TISAX Compliance
The standard for the automotive supply chain. Secure your place with internationally recognized TISAX labels. Major OEMs like Volkswagen, BMW, and Daimler require TISAX from all suppliers.
Quick Facts
What is TISAX?
TISAX (Trusted Information Security Assessment Exchange) is the common assessment and exchange mechanism for information security in the automotive industry. Governed by the ENX Association, it ensures mutual recognition of security assessments across the supply chain.
ISO 27001 Foundation
TISAX is based on the ISA (Information Security Assessment) questionnaire, which builds on ISO 27001 with automotive-specific additions for prototype protection.
Mutual Recognition
One TISAX assessment is recognized by all participating OEMs - no need for multiple redundant audits from different manufacturers.
ENX Exchange Portal
Results are shared through the ENX portal, allowing partners to verify your security labels without sharing full audit details.
Why TISAX Matters
Who Needs TISAX?
Any company in the automotive ecosystem that handles sensitive information or works with OEM partners.
Companies Requiring TISAX
- •Tier 1 and Tier 2 automotive suppliers
- •Engineering and design service providers
- •IT service providers to automotive companies
- •Logistics and transport providers handling automotive goods
- •Any company in the automotive supply chain handling sensitive data
- •Companies working with prototypes or pre-production vehicles
Assessment Objectives
Information Security
Core information security management based on ISA questionnaire
Prototype Protection
Physical and digital protection of pre-production vehicles and components
Data Protection
GDPR-compliant processing of personal data
Assessment Levels
AL 1: Self-Assessment
Based on self-assessment only. Not accepted for external proof in the automotive industry. Suitable only for internal use.
AL 2: Remote Verification
Plausibility check of your self-assessment conducted remotely by an accredited audit provider. Standard for normal protection needs.
AL 3: On-Site Verification
Full on-site verification of evidence by an accredited provider. Required for very high protection needs and prototype protection.
What You Get
Our TISAX program delivers ISA-aligned controls and evidence for your assessment level.
ISA Questionnaire Mapping
Complete control mapping to ISA requirements with implementation guidance
ISMS Documentation
ISO 27001-based policies and procedures tailored for automotive sector
Prototype Protection Controls
Physical and digital security measures for pre-production vehicles and components
Assessment Preparation
Evidence collection and audit preparation for AL2 or AL3 assessment
ENX Portal Registration
Support for ENX participant registration and label publication
How D3 Cyber Helps
We prepare you for TISAX assessment success. Our services address specific needs, while our solutions deliver complete compliance journeys.
Compliance Gap Assessment
Evaluate your current controls against ISA questionnaire requirements and identify gaps before your TISAX assessment.
Learn more →Security Testing
Penetration testing and vulnerability assessments to validate the technical controls TISAX requires.
Learn more →Security Awareness Training
Train your staff on automotive security requirements and handling sensitive prototype data securely.
Learn more →Regulatory Services
End-to-end TISAX preparation from gap analysis through ISMS implementation, documentation, and assessment readiness.
Learn more →Cyber Defense & Operations
Implement the monitoring, testing, and vulnerability management capabilities TISAX assessments evaluate.
Learn more →vCISO (Fractional CISO)
Expert guidance for ISMS implementation, policy creation, and prototype protection controls required by TISAX.
Learn more →TISAX Frequently Asked Questions
Who needs TISAX certification?
Any company in the automotive supply chain that handles sensitive information for OEMs such as Volkswagen, BMW, Mercedes-Benz, or Stellantis. This includes Tier 1 and Tier 2 suppliers, engineering and design firms, IT service providers, logistics companies handling automotive goods, and any organization working with pre-production vehicle data or prototypes. If an OEM contractually requires TISAX, you must obtain the appropriate assessment label before onboarding.
How long does a TISAX assessment take?
A typical TISAX journey takes 3-6 months from kickoff to receiving your label. This includes a gap assessment against the ISA questionnaire (2-4 weeks), a remediation phase to close identified control gaps (6-16 weeks depending on maturity), and the official accredited assessment (AL2 remote verification or AL3 on-site). Organizations with an existing ISO 27001 ISMS will generally move faster through the remediation phase.
What are the TISAX assessment levels?
TISAX has three assessment levels. AL1 is a self-assessment only and is not accepted as proof by automotive OEMs. AL2 is a remote plausibility check conducted by an accredited ENX audit provider, and it is the standard requirement for suppliers handling normal-sensitivity data. AL3 is a full on-site verification required for very high protection needs, including organizations handling prototype vehicles, pre-production designs, or highly confidential OEM technical data. Most suppliers need AL2 or AL3.
Is TISAX certification permanent?
No. TISAX assessment labels have a 3-year validity period. After expiry, you must undergo a re-assessment to maintain your label and continue supplying to OEM partners. Additionally, significant changes to your IT environment, security controls, or business scope may trigger a requirement for an interim re-assessment before the 3-year cycle ends. Ongoing compliance monitoring helps avoid surprises at renewal.
Ready for TISAX?
Ensure your automotive partnerships are secure. Book your TISAX readiness assessment today.