Summary of "UN Regulation No. 155 is in force: Requirements affecting the supply chain [Full Recorded Webcast]"
UN Regulation No. 155 (UNR155) requires a Cyber Security Management System (CSMS) and an organizational Certificate of Compliance (CoC) as prerequisites for vehicle type approval. This materially changes commercial, legal and supplier relationships across the automotive supply chain.
High-level summary (business focus)
- UNR155 mandates a CSMS for road vehicles and introduces type-approval requirements that materially affect OEMs and suppliers.
- Compliance is now both a commercial and legal gate: an organizational Certificate of Compliance (CoC) for a CSMS is required for vehicle type approval. Non-compliance risks loss of market access, fines, product liability exposure and severe brand/reputation damage.
- OEMs are the legally responsible parties for type approval and for managing supplier-related cyber risk; OEMs will typically push UNR155 / ISO/SAE 21434 requirements down the supply chain and expect supplier evidence.
Key frameworks, standards and reference documents (playbook)
- UNR155 — regulation requiring a CSMS and vehicle-level evidence for type approval.
- ISO/SAE 21434 — road vehicle cybersecurity engineering standard; recommended baseline for implementing CSMS and technical engineering.
- UNR156 — software update management system (related but separate).
- Other relevant standards: ISO 27001 (IT security), IEC 62443 (industrial security), ISO PAS 5112 (cybersecurity audits).
- Supporting artifacts: VDA questionnaire; UNR155 interpretation document (searchable; links to ISO/SAE 21434 but may reference older drafts).
Typical CSMS playbook (recommended sequence)
- Current-state assessment / gap analysis vs. UNR155 and ISO/SAE 21434.
- Define scope (which vehicles, items, lifecycle phases).
- Create prioritized action plan (process design, roles, tooling).
- Implement CSMS (process owners, production control plans, item definitions).
- Pilot for one project/vehicle type, train stakeholders, iterate.
- Internal audit and readiness checks.
- Undergo CoC audit by a technical service; obtain CoC → apply for type approval.
- Continuous improvement and CoC renewal cycles.
Requirements, processes and organizational tactics (operational detail)
Lifecycle coverage
- CSMS must cover the full product lifecycle: development, production and post-production (operation and decommissioning).
Vehicle-level requirements
- Perform Threat Analysis and Risk Assessment (TARA), implement mitigations, and perform verification, validation and testing to demonstrate controls are effective and detect attacks.
Penetration testing
- Recommended as final validation per ISO/SAE 21434; validates that selected mitigations are correctly implemented and effective, but does not replace earlier engineering activities.
Supplier management
- UNR155 (req. 3.7.3.2) mandates that OEMs identify and manage supplier-related risks for the vehicle being approved.
- OEMs typically require suppliers to provide evidence of compliance (often ISO/SAE 21434-aligned artifacts) and may audit suppliers.
TARA and artifact practices
- ISO/SAE 21434 expects item-level TARA; in practice TARAs are often done at multiple levels: vehicle-level (OEM) and item/ECU-level (supplier). Results are reconciled across levels.
- Inputs for vehicle-level TARA: architecture, communication flows, external interfaces, core functionality and prioritized attack surfaces.
Post-production lifecycle and support
- CSMS must include monitoring, detection, incident response and provisioning of data for forensic analysis.
- No industry consensus on support length. Common contractual asks:
  - 15 years of cybersecurity support post end-of-production is common.
  - One OEM example referenced a 50-year expectation.
  - Regulation states the lifecycle ends when no vehicles of that type remain in operation, which is potentially indefinite and ambiguous.
Certifications & audits
- Certificate of Compliance (CoC) is required for organizational CSMS; typically valid for 3 years (some approval authorities provided 1-year transitional CoCs initially).
- Technical services / approval authorities perform audits for CoC and type-approval activities.
- OEMs conduct/collect supplier audits and evidence to demonstrate supplier risk management to approval authorities.
KPIs, timelines and numeric targets referenced
- Geographic scope: UNR155 applies to UNECE member states (~64 countries) and affects global OEMs. Other jurisdictions have analogous mechanisms (e.g., China CCC, U.S. self-declaration).
- Market scale cited: affects around 64 countries with more than 30 million (up to ~40 million) cars per year.
- Regulatory timeline highlights (as stated in the source):
  - UNR155 enforcement began in January (per transcript).
  - Mandatory for new vehicle types from July (same year per transcript).
  - Mandatory for all new vehicles from July 2024 (as stated in the webcast).
- CoC validity: renew every 3 years (with some authorities offering 1-year transitional CoCs).
- Supplier contractual examples: typical OEM asks include 15 years post-production support; one OEM cited 50-year expectation.
Concrete examples & operational cases
- Vehicle scope: applies to categories M and N (passenger and goods vehicles), O (trailers with at least one ECU), and L6/L7 with automated driving capabilities (level 3+). Motorcycles are excluded.
- Supply-chain flow: OEM registers for CSMS assessment and type approval; OEM collects supplier evidence (e.g., supplier CoC / ISO/SAE 21434 artifacts) and may perform supplier audits.
- TARA practice: vehicle-level TARA typically performed by OEM; item/ECU-level TARA by supplier. Supplier TARA is important because suppliers best know their product; OEM TARA assesses vehicle impact.
- CoC audits: example approval authorities (Germany, UK) offered one-year CoCs early on to allow for remaining gaps and accelerate market readiness.
Actionable recommendations (what companies should do now)
Immediate steps for any company (OEM or supplier)
- Run an urgent current-state assessment vs. UNR155 and ISO/SAE 21434.
- Define which vehicle types/items and lifecycle phases are in scope.
- Build a prioritized remediation/action plan with timelines tied to OEM product launches and regulatory deadlines.
- Implement a CSMS covering lifecycle, supplier management and incident response; designate process owners and users.
- Run internal audits and pilot projects to validate processes before technical-service audit.
- Prepare artifacts for TARA, verification/validation, penetration tests and supplier evidence packages.
- Negotiate supplier contracts to clarify lifecycle support obligations and contractual evidence requirements to avoid open-ended exposure.
Supplier-specific tactics
- Expect OEMs to forward UNR155 requirements; prepare to provide ISO/SAE 21434-aligned artifacts and evidence.
- Perform item-level TARA and retain traceable evidence (test reports, V&V artifacts).
- If small, explicitly plan for competence gaps (external consultants, training, phased implementation).
Competency mix recommended
- Cybersecurity domain knowledge (concept-level; CSMS roles do not always require offensive-hacking experts).
- Process design and implementation expertise (create usable, enforceable processes).
- Organizational change and stakeholder engagement skills (to secure management buy-in and funding).
Risk & strategic considerations for leadership
- Resource variance: large OEMs generally have budgets and reserved cost-per-car for cybersecurity; small manufacturers and startups face greater people and competence constraints and must prioritize pragmatically.
- Legal and commercial exposure: UNR155 increases contractual demands and may create new liabilities if support obligations are not clearly defined.
- Brand risk: cybersecurity incidents can rapidly cause reputation loss; customers increasingly treat cybersecurity as a baseline expectation.
Tools, documents and training resources cited
- VDA questionnaire for UNR155 preparation.
- UNR155 interpretation document (online) — helpful guidance though it may reference older ISO drafts.
- ISO/SAE 21434 — use as baseline for CSMS and product engineering.
- Cyrus Consulting — consulting services, training academy, book on ISO/SAE 21434 and on-demand courses/certifications (presenter’s firm).
Presenters / sources
- Manuel Sandler — Partner, Cyrus Consulting (presenter of the webcast).
- Referenced organizations/documents: UNECE / WP.29, UNR155, UNR156, ISO/SAE 21434, VDA questionnaire, national approval authorities (examples: Germany, UK), industry practices and OEM examples cited in the webcast.
Category
Business