UNECE WP.29 — World Forum for Harmonization of Vehicle Regulations

Why it Matters

UNECE WP.29 establishes mandatory cybersecurity and software updaterequirements to ensure the safety and security of connected vehiclesworldwide.

Key benefits include:

• Strengthen automotive cybersecurity governance

Enablecomprehensive oversight of vehicle cybersecurity risks throughstructured policies, processes, and continuous risk assessment.

• Support global regulatory compliance

Facilitateadherence to international vehicle cybersecurity and software updatemandates, reducing legal and operational compliance risks.

• Enhance supply chain security

Promoteconsistent cybersecurity practices among manufacturers and suppliers,minimizing vulnerabilities throughout the automotive ecosystem.

• Improve incident response readiness

Establishrequirements for rapid detection, reporting, and remediation ofcybersecurity incidents impacting vehicle systems.

• Promote long-term operational resilience

Ensure vehiclesremain secure over their lifecycle by requiring ongoing monitoring,software updates, and proactive risk management.

How it Works

The UNECE WP.29 framework establishes a comprehensive regulatorystructure for automotive cybersecurity, mandating requirements acrosskey domains such as risk management, security controls, incidentresponse, and post-production monitoring. Organized by regulatoryprovisions, it specifies processes for Cyber Security ManagementSystems (CSMS) and Software Update Management Systems (SUMS),encompassing the entire vehicle lifecycle from design and developmentto deployment and maintenance.

In practice, automotive manufacturers and suppliers integrate WP.29requirements by conducting risk assessments, implementing prescribedsecurity controls, and maintaining evidence of ongoing compliance.Organizations are required to demonstrate that they can identify,assess, and mitigate cyber risks throughout the supply chain, whileensuring effective monitoring, vulnerability management, and incidenthandling are in place to meet regulatory expectations.

Using SmartSuite, organizations manage their WP.29 complianceprograms by leveraging features such as control libraries aligned toWP.29 requirements, automated risk registers, and workflow-enabledevidence collection. Policy governance modules assist in maintainingup-to-date processes, while compliance tracking, audit readinessdashboards, and remediation management streamline continuousmonitoring and reporting activities related to WP.29 governance.

Key Elements

• Cybersecurity Management System

Specifies asystematic approach for governing automotive cybersecurity acrossorganizational and technical domains.

• Risk Assessment Processes

Definesprocedures for identifying and evaluating cybersecurity threats,vulnerabilities, and risks throughout the vehicle lifecycle.

• Security by Design Integration

Establishesrequirements for embedding security considerations into the designand development of vehicle systems.

• Continuous Monitoring and Incident Response

Describesmechanisms for detecting, reporting, and responding to cybersecurityincidents affecting vehicle components.

• Supply Chain Assurance

Outlines measuresto manage and monitor cybersecurity risks associated with suppliersand third-party providers.

• Compliance and Audit Mechanisms

Providesstructures for verifying and demonstrating conformity with regulatorycybersecurity requirements.

• Lifecycle Management Requirements

Organizesrequirements for maintaining cybersecurity effectiveness from vehicleconception through post-production support.

Framework Scope

UNECE WP.29 is mandated for automotive manufacturers, suppliers, andtechnology providers designing vehicles with automated or connectedfeatures. The regulation governs cybersecurity risk management anddata protection in vehicle systems and supporting IT infrastructure,and is typically adopted to meet regulatory approval, supportoversight activities, and establish robust automotive cybersecuritygovernance.

Framework Objectives

UNECE WP.29 establishes harmonized cybersecurity and governancerequirements for the automotive sector to address evolving digitalrisks.

Strengthen cybersecurity risk management throughout vehicledevelopment and operational lifecycle

Enhance governance and oversight of automotive cybersecurityprocesses and controls

Ensure compliance with international regulatory requirements forvehicle security

Promote effective data protection measures aligned with privacy andsafety standards

Support continuous monitoring and readiness for regulatory andsecurity audits

Improve operational resilience against emerging cyber threatsaffecting vehicles and infrastructure UNECE WP.29 is closely alignedwith ISO/SAE 21434 and ISO 26262, focusing on automotivecybersecurity and functional safety. Organizations implement WP.29 tomeet regulatory compliance requirements, particularly for vehicletype approval, and to demonstrate alignment with global standards formanaging cybersecurity risks in the automotive supply chain andproduct development.

Framework in Context

UNECE WP.29 isclosely aligned with ISO/SAE 21434 and ISO 26262, focusing onautomotive cybersecurity and functional safety. Organizationsimplement WP.29 to meet regulatory compliance requirements,particularly for vehicle type approval, and to demonstrate alignmentwith global standards for managing cybersecurity risks in theautomotive supply chain and product development.

Common Framework Mappings

UNECE WP.29 is often mapped to other automotive, cybersecurity, andprivacy frameworks to support regulatory harmonization, streamlinecompliance efforts, and ensure comprehensive cybersecurity coverageacross the vehicle lifecycle.

Mapped frameworks include:

GDPR

ISO/IEC 21434

ISO/SAE 21434

ISO/IEC 27001

ISO/SAE 26262

NIST Cybersecurity Framework

NIST SP 800-53

TISAX

UN R155

UN R156