Why TISAX matters for Piacenza
TISAX (Trusted Information Security Assessment Exchange) is the information security assessment and result-exchange mechanism used by the European automotive industry. Developed by the VDA (Verband der Automobilindustrie) and operated by the ENX Association, it has become the de facto requirement for anyone working in the supply chain of OEMs such as Volkswagen, BMW, Mercedes-Benz and Stellantis, and of their Tier-1 suppliers.
The province of Piacenza hosts a significant automotive district: companies specialising in components, precision machining, stamping and sub-assembly that operate as Tier-2 and Tier-3 suppliers to major groups. When an OEM requires TISAX from its direct supplier, the obligation cascades down the entire supply chain. For many Piacenza SMEs, failing to comply means risking exclusion from the supply chain altogether.
What TISAX requires
TISAX is based on the VDA ISA (Information Security Assessment) questionnaire, whose catalogues cover information security, prototype protection and data protection. The depth of the assessment depends on the protection need of the information the company handles, and is expressed as one of three assessment levels:
- Level 1 (AL1): self-assessment only, with no verification by an audit provider. Useful as a first step, but not recognised by major OEMs.
- Level 2 (AL2): the self-assessment is verified remotely by an ENX-accredited audit provider, who checks its plausibility and the supporting evidence. Required for most suppliers handling confidential information (high protection need).
- Level 3 (AL3): full on-site assessment by the audit provider, including inspection of premises. Required for information with a very high protection need, such as physical prototypes or highly confidential data.
Prototype protection is a critical aspect for Piacenza companies that manufacture components in the development phase: TISAX requires specific physical and logical controls to prevent disclosure of information about models not yet released to the public.
ISO 27001 and TISAX: a starting point, not the finish line
Many companies with ISO/IEC 27001 certification assume they are already TISAX-compliant. In reality, ISO 27001 is an excellent foundation (it covers information security management in a structured way), but TISAX adds automotive-specific requirements and mechanisms that ISO 27001 does not cover:
- Prototype protection: physical controls (segregated areas, CCTV, biometric access) and digital controls (data classification, DLP) specific to components under development.
- Automotive supplier management: stricter security requirements for the sub-supplier chain, with cascading verification obligations.
- Results sharing: assessment results are published on the ENX platform and the company decides which business partners may see them, so the assessment does not have to be repeated for each customer.
Companies that already hold ISO/IEC 27001 have a tangible advantage: many controls are already in place. But targeted additions are needed to close the TISAX-specific gaps.
What a Piacenza company can do today
The path to TISAX requires planning, but it is achievable even for SMEs. Here are the concrete steps:
1. Assess your current security posture: our free NIST CSF 2.0 assessment provides a snapshot of your cyber maturity and identifies critical areas.
2. Perform a TISAX gap analysis: compare your current state against the VDA ISA questionnaire requirements. Our TISAX page explains the requirements and process in detail.
3. Implement missing controls: from technical cybersecurity (network segmentation, EDR, backup) to governance documentation (policies, procedures, registers).
4. Engage specialised consultancy: the TISAX journey requires specific expertise. Our IT consultancy supports companies from gap analysis through to final audit preparation.
5. Leverage existing certifications: if your company already holds ISO certifications, many TISAX requirements will already be covered, reducing compliance time and costs.
Why a local partner makes the difference
TISAX is not a project that can be solved with software or a single document. It requires a structured journey touching technology, processes and people. Having a partner in Piacenza who understands the local manufacturing fabric, the dynamics of the regional automotive supply chain and the specific challenges of SMEs means reliable support and fast response times.
AtWorkStudio has been operating from Piacenza since 2000, with ISO/IEC 27001, 27017, 27018 and ISO 9001 certifications. We are members of Clusit (Italian Association for Information Security) and Confindustria Piacenza. We are not a TISAX certification body — our role is to guide companies through the compliance journey, from the initial gap analysis to preparation for the audit with an ENX-accredited provider.