UN Regulation No. 155 — Cybersecurity and Cybersecurity Management System

Why it Matters

UNECE WP.29 R155establishes comprehensive vehicle cybersecurity management, ensuringautomotive manufacturers safeguard vehicles and their data throughoutthe entire lifecycle.

Key benefits include:

• Strengthen cybersecurity governance

Promote a structured,organization-wide approach to managing vehicle cybersecurity risksand enforcing security accountability across product teams.

• Enhance regulatory alignment

Enable compliance with internationalrequirements, supporting lawful vehicle market access and aligningautomotive practices with global regulatory expectations.

• Improve incident response readiness

Mandate development of processes fortimely detection of, and effective response to, cyber threatsaffecting vehicle safety or operational integrity.

• Protect sensitive vehicle data

Support robust safeguards for in-cardata and critical vehicle functions, minimizing the risk ofunauthorized access or data breaches.

• Increase audit and compliance readiness

Require systematic documentation andprocess validation, streamlining internal and external audits forregulatory and customer compliance.

How it Works

The UNECE WP.29R155 Vehicle Cybersecurity Regulation establishes a structured set ofregulatory requirements that span the vehicle lifecycle, focusing onrisk-based management and continuous improvement. The frameworkcovers governance, risk assessment, technical and organizationalsecurity controls, incident detection, and response, all mapped tokey lifecycle phases such as development, production,post-production, and end-of-life management. These requirements areformalized in terms of processes and controls that must beimplemented and demonstrated by automotive manufacturers and theirsupply chains.

In practice,organizations integrate UNECE WP.29 R155 by developing andmaintaining a Cybersecurity Management System (CSMS) that governssecurity policies, conducts periodic risk assessments, implementsappropriate security controls, and ensures ongoing monitoring andreporting. Compliance activities include mapping controls toorganizational processes, supporting regulatory audits, managingincident response procedures, and producing evidence of regulatoryadherence. Risk management and governance processes are continuouslyreviewed and updated to address emerging threats and vulnerabilitiesthroughout the vehicle’s lifecycle.

SmartSuiteenables operationalization of UNECE WP.29 R155 by providing controllibraries mapped to regulatory requirements, risk registers fortracking cyber risks, and centralized policy governance tools.Organizations leverage compliance tracking, evidence collectionmodules, audit readiness features, and reporting dashboards to managethe regulatory lifecycle and demonstrate continuous compliance withR155 mandates throughout their automotive security programs.

Key Elements

• Cybersecurity Management System Structure

Establishes organizational processesand responsibilities for managing vehicle cybersecurity across thedevelopment lifecycle.

• Risk Assessment and Treatment Process

Describes systematic approaches foridentifying, evaluating, and addressing cyber risks to vehiclesystems.

• Cybersecurity Controls for Vehicle Systems

Specifies technical andorganizational measures to safeguard vehicle electronic systems fromcybersecurity threats.

• Incident Response and Notification

Outlines procedures for detecting,reporting, and responding to cybersecurity incidents affectingvehicles.

• Secure Software Update Processes

Defines requirements forauthentication, integrity, and delivery of software and firmwareupdates to vehicles.

• Continuous Monitoring and Review

Provides mechanisms for ongoingassessment and improvement of cybersecurity measures throughout thevehicle’s operational life.

Framework Scope

UNECE WP.29 —Vehicle Cybersecurity Regulation (R155) is adopted by automotivemanufacturers producing vehicles for regulated markets, encompassingelectronic systems, software, and connectivity features withinvehicles. It typically governs environments during productdevelopment and vehicle lifecycle management, supporting ongoing riskmanagement, cybersecurity controls, and compliance oversight forregulatory and operational requirements.

Framework Objectives

UNECE WP.29 —Vehicle Cybersecurity Regulation (R155) sets requirements formanaging automotive cybersecurity risks and ensuring compliancethroughout the vehicle lifecycle.

Strengthen cybersecurity governance and oversight for connectedvehicle systems

Establish comprehensive risk management processes specific toautomotive security threats

Enhance data protection by safeguarding personal and operationalvehicle information

Support regulatory compliance with evolving vehicle cybersecurity andprivacy standards

Improve operational resilience against cyber threats affectingvehicle safety and performance

Demonstrate audit readiness through effective documentation ofsecurity controls and processes UNECE WP.29 R155 mandates vehiclecybersecurity requirements and is commonly implemented alongsideISO/SAE 21434 (cybersecurity engineering), ISO 26262 (functionalsafety), and UNECE R156 (software update management). Organizationsadopt R155 for regulatory type-approval, demonstrating compliance,strengthening security governance, and aligning engineering andupdate processes with certification requirements.

Framework in Context

UNECE WP.29 R155 mandates vehiclecybersecurity requirements and is commonly implemented alongsideISO/SAE 21434 (cybersecurity engineering), ISO 26262 (functionalsafety), and UNECE R156 (software update management). Organizationsadopt R155 for regulatory type-approval, demonstrating compliance,strengthening security governance, and aligning engineering andupdate processes with certification requirements.

Common Framework Mappings

Organizationscommonly map R155 to related automotive safety, privacy, andcybersecurity standards to ensure cohesive risk management,regulatory compliance, and secure vehicle software lifecyclepractices.

Mapped frameworks include:

EU General DataProtection Regulation (GDPR)

ISO 26262 —Road vehicles — Functional safety

ISO/IEC 27001 —Information security management

ISO/SAE 21434 —Road vehicles — Cybersecurity engineering

MITRE ATT&CK

UNECE WP.29 —Vehicle Software Update Regulation (R156)

‍