ENX VCS
Vehicle Cyber Security Audit.

What is ENX VCS?

ENX VCS is a harmonized ISO/SAE 21434 based scheme for the independent third party audit of the Vehicle Cybersecurity Management System (V‑CSMS) of cybersecurity relevant automotive suppliers.

ENX VCS Logo

Following international Standards

Based on ISO/SAE 21434 and fully implementing the recommendations of ISO/PAS 5112, ENX VCS enables a structured and consistent evaluation of organizational cybersecurity management capabilities across the automotive product lifecycle.

Audit-Provider Independent

Audits are conducted by multiple internationally recognized audit providers in accordance with the ENX Audit-provider Criteria and Assessment Requirements (ENX ACAR). Audit results form the basis for the issuance of an ENX VCS Label.

Public Audit Criteria

ENX VCS audits are performed against the publicly available ENX Vehicle Cybersecurity Audit (ENX VCSA) criteria catalogue, which defines the organizational cybersecurity management capabilities to be evaluated.

Industry-Driven

ENX VCS and the ENX VCSA are developed and maintained by an international working group of experts from automotive manufacturers and suppliers, providing an industry‑governed and non‑proprietary framework for scalable organizational cybersecurity capability audits across global automotive supply chains.

 

 

Why is ENX VCS Important?

 

Vehicle digitization

Increasing connectivity, software integration and automation expand the vehicle’s cybersecurity attack surface and require systematic management of cybersecurity risks throughout the product lifecycle.

Supply chain complexity

Cybersecurity risks must be effectively managed across a globally distributed automotive supply chain. At the same time, suppliers are expected to demonstrate organizational cybersecurity capabilities to multiple customers, creating the need for a scalable and standardized audit approach that reduces the effort associated with individual second party audits.

Regulatory requirements

UNECE Regulation No. 155 requires vehicle manufacturers to demonstrate the effectiveness of their Cybersecurity Management System (CSMS), including through organizational audits resulting in a Certificate of Compliance (CoC).

 

 

What is the ENX Governance Framework?

ENX VCS Participants benefit from the established ENX ACAR, ensuring objective, transparent and customer-independent audit results across multiple audit providers.

ENX provides centralized scheme governance through:

  • Admission and oversight of ENX VCS audit providers
  • Definition and maintenance of ENX ACAR
  • Cross provider alignment and calibration of audit
    interpretation and execution
  • Continuous monitoring of audit execution quality
  • Administration of standardized information exchange mechanisms
  • Provision of a shared ENX VCS result database for authorized business partners
A schematic house. ENX Association is the roof. Underneath are working and project groups. Underneath Governance. The basement is the ENX Portal. The main part of the house covers Registry & Identity and Audit controls that lead to Participants (Customers and Business Partners) that require proof or provide evidence. And there are Audit provider management that lead to Audit throu Audit providers.

 

 

Lifecycle from Resitration to seeting up self-assessment to initial audit to corrective actions to check if corrections are done to report to ENX provides labels to Participant shares labels with other participants

The ENX VCS Lifecycle

Due to the ENX ACAR framework, which is also applied within TISAX, the ENX VCS lifecycle is closely aligned with the established TISAX assessment lifecycle.

Companies seeking ENX VCS audits for their locations must hold a valid TISAX label covering their Information Security Management System (ISMS) at the time of the ENX VCS audit. ENX VCS audits build on the organizational information security controls already evaluated within TISAX and can be aligned with the existing TISAX assessment lifecycle, minimizing additional assessment effort for participating organizations.

How to ENX VCS?

Registration

1. Registration

Registration of a ENX VCS Participant and at least one ENX VCS Audit Scope. (Caution: Atleast a TISAX scope registration is needed before one can register for ENX VCS)

Provider

2. Selection

After a successful registration you can choose a ENX VCS audit provider for your ENX VCS audit.

Assessment

3. Audit

Undergoing an ENX VCS audit.

Exchange

4. Exchange

Exchange of the ENX VCS audit results with existing and potential partners within ENX VCS.

 

 

After registering and creating an ENX VCS Scope in the ENX Portal, organizations perform a self‑assessment of their Vehicle Cybersecurity Management System (V‑CSMS) based on the ENX VCSA criteria catalogue.

The self‑assessment supports the identification of potential gaps in organizational cybersecurity management capabilities, which can be addressed prior to the kick‑off meeting with an admitted ENX VCS audit provider.

Based on the defined ENX VCS Scope and the results of the self‑assessment, the ENX VCS audit can then be planned together with an admitted ENX VCS audit provider. Depending on the maturity of the existing V‑CSMS, organizational preparation typically takes several months prior to the audit.

Sign in Register

What are the ENX VCS Objectives?

ENX VCS supports different audit objectives aligned with organizational cybersecurity responsibilities across the vehicle lifecycle and corresponding V‑CSMS activities.

Depending on the organizational role and defined ENX VCS Scope, ENX VCS audits can address the following objectives:

  • VCS Development
  • VCS Production
  • VCS Operations & Maintenance

 

 

Regulation, Standards, and Implementation

UNECE Regulation No. 155 is a legally binding vehicle type approval regulation requiring manufacturers to manage cybersecurity risks throughout the vehicle lifecycle, including through the implementation of a Cybersecurity Management System (CSMS).

ISO/SAE 21434 provides a framework for establishing and maintaining organizational cybersecurity management capabilities and engineering processes in support of these regulatory requirements.

ISO/PAS 5112 defines audit guidelines for auditing Vehicle Cybersecurity Management Systems (V‑CSMS) in accordance with ISO/SAE 21434.

ENX VCS operationalizes these audit guidelines as a standardized and industry‑governed third‑party audit scheme for the automotive supply chain.

Regulation UN R-155 on top of Standardisation (Framework) ISO/SAE 21434 on top of Standardisation (audit references) ISO/PAS 5115 on top op Implementation (3rd party audit scheme) ENX VCS

 

 

Global Audit Providers

ENX VCS audits are conducted by independent ENX VCS Audit Providers in accordance with then ENX ACAR.

ENX VCS Audit Providers are available worldwide, enabling ENX VCS audits to be performed across geographically distributed organizations within the global automotive supply chain.

Participants may select their preferred ENX VCS Audit Provider, while centralized scheme governance and cross‑provider alignment ensure a consistent audit approach and comparable audit outcomes across different ENX VCS Audit Providers worldwide.

 

 

A car that is connected to services like Updates, Apps, Maps, Wifi and to other cars

Why ENX VCS?

  • Industry‑governed and non‑proprietary V‑CSMS audit scheme for the automotive supply chain

  • Choice of independent ENX VCS Audit Providers within a consistent scheme framework
  • Comparable and customer‑independent audit results
  • Centralized result sharing via the ENX Portal using proven TISAX mechanisms
  • Globally available through ENX VCS Audit Providers worldwide
  • Alignment of TISAX and ENX VCS activities for increased efficiency