UN R155 establishes mandatory cybersecurity standards for the automotive industry. This regulation protects vehicles from threats by requiring OEMs and suppliers to implement cybersecurity risk management processes, a cybersecurity management system (CSMS), and measures aligned with ISO/SAE 21434. Learn about the UN R155’s scope, compliance, and approval process, and how C2A Security can help.

UN Regulation No. 155 (UN R155) is a directive establishing cybersecurity requirements for the automotive industry. This compulsory regulation aims to protect modern vehicles from cyber threats as technology and connectivity becomes more integrated into vehicles. UN R155 requires implementing a cybersecurity management system (CSMS) to guarantee vehicle safety and data protection through rigorous cybersecurity measures.

The Brief Scope of UN Regulation No. 155

UN R155 regulates the cybersecurity of vehicles across various categories. It covers category M, which includes passenger transport vehicles, and category N for goods transport vehicles. Additionally, category O pertains to trailers that are equipped with at least one electronic control unit.

For two or three-wheeled vehicles, specifically categories L6 and L7, the regulation applies only if they possess automated driving functionalities from level 3 upwards, per WP.29 documents on automated vehicles.

It’s important to note that this regulation exists in harmony with other UN regulations and regional or national legislation relating to issues such as vehicle access, data protection, privacy, or cybersecurity concerning replacement parts and components.

Compliance with UN Regulations No. 155

To comply with UN R155, manufacturers must submit an application including a description of the vehicle type as defined in annex 1 of the regulation and a certificate of compliance for the CSMS as specified in paragraph 6 of the regulation.

Approval & Refusal Process

Approval authorities grant type approval for vehicle cybersecurity to those vehicle types that meet the regulation’s requirements. They perform document checks and testing to confirm the manufacturer’s management of supplier-related risks, documentation of risk assessments, test results, and mitigations, implementation of cybersecurity measures, and systems to detect and respond to cyber-attacks, as well as data logging capabilities to support cyber-attack detection and forensic analysis.

Approval will be denied if the manufacturer fails to perform thorough risk assessments, protect against identified risks with suitable mitigations, secure environments for storage and execution of aftermarket software, services, applications, or data, and conduct adequate testing to verify the effectiveness of security measures. Similarly, approval will be refused if the approval authority or technical service does not receive enough information to assess the vehicle’s cybersecurity.

We’re Here to Help

Achieve compliance with the stringent standards of UN Regulation No. 155 and related frameworks such as ISO/SAE 21434, ISO/SAE 26262, and SAE J-3061 by leveraging the industry leading DevSecOps platform – EVSec.

Our alignment with UN R155 for CSMS and type approval equips us to help car makers, suppliers, and mobility companies in their transition towards a dynamic risk management approach and on-going compliance.