New cyber threats are constantly emerging, with hackers targeting businesses, private communication networks, and even the software in your car.
The connected nature of modern vehicles means that anyone can become a target and that cars have to be protected just like any other device. Imagine some hacker being able to take control of your vehicle while you’re driving. It’s not that far-fetched.
In response, regulators in the European Union have introduced two new automotive cyber security regulations: R155 and R156.
This means that any automaker that operates in or wants to do business with member states has to ensure that they are compliant.
The EU has taken a firm and united stance when it comes to cyber security. With the proposal of the EU Cyber Solidarity Act, policymakers made it clear that they are determined to improve the European Union’s preparedness, detection, and response to large-scale malicious attacks across various sectors, including transportation.
Automakers are not immune to cyberattacks. Here are some recent examples:
Some automakers have revealed that their cars simply aren’t able to deal with emerging cybersecurity threats and are in the process of withdrawing their cars from the market, as they aren’t able to meet the cyber security requirements of the new regulations.
In most cases, it’s simply too expensive to integrate a new electronic architecture into the existing models.
In any case, the major players in the automotive industry—whether located in Europe or not—have to start taking vehicle cybersecurity seriously to prepare for much more stringent regulatory requirements.
There are two new regulations that automakers need to be aware of:
UN R155 (UN Regulation No. 155)
Focuses on cybersecurity and cybersecurity management systems (CSMS) for vehicles. Introduced in 2021, it requires car manufacturers to establish a CSMS to identify, assess, and mitigate cybersecurity risks throughout a vehicle’s lifecycle (design, production, operation). It’s compulsory.
UN R156 (UN Regulation No. 156)
Specifically addresses software updates and software update management systems (SUMS). With the increasing reliance on software in cars, this regulation ensures car manufacturers have a robust process for delivering secure software updates to vehicles. This includes measures to prevent unauthorized modifications and ensure the integrity of the updates.
Together, UN R155 and R156 aim to improve cybersecurity in modern vehicles by requiring car manufacturers to implement a systematic approach to cybersecurity (R155) and to ensure secure software updates that address vulnerabilities and maintain vehicle security (R156).
UN R155 and R156 have a two-phased implementation timeline for UNECE member countries:
In essence, as of the time of this article, UN R155 and R156 are already in effect for all new vehicle types seeking type approval in UNECE member countries. From July 2024 onwards, compliance will be mandatory for all vehicles going through the type approval process.
Many automakers have already taken preparatory steps to secure their network and information systems as well as the technology within their new vehicles. What we’ve really seen in Europe is a shift towards a “security by design” approach. Carmakers will need to prioritize automotive cybersecurity throughout the entire vehicle development process, from initial concept to production and beyond. This will require investment in digital security expertise, tools, and processes.
UN R155 already requires carmakers to establish a CSMS. This system involves identifying potential cybersecurity risks across a vehicle’s lifecycle, assessing their severity, and implementing appropriate mitigation strategies. Many vehicle makers have opted to stop production on selected cars as it’s too expensive to become compliant. Even 2025 models will likely carry extra costs as carmakers have to hire cybersecurity specialists, purchase additional security tools, and implement new secure development practices as part of data protection efforts.
Any automotive OEMs that were unprepared for the additional complexity will likely find their production lines delayed.
While there will be initial challenges, UN R155 and R156 will benefit carmakers in the long run.
By prioritizing cybersecurity, carmakers can build more secure vehicles, reducing the risk of cyberattacks that could damage their reputation and lead to costly recalls.
Demonstrating a commitment to cybersecurity can enhance a carmaker’s brand image and attract customers who are increasingly concerned about the security of connected vehicles.
The EU regulations are just one example of a growing trend towards stricter cybersecurity regulations for the automotive industry. Many other countries and regions are likely to implement similar regulations in the coming years. By familiarizing themselves with UN R155 and R156, carmakers can get a head start on complying with future regulations around the world.
It’s also important to bear in mind that UN R155 and R156 are based on international standards like ISO 21434. As more countries adopt these regulations or develop their own, there’s a good chance they will be harmonized with existing standards. This can simplify compliance for carmakers who sell vehicles in multiple markets.
By designing and developing vehicles with cybersecurity in mind from the beginning, carmakers can avoid costly modifications later on to comply with upcoming regulations in different markets. This “security by design” approach can save time and money in the long run.
UN R155 and R156 represent a strong benchmark for automotive cybersecurity. Following these guidelines demonstrates a commitment to best practices, and will be valuable for carmakers looking to expand into new markets or build trust with consumers worldwide.
Overall, UN R155 and R156 represent a paradigm shift for all carmakers. While these regulations will require adjustments and investments, they pave the way for a more secure future for connected vehicles, ultimately benefiting carmakers, vehicles, and their drivers.