What Is TISAX? The Overview for IT Managers

Stefan Effenberger, IT Documentation Expert

Last updated: 10 June 2026

Reading time: 3 minutes


Key takeaways

  • What is TISAX? TISAX (Trusted Information Security Assessment Exchange) is the automotive industry's information security standard. It defines what protective measures suppliers must implement for sensitive vehicle, development and customer data.
  • Who does TISAX affect? Every company that processes sensitive information from automotive manufacturers – regardless of company size. OEMs increasingly enforce the proof as a prerequisite for doing business.
  • What do you need to do now? The first step is to understand which protection level applies to your data and where the gaps in your current IT documentation are – before the auditor finds them for you.

TISAX – What the Standard Means for Auto Suppliers

What Is TISAX?

TISAX stands for Trusted Information Security Assessment Exchange. In short, it is the information security standard that the German automotive industry agreed on to enforce uniform requirements for handling sensitive data. The standard covers both the requirements catalogue (VDA ISA) and the audit and exchange mechanism that connects OEMs and suppliers.

Developed by the German Association of the Automotive Industry (VDA), its foundation is the VDA ISA catalogue – a questionnaire built on ISO/IEC 27001, but specifically tailored to the requirements of the automotive sector. The ENX Association manages the programme and ensures that audit results can be shared across the industry.

The key difference from a pure ISO 27001 certification: TISAX is not a self-assessment. The audit is conducted by an accredited, independent service provider. The result is a proof of compliance visible in the ENX portal to your automotive partners – or not.

Why does this matter? Because OEMs such as BMW, Volkswagen and Mercedes-Benz are increasingly making the proof mandatory. Companies without a current certificate are excluded from tenders. Just like that.

You Supply an OEM – Why TISAX Is Now Your Business

Most automotive suppliers don't hear about the TISAX requirement from their IT department – they hear it from sales: an OEM partner sends a requirements list, and at the top is the TISAX certification.

This is no coincidence. OEMs process data every day that can cause significant economic damage if it falls into the wrong hands: design drawings, prototype information, production processes, customer data. Manufacturers cannot guarantee the security of this data as long as they have no reliable information about the IT security of their suppliers.

TISAX is the answer. It creates a common language with which suppliers can demonstrate their security posture – without every OEM having to develop its own questionnaires and audits. What does TISAX contain specifically? At its core: a requirements catalogue for information security, a standardised audit process, and an industry-wide exchange system for audit results.

When do I need TISAX? The rule of thumb: anyone who processes sensitive information from an OEM is affected. This includes:

  • Tier-1 suppliers with direct OEM contact
  • Tier-2 and Tier-3 suppliers integrated into the supply chain
  • Software developers, engineering firms and service providers who receive development data
  • Companies handling prototypes or confidential documents

Company size is irrelevant. A 20-person business developing control software for an OEM can be in scope just the same.

Tier-2 and Tier-3: Indirect Suppliers Are Affected Too

A common misconception: TISAX only applies to direct partners of the major automotive manufacturers. That is not correct. The requirement is increasingly passed down along the entire supply chain.

Here is how it works: a Tier-1 supplier receives the obligation from the OEM to be TISAX-compliant. It passes this requirement on to its own suppliers – the Tier-2 companies. These in turn can impose the same requirement on their sub-suppliers. The result: a mid-sized company that has never communicated directly with an OEM still finds itself in scope.

Who is affected in this case depends on what data flows. Three questions help to assess the situation:

  • Do you receive design, development or production data from a client in the automotive sector?
  • Do you process or store this data on your IT systems?
  • Do you have contractual agreements that include information security requirements?

Anyone who answers all three questions with yes should assume that the TISAX requirement will reach them sooner or later – even without direct OEM contact.

TISAX Applies Worldwide – Not Just in Germany

TISAX was developed by the German automotive industry, but its reach is now global. Any company worldwide working with German OEMs or their direct Tier-1 suppliers may fall under the requirement – regardless of whether it is based in Germany, Poland, the Czech Republic, Mexico or Japan.

This is not a theoretical scenario. German automotive manufacturers operate global supply chains. BMW, Mercedes-Benz and Volkswagen source components and services from hundreds of international suppliers. TISAX is the uniform standard these companies use to ensure information security across that chain – regardless of a supplier's location.

International companies face the same requirements as German ones. The VDA ISA catalogue, the assessment levels and the ENX portal proof are identical. What may differ: the availability of accredited audit service providers in a given country. The ENX Association maintains a current list of accredited auditors active outside Germany.

What Auditors Will Check – and What That Means for Your IT

The TISAX audit follows a structured process. Accredited audit service providers verify whether a company's information security measures match the protection requirements of the data it processes. There are two levels of depth: a plausibility check (assessment level 1) and a full on-site review (assessment levels 2 and 3).

The VDA ISA catalogue divides the requirements into several subject areas. Particularly relevant for IT managers: information security management, IT systems and networks, identity and access management, and prototype protection (where applicable). For each requirement, the auditor evaluates a maturity level on a scale of 0 to 5 – with maturity level 3 as the minimum. This does not simply mean that a measure exists, but that it is lived in daily operations and verifiably tested.

Auditors do not expect complete documentation of every process. But they do expect evidence. An asset list from last quarter, a network diagram that only the senior admin holds in their head – neither will hold up. Most gaps are not in technical IT security, but in the documentation of existing measures.

Which Protection Level Applies to Your Company?

Not every supplier faces the same requirements. TISAX differentiates by the protection need of the data a company receives from its OEM partners.

  • Normal – Standard information without special confidentiality requirements. Assessment level 1 (plausibility check).
  • High – Confidential development data, supply chain plans. Assessment level 2 (on-site review).
  • Very high – Prototype information, highly sensitive design data. Assessment level 3 (extended on-site check).
  • Very high + prototype protection – Vehicles and components before series launch. Assessment level 3 with extended physical inspection.

Which protection level applies to you is not determined by your own company, but by the OEM partner. They classify the information they share with you and tell you which TISAX requirements you must meet.

In practice, this means: a company working for several OEMs may fall under different requirement profiles. The strictest requirement then sets the benchmark for the entire information security system.

A common misconception is that the protection level is a property of the company. It is not: it refers to the data. Even a small engineering firm with five employees can fall under "Very high" if it processes prototype design drawings.

What VDA ISA 6.0 Changes – and Why It Applies to Everyone Starting Now

Since 1 April 2024, all new TISAX audits are conducted exclusively on the basis of VDA ISA catalogue version 6.0. Anyone starting their preparation today works on this foundation – there is no alternative.

The most important changes from the previous version:

  • Clearer requirements structure: ISA 6.0 includes typical auditor questions and evidence examples directly alongside many control questions – making preparation more concrete.
  • New label system: The previous categories were fundamentally revised. Four new labels now strictly separate confidentiality and availability; the central categories are now "Confidential" and "Availability".
  • Stronger focus on verifiability: ISA 6.0 explicitly emphasises that measures must not only exist, but be demonstrably practised – a tightening compared to earlier versions.
  • Updated references: The catalogue now explicitly references ISO 27001:2022 and the NIST Cyber Security Framework.

For companies that already hold a TISAX result based on ISA 5.x: existing proofs remain valid until their regular expiry. For new engagements, there is no transition option.

TISAX and Data Protection: An Often Overlooked Audit Area

TISAX is frequently seen as a pure IT security topic. Yet the VDA ISA catalogue also contains a dedicated audit objective for data protection – and this is not a minor point.

Anyone processing personal data in connection with their work for an OEM – such as employee data, customer contacts or vehicle owner information – must demonstrate that this data is handled in accordance with GDPR. This includes technical and organisational measures, but also documented processing records and clear responsibilities.

In practice, this means: the data protection officer and the information security manager must work closely together during TISAX preparation. Discovering the data protection dimension shortly before the audit date creates significant time pressure. The requirements are manageable – but they must be fully and verifiably met.

Existing Security Framework? That Counts

Anyone already operating an information security management system (ISMS) – such as one based on ISO 27001 – has a head start. The VDA ISA catalogue is built on the same principles as established international standards: risk analysis, protection needs assessment, defined responsibilities, regular reviews. Anyone already familiar with these structures does not need to reinvent them – they just need to align them with the specific requirements of the automotive industry.

What TISAX demands beyond that are industry-specific topics: prototype protection, physical security zones for test vehicles, the handling of OEM-owned vehicles on the premises. These are areas that do not appear in generic security standards – and that require separate preparation, regardless of how mature the existing ISMS is.

An existing framework is therefore not a free pass, but a genuine head start. How this plays out in practice is shown by the ABT Sportsline case study – an automotive supplier using Docusnap as the foundation for its TISAX preparation.

From Decision to Proof: the Typical Project Timeline

TISAX projects follow a recognisable pattern. The path from the first OEM requirement to the published audit proof can broadly be divided into six phases:

  1. Define scope and protection need – together with the OEM: which data, which sites, which protection level?
  2. Gap analysis – assess current state against the VDA ISA catalogue, create action list (2–6 weeks)
  3. Implement measures – documentation, processes, training, technical measures (3–9 months)
  4. Internal pre-audit – dry run against the ISA catalogue, close remaining gaps
  5. External audit – by an ENX Association-accredited audit service provider (½ to 2 days on-site)
  6. Proof in the ENX portal – result valid for three years, visible to OEM partners

Anyone starting today should plan for four to twelve months total – depending on their starting point. The detailed process including preparation, assessment levels and typical pitfalls will be covered in the TISAX audit article.

Where Most TISAX Projects Stall – and How to Avoid It

Companies going through a TISAX audit for the first time rarely encounter technical surprises. What surprises them is the documentation effort.

Typical stumbling blocks:

IT inventory is missing or out of date. Auditors expect a complete, current list of all information-processing systems: servers, clients, network devices, cloud services, mobile devices. An Excel list from last quarter does not reliably meet this requirement.

Permissions are not traceable. Who has access to which systems, which data, which applications? This question should be answerable with a single click for the auditor – not with a journey through five different systems.

Network documentation is patchwork. Segmentation concepts, interface descriptions, VLAN overviews – they often exist, but not as consistent, current documentation.

Policies are adopted but not lived. An IS policy sitting in the intranet is of little use when training records are missing or policies have not been reviewed in years.

The good news: all these gaps can be closed – if you start early enough. Typical TISAX preparations take between three and twelve months depending on the starting point. Starting six weeks before the planned audit means pressure.

A pragmatic first step: a gap analysis against the VDA ISA catalogue before engaging a service provider. This saves time and shows where the real effort lies – and where more is already in place than assumed.

For a compact introduction to how IT documentation for TISAX can be automated in three steps, watch this video: Preparing for TISAX: Automate IT Documentation in 3 Steps

Docusnap inventories IT environments automatically and generates the documentation auditors expect – without manual maintenance effort. What that means in practice, read on Docusnap's TISAX solution page.

What TISAX Costs – and How Long the Proof Is Valid

TISAX is not a one-time project. The external audit costs consist of ENX registration fees and the fees of the audit service provider – depending on the assessment level and company size, the pure audit costs range from around €3,500 (level 2, SME) to €30,000 (level 3, larger environments). Internal effort for gap analysis, documentation and training comes on top, and in many projects exceeds the external costs. The proof is valid for three years – after which a renewal audit is required, typically costing 60–70% of the initial effort.

Next steps

The first concrete step is not contacting an audit service provider, but an honest stocktaking: how complete is your current IT documentation – and how current? IT teams that can answer this question with a tool rather than manual lists start their preparation with a clear advantage. Try Docusnap for free and see what your IT actually looks like.

FAQs

Is TISAX legally required?

No – but it is effectively mandatory. Most German automotive manufacturers (OEMs) require a TISAX label as a prerequisite for collaboration. No label, no contract.

Which departments are involved?

TISAX is not a pure IT project. Typically involved are: IT, HR (onboarding/offboarding), Facility Management (physical security), Procurement (supplier evaluation), Executive Management (management commitment), and Legal (contracts, GDPR).

What happens if the assessment is not passed?

For minor non-conformities, a temporary label can be issued until the issues are resolved. For major non-conformities, no label is granted – the organisation must remediate and be re-assessed. This costs time and money.

Do small companies also need TISAX?

Yes – company size does not matter. What matters is the type of information being processed. Even sole proprietorships may need a TISAX label if they handle sensitive OEM data.

What role does TISAX play in the automotive industry?

In the automotive industry, TISAX applies to all companies in the supply chain that process sensitive information from OEMs or Tier-1 suppliers. For the German automotive industry, TISAX has become the de facto standard, ensuring that information security is consistently implemented throughout the entire supply chain – from development and production to series launch.

What exactly is TISAX?

TISAX (Trusted Information Security Assessment Exchange) is an assessment and exchange process for information security in the automotive industry. It is based on the VDA ISA catalogue, which in turn builds on ISO/IEC 27001. The process is managed by the ENX Association. The goal is to enable automotive manufacturers to assess the information security of their suppliers in a standardised way and share the results across the industry – without every OEM having to develop its own questionnaires.

Is TISAX certification mandatory for my company?

There is no legal obligation. TISAX is an industry-wide requirement that OEMs impose as a prerequisite for business relationships. Any company processing development, engineering, or production data from an OEM should expect this requirement. In practice, TISAX is de facto mandatory for Tier-1 suppliers in the German automotive industry.

How long does TISAX preparation take?

It depends on your starting point. Companies with an existing ISMS and solid IT documentation can achieve certification in three to six months. Those starting from scratch should plan for six to twelve months — realistic, not pessimistic.

How long is a TISAX certificate valid?

Three years. After that, a re-assessment is required. In addition, annual self-monitoring is expected.

What does TISAX cost?

Costs consist of ENX registration fees and the fees charged by the audit service provider. Depending on audit depth and company size, total costs range between €5,000 and €30,000 — not including internal preparation efforts.
