What Is TISAX and Why Automotive OEMs Mandate It
TISAX — Trusted Information Security Assessment Exchange — was created by the VDA (Verband der Automobilindustrie, the German automotive industry association) to solve a specific problem: every major OEM was running its own supplier security assessment programme, and every supplier was completing dozens of overlapping questionnaires in slightly different formats.
TISAX solved this by creating a standardised framework built on the VDA Information Security Assessment (VDA ISA) and a shared exchange platform managed by the ENX Association. A supplier completes one TISAX assessment and shares the result with every OEM that requires it — once, on the ENX platform, under controlled access. No more answering the same questions twelve times for twelve customers.
What began as a German automotive standard has become the de facto security certification requirement for automotive supply chains across Europe. In the Netherlands, this directly affects Dutch suppliers to OEMs and to Tier 1 integrators including VDL, DAF, and ASML subcontractors working on automotive-adjacent programmes.
The TISAX result is not a public certificate — it is a controlled exchange.
Unlike ISO 27001, TISAX assessment results are not public. They are shared confidentially on the ENX platform, accessible only to OEMs you explicitly authorise. Missing a TISAX requirement can delay or disqualify a contract award — even when your product quality and pricing are ideal.
The Three TISAX Assessment Levels
Your required assessment level is set by your OEM customer based on the sensitivity of information you handle and your access to their environments. Understanding this upfront determines whether your budget and timeline estimates are realistic.
Self-Assessment (AL1)
Typical timeline: 4–8 weeks
Target: Suppliers handling standard business information with limited sensitivity
Process: Complete the VDA ISA questionnaire internally and publish results to the ENX platform — no external auditor required
Rarely mandated by major OEMs for direct suppliers — BMW, VW Group and Mercedes typically require AL2 or AL3.
Plausibility Check (AL2)
Typical timeline: 2–4 months
Target: Suppliers handling sensitive information: prototype data, personal data, confidential technical specifications
Process: Detailed self-assessment plus remote verification sessions with an accredited ENX auditor who tests your answers
The most common requirement for Tier 2 and most Tier 1 suppliers with access to OEM data.
On-Site Audit (AL3)
Typical timeline: 3–6 months
Target: Suppliers handling highly sensitive data: prototype components, secret production systems, direct access to OEM engineering environments
Process: Full on-site inspection by accredited auditors with comprehensive documentation review and physical control testing
Required for prototype handling, R&D partners, and suppliers with direct system access to OEM production or engineering platforms.
The Six Steps of a TISAX Assessment
TISAX follows a defined process managed through the ENX Association. Understanding each step before you begin prevents the most common cause of timeline overruns: discovering major remediation requirements mid-assessment that should have been addressed upfront.
Scope Definition
Determine which organisational units, physical locations, and data types are in scope. Your OEM contract specifies the required scope — incorrect scoping leads to assessment failure or partial results that do not satisfy your customer's requirements.
ENX Registration
Register with the ENX Association and specify your assessment scope, required level, and applicable modules. Registration fees apply. Your registration locks in the scope that will be formally assessed.
Gap Assessment
Evaluate your current controls against VDA ISA requirements for your level and applicable modules: Information Security (always required), Prototype Protection (if applicable), and Data Protection (if personal data is involved). Complete this before engaging your auditor — gaps found mid-audit extend your timeline significantly.
Auditor Engagement
Select an accredited ENX audit provider and schedule your assessment. For AL2, this involves remote verification sessions. For AL3, plan for on-site visits over one to three days. The auditor reviews your VDA ISA self-assessment and tests your documented controls against actual practice.
Gap Remediation
Address findings identified during or before the assessment. Minor deviations can often be remediated within the assessment window. Major gaps require a separate re-assessment cycle. This is where most timelines slip — internal remediation is consistently slower than planned.
Label Issuance & Sharing
Once the assessment is accepted, your TISAX label is published on the ENX platform. You control which OEMs can access it. Labels are valid for three years, after which a full re-assessment is required — not a surveillance audit.
TISAX vs. ISO 27001: Key Differences
Many automotive suppliers already hold or are pursuing ISO 27001. The two frameworks overlap significantly in controls — but they are not equivalent, and no major OEM will accept ISO 27001 as a substitute for TISAX.
| Feature | TISAX | ISO 27001 |
|---|---|---|
| Industry scope | Automotive-specific (VDA ISA framework) | Cross-industry generic control framework |
| Mandate | Contractual OEM requirement — non-negotiable for in-scope suppliers | Voluntary — OEMs do not accept it as a TISAX substitute |
| Result exchange | ENX platform — one result shared with multiple OEMs under access control | Manual certificate sharing per customer relationship |
| Assessment model | Maturity-based scoring (1–5 per control area) | Binary: conformant or non-conformant per clause |
| Prototype protection | Dedicated VDA ISA module — physical and logical prototype controls | Not addressed — physical prototype security is outside ISO scope |
| Validity | 3-year label — full re-assessment at renewal | Annual surveillance audits, recertification every 3 years |
Is Your TISAX Timeline Realistic?
We offer a free TISAX readiness call: 30 minutes to assess your current security posture against VDA ISA requirements for your target assessment level, and tell you honestly whether your planned timeline is achievable.
Book a Free TISAX Readiness Call
The Three Areas Where Automotive Suppliers Most Often Fail
These three control areas account for the majority of findings in TISAX assessments at AL2 and AL3. Addressing them before your formal assessment — not during — is the most reliable way to avoid remediation loops that extend certification by three to six months.
Prototype Protection Controls
The VDA ISA Prototype Protection module requires documented physical and logical controls for handling pre-series components, CAD files, and development data. Most suppliers handle prototypes under informal arrangements — no documented access control process, no clean-desk procedures, no formal visitor management for prototype areas. Auditors consistently flag the absence of documented protocols rather than the absence of physical controls.
Supplier Relationship Documentation
TISAX requires evidence that you assess and manage the security posture of your own sub-suppliers that have access to OEM data. Most SME suppliers have no formal supplier security assessment process. They sign contracts but do not assess their suppliers' security practices. Auditors consistently flag missing sub-supplier registers and absent due diligence processes for vendors with access to sensitive data.
Access Control Evidence
TISAX assesses whether access rights are formally managed: user provisioning and de-provisioning, privileged access management, and periodic access reviews with documented outcomes. Most suppliers have functioning technical access controls — but lack the documented processes and audit evidence trails that TISAX requires. Functioning controls without documentation do not satisfy a TISAX auditor at AL2 or AL3.
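The evidence gap described above is usually closed by making each periodic access review produce a dated, reviewer-attributed record rather than a verbal "we checked". The following Python script is an added illustration, not part of the page, TISAX or VDA ISA: it reconciles a constructed HR roster against a constructed account export, flags leavers whose accounts are still enabled, accounts with no HR owner, and privileged accounts lacking a documented approval, and writes a review record with a content hash so the filed outcome can later be shown to be unaltered. All user names, approvers and dates are made up.

```python
"""Access-review evidence generator (illustrative example, not TISAX/VDA ISA tooling).

Joins an HR roster with an account export, records de-provisioning gaps and
unapproved privileged accounts, and emits a dated review record carrying a
SHA-256 over its content so it can be filed as audit evidence.
"""
import hashlib
import json

# Constructed sample data: HR roster as of the review date.
HR_ROSTER = [
    {"user": "a.jansen", "status": "active"},
    {"user": "b.devries", "status": "left", "left_on": "2024-03-31"},
    {"user": "c.bakker", "status": "active"},
]

# Constructed sample data: directory / application account export.
ACCOUNTS = [
    {"user": "a.jansen", "enabled": True, "privileged": False},
    {"user": "b.devries", "enabled": True, "privileged": True},      # leaver still enabled
    {"user": "c.bakker", "enabled": True, "privileged": True},
    {"user": "svc-cad-export", "enabled": True, "privileged": True}, # no owner in HR roster
]

# Constructed: documented manager sign-off for privileged accounts in this cycle.
PRIVILEGED_APPROVALS = {"c.bakker": "m.visser"}


def review_access(roster, accounts, approvals):
    """Return a list of findings, one dict per account/issue pair."""
    status = {r["user"]: r["status"] for r in roster}
    findings = []
    for acct in accounts:
        user = acct["user"]
        if user not in status:
            # Account with no HR identity behind it (service or forgotten account).
            findings.append({"user": user, "finding": "orphaned_account"})
        elif status[user] != "active" and acct["enabled"]:
            # De-provisioning gap: HR says left, account still usable.
            findings.append({"user": user, "finding": "leaver_still_enabled"})
        if acct["privileged"] and user not in approvals:
            # Privileged access without a recorded approval this cycle.
            findings.append({"user": user, "finding": "privileged_without_approval"})
    return findings


def build_review_record(roster, accounts, approvals, reviewer, review_date):
    """Produce the evidence artefact: who reviewed what, when, with which outcome."""
    findings = review_access(roster, accounts, approvals)
    record = {
        "review_date": review_date,
        "reviewer": reviewer,
        "accounts_reviewed": len(accounts),
        "findings": findings,
        "result": "pass" if not findings else "findings_open",
    }
    canonical = json.dumps(record, sort_keys=True).encode()
    record["evidence_sha256"] = hashlib.sha256(canonical).hexdigest()
    return record


def verify_record(record):
    """Recompute the hash over everything except the hash field itself."""
    body = {k: v for k, v in record.items() if k != "evidence_sha256"}
    canonical = json.dumps(body, sort_keys=True).encode()
    return hashlib.sha256(canonical).hexdigest() == record["evidence_sha256"]


if __name__ == "__main__":
    rec = build_review_record(HR_ROSTER, ACCOUNTS, PRIVILEGED_APPROVALS,
                              reviewer="m.visser", review_date="2024-06-30")
    print(json.dumps(rec, indent=2))
    print("record intact:", verify_record(rec))
```

Run against the constructed data the script reports four findings: the leaver's enabled account, that same account's privileged access without approval, the orphaned service account, and its unapproved privileged access. In practice the roster and account export would come from the HR system and directory, and the record would be stored with the review cycle's ticket or register so an AL2/AL3 auditor can trace each cycle to a named reviewer, a date and a closed-out list of findings.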
How New Paradigm Security Accelerates Your TISAX Certification
Automotive suppliers are not typically information security specialists. Their core expertise is manufacturing, engineering, or logistics — and TISAX asks them to demonstrate sophisticated security governance against a detailed automotive-specific framework. Most suppliers underestimate remediation effort and overestimate the speed of internal execution by a factor of two to three.
Our GRC practice has guided suppliers through TISAX assessments at all three levels. We know where the gaps are before the auditor arrives — because we have seen those gaps across assessments consistently.
VDA ISA Gap Assessment
Full assessment of your controls against VDA ISA requirements for your specific level and applicable modules. We deliver a prioritised remediation plan with realistic timelines — not a generic maturity report that leaves your team guessing where to start.
Remediation Programme Management
End-to-end management of gap remediation: policy development, process design, control implementation, and audit evidence collection. We build the documentation architecture that satisfies TISAX auditors and remains maintainable after your label is issued.
Prototype Protection Module
Dedicated support for the VDA ISA Prototype Protection module — physical security assessment, access control design for prototype areas, visitor management procedures, and CAD/engineering data handling controls. Built for Tier 1 and Tier 2 suppliers handling pre-series components.
Sub-Supplier Assessment Programme
Design and implementation of your supplier security management process: questionnaire development, criticality classification, and sub-supplier register satisfying both VDA ISA and GDPR Art. 28 requirements simultaneously.
Re-Assessment Preparation
TISAX labels expire after three years. We provide continuous compliance monitoring, annual control testing, and re-assessment preparation so your renewal does not become a twelve-month crisis. Clients who engage us post-certification maintain consistently higher maturity scores.
TISAX Is a Supply Chain Access Decision, Not an IT Project
The automotive supply chain is tightening. OEMs are reducing supplier bases and concentrating contracts with vendors that can demonstrate systematic security governance. TISAX certification has become a threshold requirement — not a differentiator, but a prerequisite for appearing on the short list.
The suppliers that complete TISAX efficiently are not the ones with the largest IT teams. They are the ones that engaged external expertise early, addressed prototype protection and supplier management proactively, and avoided the remediation loops that stretch timelines from four months to twelve.
If you have received a TISAX requirement from an OEM or Tier 1 partner, the assessment clock has started. The question is whether you close the gaps before the auditor finds them.
Enterprise GRC & Regulatory Compliance
TISAX gap assessments, ISO 27001 implementation, NIS2 and DORA compliance, and ongoing GRC management for European enterprises and automotive supply chain participants.
View GRC Services
vCISO (Fractional CISO)
SME automotive suppliers often lack an internal security function. A fractional CISO provides the governance leadership — ISMS design, policy framework, audit readiness — that TISAX assessors expect at AL2 and AL3.
Explore vCISO Services