As of 2025, all TISAX® assessments are now conducted under the Version 6.0 framework, making this a critical year for suppliers seeking compliance and continued qualification with OEMs. 

Automotive suppliers are no strangers to navigating complex information security requirements. For those supporting original equipment manufacturers (OEMs), especially in Europe and beyond, TISAX® (Trusted Information Security Assessment Exchange) has become a key expectation when it comes to safeguarding sensitive data across the supply chain. 

Today, with the rollout of Version 6.0 of the VDA ISA catalog, the foundation of TISAX®, a new layer of complexity is being introduced—one that requires careful attention and action.  


Why Version 6.0 matters

The changes affect confidentiality, system availability, and data privacy expectations—and could influence supplier qualification with leading OEMs. Moreover, any suppliers who were mid-cycle during 2024 may now face re-assessments or renewals in 2026. 

Just as evolving cyber threats in public-facing platforms prompt businesses to reevaluate security protocols, the updates to TISAX® serve as a reminder that no environment is static when it comes to digital risk.

With threat actors leveraging automation and AI, these new requirements help ensure supplier environments are equipped for the next generation of digital risk. 

What’s New in TISAX® Version 6.0? 

1. A New Labeling Framework 

The previous “Information Security High” and “Very High” labels have been replaced with a granular system focused on: 

  • Confidentiality (High, Strict) 
  • Availability (High, Very High) 
  • Integrity (High, Very High) 

This provides clearer expectations tailored to the type of risk involved in each process or information category. 

2. Emphasis on Operational Technology (OT) 

Suppliers managing smart factories or connected equipment are expected to address new controls aligned with IEC 62443, reflecting a shift toward securing production systems. 

3. Expanded Incident and Crisis Management 

Two new controls cover how businesses detect, respond to, and recover from crises—adding depth to business continuity planning. 

4. Overhauled Data Protection Requirements 

The data protection module has tripled in size, reflecting increased regulatory and customer expectations, particularly around GDPR readiness. 


Expert Note

“If your TISAX scope includes personal data or production systems, these changes will significantly impact your documentation and technical safeguards. 

Preparing now means fewer surprises later—and less risk of delays when interacting with OEM compliance teams.”

- Sandeep Pauddar, Global Program Director of IT Sector Audits
 

TISAX® Version 5.x vs. Version 6.0: What’s Changed? 

| Area | Version 5.x (Previous) | Version 6.0 (Current) |
|---|---|---|
| Labeling System | “Information Security High” and “Very High” | Granular labels by dimension: Confidentiality (High, Strict), Availability (High, Very High), Integrity (High, Very High) |
| Operational Technology (OT) | Minimal or indirect reference | Dedicated OT controls aligned with IEC 62443; required for smart factories, connected systems |
| Incident & Crisis Management | General business continuity coverage | Two new controls for detecting, responding to, and recovering from crises |
| Data Protection Requirements | Basic GDPR alignment, lighter module | Module tripled in size; emphasizes privacy risk management, processor/controller roles |
| Risk Differentiation | Generalized expectations across the board | Risk-specific granularity by type of asset, process, or information |
| Scope Relevance | Static scoping and fewer triggers for reassessment | New labels and OT controls may trigger re-scoping for certified organizations |
| Audit/Assessment Impact | Less differentiation in audit readiness paths | New requirements may lengthen prep time and impact audit outcomes for many suppliers |

Which Automotive Suppliers Are Affected? 

All suppliers assessed under TISAX® have encountered the new catalog launched in April 2024. However, those working with large automotive OEMs are feeling the shift most acutely. 

Informational Note 
Some OEMs, such as Honda and Hyundai, have recently updated their information security expectations for suppliers. Others, including Daimler, continue to rely on TISAX® to validate key risk control capabilities across their global networks. 

These updates are not just checkboxes—they reflect a broader industry push to strengthen trust and resilience in data exchange. 

This blog post is independently written and published by DQS. It is not affiliated with or endorsed by Honda Motor Co., Ltd., Hyundai Motor Company, Daimler AG, or any other OEM. 


What Should OEM Suppliers Do Next?

Organizations currently TISAX®-certified or preparing for their next assessment should:

  • Conduct a gap analysis against VDA ISA 6.0
  • Review and update ISMS documentation and responsibilities
  • Plan team training and awareness for new control expectations
  • Consider re-scoping based on new labeling needs (e.g., Confidentiality Strict)

Author

Nadine Heir

Nadine's team communicates the world-class quality for which DQS is globally recognized, in certification and auditing services, to companies across industries.
