Home
UN ECE R155 Executive Summary

UN ECE R155 Executive Summary

Table of Contents

Introduction

The complete UN ECE R155 regulation can be found on unece.org. This article contains a simplified summary which can be easily understood.

What is UN ECE Regulation No. 155? It is:

  • binding regulation established by the United Nations Economic Commission for Europe (UNECE)
  • it mandates cybersecurity for the type approval of vehicles
  • ensures that cybersecurity is built into vehicles throughout their entire lifecycle
  • establishes a framework for managing cybersecurity risks
  • it is applicable to manufacturers of M, N, and O category vehicles (passenger cars, trucks, trailers, etc.)
  • it requires vehicle manufacturers to obtain CSMS (Cyber Security Management System) certification and to implement cybersecurity measures in their vehicles to get VTA (Vehicle Type Approval).

UN ECE R155 is based on a risk analysis approach and requires vehicle manufacturer to implement cybersecurity measures based on these core principles:

  • Manage cyber risks via a certified CSMS.
  • Secure vehicles by design to mitigate risks along the value chain.
  • Detect and respond to security incidents.
  • Provide safe and secure software updates (closely linked to UN R156).
  • Ensure data security and provide logs for forensic analysis.

Go back

Scope

UN ECE R155 Applies to:

  • All vehicles of categories M (passenger cars) and N (trucks and buses).
  • Category O (trailers), but only if they are equipped with at least one electronic control unit (ECU).
  • Certain heavy quadricycles (Categories L6 and L7), but only if they are equipped with high-level automated driving functionalities (Level 3 and above).

UN ECE R155 Does Not Override Other Laws: It does not replace or interfere with other national or regional laws concerning:

  • Vehicle Access: Rules on who is authorized to access vehicle data, functions, and resources.
  • Data Privacy: Laws governing the processing of personal data and the right to privacy.
  • Replacement Parts: Regulations for the development and installation of both physical and digital replacement parts.

Go back

Application for Approval

Summary of Application for Approval:

  • Who Applies: The application must be submitted by the vehicle manufacturer (OEM) or their officially accredited representative.
  • Required Documentation: The application must include the following, submitted in triplicate:
    • A detailed description of the vehicle type, as specified in Annex 1 of the regulation.
    • A Certificate of Compliance proving the manufacturer’s Cyber Security Management System (CSMS) has been certified by an approval authority.

In the UK the approval authority for UN ECE R155 is Vehicle Certification Agency (VCA). R155 is audit based, which means they require manufacturers to submit their respective management systems for assessment as well VCA conducting interviews with stakeholders.

Handling of Confidential Data:

  • Manufacturers must provide information needed for compliance checks, even if it is protected by intellectual property or is confidential know-how.
  • The approval authority is obligated to treat this confidential information securely and confidentially.

Documentation Structure: Documentation is split into two parts:

  1. Formal Documentation Package: Submitted directly with the application. It serves as the main reference for the approval authority and must be archived by them for at least 10 years after the vehicle type ceases production.
  2. Additional Supporting Material: Held by the manufacturer but must be made available for inspection during the approval process. The manufacturer must also keep this material available for at least 10 years after production ends.

Go back

Verification Process

How Approval is Decided: The Approval Authority conducts checks to verify the manufacturer has:

  • Document Checks:
    • Managed cybersecurity risks throughout its supply chain.
    • Documented its risk assessments, test results, and implemented mitigations.
    • Designed appropriate cybersecurity measures into the vehicle.
    • Put in place capabilities to detect and respond to cyber attacks.
    • Implemented data logging for forensic analysis after an attack.
  • Testing:
    • Conducted tests (by themselves or in collaboration with the manufacturer) to verify that the documented security measures work effectively.
    • Testing must focus on, but is not limited to, risks assessed as high.

Grounds for Refusing Approval: Approval must be refused if the manufacturer:

  • Did not perform an exhaustive risk assessment (including all threats in Annex 5).
  • Did not protect the vehicle against the risks identified in their own assessment.
  • Did not secure dedicated environments for aftermarket software (if they exist).
  • Did not perform sufficient testing to verify the security measures.
  • Did not provide sufficient information for the authority to assess the vehicle’s cybersecurity.

Communication & Transparency Between Authorities

All decisions (approval, extension, or refusal) must be formally communicated to all countries party to the 1958 Agreement.

To ensure consistent application of the rules globally, Approval Authorities must:

  • Have competent personnel with cybersecurity and automotive skills.
  • Notify other international authorities before granting their first approval, explaining their methods and criteria for assessment.
  • Share this information via the UN’s secure DETA (Database for the Exchange of Type Approval) database.
  • Upload all granted approvals to DETA within 14 days.

Other authorities can submit comments on the assessment methods.

Any diverging views or disputes between national authorities are to be settled according to the 1958 Agreement, with the goal of establishing a common interpretation.

Manufacturer’s Ultimate Responsibility

The manufacturer is responsible for ensuring that all cybersecurity aspects required by the regulation are implemented effectively.

Go back

Certificate of Compliance for CSMS

Purpose: This certificate is official proof that a manufacturer’s Cyber Security Management System (CSMS) has been assessed and complies with UN R155. It is a prerequisite for vehicle type approval.

Who Issues: A national Approval Authority appointed by a country that has adopted the regulation.

Application Process:

  • The manufacturer (or its representative) applies for the certificate.
  • The application must include:
    • Documents describing the CSMS.
    • signed declaration from the manufacturer (using a standard model form).

Assessment: The manufacturer must demonstrate to the Approval Authority that its processes meet all cybersecurity requirements of the regulation.

Validity & Renewal:

  • The certificate is valid for a maximum of 3 years.
  • The manufacturer must apply for a renewal well before the expiry date.
  • The Approval Authority will conduct a new assessment before renewing the certificate for another 3-year period.

Ongoing Oversight:

  • The Approval Authority can verify at any time that the manufacturer still meets the requirements.
  • The manufacturer must inform the authority of any changes affecting the CSMS.
  • The certificate must be withdrawn if the requirements are no longer met.

Consequence of Losing the Certificate:

  • If the certificate expires or is withdrawn, it is treated as a major change to any vehicle type approval that relied on it.
  • This can lead to the withdrawal of the vehicle type approval itself if the issue is not corrected, meaning the manufacturer can no longer sell those vehicles.

Go back

CMSM Specifications

This section outlines the two pillars of compliance: having a certified management system (CSMS) and building secure vehicles.

General Principle

The requirements of UN R155 do not replace or override the requirements of any other UN Regulations.

Requirements for the Cyber Security Management System (CSMS): The CSMS must be a continuous process covering the entire vehicle lifecycle:

  • Phases Covered: Must apply to development, production, and post-production (the entire lifecycle of the vehicle).
  • Key Processes Required: The manufacturer must have processes to:
    • Manage cybersecurity within the organization.
    • Identify risks (must include threats listed in Annex 5, Part A).
    • Assess, categorize, and treat the identified risks.
    • Verify that risks are being managed appropriately.
    • Test the cybersecurity of vehicle types.
    • Keep the risk assessment current.
    • Monitor, detect, and respond to new threats, vulnerabilities, and cyber-attacks in the field.
    • Provide data for forensic analysis after an attack.
  • Response & Monitoring:
    • Must mitigate new threats within a “reasonable timeframe.”
    • Monitoring must be continual and include vehicles after they are sold.
    • Monitoring and data analysis must respect user privacy and data protection laws.
  • Supply Chain: The CSMS must define how cybersecurity is managed with suppliers and service providers.

Requirements for Vehicle Types: These are the technical requirements for a specific vehicle model to be approved.

  • Prerequisite: The manufacturer must have a valid CSMS certificate for the vehicle type.
  • Risk Assessment: Must perform an exhaustive risk assessment that:
    • Identifies critical vehicle elements and their interactions.
    • Considers risks from external systems.
    • Must include all threats listed in Annex 5, Part A.
  • Mitigation: Must implement proportionate security measures to protect against identified risks, including those in Annex 5, Parts B & C. If a listed measure isn’t relevant or feasible, an alternative must be implemented and justified.
  • Aftermarket Protection: Must secure any dedicated environments meant for third-party software or apps.
  • Testing: Must perform sufficient testing before approval to verify security measures are effective.
  • Vehicle Capabilities: The vehicle itself must have features to:
    • Detect and prevent cyber-attacks.
    • Support the manufacturer’s monitoring efforts.
    • Provide data for forensic analysis after an attack.
  • Cryptography: Cryptographic modules should follow international consensus standards (e.g., NIST, ISO), or their use must be justified.

Reporting Provisions

  • Manufacturer’s Duty: Must report at least annually to the approval authority on:
    • The outcomes of its monitoring activities (new attacks, threats, vulnerabilities).
    • Confirmation that existing security measures are still effective.
  • Authority’s Power: The approval authority verifies this reporting and can require the manufacturer to fix any issues. Insufficient reporting or response can lead to the withdrawal of the CSMS certificate.

Go back

Modifications & Extensions & Conformity

Modification and Extension of Vehicle Type Approval

Notification Required: Any change to the vehicle type that affects its cybersecurity performance or its documentation must be reported to the approval authority.

Authority’s Options: The authority can either:

  • Confirm the change is minor and still complies with the existing approval.
  • Require a new complementary assessment (including testing) if the change is significant.

Communication: The decision (confirmation, extension, or refusal of approval) must be formally communicated to all other countries applying the regulation.

Conformity of Production

  • Requirement: The manufacturer must ensure that every vehicle produced continues to comply with the approved type and the regulation’s cybersecurity requirements.
  • Documentation: Production test results must be recorded and stored for a period agreed with the authority, not to exceed 10 years after production ends.
  • Audits: The approval authority can audit the production facilities at any time to verify compliance, with a typical frequency of once every three years.

Penalties for Non-Conformity of Production

  • Consequence: If produced vehicles fail to comply with the regulation, the type approval can be withdrawn.
  • Communication: If an approval is withdrawn, the authority must immediately notify all other countries applying the regulation.

Production Definitively Discontinued

  • Notification: If a manufacturer stops production of an approved vehicle type, it must inform the approval authority.
  • Official Record: The authority then formally notifies all other countries that production has ended by marking the approval form with “PRODUCTION DISCONTINUED”.

Official Points of Contact

  • Directory: Each country must provide the UN with a list of its Approval Authorities and appointed Technical Services to ensure there is clear international communication.

Go back

Conclusion

UN ECE R155 in a nutshell:

  • is the WHAT (needs to be achieved)
  • is the law
  • vehicle manufacturers must have a process to manage cybersecurity
  • vehicle manufacturers must protect the vehicle from attacks

Leave a Reply

Logged in as Anthony Stark. Edit your profile. Log out? Required fields are marked *

Ad Blocker Detected

Dear user, Our website provides free and high quality content by displaying ads to our visitors. Please support us by disabling your Ad blocker for our site. Thank you!

Refresh
Skip to toolbar