TISAX® · June 5, 2026 · Iulian Bozdoghina (Lead Auditor and Consultant) · 5 min read

Automotive Supplier TISAX Requirements: What BMW, VW Group, and Mercedes Procurement Actually Ask For

What automotive supplier TISAX requirements actually mean in OEM procurement, which assessment level you need, what drives it, and how to read the contract clause.

TL;DR: When BMW, Volkswagen Group, or Mercedes-Benz procurement asks a supplier for TISAX®, they are not asking for a generic certificate. They are asking for a specific assessment level (usually AL2 or AL3), against a specific set of information security labels, published to the ENX portal where the OEM can verify it. The assessment level you need is driven by the type of data the OEM shares with you, not by your company size or by what feels proportionate. This piece walks through what the requirement actually is, how it reaches you, what determines your level, and where suppliers most often misread the ask.

A TISAX requirement rarely arrives with much explanation. It shows up as a line in a contract, a field in a procurement portal, or a sentence in an onboarding pack: "active TISAX label required, AL2", or "TISAX participant status, very high protection needs". For a supplier seeing it for the first time, the wording raises more questions than it answers: which label, which level, by when, and what happens to the contract if the date slips.

Across the automotive suppliers our team prepares, the same misunderstandings recur at this first-contact stage. Suppliers treat TISAX as interchangeable with ISO 27001. They assume the level is theirs to choose. They underestimate how directly the assessment level is dictated by the data the OEM intends to share. This post is the practitioner-level reading of what the requirement means before any preparation work begins, because getting the interpretation wrong at the start is the most expensive mistake in the whole programme.

What is a TISAX requirement, in one paragraph?

TISAX (Trusted Information Security Assessment Exchange) is the automotive industry's mechanism for assessing and sharing a supplier's information security maturity. It is operated by ENX Association on behalf of the VDA® (the German automotive industry association) and built on the VDA ISA catalogue, currently version 6.0.3. A supplier is assessed by an ENX-approved audit provider, receives one or more labels, and publishes the result to the ENX portal. OEMs and partners with permission view it there. TISAX is a contractual and commercial requirement set by the OEM — not a legal obligation — but for a supplier handling sensitive OEM data, "contractual" and "mandatory" amount to the same thing.

TISAX is a label, not a certificate, and this distinction shapes everything

The first thing to internalise: TISAX does not produce a certificate you can email to a customer. It produces a label (or a set of labels) held in the ENX exchange, visible to partners you grant access to. You cannot share a TISAX result bilaterally the way you would an ISO 27001 certificate PDF. The OEM checks the portal; that is the system working as designed.

This matters operationally because the OEM's requirement is almost never "be secure" in the abstract. It is "hold this specific label at this assessment level and grant us visibility in the portal." When a supplier reads the requirement as a general call for an information security management system, they prepare for the wrong target. The label and level are the target.

TISAX is built on ISO/IEC 27001 concepts (the VDA ISA catalogue maps closely to ISO 27001 and ISO 27002 controls), but it is a different mechanism with automotive-specific additions. An existing ISO 27001:2022 certification is a meaningful head start (in our experience, often 60–70% of the control substance is already in place), but it does not satisfy a TISAX requirement on its own. The assessment, the catalogue, and the prototype-protection requirements are distinct.

How the requirement reaches you and why the cascade is widening

TISAX requirements move down the supply chain, not just from OEM to Tier 1. A Tier 1 supplier required to hold AL3 will, in turn, push assessment requirements onto the Tier 2 and Tier 3 suppliers who touch the same protected data. This is why suppliers increasingly learn about TISAX from their customer rather than from any industry communication: the obligation arrives as a flow-down clause.

The cascade has been accelerating. As OEMs tighten supplier security expectations and set portfolio-wide deadlines for assessment and recertification, large tranches of suppliers get pulled into assessment cycles at the same time. When that happens, the practical effect on suppliers is a capacity squeeze: audit-provider calendars fill, and the suppliers who started late find that the only available assessment slots fall after their contractual date. In practice, the constraint that bites first is rarely the controls; it is the audit-provider booking lead time.

What actually determines your assessment level

Three assessment levels exist, but for OEM supply chains the real decision is between two of them:

  • AL1: a self-assessment with no third-party verification. Rare in OEM supply chains; most OEMs do not accept it for any supplier touching their data.
  • AL2: a remote assessment by an ENX-approved provider, covering the completed VDA ISA questionnaire, a documentation review, and interviews. Applies to high protection needs: sensitive information such as technical documentation, blueprints, and strategic project data.
  • AL3: a comprehensive on-site assessment with physical verification of controls. Applies to very high protection needs, including prototype parts and vehicles, crash-test data, and increasingly AI-related and connected-vehicle data.

The level is not a choice the supplier makes for convenience. It is a function of the data the OEM shares with you. If your engagement involves prototype protection (physical prototypes, pre-series parts, camouflaged test vehicles, or the data describing them), AL3 with the prototype-protection scope is effectively non-negotiable. If you handle confidential-but-not-prototype information, AL2 is usually the floor.

A practitioner rule worth stating plainly, because it saves suppliers from a costly wrong turn: assume AL3 unless the OEM has explicitly told you AL2 is sufficient. We see suppliers prepare for AL2, pass it, and then discover the contract required AL3 prototype protection all along, at which point the remote assessment they completed does not satisfy the requirement and the on-site assessment has to be scheduled from scratch. Confirming the exact level and scope in writing with the customer before any preparation begins is the single cheapest risk-reduction step in the entire programme.

The labels: confidentiality, availability, and the ISA 6 change suppliers miss

Since VDA ISA 6 (the catalogue is currently at version 6.0.3), TISAX assessments produce labels across more than one dimension. The long-standing confidentiality label (high / very high) is now joined by an availability label, and data-protection labels exist where personal data is in scope. ISA 6 also introduced new controls focused on IT availability, operational resilience, OT environments, and ransomware response.

The reason this matters for reading a procurement requirement: an OEM may ask for a specific combination of labels, not just a level. "AL2, confidentiality high" is a different scope of work from "AL3, confidentiality very high + availability high." Suppliers who scoped their preparation against confidentiality alone — because that is what TISAX historically meant — can find an availability requirement bolted onto the ask that their ISMS evidence does not yet cover. The availability label is the most common scope element to be overlooked in our gap analyses for suppliers preparing under ISA 6 for the first time.

What OEM procurement actually checks and where suppliers fall short

OEM procurement does not re-audit you; the ENX-approved provider does that. What procurement verifies is narrower and more literal than suppliers expect:

  • That the label exists, at the required level, and is current. Labels are valid for three years. A label that has lapsed, or that sits one level below what the contract specifies, reads as non-compliant regardless of how mature your security actually is.
  • That the scope matches. A TISAX label is tied to specific locations and specific assessment objectives. A label scoped to your headquarters does not cover the plant where the OEM's work is actually performed. Scope mismatches between the label and the contracted site are a recurring procurement-side rejection in our experience.
  • That visibility is granted in the portal. The OEM has to be able to see the result. A correctly obtained label that has not been shared with the customer in the ENX exchange is, from procurement's side, the same as no label.

The pattern underneath all three: suppliers focus on passing the assessment and underplan the administrative correctness of the result: the level, the scope-to-site mapping, the validity window, and the portal sharing. The security work is the hard part; the bookkeeping around the label is where avoidable contract friction comes from.

The timeline reality

A realistic TISAX preparation for a supplier starting from a modest security baseline runs several months. Industry estimates commonly put the full path at six to twelve months; our own preparations are built around a tighter, structured cadence (the 95-day programme) for organisations that already have a working baseline to uplift. The variable that most often determines the real timeline is not the control work — it is two external constraints: the audit provider's available assessment dates, and, for AL3, the lead time to stand up genuine on-site evidence (physical security, prototype-area controls, OT segregation) that an assessor can verify in person rather than on paper.

When an OEM-driven recertification date sits inside the typical preparation window, suppliers who have not booked an assessment slot are already in the zone where the calendar, not the controls, is the binding constraint. If a contractual TISAX date sits in your near future and the assessment is not yet booked, that booking is the first action, ahead of any control work.

Reading the requirement correctly is the cheapest step in a TISAX programme and the one most often skipped. Book a free gap assessment and we will confirm the assessment level and label scope your OEM is actually asking for, map it against where your information security stands today, and give you a realistic timeline to a published label.

Common questions about automotive supplier TISAX requirements

Q: Does an ISO 27001 certificate satisfy a TISAX requirement? No. They share a control foundation - the VDA ISA catalogue is built on ISO/IEC 27001 and 27002 - and an existing ISO 27001:2022 certification is a substantial head start. But TISAX requires its own assessment by an ENX-approved provider, against the VDA ISA catalogue including automotive-specific prototype and availability requirements, with the result published to the ENX portal. The certificate alone does not meet the ask.

Q: How do I know whether I need AL2 or AL3? The level is determined by the data the OEM shares with you, not by your preference. Confidential information generally lands at AL2; prototype data, pre-series parts, crash-test data, and similarly very-high-protection information require AL3 with the prototype-protection scope. The safe default is to assume AL3 until the customer confirms in writing that AL2 is sufficient.

Q: Is TISAX legally mandatory? No. TISAX is a contractual and commercial requirement imposed by OEMs, not a legal regulation. For a supplier that wants to keep or win OEM business involving protected data, however, it functions as mandatory - no label, no contract for that scope.

Q: How long is a TISAX label valid? Three years. Recertification has to be planned before expiry, which is why OEM-wide recertification deadlines trigger large waves of reassessment activity across supplier portfolios at once.

Q: We hold a TISAX label already — why is our customer saying we're non-compliant? The three usual causes are a level mismatch (you hold AL2, the contract specifies AL3), a scope mismatch (your label covers a different site than the one doing the OEM's work), or a sharing gap (the label is valid but has not been granted to that customer in the ENX portal). All three are fixable, but each is checked literally by procurement.

Q: What is the first thing we should do when a TISAX requirement lands? Confirm the exact assessment level, label combination, and scope with the customer in writing, then check audit-provider availability against your contractual date. Those two facts determine the entire shape of the programme — and both are external to your control work, so they should be pinned down before any internal preparation starts.

How ITIS-Secure helps automotive suppliers meet OEM TISAX requirements

Our preparation methodology is built specifically for suppliers facing an OEM-driven TISAX deadline. We start by confirming what the requirement actually is - level, labels, scope, and target site - because that interpretation determines everything downstream. We then run a gap analysis against the VDA ISA 6.0.3 catalogue, build the documentation and evidence the assessment expects, prepare AL3 on-site and prototype-protection controls where the scope requires them, and stand alongside our clients through the assessment itself.

The ENX-approved audit provider performs the assessment and issues the label; our role is to get you ready so the assessment goes cleanly on the first attempt, and to make sure the resulting label is scoped and shared correctly for your customer to verify.

If a TISAX requirement has landed from BMW, Volkswagen Group, Mercedes-Benz, or any OEM in your supply chain, the gap assessment is the place to start. It is free, takes less than a day, and gives you a clear read on the level you actually need and the timeline that is realistic from where you stand.

TISAX® is a registered trademark of ENX Association. VDA® is a registered trademark of Verband der Automobilindustrie e.V. ITIS-Secure is an independent preparation firm; TISAX assessments are conducted and labels issued by ENX-approved audit providers.

Iulian Bozdoghina

"Iulian Bozdoghina is a veteran cybersecurity strategist with over 15 years of experience in securing automotive supply chains and critical infrastructure. He specializes in TISAX®, ISO 27001, and the emerging NIS2/DORA regulatory landscape."

ISO 27001 Lead Auditor · TISAX® Specialist · ISO 14001 Auditor · ISO 42001 Auditor