Who is legally or professionally required to comply with TISAX?

TISAX is a contractual requirement, not legal mandate, for automotive OEMs, Tier 1/Tier 2 suppliers, service providers, and logistics firms handling sensitive data. OEMs like Volkswagen and BMW enforce it in RFPs for IP access; non-compliance excludes suppliers from contracts, affecting SMEs to multinationals processing prototypes or ADAS software.

Does TISAX require an external audit or third-party certification?

Yes, TISAX requires assessments by ENX-accredited providers like DQS or TÜV for Significant and Very High levels. AL1 is self-assessment (no label); AL2 involves remote plausibility checks; AL3 mandates on-site audits with evidence review, interviews, and maturity scoring (minimum level 3 across 70+ VDA ISA controls), issuing labels valid for 3 years on the ENX portal.

How often should an assessment for TISAX be performed?

TISAX assessments must be fully repeated every 3 years, as labels expire after this period. No annual surveillance audits are required, but organizations conduct internal audits, tabletop exercises, and PDCA reviews quarterly/annually to maintain maturity; reassess scopes upon major changes like new OEM contracts or VDA ISA updates.

What are the consequences of non-compliance with TISAX?

Non-compliance results in contract termination, lost revenue, and exclusion from OEM portals. Penalties include severe contractual financial fines, €20,000-€100,000 re-audit costs, reputational damage from breaches, and production halts; e.g., Tier 2 suppliers risk €10-50M annual orders without mandated labels.

Can TISAX be mapped to other international frameworks?

Yes, TISAX maps extensively to ISO 27001/27002, sharing ISMS principles, Annex A controls, and PDCA cycles. VDA ISA adapts these with automotive specifics (e.g., prototype protection), enabling 20-30% efficiency in joint implementations; ENX notes high overlap with emerging regs like UNECE WP.29, streamlining multi-framework audits.

What is the first step to begin implementing TISAX?

The first step is registering on the ENX portal (tisax.org) and defining the Assessment Scope and Leadership Profile (ASLP). Classify protection needs (Normal/High/Very High) with OEMs, download VDA ISA Excel for gap analysis across 7 control groups, and assemble a cross-functional team for self-assessment.

What is the primary objective of EN 1090?

EN 1090 ensures controlled execution and conformity assessment of structural steel and aluminium components for CE marking under the Construction Products Regulation (CPR). It comprises EN 1090-1 (conformity assessment via Factory Production Control, FPC), EN 1090-2 (steel execution requirements like welding, tolerances, traceability), and EN 1090-3 (aluminium equivalents). Risk-based Execution Classes (EXC1–EXC4) scale controls for consequence class (CC1–CC3), service category (SC1–SC2), and production category (PC1–PC2), enabling lawful market placement in the EEA.

Who is legally or professionally required to comply with EN 1090?

Manufacturers of load-bearing steel and aluminium structural components and kits for permanent construction works must comply with EN 1090 to affix CE marking. This includes fabricators, welding shops, and suppliers to EU/EEA markets, covering applications like buildings, bridges, and stadia. Non-structural or non-metallic products are excluded; scope aligns with CPR harmonized standards.

Does EN 1090 require an external audit or third-party certification?

Yes, EN 1090-1 mandates certification of the Factory Production Control (FPC) system by a Notified Body via AVCP systems. This involves initial inspection, type testing/calculation (ITT/ITC), and ongoing surveillance audits to verify constancy of performance, enabling Declaration of Performance (DoP) issuance and CE marking.

How often should an assessment for EN 1090 be performed?

EN 1090 requires initial Notified Body certification followed by continuous surveillance audits, typically annually. Frequency scales with Execution Class (EXC); first surveillance occurs ~1 year post-certification, with intervals per EN 1090-1 Table B.3 and Notified Body policy, plus audits for changes or non-conformities.

What are the consequences of non-compliance with EN 1090?

Non-compliance with EN 1090 prevents lawful CE marking, risking market exclusion, product recalls, fines, and certificate suspension/withdrawal by Notified Bodies. CPR enforcement may impose civil liability, contractual penalties, and reputational damage; surveillance failures trigger public notices and immediate CE mark cessation.

Can EN 1090 be mapped to other international frameworks?

Yes, EN 1090 integrates closely with other international standards. Compliance demands specific FPC and EXC-aligned execution (EN 1090-2/-3), which explicitly require alignment with ISO 3834 for welding quality and heavily leverage ISO 9001 principles for quality management, though ISO 9001 certification itself is not strictly mandatory.

What is the first step to begin implementing EN 1090?

The first step is to conduct a product scope assessment and determine Execution Classes (EXC1–EXC4) based on consequence, service, and production categories. Follow with FPC gap analysis, appointing a Responsible Welding Coordinator, and early Notified Body engagement for certification roadmap.

Standards Comparison

TISAX vs EN 1090

TISAX

Mandatory

2017

Automotive framework for standardized information security assessments

EN 1090

Mandatory

2009

EU standard for execution of steel and aluminium structures

Quick Verdict

TISAX ensures information security for automotive supply chains via assessments, while EN 1090 mandates CE marking for structural steel/aluminium through FPC. Automotive firms adopt TISAX for OEM trust; fabricators use EN 1090 for EU market access and legal compliance.

Cybersecurity

TISAX

Trusted Information Security Assessment Exchange (TISAX)

Cost

€€€€

Complexity

High

Implementation Time

12-18 months

Key Features

Centralized ENX portal enables result sharing across OEMs
Automotive-specific prototype protection and IP controls
Three risk-based assessment levels (AL1-AL3)
VDA ISA catalog with maturity scoring (0-5)
Three-year valid labels reduce duplicate audits

Structural Metalwork

EN 1090

EN 1090 Execution of steel and aluminium structures

Cost

€€€€

Complexity

High

Implementation Time

6-12 months

Key Features

Risk-based Execution Classes (EXC1-EXC4)
Factory Production Control (FPC) certification
CE marking and Declaration of Performance
Welding quality via ISO 3834 alignment
Material traceability and NDT requirements

Detailed Analysis

A comprehensive look at the specific requirements, scope, and impact of each standard.

TISAX Details

What It Is

TISAX (Trusted Information Security Assessment Exchange) is an industry framework developed by the ENX Association and VDA for the automotive sector. It standardizes assessments of information security, focusing on protecting sensitive data like prototypes and IP in global supply chains. The risk-based approach uses the VDA ISA catalog (version 6.0 and subsequent updates) with three assessment levels (AL1-AL3).

Key Components

Control groups: Policy, organization, personnel, physical security, access, cryptography, operations, supplier relationships (70+ controls).
Automotive modules: Prototype protection, data protection.
Built on ISO 27001 with maturity levels (0-5 scale).
Certification model: Labels valid 3 years, shared via ENX portal.

Why Organizations Use It

OEMs mandate TISAX contractually for suppliers, enabling market access and revenue. It mitigates risks like IP theft, reduces duplicate audits (70-90% efficiency), builds trust, and provides competitive edges in €2.5T automotive chain.

Implementation Overview

Phased: Preparation/gap analysis (1-3 months), remediation/tabletops (3-9 months), audit/certification (2-4 months), ongoing sustainment. Applies to OEMs, Tier 1/2 suppliers, service providers; scalable for SMEs to multinationals via self-assess or on-site audits.

EN 1090 Details

What It Is

EN 1090 is a harmonized European standard family (EN 1090-1, -2, -3) under the Construction Products Regulation (CPR). It governs the execution and conformity assessment of structural steel and aluminium components/kits for construction works. Primary purpose: ensure controlled fabrication, welding, inspection and CE marking via risk-based Execution Classes (EXC1-EXC4).

Key Components

EN 1090-1: Conformity assessment, Factory Production Control (FPC) certification.
EN 1090-2/-3: Technical rules for steel/aluminium (materials, welding per ISO 3834, tolerances, corrosion protection, NDT).
Risk-scaled requirements via consequence/service/production categories.
Certification model: Notified Body audits FPC, issues certificate for CE/DoP.

Why Organizations Use It

Mandatory for EU market access (CE marking required).
Reduces liability, rework; builds trust via traceability.
Enables high-risk projects (EXC3/EXC4), competitive bidding.

Implementation Overview

Phased: gap analysis, FPC build, welding quals, NB certification (3-12 months). Applies to fabricators in EU/UK; ongoing surveillance.

Key Differences

Aspect	TISAX	EN 1090
Scope	Information security in automotive supply chain	Execution of steel/aluminium structural components
Industry	Automotive suppliers, OEMs (mainly Europe)	Construction, fabrication (EU/EEA market)
Nature	Voluntary industry certification	Mandatory for CE marking under CPR
Testing	Maturity assessments AL1-3 by providers	FPC certification, surveillance by Notified Body
Penalties	Contract loss, no legal fines	Market exclusion, legal enforcement, fines

Scope

TISAX

Information security in automotive supply chain

EN 1090

Execution of steel/aluminium structural components

Industry

TISAX

Automotive suppliers, OEMs (mainly Europe)

EN 1090

Construction, fabrication (EU/EEA market)

Nature

TISAX

Voluntary industry certification

EN 1090

Mandatory for CE marking under CPR

Testing

TISAX

Maturity assessments AL1-3 by providers

EN 1090

FPC certification, surveillance by Notified Body

Penalties

TISAX

Contract loss, no legal fines

EN 1090

Market exclusion, legal enforcement, fines

Frequently Asked Questions

Common questions about TISAX and EN 1090

TISAX FAQ

EN 1090 FAQ

You Might also be Interested in These Articles...

The SOC Maturity Roadmap: A 5-Step Blueprint for Scaling from Ad-Hoc to Optimized Operations

Unlock SOC excellence with our 5-step maturity roadmap. Compare SOC-CMM, NIST CSF, and CMMC frameworks to scale from ad-hoc to automated operations. Start your

The Tool Landscape for Reaching and Maintaining ISO 27701 Compliance

Discover the top tools for ISO 27701 compliance. Compare functionality, complexity, costs, and benefits to choose the best solution for your privacy program. Ac

Top 10 NIST CSF 2.0 Myths Busted: Separating Hype from Reality for Smarter Adoption

Bust 10 NIST CSF 2.0 myths like 'only for critical infrastructure' or 'Govern replaces Identify'. Plain-English breakdowns, evidence, and fixes for flexible ris

Run Maturity Assessments with GRADUM

Transform your compliance journey with our AI-powered assessment platform

Assess your organization's maturity across multiple standards and regulations including ISO 27001, DORA, NIS2, NIST, GDPR, and hundreds more. Get actionable insights and track your progress with collaborative, AI-powered evaluations.

100+ Standards & Regulations

AI-Powered Insights

Collaborative Assessments

Actionable Recommendations

Explore More Comparisons

See how TISAX and EN 1090 compare against other standards

Other TISAX Comparisons

Other EN 1090 Comparisons

What It Is

Key Components

Control groups: Policy, organization, personnel, physical security, access, cryptography, operations, supplier relationships (70+ controls).

Automotive modules: Prototype protection, data protection.

Built on ISO 27001 with maturity levels (0-5 scale).

Certification model: Labels valid 3 years, shared via ENX portal.

What It Is

Key Components

EN 1090-1: Conformity assessment, Factory Production Control (FPC) certification.

EN 1090-2/-3: Technical rules for steel/aluminium (materials, welding per ISO 3834, tolerances, corrosion protection, NDT).

Risk-scaled requirements via consequence/service/production categories.

Certification model: Notified Body audits FPC, issues certificate for CE/DoP.

Aspect

TISAX

EN 1090

Scope

Information security in automotive supply chain

Execution of steel/aluminium structural components

Industry

Automotive suppliers, OEMs (mainly Europe)

Construction, fabrication (EU/EEA market)

Nature

Voluntary industry certification

Mandatory for CE marking under CPR

Testing

Maturity assessments AL1-3 by providers

FPC certification, surveillance by Notified Body

Penalties

Contract loss, no legal fines

Market exclusion, legal enforcement, fines

TISAX vs EN 1090

TISAX

EN 1090

Quick Verdict

TISAX

Key Features

EN 1090

Key Features

Detailed Analysis

TISAX Details

What It Is

Key Components

Why Organizations Use It

Implementation Overview

EN 1090 Details

What It Is

Key Components

Why Organizations Use It

Implementation Overview

Key Differences

Scope

Industry

Nature

Testing

Penalties

Frequently Asked Questions

TISAX FAQ

What is the primary objective of TISAX?

Who is legally or professionally required to comply with TISAX?

Does TISAX require an external audit or third-party certification?

How often should an assessment for TISAX be performed?

What are the consequences of non-compliance with TISAX?

Can TISAX be mapped to other international frameworks?

What is the first step to begin implementing TISAX?

EN 1090 FAQ

What is the primary objective of EN 1090?

Who is legally or professionally required to comply with EN 1090?

Does EN 1090 require an external audit or third-party certification?

How often should an assessment for EN 1090 be performed?

What are the consequences of non-compliance with EN 1090?

Can EN 1090 be mapped to other international frameworks?

What is the first step to begin implementing EN 1090?

You Might also be Interested in These Articles...

The SOC Maturity Roadmap: A 5-Step Blueprint for Scaling from Ad-Hoc to Optimized Operations

The Tool Landscape for Reaching and Maintaining ISO 27701 Compliance

Top 10 NIST CSF 2.0 Myths Busted: Separating Hype from Reality for Smarter Adoption

Run Maturity Assessments with GRADUM

Explore More Comparisons

Other TISAX Comparisons

Other EN 1090 Comparisons

TISAX vs EN 1090

TISAX

EN 1090

Quick Verdict

TISAX

Key Features

EN 1090

Key Features

Detailed Analysis

TISAX Details

What It Is

Key Components

Why Organizations Use It

Implementation Overview

EN 1090 Details

What It Is

Key Components

Why Organizations Use It

Implementation Overview

Key Differences

Scope

Industry

Nature

Testing

Penalties

Frequently Asked Questions

TISAX FAQ

What is the primary objective of TISAX?

Who is legally or professionally required to comply with TISAX?

Does TISAX require an external audit or third-party certification?