TISAX Certification
This is the single biggest execution dependency for the GTM plan. If TISAX AL2 certification is not started, it cannot arrive before Q2 2027, missing the H2 2026 mandate wave entirely. Every channel that touches Catena-X (Cofinity-X listing, BearingPoint referrals, automotiveIT demos) depends on this gate being cleared.
What Is TISAX AL2?
TISAX (Trusted Information Security Assessment Exchange) is the automotive industry’s information security standard, administered by the ENX Association. Assessment Level 2 (AL2) requires:
- Self-assessment via the ISA (Information Security Assessment) questionnaire
- Verification by an ENX-accredited auditor
Since July 2025, TISAX AL2 has been mandatory for all Catena-X certified solution providers. A 12-month grace period ends July 2026. After that date, uncertified providers cannot list on the Cofinity-X Marketplace or hold Catena-X certification.
Why It Matters for Kaphera
The Cofinity-X marketplace (35 apps, 32 services) is the primary commercial distribution surface for Catena-X managed services. Without TISAX AL2:
- No Cofinity-X listing. The marketplace is gated; certification is a prerequisite, not a nice-to-have.
- No Catena-X certification. Kaphera cannot position as a certified Enablement Service Provider.
- Credibility gap. Every competitor on the marketplace (T-Systems, Sovity, MHP) already holds TISAX. Selling to automotive CIOs without it raises immediate objections.
Certification Process
| Step | What It Involves |
|---|---|
| 1. ISA questionnaire | Self-assessment covering information security, prototype protection, and data protection domains |
| 2. ENX-accredited auditor | External verification of the self-assessment by an auditor from the ENX registry |
| 3. Gap remediation | Address findings from the audit; remediation scope depends on current security posture |
Timeline
Timeline depends heavily on existing certifications:
With ISO 27001 (fast track: ~3 months) ISO 27001 covers approximately 70% of ISA requirements. The remaining 30% (prototype protection, automotive-specific data handling) requires dedicated preparation but is manageable in a compressed timeline.
Without ISO 27001 (6 to 12 months) Starting from scratch requires building the full ISA compliance posture. The ISA domains not covered by ISO 27001 (prototype protection, automotive-specific data handling) need dedicated preparation on top of the core information security controls.
Cost
EUR 30,000 to 80,000, depending on:
- Current security posture and existing certifications
- Scope of gap remediation required
- Choice of ENX-accredited auditor
Risk Assessment
| Scenario | Earliest Certification | Catches H2 2026 Wave? |
|---|---|---|
| Already started (ISO 27001 held) | Q3 2026 | Yes |
| Starting now (ISO 27001 held) | Q4 2026 | Tight but possible |
| Starting now (no ISO 27001) | Q1-Q2 2027 | No |
| Not yet started | Q2 2027 at earliest | No |
The H2 2026 mandate wave is the period when OEM mandate letters (BMW, VW, Mercedes-Benz) are actively forcing Tier-2/3 suppliers into Catena-X. Missing this window means Kaphera cannot be the certified option these suppliers find on the marketplace when they search.
Immediate Actions
-
Status check. Confirm whether Think-it holds TISAX AL2 or has begun the assessment process. If status is unknown, treat it as not started.
-
ISO 27001 inventory. If Think-it holds ISO 27001, the fast track (~3 months) is feasible. Confirm certificate validity and scope.
-
Auditor engagement. If not started: engage an ENX-accredited auditor immediately. The ENX Association maintains a registry of accredited audit providers.
-
ISA gap analysis. Run a preliminary ISA self-assessment to identify the delta between current posture and AL2 requirements. Focus on the domains ISO 27001 does not cover: prototype protection and automotive-specific data handling.
-
Timeline commitment. Lock a target certification date and work backwards. Every month of delay pushes the Cofinity-X listing further past GA.
Gated Channels
These channels are blocked until TISAX AL2 is achieved:
- Cofinity-X Marketplace listing (primary Catena-X distribution channel)
- Catena-X Enablement Service Provider certification
- Any SI partnership where the partner requires certified status (BearingPoint referrals, VDMA/SCALE-MX recommendations)
Related
- Regulation Timeline (the deadlines TISAX enables Kaphera to serve)