All TISAX Labels at a Glance
Overview of all TISAX labels: Info high/very high, prototype protection, data protection, availability. Which label for which use case.
What Are TISAX Labels?
TISAX labels are the official certifications published on the ENX portal after a successful assessment. Each label certifies that your organization meets specific security requirements. OEMs and Tier-1 suppliers use the ENX portal to verify their partners' labels — without labels, no contract.
There are currently 10 TISAX labels, grouped into five categories: Information Security, Prototype Protection, Test Vehicles and Prototype Events, Data Protection, and Availability. Each label is tied to a specific Assessment Level (AL2 or AL3).
All 10 TISAX Labels in Detail
Information Security
Info high (AL2) — The standard label for organizations that process confidential information from OEMs. This includes production plans, bills of materials, supplier lists, pricing information, and technical specifications. Most TISAX participants need this label. The assessment is conducted remotely by an accredited audit provider.
Info very high (AL3) — For information with very high protection needs, such as pre-release vehicle data, design studies, strategic product planning, or technology developments that would cause significant financial damage if disclosed. Requires an on-site audit with physical inspection.
Prototype Protection
Prototype Protection high (AL3) — For organizations that have physical or digital access to prototypes. Covers access controls, camera surveillance, restricted zones, encryption, and access management. Typical recipients: body manufacturers, design studios, suppliers of prototype parts.
Prototype Protection very high (AL3) — The highest level for prototype security. In addition to the requirements of "high", extended physical security measures are assessed: airlock systems, biometric access controls, comprehensive video surveillance, and strict visitor management processes. More details can be found on our TISAX Prototype Protection page.
Test Vehicles and Prototype Events
Test Vehicles (AL2) — For organizations that handle camouflaged vehicles, test vehicles, or pre-series vehicles. Requirements include camouflage wrapping, secured parking areas, photography bans, and GPS tracking. Typically applies to workshops, testing grounds, and logistics service providers.
Prototype Events (AL2) — For organizations that display or transport prototypes at trade shows, test drives, or presentations. Requirements include special protective measures for the event period: access controls, NDA management, photography bans, and transport security.
Data Protection
Data Protection (AL2) — For organizations that process personal data on behalf of an OEM (data processing under GDPR Art. 28). Assesses compliance with data protection requirements that go beyond GDPR, with TISAX-specific additions for the automotive context. Typical recipients: HR service providers, payroll providers, CRM system operators.
Data Protection special categories (AL3) — For processing special categories of personal data under GDPR Art. 9: health data, biometric data, trade union membership, or ethnic origin. Requires an on-site audit and stricter technical and organizational measures. Primarily affects occupational health physicians, health management providers, and systems with biometric access control.
Availability
Availability high (AL2) — Dedicated labels for availability requirements have existed since 2023. This label assesses whether your organization has implemented business continuity measures that ensure high availability of critical systems and services. Relevant for IT service providers operating production-critical systems.
Availability very high (AL3) — The highest level for availability requirements. In addition to the requirements of "high", extended redundancy concepts, disaster recovery plans, and recovery times (RTO/RPO) subject to very high requirements are assessed. Applies to providers of systems whose failure would directly impact vehicle production.
Overview: All Labels, Levels, and Use Cases
| Label | Assessment Level | Typical Use Case |
|---|---|---|
| Info high | AL2 | Processing confidential OEM data (plans, BOMs, pricing) |
| Info very high | AL3 | Pre-release data, design studies, strategic product planning |
| Prototype Protection high | AL3 | Physical or digital access to prototypes and prototype parts |
| Prototype Protection very high | AL3 | Highest security for prototypes (airlocks, biometrics, comprehensive surveillance) |
| Test Vehicles | AL2 | Handling camouflaged vehicles, test vehicles |
| Prototype Events | AL2 | Prototypes at trade shows, test drives, presentations |
| Data Protection | AL2 | Processing personal data on behalf of OEMs |
| Data Protection special categories | AL3 | Health data, biometric data, sensitive personnel data |
| Availability high | AL2 | Production-critical IT systems and cloud services |
| Availability very high | AL3 | Systems with direct impact on vehicle production |
New Labels Since 2023
With the introduction of VDA ISA 6.x, the availability labels were added as a standalone category. Previously, availability was part of the general information security requirements. The split into dedicated labels reflects the growing importance of Business Continuity and Disaster Recovery in connected automotive manufacturing.
For organizations that already hold a TISAX label under older ISA versions, this may mean an expanded scope at recertification. Check at your next recertification whether your OEM now explicitly requires an availability label. More details can be found on our TISAX Requirements page.
Which Label Do You Need?
The answer depends on your specific contractual relationship with the OEM. Typically, your client will tell you which labels they expect. Common combinations:
- Standard supplier without prototype access: Info high (AL2) — the most common scenario
- Supplier with prototype access: Info high (AL2) + Prototype Protection high (AL3) — requires on-site audit
- IT service provider: Info high (AL2) + Data Protection (AL2), possibly Availability high (AL2)
- Development partner: Info very high (AL3) + possibly Prototype Protection — highest requirements