What UN Regulations 155 and 156 require from vehicle manufacturers in reality, and how to ensure compliance with requirements and prepare for certification if necessary
# Regulation/Compliance: UNECE R155 and R156 (Automotive Cybersecurity)
## Overview
Automotive regulations UN R155 and R156 establish mandatory frameworks for vehicle cybersecurity and software updates. UN R155 focuses on Cybersecurity Management Systems (CSMS) to protect vehicles from cyber threats, while UN R156 focuses on Software Update Management Systems (SUMS) to ensure secure over-the-air (OTA) and manual updates.
## Key Details
- **Issuing Authority:** United Nations Economic Commission for Europe (UNECE) / World Forum for Harmonization of Vehicle Regulations (WP.29).
- **Effective Date:** July 2022 (for new vehicle types); July 2024 (for all new vehicles produced).
- **Jurisdiction:** 54 signatory countries (including EU, UK, Japan, South Korea, etc.). Note: The USA and China have independent but similar domestic standards.
- **Status:** Final and In Effect.
## Requirements
### Mandatory Requirements
1. **Cybersecurity Management System (CSMS):** Establish a documented, organization-wide process for identifying and managing cyber risks across the vehicle lifecycle (development, production, post-production).
2. **Software Update Management System (SUMS):** Implement a certified process to manage updates securely, ensuring vehicle safety is not compromised during or after an update.
3. **Vehicle Type Approval:** Each vehicle model must undergo assessment to prove the CSMS/SUMS are applied to that specific design.
4. **Risk Assessment:** Conduct comprehensive risk assessments identifying over 70 specific threat categories outlined in R155 Annex 5.
5. **Monitoring and Response:** Continuous monitoring of vehicle logs and the threat landscape to detect and respond to cyberattacks in the field.
### Recommended Practices
1. **Supply Chain Management:** Cascading cybersecurity requirements to Tier 1 and Tier 2 suppliers through contractual agreements (Cybersecurity Interface Agreements).
2. **TARA (Threat Analysis and Risk Assessment):** Utilizing standardized methodologies to quantify risks.
## Affected Organizations
- **Industries:** Automotive Original Equipment Manufacturers (OEMs), automotive parts suppliers, and software providers.
- **Organization Size:** All sizes (any manufacturer seeking Type Approval in regulated markets).
- **Geographic Scope:** Global manufacturers selling into UNECE member territories.
## Compliance Timeline
- **January 2021:** Regulations officially entered into force.
- **July 2022:** Mandatory for all **new vehicle types** (new models introduced to the market).
- **July 2024:** Mandatory for **all vehicles produced** (including older models still in production).
## Implementation Guidance
### Assessment Phase
- Perform a gap analysis between existing ISO/SAE 21434 processes and R155/R156 requirements.
- Audit current software update pipelines for security vulnerabilities.
### Implementation Phase
- Define a "Cybersecurity Culture" within the organization and assign clear roles/responsibilities.
- Implement technical controls for intrusion detection (IDPS) and secure communication (SecOC).
- Establish an Incident Response Team (CSIRT) dedicated to automotive assets.
### Validation Phase
- Obtain a Certificate of Compliance (CoC) for CSMS and SUMS from an authorized Technical Service (valid for 3 years).
- Conduct "Type Approval" testing for each individual vehicle series.
## Technical Requirements
- **Intrusion Detection:** Capability to detect and log unauthorized access attempts.
- **Secure Updates:** Verification of software authenticity (digital signatures) and integrity (hashes) before installation.
- **Data Protection:** Encryption of sensitive data at rest and in transit (V2X, V2G communications).
- **Safe State:** Ensuring the vehicle can enter a safe mode if a cyberattack or update failure occurs.
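The Secure Updates and Safe State items above describe an installer that checks who produced an update and whether it arrived intact before anything is written to the controller. The following is an added illustration of that check, not code from the page, from the regulation or from any OEM: the manifest layout, the field names, the use of Ed25519 for the signature and SHA-256 for the payload digest, and the sample ECU name and version numbers are all assumptions made for the example (R155/R156 do not prescribe particular algorithms or formats). It verifies the signature over a manifest with a key the ECU already trusts, checks that the manifest targets this ECU, rejects versions that are not newer than the installed one, then compares the payload digest with the one the signed manifest commits to; any failure returns an error without touching the ECU, which is the fail-closed behaviour the Safe State item calls for.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest describes one software update package. The layout is an assumption
// for this example, not the format of R156 or of any real OEM.
type Manifest struct {
	TargetECU  string // controller the image is intended for
	Version    uint32 // strictly increasing; used for rollback protection
	PayloadSHA string // hex SHA-256 of the firmware image
}

// canonical serialises the manifest into the exact bytes that are signed,
// so the signature also covers the target and version fields.
func (m Manifest) canonical() []byte {
	return []byte(fmt.Sprintf("%s|%d|%s", m.TargetECU, m.Version, m.PayloadSHA))
}

// ECUState is the minimal state the installer consults: the OEM update-signing
// public key provisioned at production time, and the version currently installed.
type ECUState struct {
	Name       string
	TrustedKey ed25519.PublicKey
	Installed  uint32
}

var (
	ErrBadSignature = errors.New("manifest signature invalid: update rejected, ECU unchanged")
	ErrWrongTarget  = errors.New("manifest targets a different ECU: update rejected")
	ErrRollback     = errors.New("version not newer than installed: rollback rejected")
	ErrBadDigest    = errors.New("payload digest mismatch: image corrupted or tampered")
)

// VerifyUpdate applies the checks in order: authenticity (signature over the
// manifest), target match, anti-rollback, then integrity of the payload against
// the digest in the signed manifest. A nil result is the only path to installation.
func VerifyUpdate(ecu ECUState, m Manifest, sig []byte, payload []byte) error {
	if !ed25519.Verify(ecu.TrustedKey, m.canonical(), sig) {
		return ErrBadSignature
	}
	if m.TargetECU != ecu.Name {
		return ErrWrongTarget
	}
	if m.Version <= ecu.Installed {
		return ErrRollback
	}
	sum := sha256.Sum256(payload)
	if hex.EncodeToString(sum[:]) != m.PayloadSHA {
		return ErrBadDigest
	}
	return nil
}

// SignManifest is the release-pipeline side; included so the example is self-contained.
func SignManifest(priv ed25519.PrivateKey, m Manifest) []byte {
	return ed25519.Sign(priv, m.canonical())
}

// Demo builds a constructed update and exercises the verifier with the genuine
// package, a bit-flipped payload, a replayed older release and a forged signature.
func Demo() (genuine, tampered, rollback, forged error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	ecu := ECUState{Name: "BCM", TrustedKey: pub, Installed: 4} // constructed state

	payload := []byte("constructed firmware image v5")
	sum := sha256.Sum256(payload)
	m := Manifest{TargetECU: "BCM", Version: 5, PayloadSHA: hex.EncodeToString(sum[:])}
	sig := SignManifest(priv, m)
	genuine = VerifyUpdate(ecu, m, sig, payload)

	// Single bit flipped in the image: the manifest signature still verifies, the digest does not.
	bad := append([]byte{}, payload...)
	bad[0] ^= 0x01
	tampered = VerifyUpdate(ecu, m, sig, bad)

	// Genuinely signed but older release (v3) presented to an ECU already on v4.
	oldPayload := []byte("constructed firmware image v3")
	oldSum := sha256.Sum256(oldPayload)
	old := Manifest{TargetECU: "BCM", Version: 3, PayloadSHA: hex.EncodeToString(oldSum[:])}
	rollback = VerifyUpdate(ecu, old, SignManifest(priv, old), oldPayload)

	// Same manifest re-signed with a key the ECU was never provisioned to trust.
	_, rogue, _ := ed25519.GenerateKey(rand.Reader)
	forged = VerifyUpdate(ecu, m, SignManifest(rogue, m), payload)
	return
}

func main() {
	g, t, r, f := Demo()
	fmt.Println("genuine:", g)
	fmt.Println("tampered:", t)
	fmt.Println("rollback:", r)
	fmt.Println("forged:", f)
}
```

The ordering matters for evidence as well as for safety: because the signature is checked first, every later rejection (wrong target, rollback, digest mismatch) concerns a package the OEM really did sign, which is exactly the kind of event the Intrusion Detection item says should be logged and fed back into post-production monitoring.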
## Penalties & Enforcement
- **Fines:** Vary with the national legislation of the member state in which approval was granted.
- **Other Consequences:** **Withdrawal of Type Approval** (meaning vehicles cannot be legally sold or registered in the market); mandatory recalls for vulnerable fleets.
- **Enforcement:** Enforced by national transport authorities (e.g., KBA in Germany) through audits and market surveillance.
## Related Standards
- **ISO/SAE 21434:** The primary engineering standard for automotive cybersecurity; compliance with 21434 is the most common way to satisfy R155.
- **ISO 24089:** The standard for Software Update Engineering, aligning with R156.
- **NIST Cybersecurity Framework:** Often used for high-level organizational risk alignment.
## Resources
- **Official Documentation:** hxxps://unece[.]org/transport/vehicle-regulations
- **Guidance Documents:** ISO/SAE 21434:2021 Road vehicles — Cybersecurity engineering.
- **Tools:** Vulnerability scanners for automotive protocols (CAN bus), TARA automation software.
## Practical Recommendations
1. **Unify Compliance:** Ensure R155 and R156 efforts are integrated, as software updates are a primary vector for cybersecurity threats.
2. **End-to-End Traceability:** Maintain a strict Software Bill of Materials (SBOM) for every vehicle to enable rapid patching when new vulnerabilities are discovered.
3. **Supplier Transparency:** Do not assume supplier components are secure; require proof of CSMS compliance from all critical component vendors.