This UN Regulation No. 155 establishes uniform provisions for vehicle cyber security and cyber security management systems (CSMS). It sets requirements for vehicle manufacturers to implement comprehensive cybersecurity measures throughout a vehicle’s lifecycle – from development through production and post-production phases.The regulation applies to vehicles of categories L, M, N and O that have at least one electronic control unit. It requires manufacturers to obtain a Certificate of Compliance for their Cyber Security Management System and type approval for vehicle cybersecurity measures.The key structural elements include:
- Detailed specifications for the Cyber Security Management System that manufacturers must implement
- Requirements for vehicle type approval regarding cybersecurity
- Comprehensive annexes listing potential threats and corresponding mitigation measures
- Procedures for maintaining compliance and handling modifications
The main provisions require manufacturers to:
- Implement a certified Cyber Security Management System covering development, production and post-production phases
- Conduct thorough risk assessments and implement appropriate mitigation measures
- Protect vehicle systems, interfaces and communication channels against cyber threats
- Monitor cyber threats and vulnerabilities and respond appropriately
- Provide data forensic capabilities for cyber attack analysis
- Ensure secure software updates and protect dedicated environments for aftermarket software
- Report monitoring outcomes to approval authorities at least annually
