TISAX Compliance: Complete Guide for Automotive Suppliers (2026)
2026-03-25
By Orbiq Team

Complete guide to TISAX compliance in 2026 — assessment levels AL1/AL2/AL3, VDA ISA 6.0, ENX portal, costs, timeline, ISO 27001 overlap, and step-by-step process for automotive suppliers.

If you supply components, software, engineering services, or data processing to automotive OEMs or Tier-1 manufacturers, you have almost certainly received a TISAX assessment request. As the automotive supply chain digitizes — connected vehicles, over-the-air updates, shared design data, prototype vehicle programs — OEMs have formalized information security requirements for every link in the chain.

TISAX (Trusted Information Security Assessment Exchange) is that formalization. Developed by the VDA (German Association of the Automotive Industry) and managed by the ENX Association, TISAX has become the de facto information security standard for automotive suppliers in Germany and across the European supply chain. This guide covers everything you need to know: what TISAX is, how assessment levels work, what the VDA ISA 6.0 questionnaire requires, how the ENX portal functions, how to calculate realistic costs and timelines, and how to leverage an existing ISO 27001 program to accelerate compliance.


What Is TISAX?

TISAX stands for Trusted Information Security Assessment Exchange. It is an industry-wide information security assessment and exchange mechanism for the automotive supply chain, developed by the VDA (Verband der Automobilindustrie) and operated by the ENX Association.

The core purpose of TISAX is to allow automotive suppliers to undergo a single standardized information security assessment and share the results with multiple customers — rather than each OEM running its own supplier audit program. Before TISAX, large automotive suppliers might receive dozens of different security questionnaires and audit requests from different customers annually. TISAX consolidates this into one recognized framework with a reusable result.

VDA ISA: The Assessment Questionnaire

The assessment itself is based on the VDA ISA (Information Security Assessment) questionnaire, now in version 6.0. VDA ISA 6.0 was introduced in 2022 and became mandatory for all new TISAX assessments from April 1, 2024. The questionnaire covers:

  • Information security management (policies, roles, risk management)
  • Human resources security (onboarding, awareness, offboarding)
  • Physical and environmental security (site access, clean desk, server room controls)
  • Identity and access management (user provisioning, privileged access, MFA)
  • Cryptography (data at rest and in transit)
  • Operations security (patch management, malware protection, logging)
  • Communications security (network segmentation, remote access)
  • Supplier relationships (third-party security assessments)
  • Incident management (detection, response, notification)
  • Business continuity (DR/BCP, recovery testing)
  • Prototype protection (physical and logical protection of pre-production vehicle data)
  • Connected vehicles / high protection requirements (applies to AL3 scopes)

VDA ISA 6.0 uses a maturity scoring model (0–5 scale, aligned to CMMI) for each control, and TISAX requires achieving a minimum maturity level across all applicable controls.


TISAX Assessment Levels Explained

TISAX defines three assessment levels (AL), each with different rigor, audit methods, and outputs:

Assessment Level | Method | TISAX Label Issued? | Typical Use Case
--- | --- | --- | ---
AL1 | Self-assessment (plausibility check) | No | Suppliers with low-sensitivity data only
AL2 | Remote audit by accredited provider | Yes | Standard requirement for most Tier-1/2 suppliers
AL3 | On-site audit by accredited provider | Yes | Prototype vehicles, classified data, highest protection

AL1 — Self-Assessment

AL1 is a plausibility check: the supplier completes the VDA ISA questionnaire and confirms their answers without an independent audit. No TISAX label is issued at AL1. Customers rarely accept AL1 alone for anything beyond the lowest-sensitivity data sharing. AL1 results are visible only within the ENX portal and cannot be shared externally as a validated label.

AL2 — Remote Audit

AL2 is the standard TISAX assessment level. An accredited audit service provider (listed on enx.com) conducts a remote review of your VDA ISA responses, documentation, and evidence. The auditor verifies that your claimed controls are actually implemented. Upon successful completion (with any corrective actions closed within the 9-month window), a TISAX label is issued and registered in the ENX portal.

AL2 is required by default for most supply chain relationships involving ordinary confidential information (designs, specifications, contracts, personal data).

AL3 — On-Site Audit

AL3 applies to the most sensitive data categories: pre-production vehicles (prototypes), classified vehicle information, and connected vehicle data. The audit is conducted on-site by an accredited provider and covers both information security controls and physical security measures at the relevant locations.

AL3 is required for suppliers handling:

  • Physical prototype vehicles
  • Highly classified technical data (e.g., unreleased powertrain specifications)
  • Vehicle cybersecurity-relevant data

TISAX Labels

Upon successful AL2 or AL3 assessment, the ENX portal registers a TISAX label for the assessed scope. Key properties of TISAX labels:

Property | Detail
--- | ---
Validity | 3 years from assessment date
Scope | Defined per assessment (site, business unit, or company-wide)
Sharing | Confidential; shared only with authorized OEM/customer contacts via ENX
Public display | Not publicly displayed; ENX results are need-to-know only
Re-assessment | Required every 3 years, or earlier if significant scope changes occur
Corrective actions | Up to 9 months post-audit to close open findings before the label is issued

The label itself indicates the assessment level (AL2 or AL3) and the protection class assessed. Customers you authorize in the ENX portal can view your label status but cannot access the underlying audit findings — only the label outcome is shared.


TISAX Protection Classes

TISAX uses protection classes to align assessment scope with data sensitivity:

Protection Class | Description | AL Required
--- | --- | ---
PC1 | Normal protection (standard business data) | AL1
PC2 | High protection (confidential supplier/OEM data) | AL2
PC3 | Very high protection (prototype, classified vehicle data) | AL3
"Prototype protection" | Physical and logical prototype vehicle security | AL3
"Connected vehicles" | Cybersecurity for connected vehicle data | AL3

Your customer specifies which protection class applies to the data or project involved in your relationship.


TISAX vs ISO 27001: Key Differences

Both TISAX and ISO 27001 address information security management, and there is significant overlap — approximately 80–90% of TISAX controls map to ISO 27001 requirements. However, key differences exist:

Dimension | TISAX | ISO 27001
--- | --- | ---
Scope | Automotive supply chain | Any industry
Standard | VDA ISA 6.0 (based on ISO 27001) | ISO/IEC 27001:2022
Certification body | ENX-accredited audit providers | ISO-accredited certification bodies
Result | TISAX label (AL2/AL3) | ISO 27001 certificate
Validity | 3 years | 3 years (annual surveillance audits)
Automotive-specific | Yes (prototypes, connected vehicles) | No
Result sharing | Via ENX portal (confidential) | Certificate publicly shareable
Self-assessment | AL1 available | Not applicable

If you already have ISO 27001: Your existing ISMS documentation, policies, risk register, and evidence base can directly support a TISAX assessment. Gaps are typically in automotive-specific areas (prototype protection, supplier-specific controls). Many suppliers achieve TISAX AL2 within 3–6 months of starting from an ISO 27001 baseline, versus 9–12 months from scratch.

If you are starting fresh: Consider pursuing ISO 27001 and TISAX in parallel. The effort overlap is significant, and a combined approach often reduces total cost and timeline versus sequential certifications.


The TISAX Process: Step by Step

Step 1: Determine Your Scope and Assessment Level

Define which organizational units, sites, and systems are in scope. Your customer will specify the protection class and assessment level required. Scope definition is a strategic decision — too narrow and you may not satisfy customer requirements; too broad and costs increase significantly.

Step 2: Register on the ENX Portal

Create your company account at enx.com. Registration requires basic company information and costs approximately €400 (ENX registration fee per assessment scope). Once registered, you receive an ENX ID used throughout the assessment.

Step 3: Conduct a Gap Analysis

Complete the VDA ISA 6.0 self-assessment questionnaire honestly. Identify gaps between your current controls and required maturity levels. For AL2, you need maturity level ≥3 ("defined process") for most controls. The gap analysis reveals your preparation workload.

Step 4: Implement Remediation

Address identified gaps. Common remediation areas include:

  • Formal information security policies and procedures
  • Risk assessment documentation
  • Access control and IAM policies
  • Supplier assessment processes
  • Incident response procedures
  • Security awareness training records
  • Physical security documentation

If you have an existing ISO 27001 ISMS, focus remediation on automotive-specific gaps.

Step 5: Select an Accredited Audit Service Provider

Choose from ENX-listed accredited providers. Major providers include TÜV SÜD, TÜV Rheinland, DEKRA, DQS, Bureau Veritas, and BSI Group. Get quotes from 2–3 providers — prices vary significantly. Auditor availability affects timeline; book 8–12 weeks in advance.

Step 6: Undergo the Assessment

For AL2, the auditor reviews your VDA ISA responses, documentation, and evidence remotely over 1–3 days. For AL3, the auditor visits each relevant location on-site (1–3 days per site). The auditor documents findings, distinguishing between conformities and non-conformities.

Step 7: Close Corrective Actions

For any non-conformities identified, you have up to 9 months to implement corrective actions and provide evidence of closure. Major non-conformities must be closed before the label is issued; minor ones may be tracked with a defined closure plan.

Step 8: Receive Your TISAX Label

Once all required corrective actions are closed, the accredited provider registers your TISAX label in the ENX portal. You can then authorize your customers to view your label status through the portal.


TISAX Costs: Realistic Budget

Cost Component | Typical Range
--- | ---
ENX registration fee | ~€400
Accredited audit provider (AL2, SME) | €5,000–€12,000
Accredited audit provider (AL2, enterprise) | €10,000–€25,000+
AL3 premium over AL2 | +30–50%
Gap analysis / consultant | €5,000–€20,000
Internal preparation (staff time, tools) | €10,000–€50,000+
ISO 27001 overlap savings | -20% to -50% of preparation costs

Total typical range:

  • Small supplier (AL2, ISO 27001 baseline): €15,000–€40,000
  • Mid-size supplier (AL2, from scratch): €30,000–€80,000
  • Large supplier (AL3, multiple sites): €80,000–€200,000+

These are one-time preparation costs. Annual ongoing costs (continuous monitoring, annual reviews, training) are substantially lower.


TISAX Renewal and Maintenance

TISAX labels are valid for 3 years. Before expiry, you must undergo a re-assessment to maintain your label. Planning for re-assessment should begin at least 6–9 months before expiry to avoid a gap in label validity.

Between assessments, maintain your ISMS through:

  • Annual management reviews
  • Internal audits
  • Continuous control monitoring
  • Supplier re-assessments
  • Updating documentation for process changes

Significant organizational changes (mergers, new sites, major system changes) may require updating your TISAX scope or triggering a new assessment.


How Orbiq Supports TISAX Compliance

TISAX preparation and maintenance is documentation-intensive. Orbiq's compliance platform is built for exactly this workload:

Continuous monitoring. Orbiq's continuous monitoring automatically collects technical evidence from your systems — access logs, patch records, configuration baselines — eliminating manual evidence gathering for each assessment cycle.

Supplier risk management. AI-powered questionnaire automation and supplier risk management are built-in, not bolt-on — addressing TISAX's third-party requirements directly.

Trust Center for customer communication. The Trust Center Platform provides a secure channel for sharing compliance status with authorized OEM contacts, complementing the ENX portal for broader customer communication.

EU data residency. Orbiq is established in the EU and processes all data exclusively in European infrastructure — eliminating CLOUD Act exposure for your compliance data.


TISAX and the Broader EU Regulatory Context

TISAX sits within a broader EU regulatory environment that automotive suppliers must navigate:

  • NIS2 Directive: If your organization qualifies as an essential or important entity under NIS2, you face parallel cybersecurity requirements. TISAX controls map well to NIS2 Article 21, reducing duplication.
  • GDPR: Vehicle data and connected services data often involve personal data (driver behavior, location). TISAX's data protection controls complement GDPR requirements.
  • EU Cyber Resilience Act: From 2027, products with digital elements (including automotive components with embedded software) will face mandatory security requirements. TISAX's cybersecurity controls provide a strong foundation.
  • UNECE WP.29 / ISO/SAE 21434: For connected vehicle cybersecurity specifically, TISAX works alongside automotive cybersecurity standards (CSMS requirements under WP.29).

Key Takeaways

  • TISAX is the de facto information security standard for the automotive supply chain, required by virtually all major European OEMs
  • VDA ISA 6.0 is the current assessment questionnaire (mandatory from April 1, 2024)
  • AL2 (remote audit, TISAX label issued) is the standard requirement; AL3 applies to prototype and highly classified data
  • TISAX labels are valid for 3 years; results are shared confidentially via the ENX portal
  • Companies with ISO 27001 certification can reduce TISAX preparation effort by 20–50% due to 80–90% control overlap
  • Realistic total costs range from €15,000 (AL2, ISO 27001 baseline) to €200,000+ (AL3, multiple sites, enterprise)
  • The end-to-end process takes 6–12 months; planning ahead is essential

This guide is maintained by the Orbiq team. Last updated: March 2026.