Vehicles are increasingly becoming networked digital devices on wheels. In order to adequately protect them against cyber attacks and ensure the integrity of all vehicle systems, the United Nations Economic Commission for Europe (UNECE) has issued two complementary regulations, R 155 and R 156. They were drafted by the WP.29 (World Forum for Harmonization of Vehicle Regulations) working group of the UNECE's Inland Transport Committee (ITC).
What both regulations have in common is that they are aimed at vehicle manufacturers and focus on the cybersecurity of their products. With their different focal points, they complement each other to form a comprehensive set of cybersecurity regulations. While UNECE R 155 describes requirements for the introduction and operation of a cybersecurity management system (CSMS), UNECE R 156 focuses on the implementation and operation of a software update management system (SUMS). The regulations came into force at the beginning of 2021 and will apply to all newly produced vehicles from July 1, 2024. For the type approval of newly produced vehicle models, manufacturers must prove compliance with both directives.

Who is affected by UNECE R 155 and R 156?

UNECE R 155 and R 156 affect vehicle manufacturers in the EU, Japan and South Korea. The regulations only apply explicitly to vehicle manufacturers (OEMs). However, automotive suppliers are also indirectly affected: as OEMs are liable for compliance with the regulations across the entire supply chain and must prove that they also control the risks of their suppliers, they have a vital interest in ensuring that these suppliers also comply with the requirements of the regulations and implement their own CSMS and SUMS if necessary.

Which vehicle types are affected?

The two regulations apply to a wide range of different vehicle types:

  • Vehicles in category M: motor vehicles for the carriage of passengers with at least four wheels (passenger cars, buses, etc.)
  • Vehicles in category N: Vehicles for the carriage of goods with at least four wheels (trucks, delivery vehicles, etc.)
  • Vehicles in category O: Trailers with at least one electronic control unit
  • Vehicles with functions for autonomous driving (from autonomy level 3)
  • UNECE R 156 also applies to agricultural vehicles in categories T (tractors), R (agricultural trailers with at least one control unit) and S (towed agricultural machinery such as harrows, ploughs, mowers, etc.)

What exceptions are there?

  • The UNECE regulations do not apply to vehicles in category L (two-wheelers, three-wheelers and very light vehicles under 450 kg), provided they are not equipped with autonomous driving functions (from autonomy level 3).
  • An SUMS is generally not required if the vehicles do not contain control units with updatable software.
  • A CSMS is currently not required for manufacturers of agricultural vehicles in categories T, R and S.

What does UNECE R 155 regulate?

UNECE R 155 contains comprehensive requirements for the establishment of an effective CSMS, risk management and the control of software updates. The requirements relate to the entire life cycle of a vehicle, from vehicle development through operation to decommissioning/scrapping. Proof of an implemented and functional CSMS is mandatory for the approval of a vehicle type.
With regard to the CSMS, the directive follows a risk-based approach, which results in requirements for organizational processes, responsibilities and the handling of cyber threats and the protection of vehicles.

Essentially, these are:

  • Implementation of processes for risk identification and risk mitigation; regular threat analyses and risk assessments (TARA)
  • Continuous monitoring of known attacks and new vulnerabilities - including for vehicles in the field
  • Monitoring of update management, provision of security updates over the entire life cycle
  • Consideration and control of risks along the supply chain
  • Establishment of a register for managing regulatory software identification numbers (RXSWIN; see below)
  • Documenting the cybersecurity activities carried out

What can manufacturers use as guidance when implementing a CSMS?

The ISO/SAE 21434 standard (Road vehicles - Cybersecurity engineering) can be used as a guideline for the implementation of UNECE R 155. In particular, it describes specific procedures for threat analysis and risk assessment across the entire vehicle life cycle. It also describes, for example, procedures for cooperation with suppliers and customers and for checking the competence of suppliers.

What does UNECE R 156 regulate?

UNECE R 156 contains requirements in connection with software updates for vehicles and prescribes the introduction of a software update management system. This is intended to ensure that software updates are carried out safely and in compliance with the law and that the safety of software in vehicle control systems is guaranteed throughout their entire life cycle. In addition, the implementation of an R-156-compliant SUMS is necessary for the implementation of Directive R 155 (for vehicles with updateable software).

The most important aspects of this regulation are:

  • Establishment of a software identification scheme: each piece of software must be given an "RX Software Identification Number" (RXSWIN; "RX" stands for the approval-relevant standard and "SWIN" for the software number) by which it can be uniquely identified and which can be read out at least via the OBD interface (on-board diagnostic interface).
  • Safety and conformity: Updates of software functions that are relevant for type approval (e.g. brakes, engine control, exhaust) must be developed and validated in such a way that the functions concerned continue to function safely and in compliance with the law after the update. All prescribed parameters such as safety, connectivity and environmental factors must be taken into account.
  • Tests and validations: Software updates must be tested and validated before being rolled out, also taking into account any potential impact on cybersecurity and vehicle performance.
  • Detailed documentation: In order to create transparency for drivers and authorities, all processes and decisions regarding software updates must be documented in a detailed and comprehensible manner.

What can manufacturers use as guidance when implementing an SUMS?

The ISO 24089 standard (Road vehicles - Software update engineering) serves as a guideline for the implementation of UNECE R 156. In addition to requirements and recommendations for the introduction of a SUMS, it also contains requirements and recommendations for software update engineering, validation and risk management with regard to cyber security.

Sources

The two regulations were published in the Official Journal of the European Union and are available online:

UNECE R 155: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:42021X0387

UNECE R 156: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:42021X0388

 

Support with the implementation and operation of CSMS and SUMS

NewTec supports manufacturers and suppliers with consulting and coaching in the implementation of CSMS and SUMS concepts and the establishment of corresponding processes.
