Cyber Security and Software Updating

This page was last updated on 25th January 2024

Introduction

UN Regulation No. 155 covers the uniform provisions for vehicle cybersecurity and cybersecurity management systems. The requirements of this regulation can be closely mapped to the requirements laid out in ISO 21434 – Road Vehicles – Cyber Security.

The regulation has the following vehicle categories in scope:

  • Passenger Cars (M)
  • Goods Vehicle (N)
  • Trailers (O) – if fitted with at least one electronic control unit
  • Quads (L6 & L7) – if equipped with automated driving functionalities from Level 3 or above

 

UN Regulation No. 156 covers the uniform provisions for vehicle software updates and software update management systems. The closest applicable standard is ISO 24089 – Road Vehicles – Software Update Engineering, which specifies the requirements for software updates. The purpose of software updates is to ensure continued regulatory compliance, cybersecurity and vehicle safety.

This regulation has the following vehicle categories in scope that permit software updates:

  • Passenger Cars (M)
  • Goods Vehicles (N)
  • Trailers (O)
  • Agricultural Vehicle (T)
  • Agricultural Trailer (R)
  • Interchangeable Towed Equipment (S)

VCA Auditing and Assessment

UN R155 and UN R156 both require very different approaches than conventional regulations. They are audit based, which means they require manufacturers to submit their respective management systems for assessment as well VCA conducting interviews with stakeholders. The approach is systematic and risk-based and defines organisational processes, responsibilities and governance to treat risk associated with cyber threats to vehicles and protect them from cyber-attacks.

Application Dates

Cybersecurity

Dates EU Unlimited Series (M1,2,3 & N1,2,3)

From 06 July 2022 for New Whole-vehicle Type Approval

From 07 July 2024 for Existing Vehicle Type Approval

Dates EU Small Series Scheme I & II (M1, N1) or Special Purpose

From 06 July 2024 for EU Small Series Scheme, I & II

From 07 July 2026, for Existing Approvals

 

Software Updating

Dates EU Unlimited Series: (M1,2,3 & N1,2,3 & O1,2,3,4)

From 06 July 2022 for New Whole-vehicle Type Approvals *

From 07 July 2024, for New Whole-Vehicle Type Approvals

From 07 July 2026, for New Complete Vehicles *

From 07 July 2029, for New Completed Vehicles

* Where the Manufacturer executes software updates that affect type-approved characteristics of those vehicles after their registration.

Dates EU Small Series Scheme I & II (M1) or Special Purpose

From 07 July 2024 for new EU whole-vehicle type approvals produced in small series or special purpose

From 07 July 2026, for Existing Approvals produced in small series or special purpose

From 07 July 2029, for New Completed Vehicles

Special Purpose Vehicles

The following special purpose vehicles are in scope of these regulations.

  • Motor caravans, ambulances and hearses
  • Armoured Vehicles
  • Wheelchair-accessible Vehicles
  • Other Special Purpose, including special group, multi-equipment carrier and trailer caravans
    • Excludes Categories (O1,2,3,4) – With regard UN R155 Cybersecurity
  • Mobile Cranes (N3)
  • Exceptional load transport vehicles
    • Excludes Category O4 – With regard to UN R155 Cybersecurity

Cyber Security and Suppliers

Only vehicle manufacturers can obtain approval according to UN R155. There are however requirements defined within this to provide evidence that they effectively manage their supply chain. This places an onus on the manufacturer to understand and identify the risks posed by the supply chain, and to develop and cascade security requirements to those suppliers which could introduce a risk to a particular vehicle type.  Further information is provided in the ‘Interpretation Document of UN Regulation No. 155′, hosted on the UN ECE Website.  This introduces the use of contracts to reflect supplier related risks.

These requirements can be supported by ISO 21434, referencing Clause 7 Distributed cybersecurity activities.  This provides requirements and recommendations for the implementation of manufacturer – supplier agreements and the alignment of responsibilities.

We advise that for further guidance automotive suppliers should consult with the vehicle manufacturers they are supplying on the implementation of their security requirements. One thing to consider is that the security requirements between manufacturers may differ.

Further Information

Please contact the Regulatory and Technology Group at RTG@vca.gov.uk if you have any technical questions concerning UN R155 or UN R156.


WEBCAV-03 Revision 1