UN Regulation No. 155 — Cyber Security and Cyber Security Management System
UNECE R155 requires automakers to run a certified cybersecurity management system and secure vehicles across their lifecycle as a condition of type approval. It pairs with ISO/SAE 21434 and applies in the EU, Japan, Korea, and other markets.
What UNECE R155 Is
UN Regulation No. 155, adopted under the United Nations Economic Commission for Europe (UNECE) World Forum for Harmonization of Vehicle Regulations (WP.29), requires automotive manufacturers to implement a Cyber Security Management System (CSMS) and to secure vehicles throughout their lifecycle. It exists because modern vehicles are software-defined, connected, and exposed to remote attack, and because cybersecurity failures can affect safety at scale. R155 ties cybersecurity to vehicle type approval, making it a precondition for selling vehicles in adopting markets.
The regulation is closely paired with the engineering standard ISO/SAE 21434, which provides the technical practices to satisfy R155's outcomes.
Who It Applies To
R155 applies to vehicle manufacturers seeking type approval in contracting parties that have adopted the regulation, including the European Union, Japan, South Korea, and many others. It covers passenger cars, vans, trucks, buses, and certain trailers and components, and it cascades obligations into the supply chain, since suppliers contribute software and hardware to the vehicle.
Key Requirements
- CSMS — Establish, certify, and maintain a cybersecurity management system covering development, production, and post-production.
- Risk management — Identify, assess, and treat cyber risks across the vehicle lifecycle.
- Vehicle type security — Demonstrate that each vehicle type implements appropriate security measures.
- Supply chain — Manage cybersecurity risks introduced by suppliers and components.
- Monitoring and response — Detect, respond to, and report cyberattacks and vulnerabilities, including after vehicles are sold.
- Continuous updates — Keep threat intelligence and protections current over the vehicle's life.
Penalties for Non-Compliance
Without a valid CSMS certificate and type approval, manufacturers cannot place vehicles on adopting markets, which is the most significant commercial consequence. Type-approval authorities can suspend or withdraw approvals, and member states enforce associated penalties. Security failures can also trigger recalls and liability.
How to Comply
Stand up a certifiable CSMS and align engineering practices with ISO/SAE 21434, including threat analysis and risk assessment (TARA), secure development, and verification. Extend cybersecurity requirements through supplier contracts and oversight. Build post-production monitoring so attacks and vulnerabilities are detected and handled across the fleet's life, and maintain evidence to support type approval and audits.