
A supplier can meet every clause of IATF 16949 and still fail an audit, because IATF 16949 is not the whole rulebook. Each customer layers its own Customer-Specific Requirements on top, and those are mandatory, they are audited, and they change. Anyone new to automotive quality underestimates them, usually once.
Customer-Specific Requirements (CSRs) are additional requirements an individual customer, usually an OEM such as Ford, General Motors, Stellantis or Volkswagen, places on its suppliers over and above IATF 16949. They interpret the standard, add to it, or make optional parts of it mandatory for that customer's supply chain. IATF 16949 is the common baseline every automotive supplier shares. CSRs are how each customer tailors that baseline to its own systems and risk priorities.
A single global standard cannot capture how every OEM actually runs its supply chain. So the industry keeps one shared standard and lets each customer specify the rest: which PPAP submission level applies, whether FMEAs follow the AIAG or the AIAG-VDA method, and specific rules for warranty, labelling, packaging, escalation and reporting. Two suppliers, both certified to IATF 16949, can face very different obligations depending on who they sell to.
The IATF maintains a public list of OEM Customer-Specific Requirements on the IATF Global Oversight website, with links to each customer's documents. The practical process is: list your actual customers, find each one on that list, then obtain the current version of their CSRs from their supplier portal. If you supply four OEMs, you have four sets to manage, not one.
Clause 4.3.2 requires customer-specific requirements to be evaluated and included within the scope of your quality management system. That is a specific, auditable obligation: it is not enough to hold the documents, they have to be deployed through your processes and kept current. CSRs are treated as part of the standard, not as an optional extra alongside it.
During a certification audit, the certification body checks that the CSRs applicable to your customers are identified, implemented and effective. A gap is a nonconformity like any other. And because CSRs are revised regularly, working to a superseded version is a common finding. "We had them covered two years ago" is not a defence when the customer issued a new revision last quarter.
Yes, for any supplier to that customer. If you sell to an OEM that publishes CSRs, meeting them is a condition of doing business, and they are assessed in your IATF 16949 audit.
Start with the IATF Global Oversight website, which lists OEM CSRs with links, then get the current version from each customer's own supplier portal. Only the customer's live version counts.
Yes. Clause 4.3.2 brings them into the scope of your quality management system, so the certification body audits whether the applicable CSRs are identified, implemented and effective.
"What are Customer Specific Requirements" is one of the real questions a quality manager types when they are stuck, and it is exactly the kind of narrow, high-stakes topic that a supplier's whole team needs explained clearly rather than left to a PDF. The IATF 16949 channel REAS built and runs for the International Automotive Oversight Bureau answers questions like this one and has grown to 12,000+ subscribers, with production on a BSI ISO 9001 certified process (FS 763439) so the explanation is as accurate as the requirement it explains.
For the wider picture, read what IATF 16949 is and the five Core Tools. See how REAS approaches video production for standards and certification bodies, or book a strategy call.