Sites assessed across 90+ countries
TISAX label validity period before reassessment
Minimum maturity required across all VDA ISA controls
Regulation Overview
TISAX is the automotive industry's standardized information security assessment and exchange mechanism and the cornerstone of OEM supplier qualification requirements. For supply chain teams, the primary obligation is demonstrating information security maturity across confidentiality, availability, prototype protection, and data privacy—validated through an ENX-approved audit provider.
Over 17,500 sites across 90+ countries hold active TISAX labels as of 2025. VDA ISA 6.0, effective April 2024, replaced the previous label structure with four distinct labels: Confidential, Strictly Confidential, High Availability, and Very High Availability. OEMs including Volkswagen, BMW, Stellantis, and PACCAR now mandate TISAX as a prerequisite for RFQ participation and ongoing supply chain engagement.
TISAX compliance requires documented evidence of a functioning ISMS—policies, risk assessments, access controls, and incident response—from every supplier site handling OEM data. When VDA updates the ISA catalog, your entire security management system requires reassessment against the new controls.

Tier 1, Tier 2, and Tier 3 suppliers handling confidential OEM information
Service providers processing automotive design, engineering, or production data
IT and software vendors integrated into automotive development environments
Logistics providers transporting prototypes or sensitive components
Non-European companies supplying into European OEM supply chains
Contract manufacturers and assembly partners with OEM data access
Key Thresholds
Your OEM requires AL3 across four manufacturing sites and two engineering centers. Each site needs its own VDA ISA self-assessment, but ISMS documentation lives in different systems, different languages, and different formats. Your team spends months reconciling policies across sites—only to discover that Site 3 never documented its access control procedures.
The auditor scores your incident response process at maturity level 2—documented but not consistently practiced. You need level 3 across every control question. Three controls at level 2 means no TISAX label. The corrective action plan adds four months. Your OEM's RFQ deadline is in six weeks.
TISAX requires you to assess and manage information security risks from your own suppliers. But you have 200 sub-tier suppliers, and only 40 have any TISAX label. Without centralized supplier security evidence, you cannot demonstrate multi-tier supply chain transparency to the auditor—or to the OEM demanding flowdown compliance.
VDA ISA 6.0 split the Information Security label into four separate objectives. Six new control questions target ransomware defense and business continuity. Your existing ISMS, built for ISA 5.1, has gaps in the new Availability controls. Manual cross-mapping between your old documentation and the new catalog is consuming weeks of your compliance team's capacity.
Certivo in Action — TISAX Workflow

From Manual Chasing to Exception Management
CORA collects, parses, and validates supplier security evidence automatically through AI-native compliance automation. Your team focuses on maturity gaps that need human judgment—not chasing PDFs across email threads.
Assessment Evidence Acceleration
Generate complete, audit-ready ISMS evidence packages in hours—not the 4–6 weeks of manual compilation across disconnected systems and spreadsheets.
Proactive Audit Readiness
When supplier TISAX labels approach expiration or VDA updates the ISA catalog, Certivo reassesses your network instantly through regulatory intelligence and horizon scanning. Know which suppliers need attention before OEM audits begin.
Frequently Asked Questions
What companies are subject to TISAX requirements?
Any organization handling confidential information from automotive OEMs—including Tier 1 through Tier 3 suppliers, engineering service providers, IT vendors, and logistics companies transporting prototypes—can be required to hold a TISAX label. The requirement typically flows down from OEM contractual obligations. Non-European companies supplying into European automotive supply chains are equally subject. Certivo's automated supplier data collection and AI document parsing capabilities help organizations across all tiers establish and maintain the required evidence.
What are the consequences of failing a TISAX assessment?
While TISAX is not a legal regulation, failing to achieve the required label effectively blocks business with OEMs that mandate it. Suppliers without valid TISAX labels may be excluded from RFQ processes, lose existing contracts, or face restricted data access. Stellantis, for example, has set a September 2026 deadline for recertification. CORA's continuous compliance monitoring ensures your organization maintains audit readiness between assessment cycles.
How does VDA ISA 6.0 differ from previous versions?
ISA 6.0, effective April 2024, replaced the "Info High" and "Info Very High" labels with four distinct labels—Confidential, Strictly Confidential, High Availability, and Very High Availability. It introduced six new controls targeting ransomware defense and business continuity, added references to ISO 27001:2022 and NIST CSF, and switched the primary catalog language to English. Certivo's regulatory intelligence and horizon scanning capabilities ensure your evidence packages align with the current ISA catalog version.
What assessment formats does Certivo accept from suppliers?
Certivo accepts any format through its specialized substance reporting solutions approach: PDF certificates, Excel security questionnaires, ISO 27001 audit reports, TISAX label confirmations, XML exports, and freeform responses. CORA extracts security control evidence regardless of format or language, eliminating the need for standardized supplier inputs across your global supply chain and enabling true format-agnostic automated supplier data collection.
Does Certivo support TISAX alongside ISO 27001 and other security frameworks?
Yes. Certivo validates supplier security evidence against TISAX VDA ISA 6.0, ISO 27001, NIS 2, and CRA requirements simultaneously through BOM-level compliance intelligence and multi-framework mapping. The same supplier submission is validated against overlapping control requirements—eliminating duplicate collection campaigns and establishing a centralized compliance data backbone across information security frameworks.




