The WP.29 regulation and the ISO/SAE standard are complementary and both look at securing modern vehicles in a similar way.
The main commonalities between them are first, that both require securing the vehicle throughout its lifecycle, starting from development, going through production, and all the way to its post-production service-time while it’s on the road.
Secondly, both require an effective cybersecurity management system inside the organization. Both require performing very thorough TARA activities, which is Threat Analysis and Risk Assessment throughout the vehicle lifecycle. And both require effective management of the supply chain of the vehicle.
However, there are a few differences between the standard and regulation. The regulation is legally binding within all the countries that participate in the regulation, which are also known as the contracting parties, while the standard will be probably widely accepted in the industry but will not be legally binding.
Additionally, the regulation is very particular in specific areas. For example, it provides a comprehensive list of threats that serve as baseline threats in order to assess if a vehicle and the connected services are secure. While the standard goes very deep by thoroughly describing how to do some activities such as TARA, Threat Assessment and Risk Analysis, cybersecurity management in the organization, and cybersecurity management for the supply chain.
Ultimately, the standard and the regulation are complimentary and are also non-contradicting, which means that if an OEM does a thorough job in adhering to one of them, it will be well on its way to complying with the other.