Daimler Truck

Cyber Security Requirements

Supplier FAQ – TISAX® Label

Introduction 

This document provides a comprehensive overview of TISAX® (Trusted Information Security Assessment Exchange). TISAX® is a standardized information security assessment and label process developed specifically for the automotive industry.

This document is used to inform Daimler Truck suppliers about the TISAX® process and to provide competent and quick answers to supplier questions about the information security standard at Daimler Truck.  

The information provided in this document about TISAX is based on publicly available information. Please refer to the following sites for further information: https://portal.enx.com/en-us/TISAX/

The document is divided into four chapters with respective questions and answers. Please note that the first two chapters apply to Direct and Indirect Procurement. Chapter three only applies to Direct Procurement and chapter four only to Indirect Procurement. 

Additional Information 

Daimler Truck TISAX® participant ID: PYF55X

Issued by: Procurement & Cyber Security 

1. General information about TISAX®

  • 1.1 What does TISAX® stand for?

    TISAX® (Trusted Information Security Assessment Exchange) is a standardized assessment procedure for information security that was developed specifically for the automotive industry. It is based on the VDA-ISA catalog and enables companies to evaluate and certify their information security measures. 

  • 1.2 What is TISAX®?

    It is an assessment and exchange mechanism for information security processes in place to manage, exchange and protect information in the automotive industry. 

  • 1.3 Who created TISAX®?

    TISAX® was developed by the ENX Association on behalf of the German Association of the Automotive Industry (VDA). The governance group for the TISAX® testing requirements is the ENX association, a non-profit association created in the year 2000. Access the link for more details: https://www.enx.com/en-US/  

  • 1.4 Who is part of the ENX association?

    The participants in the ENX board are some OEMs (e.g. Volkswagen, BMW, Daimler, Ford, etc.), some Tier 1 suppliers (e.g. Bosch, Continental, etc.), and some automotive associations (VDA, GALIA, SMMT, ANFAC, etc.). 

  • 1.5 What standard is TISAX® based on?

    TISAX® is based on the VDA-ISA (German Association of the Automotive Industry - Information Security Assessment), which is based on the international standard ISO/IEC 27001 for information security management systems.  

  • 1.6 What is the standard scope of TISAX®?

    The TISAX® standard scope covers all areas that process confidential information. “The assessment includes all processes, procedures and resources under responsibility of the assessed organization that are relevant to the security of the protection objects and their protection goals as defined in the listed assessment objectives at the listed locations.” (Source: TISAX Participant Handbook (enx.com)). The assessed company can define which locations are part of the assessment scope.

  • 1.7 What are the key benefits of TISAX®?

    These are four external key benefits: 

    • The TISAX® label sets a predefined standard scope and hence a set level of information security for suppliers and customers 

    • TISAX® is specifically tailored to requirements of the automotive industry 

    • The TISAX® label is verified by the ENX Association 

    • The TISAX® label is easily shared with different participants via the ENX portal 

  • 1.8 Who conducts the plausibility check?

    Independent accredited testing service providers carry out the plausibility checks (TISAX Audit Provider · ENX Portal). 

  • 1.9 What are the assessment levels of TISAX®?

    TISAX® has 3 Assessment levels: assessment level 1 (self-assessment by supplier), assessment level 2 (self-assessment by supplier with plausibility check by audit provider – on-site is not required), assessment level 3 (comprehensive verification of a company’s compliance including on-site inspection). 

    Daimler Truck requires its suppliers to achieve assessment level 3.

  • 1.10 What are TISAX®-Assessment Objectives?

    TISAX® has 12 assessment objectives that are selected depending on the data the company handles. https://www.enx.com/handbook/tisax-participant-handbook.html#ID4685 

    TISAX® assessment objectives with Assessment level (AL): 

    1. Info high (AL 2) 
    2. Info very high (AL 3) 
    3. Confidential (AL 2) 
    4. Strictly confidential (AL 3) 
    5. High availability (AL 2) 
    6. Very high availability (AL 3) 
    7. Proto Parts (AL 3) 
    8. Proto vehicles (AL 3) 
    9. Test vehicles (AL 3) 
    10. Proto events (AL 3) 
    11. Data (AL 2) 
    12. Special data (AL 3) 

    Daimler Truck requires its suppliers to achieve assessment level 3. 

2. TISAX® Label Process

  • 2.1 How does a company get a TISAX® label and how can they register? What does the certification process look like?

    The TISAX® process consists of 3 steps: 1. Registration, 2. Assessment and 3. Exchange. Additional information about the registration process can be found here: FAQs · ENX Portal

  • 2.2 Where can additional information be found (e.g. scoping and the assessment itself) about TISAX® besides this FAQ?

    Additional information about TISAX® can be found here: TISAX Participant Handbook (enx.com)

  • 2.3 Does each plant need to obtain a separate TISAX® label?

    Part of the scoping process is to define the locations which belong to the assessment scope. All locations involved in relationships with Daimler Truck are expected to be TISAX® AL 3 certified. For big groups, the company can also apply for a simplified group assessment. The process steps are detailed in the TISAX® participant handbook (TISAX Participant Handbook (enx.com)). 

  • 2.4 What is the content of the TISAX® assessment?

    The exact content of the assessment is defined as part of the TISAX® process. Basis of the assessment is the VDA Information Security Assessment (ISA) questionnaire which is created and maintained by the VDA Information Security Committee. It can be downloaded from the ENX portal: Downloads - ENX Portal

  • 2.5 Who can see the result of the TISAX® assessment?

    The assessed company has full control of their results and needs to actively share it with the requesting party. For Daimler Truck, the supplier must specify the supplier number for which the TISAX® label is valid in the ENX database directly. This is necessary to provide Daimler Truck with the official result. 

  • 2.6 Can suppliers send the TISAX® label in paper form?

    TISAX® is designed to be shared via the designated ENX portal and not via other means, e.g. in paper form. This ensures confidentiality of the assessment results. Therefore, the supplier must specifically share the assessment results with Daimler Truck in the ENX portal. 

  • 2.7 How much does TISAX® certification cost?

    The costs for the TISAX® label vary depending on company size, the scope of the certification, the number of sites, the audit provider and the maturity level of the information management system at the company.  

  • 2.8 Does Daimler Truck pay for the TISAX® label of its suppliers?

    No, Daimler Truck does not pay for the TISAX® label of its suppliers. With the TISAX® label, a company first and foremost enhances their own security measures and only secondarily those of Daimler Truck, other customers, and the supply chain. 

  • 2.9 How can a company prove that they have a TISAX® label?

    To share the status information of the TISAX® label the supplier can either enter the Daimler Truck TISAX® participant ID (PYF55X) or can search for Daimler Truck in a drop-down list of participant IDs for companies that frequently receive shared assessment results.  

    In addition, the supplier defines the depth to which Daimler Truck can access the assessment result. Daimler Truck requires the sharing level: A+ Labels. 

  • 2.10 How long is the TISAX® label valid?

    A TISAX® label is generally valid for three years. After that, a new assessment must be carried out to maintain the label.

  • 2.11 What is the difference between a TISAX® assessment and a TISAX® label?

    A TISAX® assessment is the process in which your company’s information security measures are evaluated. A TISAX® label is the result of this assessment, indicating that your company meets TISAX® requirements. Business partners can view this label on the TISAX® platform. 

3. TISAX® at Daimler Truck for Direct Procurement

  • 3.1 What is the Daimler Truck Participant ID?

    The Daimler Truck participant ID is PYF55X. 

  • 3.2 Which level of certification is expected by Daimler Truck?

    A TISAX® label with assessment level 3 is required. Each of the following TISAX® assessment objectives receives an assessment level 3: “Info very high”, “Strictly confidential”, “Very high availability”, “Proto parts”, “Proto vehicles”, “Test vehicles”, “Proto events”, “Special data”.

  • 3.3 How is a TISAX® label transmitted to Daimler Truck?

    By sharing the result in the ENX database the TISAX® label will be available for Daimler Truck. The supplier needs to enter the Daimler Truck participant ID ("PYF55X") and needs to specify their Daimler Truck Supplier Number in the field called "Daimler Truck Supplier Number". Daimler Truck will then have access to the TISAX® label. 

  • 3.4 Who requires the TISAX® label?

    Starting 2025, Daimler Truck requires a TISAX® label with assessment level 3 for all production material suppliers.

  • 3.5 Is there a grace period to provide the TISAX® label?

    Yes, a reasonable grace period can be agreed between Daimler Truck and the supplier, beginning with a new contract or a contract extension. 

  • 3.6 Are there general exceptions for suppliers?

    No, but a reasonable grace period can be agreed between Daimler Truck and the supplier, beginning with a new contract or a contract extension. 

  • 3.7 What if a supplier has an ISO 27001 or SOC 2 certificate or a lower TISAX® assessment level 2 label? Is the TISAX® label with assessment level 3 still necessary?

    Yes, it’s necessary. After a reasonable grace period every direct supplier needs a TISAX® label assessment level 3. Individual exceptions are possible under certain circumstances. 

  • 3.8 What if a supplier only has TISAX® assessment level 1? Is the TISAX® label with assessment level 3 still necessary?

    The TISAX® assessment level 1 does not provide the required protection and is therefore not acknowledged. After a reasonable grace period every direct supplier needs a TISAX® label assessment level 3. 

  • 3.9 Why does the supplier still need the TISAX® label, even though he already has another certification?

    Other certificates can be a good basis for obtaining the TISAX® label. There can be overlaps in scope of the certificate which are also required for the TISAX® label. Nevertheless, the TISAX® label ensures the same levels of security through the standard scope, and the TISAX® label is the automotive industry standard.

  • 3.10 What impact does a missing TISAX® label have on the business relationship with Daimler Truck?

    The TISAX® label is an important part of the relationship between a supplier and Daimler Truck, as it enhances the resilience of the whole supply chain. Therefore, it may impact future awardings.  

  • 3.11 Why are there no exceptions for small suppliers or suppliers with low procurement volume?

    Because the risk of cyber threats is the same for all suppliers (Tier 1 suppliers and smaller Tier 1, Tier 2 or below). It’s important to understand that first and foremost, each company protects itself with a TISAX® label. The second step is to protect other companies. For example, the failure of one company could lead to problems in the supply chain, which could then affect other companies. That's why it's important that a wide supplier base is protected.

4. TISAX® at Daimler Truck for Indirect Procurement

  • 4.1 What is the Daimler Truck Participant ID?

    The Daimler Truck participant ID is PYF55X. 

  • 4.2 Who requires the TISAX® label?

    Starting 2025, Daimler Truck requires a TISAX® label with assessment level 3 for all production material suppliers.

    Daimler Truck may request the same label from all other suppliers within the respective procurement contract. A risk assessment will be applied for all indirect procurements with a contract volume of more than 500.000 € in cyber critical commodities. Depending on the result of the risk assessment a TISAX® label assessment level 3 can be required starting 2025. 

  • 4.3 Is there a grace period to provide the TISAX® label?

    Yes, a reasonable grace period can be agreed between Daimler Truck and the supplier, beginning with a new contract or a contract extension. 

  • 4.4 Are there exceptions for suppliers?

    Yes, only indirect material suppliers with a contract volume of more than 500.000 € in cyber critical commodities might need a TISAX® label assessment level 3. If these criteria are fulfilled, each procurement is rated individually to determine whether a TISAX® label is required. Individual exceptions are possible under certain circumstances.

  • 4.5 Which level of certification is expected by Daimler Truck?

    A TISAX® label with assessment level 3 is required. Each of the following TISAX® assessment objectives receives an assessment level 3: “Info very high”, “Strictly confidential”, “Very high availability”, “Proto parts”, “Proto vehicles”, “Test vehicles”, “Proto events”, “Special data”.

  • 4.6 How is a TISAX® Label transmitted to Daimler Truck?

    By sharing the result in the ENX database the TISAX® label will be available for Daimler Truck. The supplier needs to enter the Daimler Truck participant ID ("PYF55X") and to specify their Daimler Truck Supplier Number in the field called "Daimler Truck Supplier Number". Daimler Truck will then have access to the TISAX® Label. 

  • 4.7 What if a supplier has an ISO 27001 or SOC 2 certificate or a lower TISAX® assessment level 2 label? Is the TISAX® label with assessment level 3 still necessary?

    Yes, it’s necessary. After a reasonable grace period every indirect supplier that fulfills the criteria in 4.2 needs a TISAX® label with assessment level 3. Individual exceptions are possible under certain circumstances. Question 4.2 highlights the criteria that determine if an indirect supplier requires a TISAX® label assessment level 3.

  • 4.8 What if a supplier only has TISAX® assessment level 1? Is the TISAX® label with assessment level 3 still necessary?

    The TISAX® assessment level 1 does not provide the required protection and is therefore not acknowledged.  

    After a reasonable grace period every indirect supplier that fulfills the criteria in 4.2 needs a TISAX® label assessment level 3.  

  • 4.9 Why does the supplier still need the TISAX® label, even though he already has another certification?

    Other certificates can be a good basis for obtaining the TISAX® label. There can be overlaps in scope of the certificate which are also required for the TISAX® label. Nevertheless, the TISAX® label ensures the same levels of security through the standard scope, and the TISAX® label is the automotive industry standard.

  • 4.10 Can suppliers with low procurement volume with Daimler Truck get an exception approval to not present a TISAX® label?

    Yes, if a supplier of indirect material has no procurement higher than 500.000 € with Daimler Truck, the supplier is not required to present a TISAX® Label. There are no exceptions possible for suppliers with procurements above 500.000 €. Please note that there is no exception approval based on company size alone. 

  • 4.11 Why are there no exceptions for small suppliers?

    Because the risk of cyber threats is the same for all suppliers (Tier 1 suppliers and smaller Tier 1, Tier 2 or below). It’s important to understand that first and foremost, each company protects itself with a TISAX® label. The second step is to protect other companies. For example, the failure of one company could lead to problems in the supply chain, which could then affect other companies. That's why it's important that a wide supplier base is protected.

  • 4.12 What impact does a missing TISAX® label have on the business relationship with Daimler Truck?

    The TISAX® label is an important part of the relationship between a supplier and Daimler Truck, as it enhances the resilience of the whole supply chain. Therefore, it may impact future awardings.