The UNECE WP.29 Regulations for Cyber Security

New rules governing software updates for connected vehicles have been in effect since early 2022. These requirements bring cyber security into sharp focus for the automotive industry.

WP.29: The World Forum for Harmonization of Vehicle Regulations

WP.29 is a working group of the World Forum for Harmonization of Vehicle Regulations. The Inland Transport Committee (ITC) and the United Nations Economic Commission for Europe (UNECE) each pursue distinct responsibilities within this framework.

One of the key aims of UNECE WP.29 is to simplify international trade by establishing a uniform regulatory system for vehicle manufacturing. At the same time, regulations such as UNECE R155 aim to harmonize and advance technical standards. The legal frameworks established by WP.29 in 1958, 1997, and 1998 form the foundation for these efforts.

Another important task of UNECE WP.29 is to regulate innovative vehicle technologies in order to continuously improve vehicle safety. The UNECE R155 regulation, for example, was introduced to meet these requirements. In addition to Automotive Cyber Security, other critical aspects such as energy consumption and environmental protection play a central role. Nevertheless, the new regulations focus primarily on cybersecurity, aiming to address deficiencies in current security standards and protect both drivers and manufacturers from cybercriminals.

The WP.29 Regulation in Detail: R155, R156, and R157

The UNECE working group addresses a wide range of topics, from vehicle safety and environmental protection to energy efficiency. Regulations such as UNECE R155 specifically define security mechanisms designed to ensure improved cyber security.

• R155: UNECE R155 focuses on implementing a Cyber Security Management System. Such systems are essential for incident response management throughout the entire vehicle lifecycle. Key information security KPIs, such as Mean Time to Contain, form a central part of this regulation. Additional measures including continuous vulnerability scanning and pentests are also required under R155.
• R156: While UNECE R155 addresses cyber security, R156 focuses on software updates. The directive requires a dedicated software update management system and regular security assessments. This ensures ongoing compatibility of updates throughout the vehicle's service life.
• R157: This regulation addresses the security of advanced driver assistance systems, including the Advanced Driver Assistance System (ADAS) and the Automated Lane Keeping System (ALKS). Both systems demand a high level of cyber security and innovative technology, making UNECE R155 particularly relevant here. To ensure the desired Safety of the Intended Functionality (SOTIF), a so-called black box is required. SOTIF is a subfield of technical product safety that addresses the hazards of technical systems.

Nearly all innovations in the automotive industry stem from increasing digitalization. Modern car IT systems offer exceptional convenience but simultaneously present attractive targets for cybercriminals. While many companies already rely on robust security concepts, modern vehicles often lack adequate cybersecurity.

UNECE R155 addresses this gap through formal regulatory requirements. Thanks to this regulation, cyber security is no longer optional but a mandatory criterion for market access of new vehicles. These regulations should be understood as a collective approach to achieving a higher level of security. After all, remotely performed software updates always carry a degree of risk -- not only in the automotive industry.

The UNECE WP.29 Regulation R155 for CSMS and Its Relevance for Automotive Cyber Security

A particular challenge in implementing UNECE R155 and the other regulations is vehicle type certification. Like R156 and R157, UNECE R155 relies on effective management systems. Manufacturers are required to implement the cyber security measures mandated by UNECE R155 by July 2024. The automotive industry therefore faces numerous changes within a very short time frame.

One positive aspect for many manufacturers is that the new UNECE R155 regulations apply exclusively to new vehicles. Models already delivered and sold are not affected.

Despite these challenges, implementing UNECE R155 also delivers clear advantages, as it considers the entire service life of the vehicle. The combination of individual software solutions and data-driven insights enables technical innovations to be advanced more rapidly.

At the same time, regulations such as UNECE R155 help eliminate security concerns. By consistently implementing these regulations, vehicle manufacturers can also secure a competitive advantage. A high level of cyber security is, after all, a decisive factor in earning the trust of potential buyers.

Security in the Automotive Industry: Get Expert Support

UNECE R155, along with the other regulations, is of critical importance to the automotive industry. Given the extensive requirements of UNECE R155, partnering with experienced professionals is a wise investment. With our deep expertise in vehicle security, the team at turingpoint is ready to support you every step of the way.