TISAX Label & Level: What Do AL1, AL2, AL3 Mean – and Which Label Do You Need?

Key Takeaways

• Only AL2 and AL3 result in a TISAX label that OEMs accept. AL1 is a pure self-assessment without external validation – no OEM accepts it as proof.
• Since April 2024, four new labels apply under VDA ISA 6.0: "Confidential", "Strictly Confidential", "High Availability" and "Very High Availability". The former labels "Info High" and "Info Very High" have been discontinued.
• Which label and which level you need is stated in your supply contract – not in the ISA catalogue. OEMs specify both contractually; choosing the wrong level means repeating the assessment.

b65 percent of all active TISAX labels sit at Assessment Level 2 – a clear signal of which standard the automotive industry has settled on. Since 1 April 2024, a new label system under VDA ISA 6.0 has applied, replacing the former "Info" labels entirely and separating the protection classes cleanly into confidentiality and availability for the first time. Anyone planning a TISAX assessment today needs to understand both dimensions and combine them correctly: what is being assessed, and how thoroughly.

What Is the Difference Between a TISAX Label and a TISAX Level?

The TISAX label describes the audit objective: it defines which protection goal – confidentiality, availability or prototype protection – must be demonstrated in an assessment. The TISAX level (Assessment Level, AL) describes the audit depth: it determines whether the assessment is conducted as a self-assessment (AL1), a remote interview (AL2) or an on-site assessment (AL3). Both dimensions together define the scope – and both are specified in the supply contract.

TISAX labels and TISAX levels are frequently confused in practice, because the term "TISAX level" is sometimes used colloquially to refer to the protection class of a label. In this article, "level" always refers to the Assessment Levels AL1 through AL3.

The TISAX label in detail: each label corresponds to a defined audit objective from the VDA ISA requirements catalogue published by the ENX Association – the binding framework for all TISAX assessments. Which label a supplier needs depends on the type of data it processes for the OEM.

Together, the two dimensions define the concrete scope. A supplier processing engineering data for an OEM typically needs the "Confidential" label at AL2 – what exactly is required will be stated in the supply contract.

Which TISAX Labels Exist Since VDA ISA 6.0?

With VDA ISA 6.0, mandatory since 1 April 2024, the label system changed fundamentally. The former labels "Info High" and "Info Very High" no longer exist. Four new labels have replaced them – separated by protection objective: confidentiality on one side, availability on the other.

Confidential: The baseline level for companies that process confidential OEM information. The label carries the abbreviation "C" and is the most widely used. It covers protection against unauthorised access, data disclosure and information loss – the default for engineering service providers, IT suppliers and marketing agencies working under OEM contracts.

Strictly Confidential: For companies that process highly sensitive data – unpublished development data, trade secrets, advance information on vehicle models. The requirements are significantly more demanding than the "Confidential" level and require AL3 with an on-site assessment.

High Availability: Abbreviation "A". This label targets not companies with particularly sensitive data, but those whose IT failure would threaten the OEM's supply chain. Resilience rather than data protection: redundancy concepts, contingency plans, BCM. A direct response to ransomware attacks targeting just-in-time supply chains.

Very High Availability: The more stringent variant for suppliers whose outage would trigger immediate production stoppages at the OEM. Stricter BCM requirements, OT security to ISA/IEC 62443 and disaster recovery evidence are mandatory.

Which Optional Assessment Modules Are There?

Alongside the four labels, TISAX offers two optional modules that OEMs can additionally require.

The data protection module applies to companies processing personal data on behalf of an OEM – HR service providers or marketing agencies, for example. It covers GDPR-compliant records of processing activities, data protection impact assessments and data processing agreements.

The prototype protection module applies to companies with physical access to test vehicles or pre-production models. Physical security measures, confidentiality at press events and protection against unintended photography are the central audit points. In practice this means: screened parking areas for test vehicles, access controls for development zones, and rules governing photography and video on the premises.

In practice, many automotive development suppliers combine the base "Confidential" label directly with the prototype protection module – because the OEM requires both simultaneously.

What Changed in the TISAX Label System in 2024?

VDA ISA 6.0 is the most comprehensive overhaul of the TISAX standard in years. It affects not only the label structure, but also the depth of IT requirements.

Anyone commissioning a new assessment today will be assessed exclusively under ISA 6.0. Existing "Info High" and "Info Very High" labels from earlier assessments remain valid until they expire, at which point a follow-up assessment under the new standard becomes due.

New in terms of content: ISA 6.0 introduces explicit OT security requirements for the first time, aligned with ISA/IEC 62443-2-1 for Operational Technology. For suppliers with production environments this means: network segmentation, an asset inventory of the OT environment and patch management for control systems are now audit-relevant. Suppliers who have previously only documented their conventional IT will need to expand their scope.

Five new controls for incident management and business continuity have also been added – ransomware attacks on suppliers have demonstrated how quickly a single outage can bring an entire supply chain to a halt.

Which Assessment Levels Exist – and What Distinguishes Them?

The three assessment levels do not differ in what is assessed, but in how thoroughly the assessment is conducted.

Assessment Level 1 (AL1) is a pure self-assessment. The external assessor only checks whether the VDA ISA questionnaire has been completed in full – not whether the answers are accurate. AL1 does not result in a TISAX label in the ENX portal. No OEM accepts AL1 as proof. Anyone seriously planning for AL1 is underestimating what OEMs require.

Assessment Level 2 (AL2) is the industry standard. The assessment is conducted remotely: documents are submitted and the assessor conducts interviews by video or telephone. Around 65 percent of all active TISAX labels run on AL2. Assessment costs typically range between €8,000 and €15,000 – preparation costs not included.

What the assessor needs to see at AL2: a complete IT asset inventory, network documentation with segmentation evidence, an access rights concept with traceable permission assignments, current patch levels, and an IT emergency manual. Suppliers who cannot provide these documents on demand will either prolong the assessment – or fail it. And a failed assessment can mean a broken supply contract: OEMs set the label as a prerequisite for contract award, not as an afterthought.

Assessment Level 3 (AL3) is the highest level. The assessor visits on site: IT infrastructure, physical security measures, staff interviews. AL3 is mandatory for "Strictly Confidential" or "Very High Availability". Costs range from €18,000 to €35,000 plus travel expenses – significantly more for multi-site organisations.

What sets AL3 apart from AL2: the assessor does not just review documents, but walks through server rooms, access zones and workplaces. Employees are interviewed individually – whether documented procedures are actually being followed. A well-maintained asset inventory and clean network documentation are not optional extras at AL3; they are the prerequisite for the interviews to go well at all.

All issued TISAX labels – AL2 and AL3 alike – are valid for exactly three years. A follow-up assessment is due after that.

How Do You Choose the Right Label and Level?

The OEM decides, not the supplier. The standard clause in supply contracts reads along the lines of: "The supplier must hold a valid TISAX label at Assessment Level [X] with the audit objectives [label] and maintain it for the duration of the contract." Choosing the wrong level or the wrong label means repeating the assessment – at the supplier's own expense.

As a guide for organisations defining their scope for the first time:

• Confidential (AL2): The default for suppliers that process confidential engineering or project data digitally for an OEM.
• Strictly Confidential (AL3): For organisations with access to unpublished vehicle information, prototype data or sensitive development secrets.
• High Availability (AL2 or AL3): For suppliers whose IT outage would directly threaten the OEM's production continuity – just-in-time parts suppliers or control system service providers.
• Data protection module additionally: As soon as personal data is processed on behalf of the OEM.
• Prototype protection module additionally: As soon as physical contact with test vehicles or pre-production components is involved.

Upgrading from AL2 to AL3 is possible, but requires a fully new assessment – not an extension of the existing label. Suppliers who anticipate being involved in prototype development should factor this in from the outset.

How Many Companies Use Each Level?

Of the more than 9,500 active TISAX labels in the ENX portal (as of 2025), around 65 percent are at AL2, 25 percent at AL3 and 10 percent at AL1. The shift towards AL3 is noticeable: OEMs are increasingly requiring the higher level wherever particularly sensitive data is processed in the supply chain.

What Changed in the TISAX Label Allocation Process in 2025?

TISAX is growing: more than 9,500 labels are registered in the ENX portal, up around 18 percent year-on-year. The primary driver is increasing pressure from OEMs, who no longer treat TISAX as an optional quality statement but as a hard contractual prerequisite – often with a deadline attached.

Organisations working with vehicle development data or business-critical IT systems are now more frequently finding AL3 written into their contracts as a minimum requirement than they were two years ago. For IT managers this means: the difference between AL2 and AL3 is not academic – it determines whether an on-site assessment is required, how long preparation takes and what the budget needs to be. Discovering this at the assessment kick-off is too late.

Why IT Documentation Determines Whether You Get the Label

Choosing the right label and level is one thing. Being able to demonstrate it during the assessment – that is the more demanding challenge.

Around 60 percent of a TISAX project falls on the IT side. Asset inventory, network segmentation, access rights concept, patch status, IT emergency manual: none of this merely needs to exist – it needs to be current, complete and traceable.

Many organisations do not fail because the VDA ISA controls are too complex. They fail because their IT documentation is out of date by the time the assessment takes place. An assessor who finds that the documented systems do not match the actual infrastructure will not issue the label – and the appointment was billable regardless. This gap builds up gradually: systems are added, permissions change, the documentation stays put.

Docusnap scans Windows, Linux and VMware environments agentlessly and keeps the IT inventory current. Network diagrams, access rights analyses and patch reports are generated directly from the inventory data – in the format auditors want to see. The difference from a pure ISMS or GRC platform: those guide users through the VDA ISA questionnaire but do not deliver reliable IT inventory data. Docusnap does exactly that – and integrates with existing GRC environments via REST API.

ABT Sportsline is a concrete example: the company deployed Docusnap as part of its TISAX certification because manual IT documentation was no longer sufficient for the audit requirements. The result: the infrastructure across three buildings was fully captured and audit-ready – in time for the assessment date.