What is TISAX and how does it differ from ISO 27001?

TISAX (Trusted Information Security Assessment Exchange) is an automotive-industry-specific security framework launched in 2017 by the German Association of the Automotive Industry alongside Audi, Daimler, and Volkswagen. It builds on the ISO 27001 standard but adds requirements specific to automotive supply-chain data, such as protection of vehicle design data and prototype information. Where ISO 27001 applies broadly across industries, TISAX certification results are shared within a closed exchange platform accessible only to automotive industry participants, removing the need for each OEM to conduct its own supplier audit. Outsight, which deploys its Motional Digital Twin technology inside BMW and other automotive manufacturing facilities, has obtained TISAX certification, reflecting the information-security standards required to operate within that supply chain.

Why do automotive OEMs require TISAX from software vendors, not just ISO 27001?

ISO 27001 is a general-purpose information security baseline. Automotive OEMs handle data categories that fall outside its scope: pre-production vehicle geometry, unreleased powertrain specifications, and prototype test data. TISAX's VDA ISA catalog includes controls tailored to those asset classes. Because major manufacturers co-authored the framework, TISAX certification functions as a mutually recognized proof of compliance within the supply chain, cutting redundant bilateral audits that would otherwise fall on every vendor entering the ecosystem. Outsight, which deploys its SHIFT platform across BMW and Stellantis facilities, holds TISAX certification precisely to meet this supply-chain requirement and operate within those environments under a commonly recognized security standard.

What are the TISAX assessment levels and how is the right one chosen?

The TISAX framework defines assessment levels tied to data sensitivity rather than company size. An organization selects its target level based on the classification of information it handles and the expectations of its automotive partners. The VDA ISA catalog structures requirements into three core modules with mandatory and recommended controls. Protection demands escalate at higher levels, which cover "high" and "very high" sensitivity categories such as prototype data. The appropriate level is therefore driven by the contractual context with the OEM or Tier-1 partner, not by a self-determined internal threshold. Outsight, which deploys its SHIFT platform across automotive manufacturers including BMW and Stellantis, recently obtained TISAX certification, confirming that its information security practices meet the requirements set by those partners.

Does TISAX certification cover GDPR compliance automatically?

TISAX is not a GDPR compliance framework, but the controls it requires overlap significantly with GDPR's technical and organizational security measures. Implementing TISAX-level data protection, access controls, and risk management processes reduces residual GDPR exposure because the underlying security posture addresses many of the same obligations. Outsight's TISAX certification reflects this alignment: the standard's rigorous requirements around data handling and access governance reinforce the privacy-by-design principles already built into its LiDAR-based platform, which captures shape and motion rather than faces or biometric data. Companies still need separate legal and contractual GDPR mechanisms, including data processing agreements and records of processing activities, but TISAX provides a solid technical foundation that auditors and regulators recognize as meaningful evidence of security maturity.

How does TISAX differ from SOC 2 for a B2B software vendor?

SOC 2 is a US-originated audit standard focused on how a software service provider controls and protects customer data across five trust principles: security, availability, processing integrity, confidentiality, and privacy. It is sector-agnostic. TISAX is sector-specific: it is the accepted standard within the European automotive supply chain, and its results are shared through a closed VDA-operated exchange rather than a public audit report. A vendor supplying software to both US enterprise clients and European automotive manufacturers typically needs both, as neither credential substitutes for the other in its respective domain. Outsight, which holds TISAX certification alongside deployments at automotive manufacturers such as BMW, illustrates how a Physical AI software vendor operating across industries must align with the distinct compliance frameworks each sector requires.

Who carries out a TISAX audit and can a company self-certify?

TISAX does not allow self-certification. Assessments must be conducted by an accredited external auditor approved by the ENX Association, the body that governs the exchange. TÜV Rheinland, TÜV SÜD, and a handful of other accredited providers are authorized to perform assessments. The auditor evaluates the organization against the VDA ISA catalog requirements at the chosen assessment level, and results are published in the TISAX portal for sharing with automotive partners rather than released as a public certificate. Outsight completed this process through an accredited external auditor to obtain its TISAX certification, a requirement that reflects the information security standards expected by automotive manufacturers such as the BMW facilities where Outsight's SHIFT platform is deployed.

Insights

Outsight Secures TISAX Certification

We are thrilled to announce that we have successfully obtained the TISAX Certification, which serves as a testament to our dedication to the highest standards of information security.

This achievement marks an important step in our commitment to maintaining the highest standards of information security, especially within the automotive sector, where data protection is critical.

What is TISAX?

In the competitive world of automobile manufacturing, automakers are continuously innovating to stay ahead. The creation of a single car model requires collaboration across a wide supply chain that includes numerous vendors.

With such extensive collaboration, manufacturers require assurance that their partners will protect sensitive information, such as intellectual designs and breakthrough technology. While some businesses perform individual audits of their suppliers to ensure data security, this procedure is resource demanding and not always possible.

In 2017, the German Association of the Automotive Industry (VDA) and Audi, Daimler, and Volkswagen launched TISAX (Trusted Information Security Assessment Exchange) to solve this issue.

TISAX functions as an information security assessment and sharing framework. It is based on the well-known ISO 27001 information security standard, but it incorporates extra security standards suited exclusively to the automobile industry.

This certification is an essential component of our Roadside Automated Driving solution:

How Roadside Autonomous Driving for Parking Works

What it is and how it works, Roadside Autonomous Driving (RAD) solutions, a specific segment of the broader Automated Valet Parking (AVP) market.

Read article →

The TISAX Framework

The TISAX structure requires a more comprehensive and tailored approach to information security compared to broader standards like ISO 27001.

The TISAX certificate varies from company to company. The scope and level of maturity assessed in TISAX are based on an organization’s chosen assessment parameters.

TISAX’s structure is outlined in the VDA ISA catalog, which divides the requirements into three core modules. These modules feature mandatory (“must”) and recommended (“should”) requirements, with additional levels for organizations that need “high” or “very high” protection measures. As companies progress from basic to advanced levels of protection, the security demands become more rigorous.

Once an organisation has determined which TISAX module is applicable to them, they can select the target Assessment Level, that matches their intended security capacity or the expectations of their business partners.

Our Path to TISAX with TÜV and VioletX

We worked closely with TÜV, a trusted external auditor, and collaborated with VioletX to prepare for the audit process for the automotive industry.

This journey required us to tailor our compliance levels according to the sensitivity of the data we manage, ensuring that every aspect of our security practices aligned with the TISAX framework.

The Importance of TISAX

TISAX plays a vital role in ensuring the security of sensitive information and personal data in the automotive industry.

Strengthened Trust and Reputation: It showcases Outsight commitment to strong information security with partners, suppliers, and customers.
Competitive Edge: Tisax it’s often a key requirement for collaborating with major automotive players.
Efficient Compliance Sharing: TISAX allows Outsight to share our compliance status securely, saving time and costs on repetitive assessments.
Improved Security: Implementing TISAX controls helps identify and mitigate risks, offering better protection against potential threats.
Regulatory Alignment: TISAX compliance also supports meeting broader data protection regulations like GDPR.

Solutions You Can Trust

The attainment of TISAX not only strengthens our security capabilities but also reinforces our position as a trusted partner for current and future clients.

With TISAX, we can assure our partners that we uphold the highest standards of information security, building confidence in our ability to protect their most critical data with integrity and reliability.

This milestone is part of our broader commitment to information security, building on recent achievements with ISO 27001, SOC 2 and BAST.

Outsight Achieves ISO 27001 Certification

We are thrilled to announce the achievement of ISO 27001 Certification, marking a commitment to top-tier information security.

Read article →

Outsight Achieves ISO 27001 Certification

We are excited to share that Outsight has attained SOC 2 compliance, proving our commitment to safeguarding the security and privacy of customer data.

Read article →

Together, these certifications underscore Outsight’s dedication to delivering innovative and secure solutions across industries.

About Outsight

Outsight’s Physical AI continuously digitizes the movement, behavior, and interactions of people, vehicles and robots at scale, producing real-time Spatial Intelligence built on 3D LiDAR data and enriched with other available data sources.

Operators of large, complex environments, including transportation hubs such as airports and train stations, sports and entertainment venues, road infrastructure, and industrial sites, rely on this Spatial Intelligence to enhance operations, improve visitor experiences, and strengthen safety and security.

We support customers across five continents from our offices in Paris, San Francisco, Singapore and Hong Kong, driven by the belief that accelerating the global adoption of Spatial Intelligence will lead to a smarter, safer, and more sustainable world.

Let's connect

Send us a Message

Drop your email and we'll get back to you as soon as possible.

Frequently Asked Questions

What is TISAX and how does it differ from ISO 27001?
TISAX (Trusted Information Security Assessment Exchange) is an automotive-industry-specific security framework launched in 2017 by the German Association of the Automotive Industry alongside Audi, Daimler, and Volkswagen. It builds on the ISO 27001 standard but adds requirements specific to automotive supply-chain data, such as protection of vehicle design data and prototype information. Where ISO 27001 applies broadly across industries, TISAX certification results are shared within a closed exchange platform accessible only to automotive industry participants, removing the need for each OEM to conduct its own supplier audit. Outsight, which deploys its Motional Digital Twin technology inside BMW and other automotive manufacturing facilities, has obtained TISAX certification, reflecting the information-security standards required to operate within that supply chain.
Why do automotive OEMs require TISAX from software vendors, not just ISO 27001?
ISO 27001 is a general-purpose information security baseline. Automotive OEMs handle data categories that fall outside its scope: pre-production vehicle geometry, unreleased powertrain specifications, and prototype test data. TISAX's VDA ISA catalog includes controls tailored to those asset classes. Because major manufacturers co-authored the framework, TISAX certification functions as a mutually recognized proof of compliance within the supply chain, cutting redundant bilateral audits that would otherwise fall on every vendor entering the ecosystem. Outsight, which deploys its SHIFT platform across BMW and Stellantis facilities, holds TISAX certification precisely to meet this supply-chain requirement and operate within those environments under a commonly recognized security standard.
What are the TISAX assessment levels and how is the right one chosen?
The TISAX framework defines assessment levels tied to data sensitivity rather than company size. An organization selects its target level based on the classification of information it handles and the expectations of its automotive partners. The VDA ISA catalog structures requirements into three core modules with mandatory and recommended controls. Protection demands escalate at higher levels, which cover "high" and "very high" sensitivity categories such as prototype data. The appropriate level is therefore driven by the contractual context with the OEM or Tier-1 partner, not by a self-determined internal threshold. Outsight, which deploys its SHIFT platform across automotive manufacturers including BMW and Stellantis, recently obtained TISAX certification, confirming that its information security practices meet the requirements set by those partners.
Does TISAX certification cover GDPR compliance automatically?
TISAX is not a GDPR compliance framework, but the controls it requires overlap significantly with GDPR's technical and organizational security measures. Implementing TISAX-level data protection, access controls, and risk management processes reduces residual GDPR exposure because the underlying security posture addresses many of the same obligations. Outsight's TISAX certification reflects this alignment: the standard's rigorous requirements around data handling and access governance reinforce the privacy-by-design principles already built into its LiDAR-based platform, which captures shape and motion rather than faces or biometric data. Companies still need separate legal and contractual GDPR mechanisms, including data processing agreements and records of processing activities, but TISAX provides a solid technical foundation that auditors and regulators recognize as meaningful evidence of security maturity.
How does TISAX differ from SOC 2 for a B2B software vendor?
SOC 2 is a US-originated audit standard focused on how a software service provider controls and protects customer data across five trust principles: security, availability, processing integrity, confidentiality, and privacy. It is sector-agnostic. TISAX is sector-specific: it is the accepted standard within the European automotive supply chain, and its results are shared through a closed VDA-operated exchange rather than a public audit report. A vendor supplying software to both US enterprise clients and European automotive manufacturers typically needs both, as neither credential substitutes for the other in its respective domain. Outsight, which holds TISAX certification alongside deployments at automotive manufacturers such as BMW, illustrates how a Physical AI software vendor operating across industries must align with the distinct compliance frameworks each sector requires.
Who carries out a TISAX audit and can a company self-certify?
TISAX does not allow self-certification. Assessments must be conducted by an accredited external auditor approved by the ENX Association, the body that governs the exchange. TÜV Rheinland, TÜV SÜD, and a handful of other accredited providers are authorized to perform assessments. The auditor evaluates the organization against the VDA ISA catalog requirements at the chosen assessment level, and results are published in the TISAX portal for sharing with automotive partners rather than released as a public certificate. Outsight completed this process through an accredited external auditor to obtain its TISAX certification, a requirement that reflects the information security standards expected by automotive manufacturers such as the BMW facilities where Outsight's SHIFT platform is deployed.

Outsight Secures TISAX Certification

What is TISAX?

The TISAX Framework

Our Path to TISAX with TÜV and VioletX

The Importance of TISAX

Solutions You Can Trust

Related Articles

Aeroporti di Roma to deploy Outsight's Physical AI solution at scale across Rome Fiumicino Airport

Intel and Outsight Announce Strategic Collaboration to Bring Physical AI–Powered Spatial Intelligence to the Enterprise Edge

Send us a Message

Frequently Asked Questions

What is TISAX and how does it differ from ISO 27001?

Why do automotive OEMs require TISAX from software vendors, not just ISO 27001?

What are the TISAX assessment levels and how is the right one chosen?

Does TISAX certification cover GDPR compliance automatically?

How does TISAX differ from SOC 2 for a B2B software vendor?

Who carries out a TISAX audit and can a company self-certify?