With Its Second Milestone Coming Soon, the Impact of UNECE R155 Continues to Expand

YONATAN APPEL

CTO & Co-Founder

April 4, 2024

The UNECE WP.29 R155 regulation is rapidly evolving, reflecting the automotive industry’s commitment to addressing cybersecurity risks across an increasingly connected and technologically advanced mobility ecosystem and a significant inflection point in the scale and impact of cyber attacks. In 2023, OEMs and suppliers continued implementing R155 for Cyber Security Management System (CSMS) and Type Approval, alongside WP.29 R156 for Software Update Management System (SUMS). However, a critical milestone looms – based on the second phase of R155, its scope will become mandatory for all new vehicles entering production from July 2024 onwards. Notably, some OEMs have already discontinued specific models due to anticipated R155 compliance challenges and the impending second milestone deadline.

Together with ISO/SAE 21434, R155 is part of a global effort to establish a unified approach to cyber threat protection. While avoiding prescriptive solutions, these regulations stress implementing rigorous cybersecurity analysis standards. The guidelines outline processes, specifying risk analysis and response targets while emphasizing the consideration of lifelong cybersecurity vulnerabilities across development, production, and post-production phases.


unece wp29 r155

Driven by regulatory changes, evolving industry standards, and research insights, organizations like the US National Highway Traffic Safety Administration (NHTSA), the European Union Agency for Cybersecurity (ENISA), and the Auto-ISAC trade association have updated their cybersecurity guidelines and best practices accordingly.

The Regulatory Landscape Continues to Mature

As the Automotive and Smart Mobility ecosystem evolves with new applications, devices, and services, policymakers worldwide are rethinking regulations. In addition to the critical R155 milestone of extending its scope to all new vehicles from July 2024, legislators are becoming increasingly aware of cybersecurity risks to vehicles, infrastructure, and consumer privacy. Consequently, new laws, including those governing autonomous vehicles, are being drafted to address these risks.

The scope of R155 is expected to expand to include motorcycles and agricultural equipment, recognizing the increasing connectivity and software integration in these vehicle categories. Modern two- and three-wheeled vehicles now incorporate multiple software components, sensors, electronic systems, and advanced infotainment capabilities, significantly increasing their cyber risk exposure. Securing motorcycles is part of the global effort to deepen safety and trust in the Automotive ecosystem.

In July 2023, the UNECE submitted a proposal to expand R155’s scope to include all Category L vehicles, beyond the current L6 and L7 categories. If accepted, this proposal, initiated by CLEPA, will become effective in July 2029 and will require motorcycle OEMs to implement CSMS.

Furthermore, the UNECE is discussing the potential inclusion of Category T vehicles (agricultural machinery), as well as related categories R (agricultural trailers) and S (interchangeable towed agricultural equipment) under R155’s purview. While a consensus on this expansion has yet to be reached, a decision is expected during 2024.

As the mobility industry continues its digital transformation, the expanding impact of R155 underscores the need for a proactive and collaborative approach to cybersecurity. By embracing this regulation and actively participating in industry initiatives, stakeholders can enhance the resilience and security of connected vehicles, foster consumer trust, and position themselves as leaders in the evolving mobility ecosystem. Failure to comply with R155 could result in severe consequences, including potential legal liabilities, reputational damage, and financial implications.

Gain invaluable insights into the evolving landscape of automotive cybersecurity by exploring Upstream’s 2024 Global Automotive Cybersecurity Report.
This comprehensive resource delves into the latest regulations and guidelines governing cybersecurity in the automotive industry, offering a holistic understanding of the measures being implemented to safeguard vehicles from emerging cyber threats.

Newsletter Icon

Upstream’s 2024 Global Automotive Cybersecurity Report

Newsletter Icon

Subscribe
to our newsletter

Stay up-to-date on the latest trends, emerging risks, and updates

7 Key Financial Implications of Automotive Cybersecurity Risks

In June 2023, a leading Taiwan-based semiconductor manufacturer disclosed a cybersecurity incident involving a ransomware group and one of its IT hardware suppliers, which led…

Read more

Newly Discovered IoT Vulnerabilities in ELDs Raise Risk for Fleet-Wide Attacks

In late March 2024, The Register published a unique coverage, describing multiple new vulnerabilities and elaborating on the cyber risks in ELDs (electronic logging devices)…

Read more

Navigating the Evolving Automotive Cybersecurity Regulatory Landscape

The automotive industry’s digital transformation has ushered in an era of unprecedented connectivity and technological advancement. Yet, it is also exposing mobility assets to a…

Read more

With Its Second Milestone Coming Soon, the Impact of UNECE R155 Continues to Expand

The UNECE WP.29 R155 regulation is rapidly evolving, reflecting the automotive industry’s commitment to addressing cybersecurity risks across an increasingly connected and technologically advanced mobility…

Read more