What is TISAX and Who Needs It?
Definition
TISAX
Trusted Information Security Assessment Exchange. An automotive industry assessment and exchange mechanism for information security, based on the VDA ISA (Information Security Assessment) questionnaire. Managed by the ENX Association. Required by most major European and international OEMs for suppliers handling sensitive data.
TISAX was introduced by the VDA (German Association of the Automotive Industry) to create a standardized way for automotive companies to assess the information security of their suppliers and partners. Unlike ISO 27001 — which is a certification — TISAX is an assessment whose results can be shared between OEM and supplier without requiring each OEM to conduct its own audit.
If your organization handles any of the following for an automotive OEM, you likely need a TISAX assessment: prototype vehicle data, personal data of vehicle users, production-relevant technical data, or information classified as 'confidential' or above by your OEM customer.
Does TISAX Apply to Cloud-Hosted Data?
Yes — and this is a frequent source of confusion. TISAX assesses your information security management system and the controls protecting the data, regardless of where the data is physically hosted. Moving from on-premises servers to AWS S3 or Azure Blob Storage does not change your TISAX obligations — it changes how you meet them.
The VDA ISA questionnaire includes specific controls for external hosting (cloud providers). Control 1.2.4 covers outsourcing, and assessors will specifically ask how you manage security responsibilities with your cloud service provider. The key document you need is a clear shared responsibility model.
Shared Responsibility: What Your CSP Covers and What You Own
TISAX Control Responsibility in Cloud Environments
| Control Area | Cloud Provider Responsibility | Your Responsibility |
|---|---|---|
| Physical security | Full (data center access, environmental controls) | None (inherited) |
| Infrastructure patching | Managed services (RDS, AKS, etc.) | IaaS VMs — you patch the OS |
| Data encryption at rest | Managed keys available | Key management policy, rotation schedule |
| Data encryption in transit | TLS termination available | Configuration and enforcement |
| Access management (IAM) | IAM tooling provided | Identity architecture, role assignment, review cycle |
| Vulnerability management | Managed services patched by CSP | Application-layer vulns, IaaS OS vulns |
| Incident response | CSP notifies of platform incidents | Your ISMS incident response process |
| Data classification & handling | None | Full responsibility |
Your cloud service provider will hold ISO 27001 certification and likely SOC 2 Type II reports. These cover the provider's own infrastructure and operations. They do not cover your application, your data handling practices, or your organizational processes — those remain in scope for TISAX.
Approved Cloud Providers for TISAX Data
TISAX does not maintain a list of 'approved' cloud providers, but assessors will evaluate whether your chosen CSP holds appropriate certifications (ISO 27001, C5, SOC 2 Type II are acceptable). AWS, Microsoft Azure, and Google Cloud all hold these certifications and publish their compliance documentation.
For data with the highest TISAX protection need (Level 3: highly sensitive prototype data), assessors may scrutinize data residency requirements and sovereign cloud options more carefully. In practice, AWS EU regions, Azure Germany regions, and Google Cloud Frankfurt regions have been accepted in TISAX assessments for German automotive suppliers.
Key Actions Before Your Next TISAX Assessment
1. Document your cloud architecture: which data is stored where, which services process it, and which CSP controls you rely on. This goes into your ISMS documentation as an asset inventory and system description.
2. Obtain and review your CSP's compliance documentation: AWS Artifact, Azure Compliance Manager, and GCP Compliance Reports Center provide certification scopes, penetration test reports, and SOC 2 reports.
3. Complete a shared responsibility analysis: for each TISAX control that touches cloud infrastructure, document explicitly whether the control is met by the CSP, by you, or shared.
4. Update your risk register: cloud-specific risks (data residency, CSP lock-in, shared infrastructure side-channel attacks) should be assessed and treated.
5. Inform your TISAX auditor in advance: if your data hosting has changed since your last assessment, notify your assessment service provider (ENX-approved auditor) before the assessment begins — not during it.
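To make steps 1, 3 and 4 concrete, here is an added example (not from the page, the VDA or ENX) that runs the customer-side rows of the shared responsibility table above, plus the Level 3 residency point, over a constructed asset inventory. The region list, the `protection_level` field and the sample assets are assumptions; substitute your own inventory and accepted regions.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed, illustrative subset of EU regions; your residency policy decides the real list.
EU_REGIONS = {"eu-central-1", "eu-west-1", "germanywestcentral", "europe-west3"}


@dataclass
class Asset:
    name: str
    protection_level: int       # VDA ISA protection need 1..3 (assumed inventory field)
    region: str
    managed_service: bool       # True: CSP patches the platform (RDS, AKS); False: IaaS VM
    customer_managed_key: bool  # encryption at rest under a key you control
    key_rotation_days: Optional[int]
    tls_enforced: bool          # e.g. a policy that denies non-TLS access
    os_patch_owner: str         # "csp" or "customer", from your responsibility record


def analyse(assets, max_rotation_days=365):
    """Return (asset, control area, owner, gap) tuples for gaps in controls you own."""
    findings = []
    for a in assets:
        if (not a.customer_managed_key or a.key_rotation_days is None
                or a.key_rotation_days > max_rotation_days):
            findings.append((a.name, "Data encryption at rest", "customer",
                             "no customer-managed key or rotation schedule"))
        if not a.tls_enforced:
            findings.append((a.name, "Data encryption in transit", "customer",
                             "TLS not enforced"))
        if not a.managed_service and a.os_patch_owner != "customer":
            findings.append((a.name, "Infrastructure patching", "customer",
                             "IaaS VM but OS patching not assigned to you"))
        if a.protection_level == 3 and a.region not in EU_REGIONS:
            findings.append((a.name, "Data residency", "customer",
                             f"Level 3 data outside accepted EU regions ({a.region})"))
    return findings


# Constructed sample inventory (step 1); not real systems.
INVENTORY = [
    Asset("proto-cad-bucket", 3, "us-east-1", True, False, None, True, "csp"),
    Asset("telemetry-db", 2, "eu-central-1", True, True, 365, True, "csp"),
    Asset("build-vm", 2, "eu-west-1", False, True, 90, False, "csp"),
]

if __name__ == "__main__":
    for finding in analyse(INVENTORY):
        print(" | ".join(finding))
```

Each finding names the table row and the party that owns the gap, which is the form step 3 asks for; anything left over after the CSP-owned rows is what goes into the risk register in step 4.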
