What is the primary objective of TISAX?

TISAX's primary objective is to standardize information security assessments and enable secure exchange of results across the automotive supply chain. Developed by the ENX Association using the VDA ISA catalog version 5.0.4 (with updates to 6.0), it verifies protection of sensitive data like IP, prototypes, and personal information against cyber threats, ensuring CIA triad compliance at Basic, Significant, or Very High levels via the ENX portal.

Who is legally or professionally required to comply with TISAX?

TISAX is a contractual requirement, not legal mandate, for automotive OEMs, Tier 1/Tier 2 suppliers, service providers, and logistics firms handling sensitive data. OEMs like Volkswagen and BMW enforce it in RFPs for IP access; non-compliance excludes suppliers from contracts, affecting SMEs to multinationals processing prototypes or ADAS software.

Does TISAX require an external audit or third-party certification?

Yes, TISAX requires assessments by ENX-accredited providers like DQS or TÜV for Significant and Very High levels. AL1 is self-assessment (no label); AL2 involves remote plausibility checks; AL3 mandates on-site audits with evidence review, interviews, and maturity scoring (minimum level 3 across 70+ VDA ISA controls), issuing labels valid for 3 years on the ENX portal.

How often should an assessment for TISAX be performed?

TISAX assessments must be fully repeated every 3 years, as labels expire after this period. No annual surveillance audits are required, but organizations conduct internal audits, tabletop exercises, and PDCA reviews quarterly/annually to maintain maturity; reassess scopes upon major changes like new OEM contracts or VDA ISA updates.

What are the consequences of non-compliance with TISAX?

Non-compliance results in contract termination, lost revenue, and exclusion from OEM portals. Penalties include 5% of contract value fines, €20,000-€100,000 re-audit costs, reputational damage from breaches, and production halts; e.g., Tier 2 suppliers risk €10-50M annual orders without mandated labels.

Can TISAX be mapped to other international frameworks?

Yes, TISAX maps extensively to ISO 27001/27002, sharing ISMS principles, Annex A controls, and PDCA cycles. VDA ISA adapts these with automotive specifics (e.g., prototype protection), enabling 20-30% efficiency in joint implementations; ENX notes high overlap with emerging regs like UNECE WP.29, streamlining multi-framework audits.

What is the first step to begin implementing TISAX?

The first step is registering on the ENX portal (tisax.org) and defining the Assessment Scope and Leadership Profile (ASLP). Classify protection needs (Normal/High/Very High) with OEMs, download VDA ISA Excel for gap analysis across 7 control groups, and assemble a cross-functional team for self-assessment.

What is the primary objective of EN 1090?

EN 1090 ensures controlled execution and conformity assessment of structural steel and aluminium components for CE marking under the Construction Products Regulation (CPR). It comprises EN 1090-1 (conformity assessment via Factory Production Control, FPC), EN 1090-2 (steel execution requirements like welding, tolerances, traceability), and EN 1090-3 (aluminium equivalents). Risk-based Execution Classes (EXC1–EXC4) scale controls for consequence class (CC1–CC3), service category (SC1–SC2), and production category (PC1–PC2), enabling lawful market placement in the EEA.

Who is legally or professionally required to comply with EN 1090?

Manufacturers of load-bearing steel and aluminium structural components and kits for permanent construction works must comply with EN 1090 to affix CE marking. This includes fabricators, welding shops, and suppliers to EU/EEA markets, covering applications like buildings, bridges, and stadia. Non-structural or non-metallic products are excluded; scope aligns with CPR harmonized standards.

Does EN 1090 require an external audit or third-party certification?

Yes, EN 1090-1 mandates certification of the Factory Production Control (FPC) system by a Notified Body via AVCP systems. This involves initial inspection, type testing/calculation (ITT/ITC), and ongoing surveillance audits to verify constancy of performance, enabling Declaration of Performance (DoP) issuance and CE marking.

How often should an assessment for EN 1090 be performed?

EN 1090 requires initial Notified Body certification followed by continuous surveillance audits, typically annually. Frequency scales with Execution Class (EXC); first surveillance occurs ~1 year post-certification, with intervals per EN 1090-1 Table B.3 and Notified Body policy, plus audits for changes or non-conformities.

What are the consequences of non-compliance with EN 1090?

Non-compliance with EN 1090 prevents lawful CE marking, risking market exclusion, product recalls, fines, and certificate suspension/withdrawal by Notified Bodies. CPR enforcement may impose civil liability, contractual penalties, and reputational damage; surveillance failures trigger public notices and immediate CE mark cessation.

Can EN 1090 be mapped to other international frameworks?

No, EN 1090 FAQs focus solely on its standalone requirements under CPR; mappings to other frameworks are outside scope. Compliance demands specific FPC, EXC-aligned execution (EN 1090-2/-3), and Notified Body certification without cross-references.

What is the first step to begin implementing EN 1090?

The first step is to conduct a product scope assessment and determine Execution Classes (EXC1–EXC4) based on consequence, service, and production categories. Follow with FPC gap analysis, appointing a Responsible Welding Coordinator, and early Notified Body engagement for certification roadmap.

Standards Comparison

TISAX vs EN 1090

TISAX

Mandatory

2017

Automotive framework for standardized information security assessments

EN 1090

Mandatory

2009

EU standard for execution of steel and aluminium structures

Quick Verdict

TISAX ensures information security for automotive supply chains via assessments, while EN 1090 mandates CE marking for structural steel/aluminium through FPC. Automotive firms adopt TISAX for OEM trust; fabricators use EN 1090 for EU market access and legal compliance.

Cybersecurity

TISAX

Trusted Information Security Assessment Exchange (TISAX)

Cost

€€€€

Complexity

High

Implementation Time

12-18 months

Key Features

Centralized ENX portal enables result sharing across OEMs
Automotive-specific prototype protection and IP controls
Three risk-based assessment levels (AL1-AL3)
VDA ISA catalog with maturity scoring (0-5)
Three-year valid labels reduce duplicate audits

Structural Metalwork

EN 1090

EN 1090 Execution of steel and aluminium structures

Cost

€€€€

Complexity

High

Implementation Time

6-12 months

Key Features

Risk-based Execution Classes (EXC1-EXC4)
Factory Production Control (FPC) certification
CE marking and Declaration of Performance
Welding quality via ISO 3834 alignment
Material traceability and NDT requirements

Detailed Analysis

A comprehensive look at the specific requirements, scope, and impact of each standard.

TISAX Details

What It Is

TISAX (Trusted Information Security Assessment Exchange) is an industry framework developed by the ENX Association and VDA for the automotive sector. It standardizes assessments of information security, focusing on protecting sensitive data like prototypes and IP in global supply chains. The risk-based approach uses the VDA ISA catalog (version 5.0.4/6.0) with three assessment levels (AL1-AL3).

Key Components

**Control groupsPolicy, organization, personnel, physical security, access, cryptography, operations, supplier relationships (70+ controls).
**Automotive modulesPrototype protection, data protection.
Built on ISO 27001 with maturity levels (0-5 scale).
**Certification modelLabels valid 3 years, shared via ENX portal.

Why Organizations Use It

OEMs mandate TISAX contractually for suppliers, enabling market access and revenue. It mitigates risks like IP theft, reduces duplicate audits (70-90% efficiency), builds trust, and provides competitive edges in €2.5T automotive chain.

Implementation Overview

Phased: Preparation/gap analysis (1-3 months), remediation/tabletops (3-9 months), audit/certification (2-4 months), ongoing sustainment. Applies to OEMs, Tier 1/2 suppliers, service providers; scalable for SMEs to multinationals via self-assess or on-site audits.

EN 1090 Details

What It Is

EN 1090 is a harmonized European standard family (EN 1090-1, -2, -3) under the Construction Products Regulation (CPR). It governs the execution and conformity assessment of structural steel and aluminium components/kits for construction works. Primary purpose: ensure controlled fabrication, welding, inspection and CE marking via risk-based Execution Classes (EXC1-EXC4).

Key Components

**EN 1090-1Conformity assessment, Factory Production Control (FPC) certification.
**EN 1090-2/-3Technical rules for steel/aluminium (materials, welding per ISO 3834, tolerances, corrosion protection, NDT).
Risk-scaled requirements via consequence/service/production categories.
Certification model: Notified Body audits FPC, issues certificate for CE/DoP.

Why Organizations Use It

Mandatory for EU market access (CE marking required).
Reduces liability, rework; builds trust via traceability.
Enables high-risk projects (EXC3/EXC4), competitive bidding.

Implementation Overview

Phased: gap analysis, FPC build, welding quals, NB certification (3-12 months). Applies to fabricators in EU/UK; ongoing surveillance.

Key Differences

Aspect	TISAX	EN 1090
Scope	Information security in automotive supply chain	Execution of steel/aluminium structural components
Industry	Automotive suppliers, OEMs (mainly Europe)	Construction, fabrication (EU/EEA market)
Nature	Voluntary industry certification	Mandatory for CE marking under CPR
Testing	Maturity assessments AL1-3 by providers	FPC certification, surveillance by Notified Body
Penalties	Contract loss, no legal fines	Market exclusion, legal enforcement, fines

Scope

TISAX

Information security in automotive supply chain

EN 1090

Execution of steel/aluminium structural components

Industry

TISAX

Automotive suppliers, OEMs (mainly Europe)

EN 1090

Construction, fabrication (EU/EEA market)

Nature

TISAX

Voluntary industry certification

EN 1090

Mandatory for CE marking under CPR

Testing

TISAX

Maturity assessments AL1-3 by providers

EN 1090

FPC certification, surveillance by Notified Body

Penalties

TISAX

Contract loss, no legal fines

EN 1090

Market exclusion, legal enforcement, fines

Frequently Asked Questions

Common questions about TISAX and EN 1090

TISAX FAQ

EN 1090 FAQ

You Might also be Interested in These Articles...

Step-by-Step Implementation Guide to ISO 27701: Building a Privacy Information Management System (PIMS) on Your ISO 27001 Foundation

Implement ISO 27701 on your ISO 27001 foundation with this actionable guide. Tackle PII controls, audit evidence, GDPR integration. Templates, checklists for 20

CIS Controls v8.1 IG1 Ransomware-Resilience Sprint: A 30-60-90 Day Action Plan (With Evidence Checklist)

Tactical CIS Controls v8.1 IG1 playbook for ransomware resilience. 30-60-90 day sprint with tool-agnostic tasks, ownership & evidence checklists to prove progre

Top 10 Cost-Saving Hacks for CMMC Compliance: Budgeting Blueprints for Small DIB Suppliers

Slash CMMC costs 30-50% with top 10 hacks for small DIB suppliers. Enclave scoping, FedRAMP clouds, automation, POA&M tips & budgeting blueprints for Level 2 co

Run Maturity Assessments with GRADUM

Transform your compliance journey with our AI-powered assessment platform

Assess your organization's maturity across multiple standards and regulations including ISO 27001, DORA, NIS2, NIST, GDPR, and hundreds more. Get actionable insights and track your progress with collaborative, AI-powered evaluations.

100+ Standards & Regulations

AI-Powered Insights

Collaborative Assessments

Actionable Recommendations

Explore More Comparisons

See how TISAX and EN 1090 compare against other standards

Other TISAX Comparisons

Other EN 1090 Comparisons

What It Is

Key Components

**Control groupsPolicy, organization, personnel, physical security, access, cryptography, operations, supplier relationships (70+ controls).

**Automotive modulesPrototype protection, data protection.

Built on ISO 27001 with maturity levels (0-5 scale).

**Certification modelLabels valid 3 years, shared via ENX portal.

What It Is

Key Components

**EN 1090-1Conformity assessment, Factory Production Control (FPC) certification.

**EN 1090-2/-3Technical rules for steel/aluminium (materials, welding per ISO 3834, tolerances, corrosion protection, NDT).

Risk-scaled requirements via consequence/service/production categories.

Certification model: Notified Body audits FPC, issues certificate for CE/DoP.

Aspect

TISAX

EN 1090

Scope

Information security in automotive supply chain

Execution of steel/aluminium structural components

Industry

Automotive suppliers, OEMs (mainly Europe)

Construction, fabrication (EU/EEA market)

Nature

Voluntary industry certification

Mandatory for CE marking under CPR

Testing

Maturity assessments AL1-3 by providers

FPC certification, surveillance by Notified Body

Penalties

Contract loss, no legal fines

Market exclusion, legal enforcement, fines