What is the primary objective of **TISAX**?

**TISAX's primary objective is to standardize information security assessments and enable secure exchange of results across the automotive supply chain via the ENX Portal.** Developed by the ENX Association using the VDA ISA catalog (version 5.0.4+), it verifies protection of sensitive data like IP, prototypes, and personal information against cyber threats, emphasizing CIA triad at Basic, Significant, and Very High levels tailored to automotive needs such as prototype handling.

Who is legally or professionally required to comply with **TISAX**?

**TISAX is a contractual requirement, not legal mandate, for automotive OEMs, Tier 1/Tier 2 suppliers, service providers, and logistics firms handling sensitive automotive data.** OEMs like Volkswagen and BMW mandate it in RFPs for IP access; non-compliance risks contract termination. Scalable for SMEs (self-assessments) to multinationals, it applies to any entity processing OEM prototypes, ADAS software, or cloud services in the €2.5T supply chain.

Does **TISAX** require an external audit or third-party certification?

**Yes, TISAX requires external audits by ENX-accredited providers (e.g., DQS, TÜV) for Significant and Very High levels, issuing labels valid for 3 years.** AL1 is self-assessment only (no label); AL2 involves remote plausibility checks; AL3 mandates on-site audits with interviews and facility inspections. Results are uploaded to the ENX Portal for controlled sharing among 2,000+ participants.

How often should an assessment for **TISAX** be performed?

**TISAX assessments must be performed every 3 years to renew labels, with no interim surveillance audits required.** Continuous internal monitoring via PDCA, quarterly reviews, and annual tabletop exercises sustain maturity (level 3+ on VDA ISA's 0-5 scale). Reassess scopes upon major changes like new OEM contracts or VDA ISA updates (e.g., v6.0 for AI risks).

What are the consequences of non-compliance with **TISAX**?

**Non-compliance with TISAX results in contractual termination, lost OEM portal access, and penalties up to 5% of contract value.** Suppliers forfeit €10-50M annual orders; remediation audits cost €20K-€100K. Reputational damage from breaches (e.g., 2021 hacks) cascades disruptions; no label excludes bidding on ADAS/EV projects.

Can **TISAX** be mapped to other international frameworks?

**Yes, TISAX maps extensively to frameworks like ISO 27001 via VDA ISA's 70+ controls across 7 groups (Policy, Access, Operations).** It reuses Annex A elements for ISMS, enabling 20-30% efficiency in integrated audits. ENX notes high overlap with NIS2 cybersecurity requirements, streamlining multi-framework compliance without recertification.

What is the first step to begin implementing **TISAX**?

**The first step is registering on the ENX Portal (enx.com) and defining ASLP (Assessment Scope and Leadership Profile).** Download VDA ISA catalog for gap analysis against 70+ controls; classify data needs (Normal/High/Very High). Assemble cross-functional team (CISO, IT, Legal) for risk-based scoping before selecting an accredited auditor.

What is the primary objective of **MLPS 2.0 (Multi-Level Protection Scheme)**?

**MLPS 2.0 (Multi-Level Protection Scheme) establishes a graded cybersecurity framework to protect information systems based on potential harm to national security, social order, and public interests.** It classifies systems into five levels (1-5), mandating commensurate technical, management, physical, and personnel controls per GB/T 22239-2020 standards. Objectives include preventing attacks, ensuring data confidentiality/integrity/availability, and enabling law enforcement oversight via Public Security Bureaus (PSBs).

Who is legally or professionally required to comply with **MLPS 2.0 (Multi-Level Protection Scheme)**?

**All network operators in mainland China must comply with MLPS 2.0 (Multi-Level Protection Scheme), including domestic firms, foreign enterprises, and multinationals operating systems there.** This covers virtually any entity managing IT networks, cloud platforms, IoT, big data, or industrial controls under Article 21 of the 2017 Cybersecurity Law. Critical sectors (energy, finance, telecom) often classify at Level 3+.

Does **MLPS 2.0 (Multi-Level Protection Scheme)** require an external audit or third-party certification?

**Yes, MLPS 2.0 (Multi-Level Protection Scheme) mandates external security reviews by licensed Chinese firms for Level 2+ systems.** Reviews score controls (minimum 75/100 pass) across technical/management domains per GB/T 28448-2019, followed by PSB approval and certification. Level 1 requires only self-assessment; higher levels demand periodic re-evaluations.

How often should an assessment for **MLPS 2.0 (Multi-Level Protection Scheme)** be performed?

**MLPS 2.0 (Multi-Level Protection Scheme) requires periodic re-evaluations scaling by level: biennial for Level 2, annual for Level 3, semi-annual for Level 4, and as mandated for Level 5.** Re-assessments are also triggered by major changes (e.g., cloud migration). Self-inspections apply to all levels.

What are the consequences of non-compliance with **MLPS 2.0 (Multi-Level Protection Scheme)**?

**Non-compliance with MLPS 2.0 (Multi-Level Protection Scheme) results in fines up to 100,000 RMB, operational suspensions, system shutdowns, and intensified PSB inspections.** Enforcement links to business license renewals; severe cases (e.g., post-breach failures) have yielded fines like RMB 223 million in banking incidents.

Can **MLPS 2.0 (Multi-Level Protection Scheme)** be mapped to other international frameworks?

**Yes, MLPS 2.0 (Multi-Level Protection Scheme) maps to frameworks like ISO 27001 and NIST CSF via aligned control domains (organizational, physical, technical).** Common controls (governance, access, monitoring) overlap; organizations extend Statements of Applicability for MLPS-specific grading, cloud localization, and PSB oversight.

What is the first step to begin implementing **MLPS 2.0 (Multi-Level Protection Scheme)**?

**The first step for MLPS 2.0 (Multi-Level Protection Scheme) implementation is conducting a provisional self-assessment to classify systems into Levels 1-5 based on impact to national security/social order.** Inventory assets, evaluate harm severity per GB/T 22240-2020, document rationale, then file with local PSB within 30 days for Level 2+.

TISAX vs MLPS 2.0 (Multi-Level Protection Scheme)

Standards Comparison

TISAX

Mandatory

2017

Automotive standard for information security assessments and exchange

MLPS 2.0 (Multi-Level Protection Scheme)

Mandatory

2019

China's mandatory graded cybersecurity protection framework.

Quick Verdict

TISAX provides voluntary automotive supply chain security certification via ENX audits, while MLPS 2.0 mandates graded network protection in China enforced by PSBs. Companies adopt TISAX for OEM contracts; MLPS for legal compliance and operations.

Cybersecurity

TISAX

Trusted Information Security Assessment Exchange (TISAX)

Cost

€€€€

Complexity

High

Implementation Time

6-12 months

Key Features

Shareable labels via ENX Portal eliminate duplicate audits
Automotive-specific prototype protection for parts and vehicles
Three risk-based assessment levels AL1 to AL3
VDA ISA catalog extends ISO 27001 controls
Three-year validity with maturity-based evaluations

Cybersecurity

MLPS 2.0 (Multi-Level Protection Scheme)

Multi-Level Protection Scheme 2.0 (MLPS 2.0)

Cost

€€€€

Complexity

Medium

Implementation Time

12-18 months

Key Features

Five-level impact-based system classification
Mandatory PSB registration and approval (Level 2+)
Graded technical controls for cloud, IoT, ICS
Third-party audits with 75/100 pass score
Ongoing governance and incident reporting obligations

Detailed Analysis

A comprehensive look at the specific requirements, scope, and impact of each standard.

TISAX Details

What It Is

TISAX (Trusted Information Security Assessment Exchange) is a certification framework developed by the ENX Association for the automotive industry, based on the VDA ISA catalog (version 5.0.4/6.0). It standardizes assessments to protect sensitive data like IP, prototypes, and personal information across global supply chains. Employs a risk-based approach with CIA triad focus and three maturity levels.

Key Components

Seven control groups: policy, organization, personnel, physical security, access, cryptography, operations (70+ items).
Built on ISO 27001 with automotive extensions like prototype protection.
Assessment levels: AL1 (self-assessment), AL2 (remote check), AL3 (on-site audit).
Shareable TISAX labels valid 3 years via ENX Portal.

Why Organizations Use It

Contractual mandates from OEMs (e.g., BMW, VW) prevent revenue loss.
Reduces duplicate audits by 70-90%, enables market access.
Mitigates risks, enhances resilience, builds supplier trust.
Delivers ROI through efficiency and IP protection.

Implementation Overview

Phased: scoping/gap analysis, remediation/tabletops, audit, sustainment (6-18 months).
Targets OEMs, Tier 1/2 suppliers, service providers; scalable for SMEs/multinationals.
Accredited providers (e.g., DQS, TÜV) conduct AL2/AL3 audits.

MLPS 2.0 (Multi-Level Protection Scheme) Details

What It Is

MLPS 2.0 (Multi-Level Protection Scheme 2.0) is China's legally mandated cybersecurity framework under the 2017 Cybersecurity Law (Article 21). It requires network operators to classify systems into five protection levels based on potential impact to national security, social order, and public interests, implementing graded technical, organizational, and governance controls.

Key Components

Core domains: physical security, network protection, data security, access control, monitoring, governance.
Standards: GB/T 22239-2019 (basics), GB/T 25070-2019 (technical), GB/T 28448-2019 (evaluation).
Common controls for all levels; extended for cloud, IoT, big data, ICS.
Compliance via self-classification, third-party audits (Level 2+), PSB approval.

Why Organizations Use It

Mandatory for China operations; non-compliance risks fines, suspensions.
Enhances resilience, supports market access, aligns with data laws.
Builds regulator trust, reduces breach risks.

Implementation Overview

Phased: scoping, classification, gap analysis, remediation, audits, ongoing monitoring.
Applies to all network operators in China; higher costs for Level 3+.
Requires local PSB filing, periodic re-evaluations.

Key Differences

Aspect	TISAX	MLPS 2.0 (Multi-Level Protection Scheme)
Scope	Automotive info security, prototypes, CIA triad	All networks, graded by national impact, tech-specific
Industry	Automotive supply chain, global participants	All sectors in China, mandatory for operators
Nature	Voluntary industry certification, ENX-managed	Mandatory regulation, PSB-enforced law
Testing	AL1-3 audits by accredited providers, 3-year validity	Level 2+ third-party audits, PSB approval, periodic re-evals
Penalties	Contract loss, no legal fines	Fines, suspensions, operational shutdowns