With Its Second Milestone Coming Soon, the Impact of UNECE R155 Continues to Expand

The UNECE WP.29 R155 regulation is rapidly evolving, reflecting the automotive industry’s commitment to addressing cybersecurity risks across an increasingly connected and technologically advanced mobility ecosystem and a significant inflection point in the scale and impact of cyber attacks. In 2023, OEMs and suppliers continued implementing R155 for Cyber Security Management System (CSMS) and Type Approval, alongside WP.29 R156 for Software Update Management System (SUMS). However, a critical milestone looms – based on the second phase of R155, its scope will become mandatory for all new vehicles entering production from July 2024 onwards. Notably, some OEMs have already discontinued specific models due to anticipated R155 compliance challenges and the impending second milestone deadline.

Together with ISO/SAE 21434, R155 is part of a global effort to establish a unified approach to cyber threat protection. While avoiding prescriptive solutions, these regulations stress implementing rigorous cybersecurity analysis standards. The guidelines outline processes, specifying risk analysis and response targets while emphasizing the consideration of lifelong cybersecurity vulnerabilities across development, production, and post-production phases.

Driven by regulatory changes, evolving industry standards, and research insights, organizations like the US National Highway Traffic Safety Administration (NHTSA), the European Union Agency for Cybersecurity (ENISA), and the Auto-ISAC trade association have updated their cybersecurity guidelines and best practices accordingly.

The Regulatory Landscape Continues to Mature

As the Automotive and Smart Mobility ecosystem evolves with new applications, devices, and services, policymakers worldwide are rethinking regulations. In addition to the critical R155 milestone of extending its scope to all new vehicles from July 2024, legislators are becoming increasingly aware of cybersecurity risks to vehicles, infrastructure, and consumer privacy. Consequently, new laws, including those governing autonomous vehicles, are being drafted to address these risks.

The scope of R155 is expected to expand to include motorcycles and agricultural equipment, recognizing the increasing connectivity and software integration in these vehicle categories. Modern two- and three-wheeled vehicles now incorporate multiple software components, sensors, electronic systems, and advanced infotainment capabilities, significantly increasing their cyber risk exposure. Securing motorcycles is part of the global effort to deepen safety and trust in the Automotive ecosystem.

In July 2023, the UNECE submitted a proposal to expand R155’s scope to include all Category L vehicles, beyond the current L6 and L7 categories. If accepted, this proposal, initiated by CLEPA, will become effective in July 2029 and will require motorcycle OEMs to implement CSMS.

Furthermore, the UNECE is discussing the potential inclusion of Category T vehicles (agricultural machinery), as well as related categories R (agricultural trailers) and S (interchangeable towed agricultural equipment) under R155’s purview. While a consensus on this expansion has yet to be reached, a decision is expected during 2024.

As the mobility industry continues its digital transformation, the expanding impact of R155 underscores the need for a proactive and collaborative approach to cybersecurity. By embracing this regulation and actively participating in industry initiatives, stakeholders can enhance the resilience and security of connected vehicles, foster consumer trust, and position themselves as leaders in the evolving mobility ecosystem. Failure to comply with R155 could result in severe consequences, including potential legal liabilities, reputational damage, and financial implications.