TISAX Compliance

Any company in the automotive supply chain that handles sensitive information for OEMs such as Volkswagen, BMW, Mercedes-Benz, or Stellantis. This includes Tier 1 and Tier 2 suppliers, engineering and design firms, IT service providers, logistics companies handling automotive goods, and any organization working with pre-production vehicle data or prototypes. If an OEM contractually requires TISAX, you must obtain the appropriate assessment label before onboarding.

A typical TISAX journey takes 3-6 months from kickoff to receiving your label. This includes a gap assessment against the ISA questionnaire (2-4 weeks), a remediation phase to close identified control gaps (6-16 weeks depending on maturity), and the official accredited assessment (AL2 remote verification or AL3 on-site). Organizations with an existing ISO 27001 ISMS will generally move faster through the remediation phase.

TISAX has three assessment levels. AL1 is a self-assessment only and is not accepted as proof by automotive OEMs. AL2 is a remote plausibility check conducted by an accredited ENX audit provider, and it is the standard requirement for suppliers handling normal-sensitivity data. AL3 is a full on-site verification required for very high protection needs, including organizations handling prototype vehicles, pre-production designs, or highly confidential OEM technical data. Most suppliers need AL2 or AL3.

No. TISAX assessment labels have a 3-year validity period. After expiry, you must undergo a re-assessment to maintain your label and continue supplying to OEM partners. Additionally, significant changes to your IT environment, security controls, or business scope may trigger a requirement for an interim re-assessment before the 3-year cycle ends. Ongoing compliance monitoring helps avoid surprises at renewal.