What is the UNECE/R155?
UNECE/R155 is the cybersecurity regulation that aims primarily to protect vehicles against 70 specific cybersecurity threats that the UN details in the regulation. To comply with this regulation, manufacturers must create a cybersecurity management system for their vehicles. The aim is to establish a common future framework for vehicle cybersecurity that is applicable in different parts of the world.
This regulation is mandatory for all vehicles type-approved in the European Union from July 2022 and for all vehicles on sale from July 2024.
The standard is applicable to vehicles of categories M (cars and buses) and N (vans and trucks), as far as cybersecurity is concerned. It is also applicable to vehicles of category O (trailers and caravans) if they are fitted with at least one electronic control unit. In addition, it is applicable to vehicles of categories L6 and L7 (light quadricycles and quadricycles without cab) if they are equipped with automated driving functions from level 3 onwards.
Key Security Measures for Cybersecurity in Vehicles
UNECE/R155 sets out a number of key security measures:
- Cybersecurity risk management: manufacturers must identify and manage cybersecurity risks during vehicle design. This includes verification of risk management, including testing.
- Vulnerability mitigation: The regulation requires manufacturers to implement mitigation measures to protect vehicles against 70 specific cybersecurity threats.
- Security updates: Manufacturers must keep risk assessments up to date and ensure that vehicle systems are updated with the latest security measures.
- Monitoring and responding to cyber-attacks: Manufacturers should monitor and respond effectively to cyber-attacks, as well as analyze successful or attempted attacks.
- Supplier management: Manufacturers must manage risks related to contracted suppliers.
- Cybersecurity certification: Manufacturers should contract an external technical service to certify that their vehicle is cybersecure.
The UNECE/R155 standard includes several sections addressing different aspects of cybersecurity:
- Application for type-approval: Manufacturers must apply for type-approval of their vehicles regarding cybersecurity.
- Markings: Vehicles must bear specific markings indicating that they comply with cybersecurity provisions.
- Approval: Vehicles must be type-approved by an authorized entity certifying that they comply with cybersecurity provisions.
- Cybersecurity Management System Conformity Certificate: Manufacturers must obtain a Cybersecurity Management System Conformity Certificate for their vehicles. This certificate will be valid for a maximum of three years from the date of issue, unless withdrawn.
- Specifications: Vehicles must comply with the technical specifications detailed in the standard.
- Modification of vehicle type and extension of type-approval: If the vehicle type is modified, a new type-approval must be applied for. If the validity of the certificate is coming to an end, a new certificate of compliance must be applied for – if there have been changes to the regulation – or the validity of the previous one must be extended for an additional period of three years.
- Conformity of production: Vehicles must be produced in accordance with the technical specifications detailed in the standard.
- Penalties for non-conformity of production: In case of non-compliance with this regulation, a technical service or authorized entity may refuse to grant the Cybersecurity Management System Conformity Certificate for the vehicle.
Consequences of non-compliance
In case of non-compliance with these regulations, a technical service or authorized entity may refuse to grant the vehicle’s Cybersecurity Management System Conformity Certificate. This certificate shall be valid for a maximum of three years from the date of issue, unless it is withdrawn. When the validity of the certificate is coming to an end, a new certificate of compliance must be requested – if there have been changes to the regulation – or the validity of the previous one must be extended for an additional period of three years.
In conclusion, the UNECE/R155 regulation has a significant impact on the automotive sector, affecting manufacturers, dealers, insurers, workshops and customers. It aims to ensure the cybersecurity of vehicles and protect them against potential cyber threats.
Link to UNECE/R155 https://unece.org/transport/documents/2021/03/standards/un-regulation-no-155-cyber-security-and-cyber-security