EFS Consulting
09/09/2024

UNECE R155 and ISO/SAE 21434: Cybersecurity requirements for automotive manufacturers and suppliers

The automotive sector is being transformed by the increasing digitalization of vehicles. This development is crucial for automation and connectivity, but also poses significant cybersecurity risks: the increasing number of ways to access electrical and electronic systems endangers the security of vehicles and the privacy of consumers. 

Legal requirements for automotive manufacturers 

To counteract these new threats, Working Party WP.29 of the United Nations Economic Commission for Europe (UNECE) has created an initial regulatory framework for cybersecurity in the automotive sector: UNECE R155.

The regulation covers the entire value chain, from individual information security infrastructures to vehicle components and the complete vehicle, with the aim of protecting them from cyber threats. It has been mandatory for all new vehicle types since July 2022 and for all newly produced vehicles in the European Union since July 2024.

UNECE R155: simply explained 

In order to meet the requirements of the regulation, automotive manufacturers need a comprehensive cybersecurity management system (CSMS) at the organizational level. The requirements for the CSMS cover the entire life cycle and the entire ecosystem of a vehicle, including development, production and the whole post-production period.

The regulation also addresses the monitoring of risks and threats as well as procedures for responding to cybersecurity incidents. The list of relevant cyber threats and the corresponding mitigation measures is given in the annex to UNECE R155 and must be taken into account from the outset when setting up CSMS processes.

In addition to the CSMS, a type approval is required for each vehicle type. Its requirements cover all electronic components of the vehicle along the entire value chain and are specified by the ISO/SAE 21434 standard, which provides structured specifications for the cybersecurity-compliant design of vehicle systems.

Suppliers are also affected   

The vehicle manufacturer is responsible for compliance with the requirements. It is the party to be certified and must prove UNECE compliance to the approval authorities in order to obtain type approval.

However, UNECE R155 also has an impact on downstream partners in the supply chain. Particularly in the area of software and electronics technologies, many systems and components are developed by and purchased from different suppliers. The Original Equipment Manufacturer (OEM) obtains the finished software system directly from its Tier 1 supplier, while individual modules and components of that software system come from Tier 2/3/… suppliers (from the OEM’s perspective). Due to this close integration in the value chain, requirements are passed on from the OEM to the suppliers. This means that suppliers are also required to implement the necessary UNECE R155 specifications and to demonstrate their ability to develop and manufacture cybersecurity-compliant products.

Such proof can be provided via ISO/SAE 21434 certification, for example. If the specifications are too extensive, the parties can fall back on individual agreements that contractually regulate the cybersecurity requirements of the products. The latest certification standard is the VCS (Vehicle Cyber Security) test scheme launched in June 2024 by the ENX Association, a consortium of European OEMs, suppliers and associations. With ENX VCS, OEMs and suppliers that hold a TISAX label are finally to be offered a globally standardized test basis for verifying their automotive cybersecurity. Several partner companies have already been certified in the ENX VCS pilot phase, and free registration for ENX VCS is possible until the end of 2024.

What needs to be done?  

If CSMS requirements are not implemented (and/or proof is not provided), suppliers run the risk of no longer being considered for the procurement of electronic components and systems in the future. To avoid this, a holistic view of cybersecurity in vehicle systems is required.

EFS Consulting recommends the following measures: 

  1. Analyze the individual impact of UNECE R155 and ISO/SAE 21434 and record the current cybersecurity processes for vehicle systems
  2. Define the target image for an optimized CSMS and formulate the desired proof of requirements
  3. Implement CSMS processes to close gaps
  4. Conduct an internal assessment to determine CSMS readiness
  5. Have the CSMS audited by an external certification company as proof of effective CSMS processes and procedures

For OEMs or suppliers that have already implemented a CSMS, the task is now to ensure the success of the CSMS in the long term.

Recommended steps: 

  1. Operationalize CSMS processes and anchor them sustainably in the individual company departments
  2. Identify and utilize synergies with other management systems (e.g. ISMS, QMS)
  3. Automate CSMS processes on a tool basis

Conclusion 

UNECE R155 and ISO/SAE 21434 require vehicle manufacturers and their suppliers to implement comprehensive cybersecurity management systems (CSMS) that cover the entire life cycle of vehicles. Compliance with these requirements is not only necessary for the type approval of new vehicles, but also has far-reaching implications for the entire supply chain. Vehicle manufacturers and suppliers must meet these requirements to ensure their competitiveness and compliance in the digital vehicle world. 

More information on this topic can be found here: "Safe vehicles thanks to UNECE R155 & ISO/SAE 21434".
