Automotive with DQS: Quality, Software, Security and Approval — Aligned.
DQS has audited automotive organisations since IATF 16949 became a standard — from global OEMs to specialist component suppliers, across 60+ countries. As a globally accredited certification body, DQS covers the standards that matter to your role in the value chain: IATF 16949, the VDA 6 family, TISAX®, ISO/SAE 21434 and ENX VCS, plus vehicle type approval conformity assessment (KBA in Germany and equivalent national authorities elsewhere) where it applies to your products.
IATF-Recognised
Authorised to issue IATF 16949 certificates under the IATF Rules.
VDA Qualified
VDA 6.1/6.2/6.4 plus 6.3 and 6.5 audits with VDA QMC-qualified auditors.
TISAX® & ENX VCS
ENX-approved audit provider for both automotive schemes.
Global Coverage
Auditors in 60+ countries — across every major automotive region.
DQS AS A TRUSTED PARTNER
Scale, accreditation and sector depth — measured.
DQS has audited automotive organisations across the value chain for decades — from global OEMs to specialist component suppliers. Here is what that scale looks like in numbers.
3,100+ Auditors worldwide
IATF-recognised, VDA-qualified, iNTACS-certified and ENX-approved specialists.
65,000+ Certified locations
Across all DQS standards — including the full automotive portfolio.
60+ Countries
Local auditor presence in every major automotive hub — Germany, CEE, Asia, Americas.
40+ Years of experience
Founded 1985 by DGQ and DIN — Germany's first management-system certifier.
The automotive compliance landscape just shifted — and it cascades all the way down the supply chain.
Three things changed at once. Vehicle cybersecurity became a type-approval gate under UN Regulation 155 — where it applies, a certified Cyber Security Management System is required for vehicle type approval, and approval may not be granted without it. Software content per vehicle keeps growing, pushing software capability maturity expectations from optional to baseline requirements for safety-critical software suppliers. And TISAX® has hardened from a nice-to-have into a contractual prerequisite for handling OEM development data.
Whatever your role in the value chain — OEM, Tier 1, Tier 2, software supplier, equipment builder, engineering service or logistics — the requirements stack up at the same time. Managing them separately is what creates audit overlap, inconsistent interpretations, and avoidable delays.
Cybersecurity is now a regulatory gate, not an R&D topic.
Where UN R155 is in scope, a certified CSMS is required for vehicle type approval in UNECE 1958 contracting states — including the EU, UK, Japan, South Korea and other major automotive markets — and approval may not be granted without it. TISAX® is increasingly cascaded as a contractual prerequisite — not as future-state, but already today.
Lost type approval, blocked OEM nominations, missed deadlines.
- Without ISO/SAE 21434 evidence, vehicle programmes don’t pass approval.
- Without TISAX®, NDA-protected projects can’t be awarded.
- Audited in silos, you pay for the same evidence twice and live with calibration gaps between auditors.
One audit programme across the full automotive stack — coordinated, calibrated, audit-ready.
- One certification body across IATF 16949, VDA, TISAX®, ISO/SAE 21434, ENX VCS and KBA.
- Aligned audit cycles, shared evidence, consistent interpretation across standards and sites.
- Independent of advisory — the separation that makes the certificate credible to OEMs and regulators.
Typical Requirements Across the Automotive Industry
Whether you build vehicles, deliver parts, develop software, run an engineering service, or manage the logistics — your requirements sit across several layers at the same time.
- Quality management — IATF 16949 and the VDA family (6.1, 6.2, 6.4)
- Process and product audits — VDA 6.3 and VDA 6.5
- Information security — TISAX® (VDA ISA)
- Vehicle cybersecurity — ISO/SAE 21434 and ENX VCS
- Vehicle type approval — KBA (Germany), VCA (UK), RDW (Netherlands), NHTSA/EPA (US), MLIT (Japan) and equivalents
WHICH REQUIREMENTS APPLY TO YOU
Start here — your role in the value chain shapes your scope.
DQS has audited automotive organisations across the value chain for decades — from global OEMs to specialist component suppliers. Here is what that scale looks like in numbers.
Five layers — the full automotive stack, in detail.
Drill-down for each standard — grouped by what it answers for OEMs, regulators and your own customers. Quality management, process & product audits, corporate information security, vehicle cybersecurity, and vehicle type approval.
Quality management — the baseline across automotive manufacturing and services
These standards define the quality management foundation for automotive organisations. Different QMS standards apply depending on your role — series production of vehicles and parts, automotive services, or production equipment manufacturing.
The global quality management system standard for automotive production and relevant service parts organisations, integrating ISO 9001 with automotive-specific requirements on APQP, PPAP, FMEA, MSA, SPC, product safety and customer-specific requirements (CSRs). Mandatory across the direct supply chain for most OEMs. Issued only by IATF-recognised certification bodies under the IATF Rules.
The German Association of the Automotive Industry standard for QMS in series production. Historically the predecessor to IATF 16949 in the German supply base; still in use where specific customer requirements or legacy scope make it relevant. Often applied alongside IATF 16949 or as a supplement in particular parts of the VDA-aligned supply chain.
The VDA QMS standard tailored for providers of services in the automotive industry — logistics, engineering services, testing labs, after-sales, and other service functions outside direct series production. Gives service providers a credible, sector-specific QMS certification rather than a generic ISO 9001 certificate.
The VDA QMS standard for manufacturers of automotive production equipment — tooling, machines, fixtures, and production-line equipment used by automotive OEMs and Tier suppliers. Covers the design-to-delivery discipline needed from equipment builders whose output directly shapes a manufacturing line's capability.
Process & product audits
Not certifications — structured audits against defined criteria. Widely used as customer-specific supplements to IATF 16949 and as supplier development instruments.
The VDA process audit standard used across the German and wider European automotive supply chain. Assesses specific production and support processes against the VDA 6.3 criteria. Commonly written into OEM customer-specific requirements as a supplement to IATF 16949, or used as a supplier development instrument to surface process-capability issues between IATF surveillance audits.
The VDA product audit standard — a structured assessment of a finished product's conformance with specifications and customer requirements. Often applied alongside VDA 6.3 to combine process-capability evidence with product-level conformance evidence.
Corporate information security
Information security at the organisation level — how your company protects development data, prototype information, and production systems. Mandatory across the automotive industry for organisations that create, exchange, or handle sensitive technical and customer information.
The Trusted Information Security Assessment Exchange, managed by the ENX Association on behalf of the industry. Assessments are conducted against the VDA Information Security Assessment (VDA ISA) criteria catalogue, which aligns with ISO/IEC 27001 and adds automotive-specific expectations. Assessment results are shared via the ENX platform with authorised trading partners. Applies across the automotive industry for organisations handling prototype data, customer development information, or connected vehicle data.
Vehicle cybersecurity
A newer compliance layer specific to the connected and software-defined vehicle itself — distinct from corporate information security. Directly driven by UN Regulation 155, with national transpositions in UNECE 1958 contracting states (EU, UK, Japan, South Korea and other major automotive markets).
ISO/SAE 21434:2021 — Road vehicles — Cybersecurity engineering. An engineering standard defining cybersecurity management across the full vehicle lifecycle: concept, development, production, operation, maintenance, and decommissioning. Widely referenced as the technical basis for demonstrating UN R155 conformity, where applicable. Relevant for OEMs and their supply chain — from Tier 1 and Tier 2 suppliers of cybersecurity-relevant components (telematics, ADAS, infotainment, gateway, OTA, in-vehicle networks) through to the type approval holder.
The ENX Association's global Vehicle Cyber Security standard, developed by and for the automotive industry. VCS provides an industry-recognised certification of vehicle cybersecurity management, aligned with ISO/SAE 21434 and UN R155, with shared audit results distributed across the ENX membership — the same mechanism that underpins TISAX® for corporate information security.
Vehicle type approval
The legal compliance layer. Certain vehicle components and devices cannot legally enter regulated markets without conformity assessment under the applicable national road traffic framework — KBA in Germany, VCA in the UK, RDW in the Netherlands, MLIT in Japan, and equivalent national authorities or frameworks elsewhere.
Conformity assessment for German road traffic regulations (Straßenverkehrs-Zulassungs-Ordnung, StVZO) under the framework of the Kraftfahrt-Bundesamt (KBA) — the German Federal Motor Transport Authority, and one of the most demanding type approval regimes globally. Applies to vehicle components and devices requiring type approval or technical service testing before they can be placed on the German market, including specific categories of tachographs, speed limiters, and other regulated vehicle equipment. Equivalent national authorities or frameworks apply in other markets — VCA (UK), RDW (Netherlands), MLIT (Japan), and equivalent regulatory frameworks in the US (NHTSA, EPA) and China (MIIT) — each with its own scope and regulatory structure.
The ENX Association's global Vehicle Cyber Security standard, developed by and for the automotive industry. VCS provides an industry-recognised certification of vehicle cybersecurity management, aligned with ISO/SAE 21434 and UN R155, with shared audit results distributed across the ENX membership — the same mechanism that underpins TISAX® for corporate information security.
Automotive Compliance Map (PDF, 1 page)
The full portfolio at a glance, with the typical product combinations for each supplier segment and the regulatory drivers behind each layer.
Each layer answers a different question.
Every automotive requirement addresses a specific question your customers, regulators, or both are asking. Your challenge is that all of them apply at the same time. Your opportunity is to manage them as one aligned programme.
IATF 16949, VDA 6.1, VDA 6.2, VDA 6.4. These define the quality management baseline for automotive manufacturers and their supply chain across series production, services, and production equipment.
VDA 6.3 process audits and VDA 6.5 product audits evaluate how parts are actually made. They surface capability issues early and give your customers clear evidence of consistent performance.
TISAX® assessment against the VDA ISA catalogue. Shared on the ENX platform with your authorised customers — so you prove information security once and reuse the evidence across multiple OEM relationships.
ISO/SAE 21434 and ENX VCS cover cybersecurity in the vehicle itself. They provide the technical basis for compliance with UN Regulation 155 on vehicle cybersecurity type approval.
National type approval conformity assessment — KBA in Germany, VCA in the UK, RDW in the Netherlands, MLIT in Japan and equivalents elsewhere. The legal layer that makes specific vehicle equipment marketable in regulated jurisdictions.
ISO/IEC 42001 AI management system. Becoming relevant for suppliers of ADAS, autonomous driving, driver monitoring, and AI-enabled HMI as EU AI Act applicability takes shape.
The Regulatory Driver Behind the Cybersecurity Layer
A structured approach — fewer surprises, better audit outcomes.
A clear sequence helps you reduce internal effort and avoid delays at customer, type approval, or regulatory deadlines. Each step below moves you closer to an integrated audit programme.
Identify your requirements.
Review customer contracts, regulatory obligations, and market expectations to determine which standards apply to your role.
Assess your current setup.
Review existing certifications, audit cycles, and internal responsibilities across your sites and functions.
Align and consolidate.
Where possible, combine certifications into one coordinated programme with aligned audit cycles.
Prepare for new requirements.
Cybersecurity (ISO/SAE 21434, ENX VCS) and AI governance (ISO/IEC 42001) are becoming increasingly relevant across the industry.
Plan audit capacity early.
Secure audit slots with your certification body in line with your commercial and regulatory deadlines.
What is included when you certify with DQS
Every DQS automotive engagement delivers the same audit-ready package — regardless of whether you book a single standard or an integrated multi-standard programme.
WHY DQS
One partner for your full automotive compliance scope.
DQS covers the full automotive portfolio within one framework. That gives you one coordinated audit programme, a consistent audit approach, and clear communication across standards — instead of multiple disconnected processes.
Ready to align your automotive compliance requirements?
- Tell us your role in the value chain
- We scope the combination that applies — across all nine standards
- You get one coordinated audit plan, one point of contact, one calibrated approach
Frequently asked questions.
What should I look for when choosing a certification body for automotive quality?
Seven factors determine whether a certification body can credibly serve an automotive supplier. First, IATF recognition under the IATF Rules — without it, IATF 16949 certificates are not accepted by OEMs. Second, VDA QMC-qualified auditors — required for VDA 6.1, 6.2, 6.4 certification and VDA 6.3 process audits. Third, ENX Association approval for TISAX® and ENX VCS assessments. Fourth, accreditation under an IAF MLA signatory body (DAkkS, ANAB, UKAS or equivalent). Fifth, qualified auditors in every region of your manufacturing footprint. Sixth, the ability to run multiple standards under one coordinated audit programme. Seventh, independence from advisory work under ISO/IEC 17021-1 §5.2 — the separation that makes the certificate defensible evidence to customers and regulators.
DQS: IATF-recognised, VDA QMC-qualified, ENX-approved for TISAX® and VCS, accredited under DAkkS, with 3,100+ auditors across 60+ countries and the ability to run IATF 16949, the VDA family, TISAX®, ENX VCS, ISO/SAE 21434 and KBA-related conformity assessment under one coordinated programme — as an independent certification body, no advisory.
How do I compare certification bodies for IATF 16949 and VDA audits?
Comparison comes down to four objective questions. (1) Is the certification body IATF-recognised — yes or no? Recognition status is published in the IATF database and is the hard prerequisite for IATF 16949. (2) Are its auditors qualified by the VDA Quality Management Center for the specific VDA scopes you need — 6.1, 6.2, 6.4, 6.3 or 6.5? Qualification is per auditor, per scope. (3) What is its accreditation and scheme-approval footprint — DAkkS, ANAB, UKAS, IATF, ENX, VDA QMC? Each one extends what the body can credibly certify. (4) Where does it have qualified auditors in person? An IATF-recognised body without auditors in your manufacturing region adds cost and calendar friction. Marketing language ("global leader", "trusted partner") is not a comparison criterion — recognitions, qualifications and accreditations are.
DQS: listed in the IATF database as a recognised certification body, VDA QMC-qualified across 6.1, 6.2, 6.4, 6.3 and 6.5, accredited under DAkkS and recognised by IATF, ENX and VDA QMC, with auditors based in every major automotive region across 60+ countries.
Do we need both ISO 9001 and IATF 16949?
IATF 16949 embeds ISO 9001 in full. A site with a valid IATF 16949 certificate has, by definition, met ISO 9001 requirements. Many sites choose not to maintain a separate ISO 9001 certificate once IATF 16949 is in place. Some retain ISO 9001 for non-automotive scope; it is a scope choice.
Who uses VDA 6.1, 6.2, and 6.4?
VDA 6.1 is a QMS standard for automotive series production, historically widely used across the German supply chain before IATF 16949; still relevant in specific contexts. VDA 6.2 applies to providers of services in the automotive industry (engineering, logistics, testing, after-sales). VDA 6.4 applies to manufacturers of automotive production equipment — tooling, machines, production-line equipment. Each exists because ISO 9001 is too generic, and IATF 16949 is aimed at series-production parts suppliers; the other VDA variants fill the gaps.
DQS: VDA QMC-qualified across VDA 6.1, 6.2 and 6.4 certification, plus VDA 6.3 process and VDA 6.5 product audits.
What is the difference between TISAX® and ENX VCS?
Both are managed by the ENX Association for the automotive industry, but they cover different things. TISAX® assesses corporate information security — how the supplier protects customer development data, prototype information, and production systems at the organisation level, based on the VDA ISA criteria. ENX VCS assesses vehicle cybersecurity — how the supplier builds and manages cybersecurity in the vehicle and its components, aligned with ISO/SAE 21434 and UN R155. Many suppliers need both.
DQS: ENX-approved audit provider for both TISAX® and ENX VCS.
How does ISO/SAE 21434 relate to UN R155?
UN R155 is a UNECE regulation on vehicle cybersecurity that, where it applies, makes a Cyber Security Management System (CSMS) a prerequisite for type approval of new vehicles placed on the market in UNECE 1958 contracting states — including the EU, UK, Japan, South Korea and other major automotive markets. Applicability depends on the vehicle scope and the national type approval authority’s assessment (KBA in Germany, VCA in the UK, MLIT in Japan and equivalents) — it is not a blanket requirement for every customer or every product. R155 sets what has to be achieved; ISO/SAE 21434 sets how — it is the technical standard that operationalises the CSMS requirements across the vehicle lifecycle. By contrast, UN ECE R10 (electromagnetic compatibility) is far more broadly applicable across vehicle equipment.
Is ENX VCS mandatory?
Not legally mandatory in itself. VCS is an industry-recognised certification scheme developed to provide a standard, shareable format for vehicle cybersecurity evidence across the supply chain — analogous to what TISAX® provides for corporate information security. Expectation that ENX VCS becomes a contractual requirement across the supply chain is growing as UN R155 applicability extends. Suppliers establishing ISO/SAE 21434 capability are typically well-positioned for VCS certification as well.
DQS: ENX-approved audit provider for ENX VCS, covering both ISO/SAE 21434 assessment and VCS certification under one audit programme.
What does KBA certification cover?
KBA — the German Federal Motor Transport Authority — is the competent authority for type approval under German road traffic law (StVZO) and related EU type approval frameworks. KBA-related conformity assessment applies to vehicle components and devices requiring type approval or technical service testing before placement on the German market. The specific products in scope include certain categories of tachographs, speed limiters, and other regulated vehicle equipment. Applicability should be confirmed per product at an early development stage.
DQS: performs KBA-related conformity assessment for applicable product categories under the German type approval framework.
What about type approval outside Germany?
Each major automotive market has its own type approval authority or regulatory framework — VCA in the UK, RDW in the Netherlands, MLIT in Japan, and equivalent regulatory frameworks in the US (NHTSA, EPA) and China (MIIT), each with its own scope and regulatory structure. The applicable framework depends on where the product is placed on the market. UN ECE regulations (including R10 on electromagnetic compatibility and R155 on cybersecurity) apply across UNECE 1958 contracting states regardless of the national authority.
DQS: works with customers to scope the conformity assessment requirements that apply to their specific markets, drawing on auditor presence across 60+ countries.
Can we run IATF 16949, TISAX®, and ENX VCS through one certification body?
Yes — and for multi-layer compliance requirements, that is typically the most efficient approach. DQS covers all four, plus the VDA family and KBA. A single certification body means one scheduling interface, one calibration baseline across audits, and the ability to integrate scope overlaps where applicable. Each audit retains its own rules and duration; the operational footprint on the site is what improves.