As of 2025, all TISAX® assessments are now conducted under the Version 6.0 framework, making this a critical year for suppliers seeking compliance and continued qualification with OEMs.
Automotive suppliers are no strangers to navigating complex information security requirements. For those supporting original equipment manufacturers (OEMs), especially in Europe and beyond, TISAX® (Trusted Information Security Assessment Exchange) has become a key expectation when it comes to safeguarding sensitive data across the supply chain.
Today, with the rollout of Version 6.0 of the VDA ISA catalog, the foundation of TISAX®, a new layer of complexity is being introduced—one that requires careful attention and action.
The TISAX® 6.0 Journey: July 17, 2025
Sign up to learn how suppliers can align with the new information security requirements.
Loading...
Why Version 6.0 matters
The changes affect confidentiality, system availability, and data privacy expectations—and could influence supplier qualification with leading OEMs. Moreover, any suppliers who were mid-cycle during 2024 may now face re-assessments or renewals in 2025.
Just like evolving cyber threats in public-facing platforms prompt businesses to reevaluate security protocols, the updates to TISAX® serve as a reminder that no environment is static when it comes to digital risk.
With threat actors leveraging automation and AI, these new requirements help ensure supplier environments are equipped for the next generation of digital risk.
What’s New in TISAX® Version 6.0?
1. A New Labeling Framework
The previous “Information Security High” and “Very High” labels have been replaced with a granular system focused on:
- Confidentiality (High, Strict)
- Availability (High, Very High)
- Integrity (High, Very High)
This provides clearer expectations tailored to the type of risk involved in each process or information category.
2. Emphasis on Operational Technology (OT)
Suppliers managing smart factories or connected equipment are expected to address new controls aligned with IEC 62443, reflecting a shift toward securing production systems.
3. Expanded Incident and Crisis Management
Two new controls cover how businesses detect, respond to, and recover from crises—adding depth to business continuity planning.
4. Overhauled Data Protection Requirements
The data protection module has tripled in size, reflecting increased regulatory and customer expectations, particularly around GDPR readiness.
TISAX® Version 5.x vs. Version 6.0: What’s Changed?
Area | Version 5.x (Previous) | Version 6.0 (Current) |
| Labeling System | “Information Security High” and “Very High” | Granular labels by dimension: Confidentiality (High, Strict), Availability (High, Very High), Integrity (High, Very High) |
| Operational Technology (OT) | Minimal or indirect reference | Dedicated OT controls aligned with IEC 62443; required for smart factories, connected systems |
| Incident & Crisis Management | General business continuity coverage | Two new controls for detecting, responding to, and recovering from crises |
| Data Protection Requirements | Basic GDPR alignment, lighter module | Module tripled in size; emphasizes privacy risk management, processor/controller roles |
| Risk Differentiation | Generalized expectations across the board | Risk-specific granularity by type of asset, process, or information |
| Scope Relevance | Static scoping and fewer triggers for reassessment | New labels and OT controls may trigger re-scoping for certified organizations |
| Audit/Assessment Impact | Less differentiation in audit readiness paths | New requirements may lengthen prep time and impact audit outcomes for many suppliers |
Which Automotive Suppliers Are Affected?
All suppliers assessed under TISAX® will encounter the new catalog as of April 2024. However, those working with large automotive OEMs will feel the shift most acutely.
Informational Note
Some OEMs, such as Honda and Hyundai, have recently updated their information security expectations for suppliers. Others, including Daimler, continue to rely on TISAX® to validate key risk control capabilities across their global networks.
These updates are not just checkboxes—they reflect a broader industry push to strengthen trust and resilience in data exchange.
This blog post is independently written and published by DQS. It is not affiliated with or endorsed by Honda Motor Co., Ltd., Hyundai Motor Company, Daimler AG, or any other OEM.
Loading...
What Should OEM Suppliers Do Next?
Organizations currently TISAX®-certified or preparing for their next assessment should:
- Conduct a gap analysis against VDA ISA 6.0
- Review and update ISMS documentation and responsibilities
- Plan team training and awareness for new control expectations
- Consider re-scoping based on new labeling needs (e.g., Confidentiality Strict)
Loading...
Expert Note
“If your TISAX scope includes personal data or production systems, these changes will significantly impact your documentation and technical safeguards.
Preparing now means fewer surprises later—and less risk of delays when interacting with OEM compliance teams."
- Sandeep Pauddar, Global Program Director of IT Sector Audits
Join us for live information on TISAX® 6.0
Ready to explore these changes in more depth?
Join our expert, Sandeep Pauddar, and stay ahead of evolving OEM expectations.
DQS Newsletter
Stay informed and subscribe to our newsletter!
Author
Nadine Heir
Nadine's team communicates the world-class quality for which DQS is globally recognized, in certification and auditing services, to companies across industries.
Loading...
