TISAX for Automotive Suppliers

TISAX certification for Tier 1-3 suppliers. AL1 vs AL2 vs AL3, OEM requirements, costs and common pitfalls.

Why OEMs Require TISAX

In the automotive industry, information security is not an optional add-on but a contractual prerequisite. Every major OEM, whether Volkswagen, BMW, Mercedes-Benz, Stellantis, or Toyota, requires its suppliers to hold a valid TISAX label. The reasoning is straightforward: engineering data, prototype information, price schedules, and production plans flow across company boundaries on a daily basis. A single data breach can cause millions in damages, delay product launches, and undermine trust across an entire supply chain.

TISAX (Trusted Information Security Assessment Exchange) was created precisely for this problem. Developed by the German Association of the Automotive Industry (VDA) and operated by the ENX Association, TISAX is the industry-specific standard for information security assessments in the automotive sector. Unlike generic certifications such as ISO 27001, TISAX addresses industry-specific requirements like prototype protection and the secure handling of vehicle development data.

For suppliers across all tiers, this means one thing: no valid TISAX label, no OEM contract. This requirement is non-negotiable. In practice, OEMs use TISAX labels as a knockout criterion in tenders and supplier qualifications. Even existing supplier relationships are jeopardized if a label expires and is not renewed in time. The consequence: suppliers who treat TISAX as a strategic project and invest early secure a clear competitive advantage.

TISAX goes beyond a mere document review. OEMs expect that you don't just have policies on paper, but that information security is truly lived within your organization. This applies to technical measures such as access controls and encryption just as much as organizational processes like training, incident response, or supplier risk management. TISAX assesses the maturity level of your entire information security management system (ISMS) along the VDA ISA questionnaire.

AL1, AL2, or AL3: Which Assessment Level Do You Need?

TISAX defines three assessment levels (AL) that differ in audit depth and visibility. Which level is relevant for you is not determined by your own company but by the requesting OEM through so-called scope labels.

  • AL1 (Self-Assessment): A pure self-assessment without external verification. Not accepted by any OEM in practice and only useful for internal site preparation.
  • AL2 (Remote Plausibility Check): Assessment by an accredited audit provider, typically conducted remotely via video conference. The result is visible on the ENX portal and is the standard level for most Tier 2 and Tier 3 suppliers.
  • AL3 (On-Site Audit): A full on-site audit with physical inspection. Required by most OEMs for Tier 1 suppliers, especially when prototype data or very high confidentiality levels are involved.

The decision between AL2 and AL3 depends on several factors: Which scope labels does your OEM require? Do you handle prototype data? Do you have physical sites with sensitive areas (e.g., prototype workshops, test tracks)? As a rule: the more sensitive the information, the higher the assessment level. When in doubt, always clarify with your OEM which level is expected before registering with ENX.

Scoping for Tier 1 vs. Tier 2 vs. Tier 3

Your position in the supply chain significantly determines the scope of your TISAX assessment. TISAX distinguishes three core scope areas, each with its own labels:

  • Information Security (Info High / Info Very High): Covers the protection of confidential business information. Nearly every supplier needs at least this label.
  • Prototype Protection: Relevant for companies that handle physical or digital prototype information. Typically required for Tier 1 and specialized Tier 2 suppliers with development contracts.
  • Data Protection (GDPR): Required when personal data is processed on behalf of the OEM, for example in connected car services or fleet management.

Tier 1 suppliers typically have the broadest scope: information security at very high level, prototype protection, and often data protection as well. The assessment level is almost always AL3. Tier 2 suppliers often only need information security (high or very high) and can manage with AL2. Tier 3 suppliers have the leanest scope but still need to demonstrate an ISMS that meets VDA ISA requirements. Getting the scope right at the outset saves significant time and budget.

Common Pitfalls in the Initial Assessment

Many suppliers underestimate the effort involved in a first TISAX assessment. From practical experience, we see the following recurring mistakes, which delay assessments or lead to negative outcomes:

  • Unclear Scoping: Without a precise definition of the assessment scope (which sites, which processes, which IT systems), the effort becomes uncontrollable. The auditor can only evaluate what is clearly delineated. Many companies define the scope too broadly, involving unnecessary departments, or too narrowly, forgetting critical systems.
  • Missing Asset Inventory: TISAX requires a complete overview of all information-processing assets. This includes servers, laptops, mobile devices, cloud services, and even physical records. Without proper IT asset management, you will face significant catch-up work during the assessment.
  • Incomplete ISMS Documentation: Policies that exist only as drafts or were never approved by management do not count. The auditor checks whether policies are current, approved, and accessible to employees. Missing documents such as an information security policy, risk treatment plan, or incident response plan are frequent major findings.
  • Insufficient Employee Awareness: TISAX does not only assess technology and documents but also employee awareness. Regular training and documented awareness measures are mandatory. If employees cannot explain what the information security policy contains during an interview, that is a clear finding.
  • Underestimated Physical Security: Especially in AL3 audits, the auditor inspects physical security on-site. Access controls, lockable cabinets, clean desk policies, and visitor management must not only be documented but implemented in daily operations.

Costs and Timeline

The total cost of a TISAX assessment is composed of several items. For realistic budget planning, you should consider the following factors:

  • ENX Registration: Registration on the ENX portal costs approximately EUR 4,500 and is the first formal step. Here you select the assessment scope and audit provider.
  • Audit Costs: Audit provider fees range from EUR 5,000 to 15,000 depending on the assessment level and company size. AL3 audits with on-site inspections are naturally more expensive than AL2 remote audits.
  • Internal Effort: The largest cost block is often internal effort. Plan for 3 to 6 months of preparation time during which your ISMS is built or overhauled. Depending on your starting point, this ties up 0.5 to 2 FTE.
  • Tool Costs: A GRC platform like Kopexa (starting at EUR 249/month) reduces internal effort by 40 to 60% and significantly shortens preparation time. Compared to external consultants (EUR 50,000 to 100,000+), this is a cost-effective alternative.

The typical timeline from decision to label is 4 to 8 months: 3 to 6 months of preparation, 1 to 2 months for the actual assessment and result release. With structured preparation and the right tool support, the lower end of this timeline is realistically achievable.

No Label = No OEM Contract

The business consequences of a missing TISAX label are immediate and severe. OEMs set a valid label as a mandatory requirement in their procurement terms. Without a label, you will not be considered in tenders, and existing contracts cannot be renewed when the label expires. In a market where the number of TISAX-certified suppliers continues to grow, a missing label is a clear competitive disadvantage.

Furthermore, TISAX increasingly affects the entire supply chain: Tier 1 suppliers are obligated by OEMs to verify and demonstrate the TISAX compliance of their own sub-suppliers. The pressure comes not only from above but also from direct business partners. Those who invest early position themselves as reliable partners in an increasingly security-conscious industry.
