UN Regulation No. 155, issued by the United Nations Economic Commission for Europe (UNECE), is a major regulation in the field of vehicle security. Since its introduction in 2021, the Cybersecurity Directive has had a significant impact on the automotive industry. It is mandatory for all new passenger cars on public roads from July 2024, having previously only applied to new vehicle types from July 2022.
Manuel Sandler
Scope and requirements
UN Regulation No. 155 covers 64 member states of the 1958 Convention, which must transpose this regulation into national law.
In summary, the regulation aims to systematize the identification and mitigation of cybersecurity risks and make them mandatory. This makes risk management in relation to cybersecurity a central field of action.
UN R155 forces vehicle manufacturers to provide evidence of a Cybersecurity Management System (CSMS). This system must not only cover the manufacturer’s own processes, but also ensure that suppliers at all levels of the value chain – from Tier 1 to Tier 3 suppliers – comply with the principles of the CSMS.
The CSMS is a central element that safeguards the entire lifecycle of a vehicle. From the initial concept, through the entire development, the start of production and the complete operational phase to decommissioning – cybersecurity becomes a task for the entire life of the vehicle.
Proper review of the CSMS takes place through regular audits, which must be carried out at least every three years. The associated Certificate of Compliance is the basic prerequisite for applying for type approval of a vehicle.
Challenges and implementation of UN R155
The implementation of UN R155 poses various challenges for many organizations. These are intensified by the existing shortage of specialists in the field of cybersecurity, which is placing a heavy burden on the entire industry. Organizations are still faced with the task of developing their own approaches and adapting existing structures in order to meet the new requirements. The ISO/SAE 21434 standard, which is deliberately kept abstract, can provide support here, as it allows for different ways of implementation.
At present, the biggest challenges across companies can be summarized as follows:
- Time and cost pressure: All changes at the organizational level, in processes and for specific development projects require considerable resources in terms of time and ultimately money. Mastering the balancing act between efficiency and proper implementation (which can be demonstrated reliably to third parties) is becoming the supreme discipline.
- Faster development cycles, accompanied by increasing complexity: Current development work, for example with regard to ADAS systems, e-mobility and increasing connectivity, is more complex and time-consuming. Bringing these together with cybersecurity requirements must not stand in the way of meeting deadlines and budgets.
- Insufficient best practices and lessons learned: The entire industry (not only the players in the value chain, but even the technical services involved in the approval process) only began integrating cybersecurity requirements into their processes a few years ago. Experience and best practices are still rare.
- Legacy, for example due to re-use: The automotive industry traditionally relies heavily on the re-use of components, hardware and software – not least due to time and cost pressures. Many products in modern vehicles were developed before cybersecurity was even an issue.
- Limited resources in embedded systems: Cybersecurity mechanisms go hand in hand with resource requirements that often cannot be readily accommodated in embedded systems. Adding computing power, replacing components at a later date – even simple cybersecurity requirements can have far-reaching implications for architectures and systems in individual cases.
Effects on the value chain
Not only vehicle manufacturers, but also their suppliers are strongly affected by UN R155. The regulation requires manufacturers to identify and manage the risks posed by their suppliers as well. This means that the entire supply chain must be integrated into the cybersecurity process. For manufacturers, this brings an immense additional coordination and management effort; for suppliers, it brings a large number of additional requirements on top of the already extensive requirements for their work.
Extension to other vehicle categories
In addition to passenger cars, other vehicle categories are also covered by UN R155. From July 2029, motorcycles will also be required to have a CSMS, and special vehicles such as ambulances, commercial vehicles and trailers are also affected. These must be audited every three years to ensure that they comply with cybersecurity standards.
These manufacturers often do not have the same structures, processes and procedures as the major car manufacturers. At the same time, they are subject to the same regulatory requirements, which means that proper compliance is likely to be a much higher hurdle in many cases.
Future perspectives and global relevance
Although UN R155 currently applies mainly in UNECE member countries, there are signs that it could become a global standard. In countries such as the USA, China and India, which do not belong to the UNECE member states, similar requirements are already being introduced. Some countries already allow self-declarations to ensure compliance with local regulations.
Summary
UN Regulation No. 155 represents a significant step towards increased cybersecurity in the automotive industry. It forces manufacturers and suppliers to implement and continuously review comprehensive cybersecurity measures. Despite the challenges, it also offers the opportunity to increase the trustworthiness and security of vehicles worldwide through standardized security protocols.
The comprehensive requirements and the need to integrate the entire value chain underline the importance of cybersecurity in modern vehicle development. Companies must adapt their processes and invest in appropriate technologies and expertise to meet the new standards and remain competitive in the global market.