What Are Customer-Specific Requirements (CSRs) in IATF 16949?

A supplier can meet every clause of IATF 16949 and still fail an audit. Customer-Specific Requirements are the OEM rules layered on top: what they are, where to find them, and how they are audited.
A quality manager comparing multiple binders of customer requirement documents and a supplier portal on a laptop in an automotive factory office
A quality manager comparing multiple binders of customer requirement documents and a supplier portal on a laptop in an automotive factory office

A supplier can meet every clause of IATF 16949 and still fail an audit, because IATF 16949 is not the whole rulebook. Each customer layers its own Customer-Specific Requirements on top, and those are mandatory, they are audited, and they change. Anyone new to automotive quality underestimates them, usually once.

What Customer-Specific Requirements are

Customer-Specific Requirements (CSRs) are additional requirements an individual customer, usually an OEM such as Ford, General Motors, Stellantis or Volkswagen, places on its suppliers over and above IATF 16949. They interpret the standard, add to it, or make optional parts of it mandatory for that customer's supply chain. IATF 16949 is the common baseline every automotive supplier shares. CSRs are how each customer tailors that baseline to its own systems and risk priorities.

Why they exist

A single global standard cannot capture how every OEM actually runs its supply chain. So the industry keeps one shared standard and lets each customer specify the rest: which PPAP submission level applies, whether FMEAs follow the AIAG or the AIAG-VDA method, and specific rules for warranty, labelling, packaging, escalation and reporting. Two suppliers, both certified to IATF 16949, can face very different obligations depending on who they sell to.

Where to find the ones that apply to you

The IATF maintains a public list of OEM Customer-Specific Requirements on the IATF Global Oversight website, with links to each customer's documents. The practical process is: list your actual customers, find each one on that list, then obtain the current version of their CSRs from their supplier portal. If you supply four OEMs, you have four sets to manage, not one.

What IATF 16949 says about them

Clause 4.3.2 requires customer-specific requirements to be evaluated and included within the scope of your quality management system. That is a specific, auditable obligation: it is not enough to hold the documents, they have to be deployed through your processes and kept current. CSRs are treated as part of the standard, not as an optional extra alongside it.

How they are audited

During a certification audit, the certification body checks that the CSRs applicable to your customers are identified, implemented and effective. A gap is a nonconformity like any other. And because CSRs are revised regularly, working to a superseded version is a common finding. "We had them covered two years ago" is not a defence when the customer issued a new revision last quarter.

The three mistakes that cause findings

  • Not tracking updates. CSRs change. Using an out-of-date revision is one of the most common CSR-related nonconformities.
  • Not flowing them down. You are required to cascade applicable requirements to your own sub-tier suppliers. Your supply chain has to meet them too.
  • Assuming IATF 16949 is enough. The standard is the baseline, not the finish line. Certification without the applicable CSRs deployed is a system that has not actually met its customers' requirements.

Frequently asked questions

Are Customer-Specific Requirements mandatory?

Yes, for any supplier to that customer. If you sell to an OEM that publishes CSRs, meeting them is a condition of doing business, and they are assessed in your IATF 16949 audit.

Where do I find my customers' CSRs?

Start with the IATF Global Oversight website, which lists OEM CSRs with links, then get the current version from each customer's own supplier portal. Only the customer's live version counts.

Are CSRs checked in an IATF 16949 audit?

Yes. Clause 4.3.2 brings them into the scope of your quality management system, so the certification body audits whether the applicable CSRs are identified, implemented and effective.

How REAS approaches this

"What are Customer Specific Requirements" is one of the real questions a quality manager types when they are stuck, and it is exactly the kind of narrow, high-stakes topic that a supplier's whole team needs explained clearly rather than left to a PDF. The IATF 16949 channel REAS built and runs for the International Automotive Oversight Bureau answers questions like this one and has grown to 12,000+ subscribers, with production on a BSI ISO 9001 certified process (FS 763439) so the explanation is as accurate as the requirement it explains.

For the wider picture, read what IATF 16949 is and the five Core Tools. See how REAS approaches video production for standards and certification bodies, or book a strategy call.

What Are Customer-Specific Requirements (CSRs) in IATF 16949?

A supplier can meet every clause of IATF 16949 and still fail an audit, because IATF 16949 is not the whole rulebook. Each customer layers its own Customer-Specific Requirements on top, and those are mandatory, they are audited, and they change. Anyone new to automotive quality underestimates them, usually once.

What Customer-Specific Requirements are

Customer-Specific Requirements (CSRs) are additional requirements an individual customer, usually an OEM such as Ford, General Motors, Stellantis or Volkswagen, places on its suppliers over and above IATF 16949. They interpret the standard, add to it, or make optional parts of it mandatory for that customer's supply chain. IATF 16949 is the common baseline every automotive supplier shares. CSRs are how each customer tailors that baseline to its own systems and risk priorities.

Why they exist

A single global standard cannot capture how every OEM actually runs its supply chain. So the industry keeps one shared standard and lets each customer specify the rest: which PPAP submission level applies, whether FMEAs follow the AIAG or the AIAG-VDA method, and specific rules for warranty, labelling, packaging, escalation and reporting. Two suppliers, both certified to IATF 16949, can face very different obligations depending on who they sell to.

Where to find the ones that apply to you

The IATF maintains a public list of OEM Customer-Specific Requirements on the IATF Global Oversight website, with links to each customer's documents. The practical process is: list your actual customers, find each one on that list, then obtain the current version of their CSRs from their supplier portal. If you supply four OEMs, you have four sets to manage, not one.

What IATF 16949 says about them

Clause 4.3.2 requires customer-specific requirements to be evaluated and included within the scope of your quality management system. That is a specific, auditable obligation: it is not enough to hold the documents, they have to be deployed through your processes and kept current. CSRs are treated as part of the standard, not as an optional extra alongside it.

How they are audited

During a certification audit, the certification body checks that the CSRs applicable to your customers are identified, implemented and effective. A gap is a nonconformity like any other. And because CSRs are revised regularly, working to a superseded version is a common finding. "We had them covered two years ago" is not a defence when the customer issued a new revision last quarter.

The three mistakes that cause findings

  • Not tracking updates. CSRs change. Using an out-of-date revision is one of the most common CSR-related nonconformities.
  • Not flowing them down. You are required to cascade applicable requirements to your own sub-tier suppliers. Your supply chain has to meet them too.
  • Assuming IATF 16949 is enough. The standard is the baseline, not the finish line. Certification without the applicable CSRs deployed is a system that has not actually met its customers' requirements.

Frequently asked questions

Are Customer-Specific Requirements mandatory?

Yes, for any supplier to that customer. If you sell to an OEM that publishes CSRs, meeting them is a condition of doing business, and they are assessed in your IATF 16949 audit.

Where do I find my customers' CSRs?

Start with the IATF Global Oversight website, which lists OEM CSRs with links, then get the current version from each customer's own supplier portal. Only the customer's live version counts.

Are CSRs checked in an IATF 16949 audit?

Yes. Clause 4.3.2 brings them into the scope of your quality management system, so the certification body audits whether the applicable CSRs are identified, implemented and effective.

How REAS approaches this

"What are Customer Specific Requirements" is one of the real questions a quality manager types when they are stuck, and it is exactly the kind of narrow, high-stakes topic that a supplier's whole team needs explained clearly rather than left to a PDF. The IATF 16949 channel REAS built and runs for the International Automotive Oversight Bureau answers questions like this one and has grown to 12,000+ subscribers, with production on a BSI ISO 9001 certified process (FS 763439) so the explanation is as accurate as the requirement it explains.

For the wider picture, read what IATF 16949 is and the five Core Tools. See how REAS approaches video production for standards and certification bodies, or book a strategy call.