centers in Germany or the EU, so check the OEM's requirements before choosing a region.

TISAX as a Competitive Advantage

A TISAX label is not just a compliance obligation but a strategic market advantage. The automotive industry is one of the largest IT markets in Europe. With a TISAX label, you gain access to a market that remains closed to many competitors:

  • Access to the automotive supply chain: Without a TISAX label, you will not be considered in OEM procurement processes
  • Trust signal: A TISAX label demonstrates that you meet the stringent security requirements of the automotive industry — building trust even with non-automotive customers
  • Differentiation: Many IT service providers do not yet hold a TISAX label. Those who invest early gain an edge over competitors
  • Cross-selling potential: With a TISAX label, you can win existing automotive customers for additional services that require TISAX

Typical Timeline for IT Service Providers

IT service providers have an advantage over traditional suppliers: IT security measures are usually already in place. Encryption, access control, monitoring, and patch management are standard in day-to-day IT operations. This often results in a shorter timeline than for manufacturing companies.

Phase                                                      Duration (IT service providers)
Scope and registration                                     1-2 weeks
Gap analysis                                               1-2 weeks
Delta implementation (policies, documentation, training)   4-8 weeks
Self-assessment and audit                                  2-3 weeks
Total                                                      2-4 months

With an existing ISMS (e.g., ISO 27001), the effort is reduced to 6-10 weeks. Detailed cost breakdowns are available on our TISAX costs and process page.

Typical Labels for IT Service Providers

Most IT service providers require the following labels:

  • Info high (AL2): Standard for all service providers processing confidential OEM data
  • Data Protection (AL2): For commissioned processing of personal data for OEMs
  • Availability high (AL2): For production-critical IT systems and cloud services

AL3 labels are rarely required for IT service providers unless you process special categories of personal data or have direct access to prototype data. Which level applies depends on the protection needs of the data you handle for the OEM; see the Assessment Levels for details.

The complete step-by-step guide for TISAX preparation is available in our TISAX checklist.

Enter the automotive supply chain as an IT service provider

Kopexa was built by IT experts and understands the unique requirements of SaaS and cloud providers. Pre-loaded ISA catalog, measures catalog, and templates for cloud security — get started in weeks, not months.
