UN Regulation No. 155 — Cybersecurity and Cybersecurity Management System

Overview

UN RegulationNo. 155 is an international automotive cybersecurity regulation thatrequires vehicle manufacturers to establish and maintain an effectiveCybersecurity Management System (CSMS) throughout the vehiclelifecycle. The regulation aims to ensure that vehicles are protectedagainst cyber threats, safeguarding critical vehicle systems andconsumer data from potential attacks.

Published by theUnited Nations Economic Commission for Europe (UNECE), UN RegulationNo. 155 applies to automotive manufacturers and suppliers seekingvehicle type approval in markets aligned with UNECE WP.29regulations. The regulation covers a wide range of areas includingrisk assessment, implementation of technical and organizationalcybersecurity controls, incident response, and ongoing monitoring ofthreats throughout development, production, and post-productionphases.

Automotiveorganizations implement the CSMS by integrating risk management andsecurity controls into product development processes, conductingregular threat assessments, and maintaining compliance documentationfor regulatory audits. UN Regulation No. 155 aligns with broaderindustry cybersecurity standards, supporting organizations instrengthening compliance programs and harmonizing security practicesacross global automotive supply chains.

Why it Matters

UN RegulationNo. 155 establishes a structured approach to managing automotivecybersecurity risks, ensuring safer vehicles and secure operationsacross their lifecycle.

Key benefitsinclude:

•  Strengthen automotive cybersecurity governance

Establishclearly defined roles, responsibilities, and processes foridentifying, assessing, and mitigating vehicle cybersecurity threats.

•  Enhance regulatory alignment

Supportcompliance with international automotive regulatory requirements,facilitating smoother market access and certification formanufacturers.

•  Improve incident detection and response

Requiresystematic monitoring processes that enable timely detection,reporting, and containment of cyber incidents affecting vehicles orinfrastructure.

•  Promote operational resilience

Reduce theimpact of cyberattacks by ensuring robust prevention, response, andrecovery measures are integrated into vehicle design and operation.

•  Increase audit readiness

Documentcontrols and processes comprehensively, allowing for more efficientexternal audits and internal reviews of cybersecurity managementpractices.

How it Works

UN RegulationNo. 155 structures cybersecurity requirements for vehicles through aCybersecurity Management System (CSMS) framework, focusing ongovernance, risk assessment, and lifecycle management processes. Theframework organizes its requirements around the identification andmanagement of cyber threats, the implementation of security controls,and ongoing monitoring across the vehicle development and operationallifecycle. Regulatory obligations specify controls for threatanalysis, incident response, secure updates, and continual riskmanagement.

Organizationsaddress compliance by integrating the CSMS into their existingsecurity and compliance programs. This involves conducting regularrisk assessments, implementing technical and organizational securitycontrols for vehicle systems, documenting processes, and maintainingevidence of compliance. Ongoing activities include monitoring foremerging threats, responding to incidents, and undergoing regulatoryaudits to ensure the CSMS remains effective and up to date within theorganization’s broader security governance.

UsingSmartSuite, organizations operationalize UN Regulation No. 155 byleveraging control libraries for CSMS requirements, establishing riskregisters tailored to vehicle cybersecurity, and tracking policygovernance. The platform supports evidence collection, continuouscompliance monitoring, and workflow management for remediation.Additionally, dashboards and reporting tools enable organizations tomonitor progress, maintain audit readiness, and demonstrateregulatory compliance efficiently.

Key Elements

•  Cybersecurity Management System Structure

Describes theorganizational processes, roles, and responsibilities required foreffective cybersecurity governance.

•  Risk Identification and Assessment Processes

Outlines methodsfor recognizing, evaluating, and prioritizing cybersecurity risksrelevant to vehicle systems and components.

•  Security Controls and Countermeasure Requirements

Specifiestechnical and procedural measures to mitigate identified risksthroughout vehicle lifecycle stages.

•  Incident Detection and Response Procedures

Establishesprocesses for monitoring, detecting, reporting, and responding tocybersecurity incidents.

•  Supply Chain Risk Management

Definesrequirements for managing cybersecurity risks associated withsuppliers and external service providers.

•  Cybersecurity Lifecycle Integration

Organizes theinclusion of cybersecurity considerations at every stage, from designand development to post-production.

Framework Scope

UN RegulationNo. 155 is adopted by automotive manufacturers, suppliers, andrelated entities responsible for the cybersecurity of vehicle systemsand road vehicles. It covers the governance of electronic controlunits, vehicle networks, and supporting infrastructure, typicallydeployed to comply with regulatory requirements, improve automotivecybersecurity management, and support type approval and ongoingassurance programs.

Framework Objectives

UN RegulationNo. 155 sets out requirements to manage cybersecurity risksthroughout the vehicle lifecycle and supply chain.

•  Establish effective risk management processes for automotivecybersecurity threats

•  Strengthen governance for oversight of cybersecurity andregulatory compliance

•  Enhance operational resilience by addressing vulnerabilities andemerging threats

•  Support data protection through implementation of robustsecurity controls

•  Promote audit readiness with clear documentation ofcybersecurity measures UN Regulation No. 155 is aligned withautomotive cybersecurity standards and often mapped to ISO/SAE 21434and ISO 27001 to ensure comprehensive vehicle cybersecurity riskmanagement. Automotive manufacturers and suppliers implement UN R155for regulatory compliance, certification, and to addresscybersecurity requirements throughout vehicle development andlifecycle management.

Common Framework Mappings

UN RegulationNo. 155 is often mapped to established global cybersecurity andprivacy frameworks, enabling organizations to streamline compliance,demonstrate due diligence, and align automotive cybersecuritycontrols with broader industry best practices.

Mappedframeworks include:

CIS CriticalSecurity Controls

GDPR

IEC 62443

ISO/IEC 27001

ISO/IEC 27005

ISO/SAE 21434

NISTCybersecurity Framework

NIST SP 800-53

PCI DSS

SOC 2