ETAS Academy Webinars


How to reach CSMS certification and cybersecurity vehicle type approval

Successfully implementing UNECE WP.29 cybersecurity & ISO/SAE 21434

Recording: Streamed on 29 Apr 2020

Language: English

Duration: 49 min

Speakers: Dr. Moritz Minzlaff, Senior Manager ETAS & Jan Stölting, Senior Manager KPMG

The number and reach of potential attack scenarios for modern vehicles have drastically increased. Consequently, activities are underway worldwide to regulate and standardize automotive cybersecurity. They all share three main trends: a stronger focus on the specifics of the automotive industry; the challenge and requirement to maintain security over the entire lifecycle; and the increasingly compulsory nature of regulations such as the inclusion of cybersecurity at type approval. These trends are particularly visible in the upcoming UN Regulation from the UNECE WP.29 and the ISO/SAE 21434. They define and mandate explicit Cybersecurity Management Systems (CSMS) for the protection of vehicles.

Major automotive markets such as the EU and Japan plan to mandate a certified CSMS for approval of new vehicle types from 2022. Further plans are to extend the application of this UN Regulation to first registrations of existing vehicle types in 2024. Considering typical development times, manufacturers and suppliers need to consider the new requirements today. At the same time, both the UN Regulation and the ISO/SAE 21434 are still in draft status. Managing this uncertainty – ensuring successful type approval while avoiding overspending – has become a critical business success factor.

Industry trends & developments

In the absence of finalized certification schemes, OEMs and suppliers need a clear roadmap that focuses on the key “big picture” issues now while allowing for adaptations to the final, detailed requirements later. Using insights from our engagements in all regions worldwide, we address relevant activities and major questions that arise in the buildup of a CSMS. We discuss in this webinar:

  • The UNECE WP.29 test phase
  • Relevant working groups (e.g. at the ISO or VDA)
  • The relationship of information security and cybersecurity
  • Security for the entire lifecycle
  • Impact on the manufacturer/supplier relationship
  • Cybermaturity in the ecosystem, in particular in the supply chain

Optimizing your cybersecurity approach with PROOF

The “Product Security Organization Framework” (PROOF) enables organizations to optimize their CSMS development. It builds on global insights & benchmarks from decades of experience in auditing and automotive security engineering. Its auditing approach provides transparency into an organization’s maturity relative to the ISO/SAE 21434, the UNECE WP.29, and further standards. This leads to clear and goal-oriented CSMS roadmaps, so manufacturers and suppliers can focus their resources (time, money, expertise) where they have the greatest impact, track progress, and perform validation checks before the final certification.

In this webinar, ETAS and KPMG introduce a proven methodology to roll out a CSMS and prepare for vehicle type approval using PROOF. The methodology combines lessons learned from successfully applying regulations in many different industries with the automotive-security-specific expertise that is necessary to take into account the dependencies of cybersecurity with functional safety, environment protection, and theft protection.

Your hosts

This live webinar will be presented by Dr. Moritz Minzlaff, Senior Manager at ETAS, and Jan Stölting, Senior Manager Cyber Security at KPMG AG Wirtschaftsprüfungsgesellschaft.

Dr. Moritz Minzlaff has over ten years of experience in the field of cyber security and advises automotive companies worldwide, from specialized suppliers and manufacturers to the top 5 OEMs. At ETAS, he has overall responsibility for consulting services on CSMS.

Jan Stölting has over ten years of experience in consulting in the field of cyber security, in particular in managing large security transformation projects, and advises, among others, OEMs and suppliers to the automotive industry.


  • CSMS & vehicle type approval: New requirements for automotive cybersecurity
  • Impact on manufacturers, suppliers, and their relationship
  • Industry trends & lessons learned for establishing an automotive CSMS
  • Leveraging existing strengths to optimize resources for vehicle type approval
  • A look beyond UNECE WP.29 and ISO/SAE 21434