Street at sunrise

Automotive Compliance, Managed as One Programme.

One audit partner across quality, information security, vehicle cybersecurity and vehicle type approval.


Automotive with DQS: Quality, Software, Security and Approval — Aligned.

DQS has audited automotive organisations since IATF 16949 became a standard — from global OEMs to specialist component suppliers, across 60+ countries. As a globally accredited certification body, DQS covers the standards that matter to your role in the value chain: IATF 16949, the VDA 6 family, TISAX®, ISO/SAE 21434 and ENX VCS, plus vehicle type approval conformity assessment (KBA in Germany and equivalent national authorities elsewhere) where it applies to your products.

IATF-Recognised

Authorised to issue IATF 16949 certificates under the IATF Rules.

VDA Qualified

VDA 6.1/6.2/6.4 plus 6.3 and 6.5 audits with VDA QMC-qualified auditors.

TISAX® & ENX VCS

ENX-approved audit provider for both automotive schemes.

Global Coverage

Auditors in 60+ countries — across every major automotive region.

DQS as a Trusted Partner

Scale, accreditation and sector depth — measured.

DQS has audited automotive organisations across the value chain for decades — from global OEMs to specialist component suppliers. Here is what that scale looks like in numbers.

3,100+
Auditors worldwideIATF-recognised, VDA-qualified, iNTACS-certified and ENX-approved specialists.
65,000+
Certified locationsAcross all DQS standards — including the full automotive portfolio.
60+
CountriesLocal auditor presence in every major automotive hub — Germany, CEE, Asia, Americas.
40+
Years of experienceFounded 1985 by DGQ and DIN — Germany's first management-system certifier.
Self Driving Car Automotive

The automotive compliance landscape just shifted — and it cascades all the way down the supply chain.

Three things changed at once. Vehicle cybersecurity became a type-approval gate under UN Regulation 155 — where it applies, a certified Cyber Security Management System is required for vehicle type approval, and approval may not be granted without it. Software content per vehicle keeps growing, pushing software capability maturity expectations from optional to baseline requirements for safety-critical software suppliers. And TISAX® has hardened from a nice-to-have into a contractual prerequisite for handling OEM development data.

Whatever your role in the value chain — OEM, Tier 1, Tier 2, software supplier, equipment builder, engineering service or logistics — the requirements stack up at the same time. Managing them separately is what creates audit overlap, inconsistent interpretations, and avoidable delays.

The Industry Shift

Cybersecurity is now a regulatory gate, not an R&D topic.

Where UN R155 is in scope, a certified CSMS is required for vehicle type approval in UNECE 1958 contracting states — including the EU, UK, Japan, South Korea and other major automotive markets — and approval may not be granted without it. TISAX® is increasingly cascaded as a contractual prerequisite — not as future-state, but already today.

What’s at Stake

Lost type approval, blocked OEM nominations, missed deadlines.

  • Without ISO/SAE 21434 evidence, vehicle programmes don’t pass approval.
  • Without TISAX®, NDA-protected projects can’t be awarded.
  • Audited in silos, you pay for the same evidence twice and live with calibration gaps between auditors.
The DQS Approach

One audit programme across the full automotive stack — coordinated, calibrated, audit-ready.

  • One certification body across IATF 16949, VDA, TISAX®, ISO/SAE 21434, ENX VCS and KBA.
  • Aligned audit cycles, shared evidence, consistent interpretation across standards and sites.
  • Independent of advisory — the separation that makes the certificate credible to OEMs and regulators.

Typical Requirements Across the Automotive Industry

Whether you build vehicles, deliver parts, develop software, run an engineering service, or manage the logistics — your requirements sit across several layers at the same time.

  • Quality managementIATF 16949 and the VDA family (6.1, 6.2, 6.4)
  • Process and product audits — VDA 6.3 and VDA 6.5
  • Information security TISAX® (VDA ISA)
  • Vehicle cybersecurityISO/SAE 21434 and ENX VCS
  • Vehicle type approvalKBA (Germany), VCA (UK), RDW (Netherlands), NHTSA/EPA (US), MLIT (Japan) and equivalents
Which Requirements Apply to You

Start here — your role in the value chain shapes your scope.

Pick the role closest to yours to see the typical combination of standards. Your final scope is defined by your customers, your products, the regulations that apply, and your position in the value chain — DQS helps confirm the exact scope that applies to your organisation.

Tier 1 / Tier 2

Parts supplier — series production

  • IATF 16949 certification — baseline
  • VDA 6.3 process audits — customer-specific
  • TISAX® assessment — handling development data
  • ISO 14001 / ISO 50001 — OEM Scope 3
  • ISO/SAE 21434 / ENX VCS — if cybersecurity-relevant
Software / SDV

ECU, embedded & software-defined vehicle supplier

  • IATF 16949 — if delivering as hardware too
  • ISO/SAE 21434 / ENX VCS — vehicle cybersecurity
  • TISAX® — corporate information security
  • ISO/IEC 42001 — where AI is part of the stack
Equipment / Tooling

Production equipment & tooling manufacturer

  • VDA 6.4 certification — the sector-specific QMS
  • ISO 9001 — alongside or as baseline
  • TISAX® — if handling customer data
  • ISO 45001 — safety-critical equipment
Engineering Services

Engineering, testing & homologation services

  • VDA 6.2 certification — services-specific QMS
  • ISO 9001 — baseline or alongside
  • TISAX® — typical customer requirement
  • ISO/IEC 17025 — testing laboratory competence
  • ISO/IEC 27001 — IT-heavy service providers
Logistics

Automotive logistics provider

  • ISO 9001 — quality baseline
  • TAPA FSR / TSR — secure cargo handling
  • ISO 28000 — supply chain security
  • AEO — EU customs status
  • TISAX® — where customer data touches TMS
OEM

Vehicle manufacturer

  • IATF 16949 — across manufacturing sites
  • ISO/SAE 21434 + ENX VCS — CSMS for UN R155 (where in scope)
  • ISO/IEC 42001 — ADAS, autonomous, AI features
  • UN ECE type-approval scopes — R10, R155 and others as applicable
Vehicle Type Approval

National type approval & UN ECE conformity

  • National type approval — KBA (Germany), VCA (UK), RDW (Netherlands), MLIT (Japan) and equivalents
  • UN ECE R10 — electromagnetic compatibility (broadly applicable)
  • UN ECE R155 — cybersecurity, where the vehicle scope requires it
  • Other UN ECE regulations as applicable to the product
  • Applies independently of OEM / Tier 1 / Tier 2 position

Not sure which combination applies?

DQS helps you understand which standards are relevant to your position in the automotive value chain, how different requirements fit together, and what an aligned audit programme can look like for your organisation.

Get in touch
The Automotive Portfolio

Five layers — the full automotive stack, in detail.

Drill-down for each standard — grouped by what it answers for OEMs, regulators and your own customers. Quality management, process & product audits, corporate information security, vehicle cybersecurity, and vehicle type approval.

QMS

Quality management — the baseline across automotive manufacturing and services

These standards define the quality management foundation for automotive organisations. Different QMS standards apply depending on your role — series production of vehicles and parts, automotive services, or production equipment manufacturing.

IATF 16949 Certification
Series Production

The global quality management system standard for automotive production and relevant service parts organisations, integrating ISO 9001 with automotive-specific requirements on APQP, PPAP, FMEA, MSA, SPC, product safety and customer-specific requirements (CSRs). Mandatory across the direct supply chain for most OEMs. Issued only by IATF-recognised certification bodies under the IATF Rules.

VDA 6.1 Certification
German Automotive Series Production

The German Association of the Automotive Industry standard for QMS in series production. Historically the predecessor to IATF 16949 in the German supply base; still in use where specific customer requirements or legacy scope make it relevant. Often applied alongside IATF 16949 or as a supplement in particular parts of the VDA-aligned supply chain.

VDA 6.2 Certification
Automotive Service Providers

The VDA QMS standard tailored for providers of services in the automotive industry — logistics, engineering services, testing labs, after-sales, and other service functions outside direct series production. Gives service providers a credible, sector-specific QMS certification rather than a generic ISO 9001 certificate.

VDA 6.4 Certification
Production Equipment Manufacturers

The VDA QMS standard for manufacturers of automotive production equipment — tooling, machines, fixtures, and production-line equipment used by automotive OEMs and Tier suppliers. Covers the design-to-delivery discipline needed from equipment builders whose output directly shapes a manufacturing line's capability.

Your benefit: demonstrate quality management to customers, partners, and regulators — and operate with a recognised industry baseline.
AUD

Process & product audits

Not certifications — structured audits against defined criteria. Widely used as customer-specific supplements to IATF 16949 and as supplier development instruments.

VDA 6.3 Process Audit
Process Audit Methodology

The VDA process audit standard used across the German and wider European automotive supply chain. Assesses specific production and support processes against the VDA 6.3 criteria. Commonly written into OEM customer-specific requirements as a supplement to IATF 16949, or used as a supplier development instrument to surface process-capability issues between IATF surveillance audits.

VDA 6.5 Product Audit
Product Audit Methodology

The VDA product audit standard — a structured assessment of a finished product's conformance with specifications and customer requirements. Often applied alongside VDA 6.3 to combine process-capability evidence with product-level conformance evidence.

Your benefit: identify process risks early and demonstrate reliability to your customers.
SEC

Corporate information security

Information security at the organisation level — how your company protects development data, prototype information, and production systems. Mandatory across the automotive industry for organisations that create, exchange, or handle sensitive technical and customer information.

TISAX® Assessment
ENX Association · VDA ISA

The Trusted Information Security Assessment Exchange, managed by the ENX Association on behalf of the industry. Assessments are conducted against the VDA Information Security Assessment (VDA ISA) criteria catalogue, which aligns with ISO/IEC 27001 and adds automotive-specific expectations. Assessment results are shared via the ENX platform with authorised trading partners. Applies across the automotive industry for organisations handling prototype data, customer development information, or connected vehicle data.

Your benefit: demonstrate secure handling of sensitive information and meet OEM expectations.
VCS

Vehicle cybersecurity

A newer compliance layer specific to the connected and software-defined vehicle itself — distinct from corporate information security. Directly driven by UN Regulation 155, with national transpositions in UNECE 1958 contracting states (EU, UK, Japan, South Korea and other major automotive markets).

ISO/SAE 21434 Assessment
Road Vehicle Cybersecurity Engineering

ISO/SAE 21434:2021 — Road vehicles — Cybersecurity engineering. An engineering standard defining cybersecurity management across the full vehicle lifecycle: concept, development, production, operation, maintenance, and decommissioning. Widely referenced as the technical basis for demonstrating UN R155 conformity, where applicable. Relevant for OEMs and their supply chain — from Tier 1 and Tier 2 suppliers of cybersecurity-relevant components (telematics, ADAS, infotainment, gateway, OTA, in-vehicle networks) through to the type approval holder.

ENX VCS Certification
Vehicle Cyber Security · ENX Association

The ENX Association's global Vehicle Cyber Security standard, developed by and for the automotive industry. VCS provides an industry-recognised certification of vehicle cybersecurity management, aligned with ISO/SAE 21434 and UN R155, with shared audit results distributed across the ENX membership — the same mechanism that underpins TISAX® for corporate information security.

Your benefit: prepare for cybersecurity requirements linked to vehicle approval and connected systems.
VTA

Vehicle type approval

The legal compliance layer. Certain vehicle components and devices cannot legally enter regulated markets without conformity assessment under the applicable national road traffic framework — KBA in Germany, VCA in the UK, RDW in the Netherlands, MLIT in Japan, and equivalent national authorities or frameworks elsewhere.

KBA-related conformity assessment
German Type Approval Framework

Conformity assessment for German road traffic regulations (Straßenverkehrs-Zulassungs-Ordnung, StVZO) under the framework of the Kraftfahrt-Bundesamt (KBA) — the German Federal Motor Transport Authority, and one of the most demanding type approval regimes globally. Applies to vehicle components and devices requiring type approval or technical service testing before they can be placed on the German market, including specific categories of tachographs, speed limiters, and other regulated vehicle equipment. Equivalent national authorities or frameworks apply in other markets — VCA (UK), RDW (Netherlands), MLIT (Japan), and equivalent regulatory frameworks in the US (NHTSA, EPA) and China (MIIT) — each with its own scope and regulatory structure.

Your benefit: ensure your products can legally enter the regulated markets that matter to you.
How the Requirements Fit Together

Each layer answers a different question.

Every automotive requirement addresses a specific question your customers, regulators, or both are asking. Your challenge is that all of them apply at the same time. Your opportunity is to manage them as one aligned programme.

Is your quality management recognised across the industry?
Quality Management
IATF 16949, VDA 6.1, VDA 6.2, VDA 6.4. These define the quality management baseline for automotive manufacturers and their supply chain across series production, services, and production equipment.
Are your processes stable and reliable?
Process & Product Audits
VDA 6.3 process audits and VDA 6.5 product audits evaluate how parts are actually made. They surface capability issues early and give your customers clear evidence of consistent performance.
Is customer data protected?
Corporate Information Security
TISAX® assessment against the VDA ISA catalogue. Shared on the ENX platform with your authorised customers — so you prove information security once and reuse the evidence across multiple OEM relationships.
Is the product secure in operation?
Vehicle Cybersecurity
ISO/SAE 21434 and ENX VCS cover cybersecurity in the vehicle itself. They provide the technical basis for compliance with UN Regulation 155 on vehicle cybersecurity type approval.
Can the product legally enter the market?
Vehicle Type Approval
National type approval conformity assessment — KBA in Germany, VCA in the UK, RDW in the Netherlands, MLIT in Japan and equivalents elsewhere. The legal layer that makes specific vehicle equipment marketable in regulated jurisdictions.
Is AI in your product well governed?
Emerging — AI Governance
ISO/IEC 42001 AI management system. Becoming relevant for suppliers of ADAS, autonomous driving, driver monitoring, and AI-enabled HMI as EU AI Act applicability takes shape.
The Regulatory Driver Behind the Cybersecurity Layer

Where in scope, UN Regulation 155 makes a certified Cyber Security Management System required for vehicle type approval in UNECE 1958 contracting states — approval may not be granted without it.

UN R155 applicability is defined by the vehicle scope and the national type approval authority’s assessment (KBA in Germany, VCA in the UK, MLIT in Japan and equivalents) — it is not a blanket requirement for every product or every customer. Where it does apply, OEMs holding the type approval and suppliers of cybersecurity-relevant components — telematics, ADAS, infotainment, gateway, OTA, in-vehicle networks — need compatible evidence across the value chain. ISO/SAE 21434 gives the technical basis; ENX VCS provides industry-recognised certification. UN ECE R10 (electromagnetic compatibility) is far more broadly applicable across vehicle equipment.

Your Approach — Step by Step

A structured approach — fewer surprises, better audit outcomes.

A clear sequence helps you reduce internal effort and avoid delays at customer, type approval, or regulatory deadlines. Each step below moves you closer to an integrated audit programme.

1

Identify your requirements.

Review customer contracts, regulatory obligations, and market expectations to determine which standards apply to your role.

→ Your benefit: clarity on the scope before you invest in implementation work.
2

Assess your current setup.

Review existing certifications, audit cycles, and internal responsibilities across your sites and functions.

→ Your benefit: visibility over what already exists and what is missing.
3

Align and consolidate.

Where possible, combine certifications into one coordinated programme with aligned audit cycles.

→ Your benefit: fewer duplicate audits and less internal coordination effort.
4

Prepare for new requirements.

Cybersecurity (ISO/SAE 21434, ENX VCS) and AI governance (ISO/IEC 42001) are becoming increasingly relevant across the industry.

→ Your benefit: you are ready when requirements land, not reacting to them.
5

Plan audit capacity early.

Secure audit slots with your certification body in line with your commercial and regulatory deadlines.

→ Your benefit: you protect your delivery dates and avoid last-minute constraints.

What is included when you certify with DQS

Every DQS automotive engagement delivers the same audit-ready package — regardless of whether you book a single standard or an integrated multi-standard programme.

  • Pre-audit gap analysis against the chosen standards, on request.
  • Stage 1 documentation review with written readiness assessment.
  • Stage 2 on-site or hybrid audit by qualified, sector-specialist auditors.
  • Internationally accepted certificate issued under DAkkS accreditation, IATF recognition and ENX approval.
  • Annual surveillance audits coordinated across your full DQS scope.
  • Re-certification audit at the end of each three-year cycle.
  • Findings summary & improvement roadmap after every audit.
  • Listing & verification in relevant industry recognition platforms (IATF and ENX databases; VDA QMC auditor qualification records).
Why DQS

One partner for your full automotive compliance scope.

DQS covers the full automotive portfolio within one framework. That gives you one coordinated audit programme, a consistent audit approach, and clear communication across standards — instead of multiple disconnected processes.

What this means for you

  • One coordinated audit programme — audits aligned across your automotive scope, so scheduling, evidence gathering, and reporting reinforce each other.
  • Consistent audit approach — one calibration standard across auditors, so you do not get conflicting interpretations between standards.
  • Reduced duplication — less overlap, less internal workload, fewer repeat visits to the same site.
  • Clear communication — one certification body across IATF 16949, the VDA family, TISAX®, ENX VCS, ISO/SAE 21434, and vehicle type approval.
  • Independence — DQS is a certification body and does not advise on implementation. That separation is what makes DQS-issued certificates defensible evidence for OEM customers, regulators, and procurement teams.

IATF-Recognised Certification Body

Authorised to issue IATF 16949 certificates under the IATF Rules — with calibrated auditors and full oversight alignment.

VDA-Qualified Auditors

VDA 6.1, 6.2, 6.4 certification plus VDA 6.3 process and VDA 6.5 product audits — with auditors qualified under the VDA Quality Management Center.

TISAX® & ENX VCS Audit Provider

ENX-approved for both automotive schemes — corporate information security and vehicle cybersecurity.

ISO/SAE 21434 & vehicle type approval

Vehicle cybersecurity engineering at component and system scope, plus type approval conformity assessment, including KBA in Germany, for applicable product categories.

Sector Depth, Globally

A strong auditor base across Germany, Central and Eastern Europe, and every major automotive hub — with OEM and Tier 1 operational experience.

Ready to align your automotive compliance requirements?

  • Tell us your role in the value chain
  • We scope the combination that applies — across all nine standards
  • You get one coordinated audit plan, one point of contact, one calibrated approach
Get in touch
Questions & Answers

Frequently asked questions.

Do we need both ISO 9001 and IATF 16949?

IATF 16949 embeds ISO 9001 in full. A site with a valid IATF 16949 certificate has, by definition, met ISO 9001 requirements. Many sites choose not to maintain a separate ISO 9001 certificate once IATF 16949 is in place. Some retain ISO 9001 for non-automotive scope; it is a scope choice.

Who uses VDA 6.1, 6.2, and 6.4?

VDA 6.1 is a QMS standard for automotive series production, historically widely used across the German supply chain before IATF 16949; still relevant in specific contexts. VDA 6.2 applies to providers of services in the automotive industry (engineering, logistics, testing, after-sales). VDA 6.4 applies to manufacturers of automotive production equipment — tooling, machines, production-line equipment. Each exists because ISO 9001 is too generic, and IATF 16949 is aimed at series-production parts suppliers; the other VDA variants fill the gaps.

What is the difference between TISAX® and ENX VCS?

Both are managed by the ENX Association for the automotive industry, but they cover different things. TISAX® assesses corporate information security — how the supplier protects customer development data, prototype information, and production systems at the organisation level, based on the VDA ISA criteria. ENX VCS assesses vehicle cybersecurity — how the supplier builds and manages cybersecurity in the vehicle and its components, aligned with ISO/SAE 21434 and UN R155. Many suppliers need both.

How does ISO/SAE 21434 relate to UN R155?

UN R155 is a UNECE regulation on vehicle cybersecurity that, where it applies, makes a Cyber Security Management System (CSMS) a prerequisite for type approval of new vehicles placed on the market in UNECE 1958 contracting states — including the EU, UK, Japan, South Korea and other major automotive markets. Applicability depends on the vehicle scope and the national type approval authority’s assessment (KBA in Germany, VCA in the UK, MLIT in Japan and equivalents) — it is not a blanket requirement for every customer or every product. R155 sets what has to be achieved; ISO/SAE 21434 sets how — it is the technical standard that operationalises the CSMS requirements across the vehicle lifecycle. By contrast, UN ECE R10 (electromagnetic compatibility) is far more broadly applicable across vehicle equipment.

Is ENX VCS mandatory?

Not legally mandatory in itself. VCS is an industry-recognised certification scheme developed to provide a standard, shareable format for vehicle cybersecurity evidence across the supply chain — analogous to what TISAX® provides for corporate information security. Expectation that ENX VCS becomes a contractual requirement across the supply chain is growing as UN R155 applicability extends. Suppliers establishing ISO/SAE 21434 capability are typically well-positioned for VCS certification as well.

What does KBA certification cover?

KBA — the German Federal Motor Transport Authority — is the competent authority for type approval under German road traffic law (StVZO) and related EU type approval frameworks. KBA-related conformity assessment applies to vehicle components and devices requiring type approval or technical service testing before placement on the German market. The specific products in scope include certain categories of tachographs, speed limiters, and other regulated vehicle equipment. Applicability should be confirmed per product at an early development stage.

What about type approval outside Germany?

Each major automotive market has its own type approval authority or regulatory framework — VCA in the UK, RDW in the Netherlands, MLIT in Japan, and equivalent regulatory frameworks in the US (NHTSA, EPA) and China (MIIT), each with its own scope and regulatory structure. The applicable framework depends on where the product is placed on the market. UN ECE regulations (including R10 on electromagnetic compatibility and R155 on cybersecurity) apply across UNECE 1958 contracting states regardless of the national authority. DQS works with customers to scope the conformity assessment requirements that apply to their specific markets.

Can we run IATF 16949, TISAX®, and ENX VCS through one certification body?

Yes — and for multi-layer compliance requirements, that is typically the most efficient approach. DQS covers all four, plus the VDA family and KBA. A single certification body means one scheduling interface, one calibration baseline across audits, and the ability to integrate scope overlaps where applicable. Each audit retains its own rules and duration; the operational footprint on the site is what improves.