Applicable Standards
Intended Beneficiaries
- OEMs and Tier 1 / Tier 2 automotive component suppliers
- Automotive semiconductor, ECU, ADAS system, and V2X connectivity developers
- Taiwanese companies targeting European (VW, BMW, Mercedes) or Japanese supply chains
- Manufacturers already holding IATF 16949 certification looking to add cybersecurity and functional safety compliance
The Difference Between Acting and Waiting
✅ When you act
After passing TISAX certification, Taiwanese automotive component manufacturers are directly added to the approved supplier lists of BMW, Bosch, Continental, and other Tier 1 European manufacturers — stable annual frame orders instead of competing purely on price.
❌ When you wait
Taiwanese suppliers without TISAX certification are filtered out at the inquiry stage by European manufacturers — no chance to even submit a quote, forced to compete on price in lower-tier Asian markets.
✅ When you act
After the EU Cyber Resilience Act (CRA) takes effect in 2027, Taiwanese connected component manufacturers that complete compliance early have their CE mark in hand and the EU market open — first movers capturing the market vacuum under the new standard.
❌ When you wait
Manufacturers insufficiently prepared for CRA compliance face EU market export barriers after 2027, with entire shipments stopped at customs. Losses during the transition period are counted in the hundreds of millions.
✅ When you act
Suppliers with ISO/SAE 21434 certification are prioritized in EV supply chain integration — OEMs know their cybersecurity management is trustworthy, enabling deeper technology collaboration and more stable orders.
❌ When you wait
Suppliers without automotive cybersecurity certification face a hard barrier in the EV wave: no cybersecurity compliance means no supply chain access. Traditional advantages are neutralized by a single certification requirement.
Framework Comparison & Implementation Strategy
TISAX (VDA ISA)
Developed by the German Association of the Automotive Industry (VDA), designed specifically for automotive supply chains. BMW, Bosch, Daimler, and other European manufacturers require supplier TISAX certification — ISO 27001 is not an accepted substitute.
ISO 27001
General information security management standard applicable to all industries. Effective for foundational security frameworks, but does not meet European automotive manufacturers' specific supply chain cybersecurity audit standards and cannot substitute for TISAX.
CRA Requirements
From 2027, all products with digital elements sold in the EU market (connected devices, IoT, software) must comply with mandatory cybersecurity requirements throughout their lifecycle and obtain CE marking. Non-compliant products are banned from the EU market.
Taiwan Manufacturing Reality
Most Taiwanese connected device manufacturers have not designed their products with CRA requirements in mind. Comprehensive upgrades across product design, firmware security, and vulnerability response mechanisms are needed — the time window is closing.
Service Delivery Process (Four Stages)
TISAX Scope Definition & Self-Assessment
Conduct a current-state inventory using the VDA ISA questionnaire (information security, prototype protection, data protection) and define scope and target level (AL 2 / AL 3).
Gap Analysis & Remediation Roadmap
Identify technical and process gaps against TISAX, ISO 21434, and ISO 26262, and develop a prioritized remediation roadmap.
Controls Implementation & Documentation
Establish TISAX-compliant information security controls and prepare the ISO 26262 functional safety plan (FSP), safety case, and all required documentation.
Audit Preparation & Certification
Support selection of an accredited audit body (ENX-recognized), conduct mock audits, address non-conformances, and provide full-engagement support through TISAX or ISO 26262 ASIL certification.
Frequently Asked Questions
What is the relationship between TISAX and ISO/SAE 21434?
TISAX is the European automotive industry's assessment mechanism for information security, based on the VDA ISA questionnaire. ISO/SAE 21434 is an international standard specifically for automotive cybersecurity engineering. They are complementary: TISAX focuses on supplier information security governance, while 21434 focuses on cybersecurity engineering throughout the product development lifecycle.
How is the ASIL level determined in ISO 26262?
ASIL is determined through Hazard Analysis and Risk Assessment (HARA), considering Severity (S), Exposure (E), and Controllability (C), ranging from ASIL A (lowest) to ASIL D (highest). Winners assists you in conducting HARA to correctly determine the ASIL level for each function.
Do Taiwanese suppliers entering European OEM supply chains definitely need TISAX?
Yes. Most European OEMs have made TISAX AL 2 or AL 3 assessment a mandatory supplier qualification requirement. Winners helps Taiwanese suppliers achieve recognition via the most efficient pathway.
How long is a TISAX assessment valid?
TISAX assessment results are valid for 3 years. Re-assessment is required before expiry. Winners provides ongoing compliance maintenance services to ensure smooth re-assessment.