The Vehicle Certification Agency uses essential cookies and similar technologies that allow the site to work properly. It also uses website usage cookies that can be switched on or off. Closing this box will disable website usage cookies.

More about cookies and how to change your settings can be found here: Privacy and cookies

Accept website usage cookies View cookie settings
Home breadcrumb separator arrow Connected and Automated Vehicles breadcrumb separator arrow Cyber Security and Software Updating

Cyber Security and Software Updating

This page was last updated on 29th July 2022

Introduction 

UNECE Regulation 155 covers the uniform provisions for vehicle cybersecurity and cybersecurity management systems. The requirements of this regulation can be closely mapped to the requirements laid out in ISO21434. 

The regulation applies to vehicle categories: 

  • Passenger Cars (M) 
  • Goods Vehicle (N) 
  • Trailers (O) – if fitted with at least one electronic control unit 
  • Quads (L6 & L7) – if equipped with automated driving functionalities from Level 3 or above 

UNECE Regulation 156 covers the uniform provisions for vehicle software updates and software update management systems. The closest applicable standard is ISO24089 (DRAFT) which specifies the requirements for software updates. The purpose of software updates is to ensure software quality, cybersecurity and vehicle safety. 

This regulation applies to vehicle categories that permit software updates: 

  • Passenger Cars (M) 
  • Goods Vehicles (N) 
  • Trailers (O) 
  • Agricultural Vehicle (T) 
  • Agricultural Trailer (R) 
  • Interchangeable Towed Equipment (S) 

VCA Auditing and Assessment 

VCA were actively involved in the development of both R155 and R156, participating in the UNECE Cybersecurity and Over The Air Update task force. 

A UK based project team was formed in August 2020 with the aim of developing the agencies’ capability to assess both regulations. Now that the project has transferred to business as usual, VCA has expertise on both the technical service and approval authority sides of the business with certification being led from the UK. 

R155 and R156 both require very different approaches than conventional regulations. They are audit based, which means they require manufacturers to submit their respective management systems for assessment. The approach is systematic and risk-based and defines organisational processes, responsibilities and governance to treat risk associated with cyber threats to vehicles and protect them from cyber-attacks. 

Please contact the Regulatory and Technology Group at RTG@vca.gov.uk if you have any technical questions either R155 or R156. 

Related Information

Is this page useful?
Is there anything wrong with this page?