Executive Summary
A TISAX label is valid for three years, and it does not renew itself. Recertification is a fresh assessment that builds on your first one, and you book it with an ENX-approved audit provider months ahead. The date that matters is not your assessment day. It is the day your current label expires, because the moment it does, your entry on the ENX portal turns to expired and any OEM that looks can see it. Count backwards from that expiry date and most suppliers need to start roughly nine to twelve months out. Below is the reverse timeline, what a lapsed label really costs you, and why the second assessment is not the formality most teams expect.
Your TISAX label probably felt like a finish line. You collected the evidence, passed the assessment, saw the label land on the ENX portal, and kept the automotive contracts that depended on it. Then everyone moved on to the next thing.
That is exactly where the trouble starts. A label looks like a certificate you file away, but it behaves like a subscription. It runs for three years and then it stops. In the work we do, the suppliers who end up scrambling are rarely the ones who failed something. They are the ones who treated year one as the hard part and forgot that year three comes with a deadline.
So let us talk about that deadline. What it is, what happens the day you miss it, and how to count backwards so you never have to find out.
A TISAX label is a three-year clock, not a document you file
A TISAX label is valid for three years from the day your assessment result is issued. No automatic extension. No quiet grace period if you are close. When the three years run out, the label expires.
Those three years are not meant to be idle. Between assessments you are expected to keep the management system running and to carry out and document your own self-assessments. That is easy to let slip when no external auditor is on the calendar, and a neglected ISMS does not raise its hand. It stays quiet until recertification, when an assessor opens your evidence and finds two years of thin spots.
The clock is really doing two jobs. It counts down to an expiry date, and it records whether you actually kept the system alive or just kept the certificate on the wall.
What actually happens when the label lapses
Most guides skip this part. It is the part that should shape your entire timeline.
A TISAX label is not a private document. It lives on the ENX portal, and that status is what your customers see when they check or when you share your result. While the label is valid, an OEM or a Tier-1 customer who looks you up sees a current, active status. The day it expires, the same entry reads expired.
That visibility is the whole point of TISAX, and it works in both directions. When your status is green, it sells for you. When it lapses, you cannot smooth it over in a quiet email, because your customer often sees the red status before you have even had the conversation.
Here is what that portal gap tends to set off, based on the pattern we see across the automotive supply base.
Procurement usually notices before you do. Larger OEMs track supplier compliance status as routine, so an expired label can show up on their side as a flag, a supplier-risk note, or a blocked field in the onboarding system, sometimes days before your own team registers that the date slipped past.
New business stalls. A current label is often a precondition for quoting at all. If yours has lapsed, requests for quotation and new awards can sit on hold until the status is restored. The work is not gone, but it waits, and in a live tender a wait like that is rarely harmless.
Existing data exchange gets questioned. Some customers gate the exchange of prototype data, specifications, or personal data on a valid label. A lapse can freeze approvals for the exact data flows your current projects run on.
And getting back is slower than staying current. Restoring a label you let expire is not the same as renewing one on time. You can find yourself pushed back into a supplier-qualification process you already cleared, with the forms and the waiting that come with it. Fairly or not, an expired label also reads as a supplier who let its guard down, and in a relationship built around confidential and prototype data, that impression takes a long time to repair.
None of this is a punishment someone decides to hand you. It is just what a public, expiring status does when it turns red. The label is only useful because customers can lean on it, and the same mechanism that gives it value makes a lapse impossible to hide.
So the rule is blunt. Plan so the new label picks up where the old one leaves off, with no gap on the portal. Not a short gap. None.
Recertification is a re-assessment, not a rubber stamp
There is a comfortable assumption floating around that the second time is easy, that recertification is basically a formality once you have passed. It is lighter than starting from zero. It is still a real assessment.
Recertification builds on your first assessment instead of repeating all of it, so your scope and your groundwork carry forward. What changes is what the assessor is hunting for. Has the security level held up over three years? Can you show the system improved rather than sitting frozen at assessment day? Were the minor non-conformities from last time actually closed? And is the ISMS genuinely lived, not rebuilt in the four weeks before the audit?
This is where a neglected middle period bites hardest. If the self-assessments lapsed, if corrective actions stalled, if the scope drifted while the business changed, all of it surfaces at once. The suppliers who sail through are the ones who kept the system ticking over quietly for three years. The ones who scramble are reconstructing an evidence trail against a deadline that will not move for them.
Working backwards from the expiry date
The trap is to plan forwards from today and hope the runway is long enough. Plan backwards from the expiry date instead. That date is fixed, and everything else has to fit inside it.
Here is the countdown we use, anchored on the day your current label expires.
- 9 to 12 months: Internal gap review against the current VDA ISA 6.0.3 catalogue. Confirm the scope still reflects the business. Check that self-assessments and last cycle's corrective actions are current. This is the real starting line.
- ~6 months: Contact your ENX-approved audit provider and reserve the assessment slot. Provider capacity is the constraint suppliers underestimate most; the good ones book out, and being ready with no available date helps nobody.
- 3 to 5 months: Close the gaps the review found. Update documentation, evidence, and the risk treatment plan. Give corrective actions enough time to actually be in place, not just written down.
- ~2 to 4 weeks before the audit: Hand your documentation to the assessor for the document review. Rushing this stage weakens the whole assessment.
- Assessment window: The assessment runs, findings get resolved, and the new label issues so it takes over before the old one expires.
That first gap review is where our TISAX audit-preparation hub is worth an hour of your time. It breaks the assessment down department by department, IT, HR, Facilities, Engineering, Legal, Procurement, and management, with the exact questions an ENX auditor puts to each team and a checklist you can tick off as you confirm the evidence. It turns a vague "we should be fine" into a concrete list of what still needs closing before you book the slot.
Our TISAX® and ISO 27001 experts help European automotive suppliers achieve compliance within 95 days.
If you remember one number, make it the six-month booking point. The assessment itself is not the long pole. Audit-provider lead time is. A supplier that decides in month three to recertify before an expiry in month zero has usually already lost the window for a clean, gap-free handover. Not because the work is impossible, but because the slot is gone.
Now read that table again with your own expiry date in front of you. If it falls inside the next twelve months, you are already in the window where starting today is the difference between a quiet renewal and a gap your customers can see.
How long recertification actually takes
The honest answer is that it depends on how well you kept the system running. The ranges, though, are predictable.
For a mid-sized organisation, the full effort from internal review to issued label usually runs six to eight months. For larger or more complex operations, multiple sites or a wide scope, eight to twelve months is realistic. Those numbers assume the ISMS was genuinely maintained. If it was not, add the time it takes to rebuild an evidence trail and to let corrective actions settle, because an assessor can tell the difference between a control that has been running for a year and one that was switched on last month.
That is also why "recertification is easy" is a risky thing to believe. It is easy when the three years were used well, and a scramble when they were not. The scramble is what pushes suppliers past their own expiry date.
The patterns that turn a routine renewal into a scramble
The same avoidable mistakes come up again and again in recertification work.
- Waiting for the OEM to remind you. By the time a customer flags an approaching or lapsed label, you are already behind. The expiry date is yours to watch.
- Treating the middle years as downtime. Skip the self-assessments and let corrective actions stall, and recertification turns into a rebuild instead of a review.
- Underestimating audit-provider lead time. The assessment is bookable, just not always on your preferred date. Reserve early.
- Letting scope drift in silence. A new site, a new service, a new data type, or a reorganisation can move you outside your assessed scope. Catch that in the gap review, not in the audit.
- Planning to the assessment date instead of the expiry date. The assessment has to finish and the label has to issue before the old one lapses, so build the buffer in from the start.
Frequently asked questions
How long is a TISAX label valid?
Three years from the date your assessment result is issued. There is no automatic renewal. You go through a recertification assessment to get a new one.
When should I start TISAX recertification?
Start your internal gap review nine to twelve months before the label expires, and reserve your audit provider around six months out. The aim is for the new label to take over with no gap on the ENX portal.
Is recertification a completely new assessment?
No. It builds on your initial assessment, so scope and earlier work carry forward. It is still a full re-assessment, though: the assessor checks that your security level held, that you can show continuous improvement, and that earlier non-conformities were closed.
What happens if my TISAX label expires?
Your status on the ENX portal turns to expired and is no longer visible to customers as valid. That can pause new quoting, hold up data exchange, and mean re-onboarding with some customers. Plan for the new label to follow the old one with no gap.
How long does TISAX recertification take?
Usually six to eight months for a mid-sized company and eight to twelve for larger or more complex operations, from the internal review through to the issued label.
Does my existing scope carry over?
Your assessed scope is the starting point, but re-check it. If the business has changed, the scope may need adjusting before recertification. That is exactly what the early gap review is for. If you want to sanity-check what your OEM customers still expect at your assessment level, what automotive procurement actually asks for is a useful starting point.
Start the countdown before it starts for you
If your TISAX label expires within the next year, the question worth asking is not "when is the assessment" but "have we already started." Handled early, recertification is a quiet renewal no OEM ever notices. Handled late, it becomes a visible gap on a portal your customers are watching.
If you want a clear read on where you stand against the VDA ISA 6.0.3 catalogue, and how much runway you really have before your label expires, book a TISAX gap assessment. We will map your current posture against your target and give you an honest timeline.
Related reading: Does ISO 27001 Cover TISAX? · How to Prepare for TISAX Awareness Training · ITIS-Secure TISAX Audit Hub (department-by-department prep tool)
TISAX® and VDA® are registered trademarks of the ENX Association and the VDA respectively. ITIS-Secure prepares organisations for assessment; the ENX-approved audit provider conducts the assessment.

About Iulian Bozdoghina
Lead Auditor and Consultant
"Iulian Bozdoghina is a veteran cybersecurity strategist with over 15 years of experience in securing automotive supply chains and critical infrastructure. He specializes in TISAX®, ISO 27001, and the emerging NIS2/DORA regulatory landscape."




