
TISAX passed 20,000 locations and automotive supply chain security is now "table stakes"

Written by Marcus Smith | Apr 15, 2026

 

TL;DR

  • TISAX has surpassed 20,000 assessed locations globally, making it the de facto standard for automotive supply chain security
  • UK and European suppliers in critical infrastructure, government, and defence face overlapping TISAX and NIS2 obligations in 2026
  • If you supply into regulated sectors and can't evidence your controls across sites, you risk losing OEM contracts and facing regulatory scrutiny
  • The operational challenge isn't knowing what's required — it's running a scalable evidence program across multiple entities
  • 6clicks' Hub & Spoke architecture is purpose-built for multi-site, multi-supplier GRC oversight
  • Start here: Book a free 30-minute GRC maturity assessment to identify your highest-risk gaps before an OEM or assessor does

TISAX (Trusted Information Security Assessment Exchange) surpassing 20,000 assessed locations globally as of February 2026 is a clear signal: automotive supply chain security has entered a new phase where trust must be proven continuously, not asserted annually. For suppliers in the UK and Europe — particularly those operating in critical infrastructure, government, and defence — this milestone arrives alongside overlapping regulatory pressure from NIS2 and sector-specific mandates that make TISAX readiness a strategic necessity.

Why this is happening now

A few automotive-specific forces are converging:

  • TISAX is contract language now. For many OEMs and Tier-1s, a TISAX label is no longer a differentiator — it’s the price of entry.
  • Assessments are becoming more operational. The bar keeps moving from “policy exists” to repeatable evidence: access controls, supplier controls, incident readiness, and consistent execution across sites.
  • The supply chain keeps widening. More digital suppliers, more tooling, more partners — and more ways sensitive OEM information can leak or be mishandled.

The real bottleneck: evidence across plants and programs

 

Most teams don’t fail TISAX because they “don’t care about security.” They fail because evidence ends up owned by too many people (IT, HR, plant ops, engineering, quality), stored everywhere (tickets, spreadsheets, email threads, file shares), inconsistent by site (Plant A has controls; Plant B has tribal knowledge), and rebuilt every cycle—turning audit prep into an annual scramble.

 

You’re in a strong position when you can confidently answer key questions without hesitation:

  • Which plants or entities are in scope for the next assessment, and who owns each one?
  • Where is your evidence for critical controls (access, asset inventory, supplier due diligence, incident response) stored, and when was it last reviewed?
  • Which sub-suppliers have access to OEM data, and what proof do you have of their control effectiveness?
  • Can you provide assurance on demand without pulling together a last-minute war room?

 

What this means for automotive suppliers

 

If you’re a mid-market automotive supplier supporting OEM programs, TISAX at 20,000+ assessed locations signals a market where:

  • procurement teams will assume you can pass TISAX (and will disqualify you faster if you can’t)
  • your weakest point may be a sub-supplier (IT, engineering services, manufacturing systems, logistics, etc.)
  • audits will be less forgiving when evidence is fragmented across plants, business units, and shared drives

How 6clicks helps automotive teams keep TISAX sustainable

 

6clicks is designed for multi-entity automotive environments where governance is central but execution is distributed.

  • Use Hub & Spoke to standardise what “good” looks like (controls, policies, evidence requirements)
  • Roll it out to plants / business units with clear ownership, tasks, and audit trails
  • Keep a single source of truth for evidence so assessment prep becomes maintenance, not a rebuild


 


Frequently asked questions

What is TISAX and why does it matter for automotive suppliers?

TISAX is an automotive-sector information security assessment standard used by OEMs and Tier-1s to validate supplier security maturity. In practice, it’s often a contractual requirement to win and keep programmes.

How long does TISAX readiness take?

It depends on starting maturity and how many plants/entities are in scope. Many mid-market suppliers should plan 3 to 6 months for a structured program, faster if evidence is already organised and consistently implemented across sites.

What do assessors and OEMs care about most?

Less about slide decks, more about proof: consistent execution, clear ownership, and evidence that can be traced, repeated, and kept current.

Bottom line: TISAX is "table stakes" and the advantage is operational maturity

With 20,000+ assessed locations, the winners won’t be the teams that add another tool. They’ll be the teams that can prove trust quickly across plants, programs, and sub-suppliers.

Next step

Book a free GRC maturity assessment (no demo required)


In 30 minutes, you'll walk away with:

  • A clear baseline of where your governance is strong vs. where it's fragile
  • The breakdown points creating audit stress and slow issue closure
  • A prioritized set of next steps to move from complexity to clarity

Stop adding more tools. Start understanding what's actually broken, and move from complexity to clarity.