UN R155 and UN R156 set framework for automotive cybersecurity

The UN R155 and UN R156 regulations adopted last summer by the UNECE World Forum for Harmonization of Vehicle Regulations (UNECE WP.29) will set the future framework for vehicle cybersecurity in many parts of the world. UNECE regulations officially came into force this January.

UNECE regulation UN R155 requires the operation of a certified cybersecurity management system (CSMS), while UN R156 requires that of a software update management system (SUMS) as a future condition of type approval. The UNECE regulations explicitly specify four disciplines:

  • Managing cyberrisks to vehicles
  • Securing vehicles “by design” to mitigate risks along the value chain
  • Detecting and responding to security incidents across vehicle fleets
  • Safely and securely updating the vehicle software, including a legal basis for over-the-air updates

The EU is planning to make these requirements mandatory for the approval of new vehicle types by July 2022 and to extend it to existing architectures by July 2024. Japan and Korea are following similar timetables. Accordingly, car manufacturers worldwide – with the involvement of their suppliers – face the task of designing, implementing and verifying appropriate protective measures for their vehicles.

In cooperation with management consultancy KPMG, ETAS supports OEMs and suppliers around the world in establishing compliant cybersecurity management systems, offers type approval readiness assessments and CSMS audits.