Skip to content Skip to footer

Automotive Cybersecurity: UN-R155 – ISO/SAE 21434 – The 2026 Guide for Manufacturers

ART-AUTO · Neo Coeur Intelligence · Published: July 2026 · Standards: UN-R155 (2021) · ISO/SAE 21434 (2021)

📋 TABLE OF CONTENTS

00.Introduction
I.General Overview: The Automotive Cybersecurity Landscape
1.1Regulatory foundations: UN-R155 and ISO/SAE 21434
1.2Stakes and market figures
II.Detailed Analysis: Obligations, Attack Surface and TARA
2.1Regulatory calendar and enforcement timeline
2.2The modern vehicle attack surface
2.3TARA methodology: Threat Analysis and Risk Assessment
2.4OTA security and V2X: the new frontiers
2.5Concrete cases by OEM profile
III.The Certification Roadmap: 5 Steps to UN-R155 Compliance
3.1Step 1. Establish CSMS governance
3.2Step 2. Conduct the TARA
3.3Step 3. Implement cybersecurity controls
3.4Step 4. Secure OTA and supply chain
3.5Step 5. Audit, type approval and continuous monitoring
3.6UN-R155 compliance checklist
IV.Conclusion
V.Bibliographic References

Introduction

A modern vehicle contains more than 100 Electronic Control Units (ECUs), hundreds of millions of lines of code, and is permanently connected to the outside world through V2X communication, OTA update channels, mobile applications and third-party APIs. This technological reality transforms every new vehicle into a potential cyber target. And every OEM into a de facto cybersecurity operator.

Between 2018 and 2023, automotive cyberattacks multiplied by a factor of six. The financial consequences are no longer theoretical: a single software-related recall can cost up to 1.5 billion dollars. Yet the vast majority of manufacturers still approach cybersecurity as a post-development layer, not as a design-time discipline.

UN Regulation No. 155 (UN-R155), adopted by the UNECE WP.29 working party, changes this equation permanently. It imposes a Cyber Security Management System (CSMS) certified by a technical service on every new vehicle type approved in the 54 signatory countries. ISO/SAE 21434 provides the engineering framework to operationalize this obligation at the system and component level.

This article provides the complete 2026 roadmap for OEMs, Tier-1 suppliers and cybersecurity teams: regulatory obligations, TARA methodology, OTA security requirements, audit preparation and continuous monitoring governance.

⚡ REGULATORY UPDATE, 2026

As of July 2024, UN-R155 applies to all new vehicles in type-approval countries, including all existing model variants. The grace period for vehicles already in production has expired. Any new type approval issued after this date without a valid CSMS certificate from an accredited technical service is legally invalid in the 54 signatory countries, covering the EU, Japan, South Korea and the UK.

I. General Overview: The Automotive Cybersecurity Landscape

1. Regulatory Foundations: UN-R155 and ISO/SAE 21434

UN-R155 is a UNECE type-approval regulation adopted in March 2021 and applicable in all 54 WP.29 member countries. It operates at the vehicle type-approval level: no CSMS certificate, no market access. It does not prescribe technical solutions. It mandates outcomes and processes.

ISO/SAE 21434, published in August 2021, is the engineering standard that operationalizes UN-R155 requirements at the component and system level. It defines the complete lifecycle of cybersecurity engineering: concept, development, production, operations, maintenance and decommissioning. Compliance with ISO/SAE 21434 does not automatically imply UN-R155 certification, but it is the de facto recognised path to demonstrate conformity.

FIGURE 01 · REGULATORY ARCHITECTURE · UN-R155 & ISO/SAE 21434WP.29 · UNECE
UN-R155
UNECE WP.29 · Type Approval
Market access obligation
ISO/SAE 21434
Engineering Standard
Cybersecurity lifecycle · TARA · controls
UN-R156
Software Update Management System
OTA update security · SUMS certification
CSMS + SUMS
Certified by Accredited Technical Service
TÜV · DEKRA · Bureau Veritas · SGS
Source: UNECE WP.29 · UN Regulation No. 155 (2021) and UN Regulation No. 156 (2021)

2. Stakes and Market Figures

The strategic and financial stakes of automotive cybersecurity have reached a scale that removes any ambiguity about the priority it deserves in OEM and supplier investment plans.

FIGURE 02 · KEY FIGURES · AUTOMOTIVE CYBERSECURITY 2026MARKET DATA
×6
Automotive cyberattacks in 5 years (2018–2023)
$800B
Connected vehicle market size by 2035
85%
Of new vehicles will embed AI systems by 2030
$1.5B
Average cost of a software-related recall campaign
Sources: Upstream Security Global Automotive Cybersecurity Report 2024 · McKinsey Mobility 2035 · Gartner Automotive AI Survey 2025

Beyond market figures, the liability dimension is critical. Under EU product liability reform and the NIS2 Directive, OEMs operating connected vehicle fleets are now classified as operators of essential services in the transport sector. A cyber incident resulting in injury or infrastructure disruption triggers both regulatory and civil liability exposure that no CSMS certificate alone can fully shield. But its absence makes the situation catastrophically worse.

II. Detailed Analysis: Obligations, Attack Surface and TARA

1. Regulatory Calendar and Enforcement Timeline

FIGURE 03 · UN-R155 ENFORCEMENT TIMELINETIMELINE
MAR 2021
UN-R155 adopted by WP.29 DONE
Publication of the regulation. 54 signatory countries. Start of the transition period for manufacturers.
JUL 2022
New type approvals, mandatory CSMS DONE
Any new vehicle type submitted for approval after this date requires a valid CSMS certificate from an accredited technical service.
JUL 2024
All new vehicles, full scope ENFORCED
Extension to all new vehicles including existing model variants. No grandfather clause. Production without CSMS = illegal type approval.
2026–2027
⚡ Enforcement intensification NOW
National type-approval authorities increasing audit frequency. Technical services conducting deeper CSMS evidence reviews. Tier-1 contractual cascade accelerating.
2030+
CSMS revision cycle expected HORIZON
WP.29 working groups already examining AI-specific cybersecurity requirements for autonomous driving systems (L3+).
Source: UNECE WP.29. UN-R155 application schedule and national implementation status

2. The Modern Vehicle Attack Surface

A vehicle produced in 2026 is not a mechanical system with embedded electronics. It is a distributed computing platform on wheels, permanently connected, continuously updated, and interfacing with an ecosystem of cloud services, mobile applications, roadside infrastructure and third-party APIs. Understanding the attack surface is the mandatory prerequisite to any meaningful TARA.

FIGURE 04 · VEHICLE ATTACK SURFACE · 100+ ECU ARCHITECTUREECU · V2X · OTA
🚗
Powertrain ECU
Engine, transmission, battery management. Safety-critical
🛞
Chassis & ADAS
ABS, ESP, autonomous driving. Physical harm potential
📡
Telematics Unit
4G/5G, V2X, fleet management. Primary remote entry point
🔵
Infotainment & BT
Bluetooth, Wi-Fi, USB, smartphone integration
🔑
Access Control
Keyless entry, immobiliser, digital key. Physical security
🔄
OTA Gateway
Software update orchestration. Integrity critical
🏭
Diagnostic Port
OBD-II. Physical access, dongle vulnerabilities
🌐
Backend APIs
Cloud services, manufacturer APIs, third-party apps
Each communication interface represents a potential attack vector. UN-R155 Annex 5 lists 69 threats across 7 categories

⊘ CRITICAL: THE LATERAL MOVEMENT RISK

The most severe attack scenarios documented by Upstream Security and ENISA involve lateral movement: an attacker gains initial access through a low-security ECU (infotainment, OBD dongle) and pivots through the internal vehicle network (CAN bus, Ethernet) to reach safety-critical systems (braking, steering). UN-R155 explicitly requires OEMs to demonstrate network segmentation controls preventing this pivot.

3. TARA Methodology: Threat Analysis and Risk Assessment

The Threat Analysis and Risk Assessment (TARA) is the analytical engine of ISO/SAE 21434. It is not optional: UN-R155 Annex 5 explicitly requires documented evidence of threat identification and risk treatment decisions for each vehicle type. A TARA that cannot be produced on demand during a technical service audit is a certification blocker.

FIGURE 05 · TARA PROCESS · ISO/SAE 21434 CLAUSE 15ISO 21434
01
Asset Identification
Identify cybersecurity-relevant assets (ECUs, interfaces, data) and their damage scenarios
02
Threat Scenario Analysis
Map threats to each asset using STRIDE or EVITA model. Reference UN-R155 Annex 5 threat list (69 threats)
03
Impact Rating
Rate impact across 4 dimensions: Safety · Financial · Operational · Privacy (S-F-O-P)
04
Attack Path Analysis
Identify feasible attack paths for each threat scenario. Attack Feasibility Rating (AFR)
05
Risk Determination
Combine impact and feasibility to determine CAL (Cybersecurity Assurance Level) 1–4
06
Risk Treatment Decision
Avoid · Reduce · Share · Accept. Documented, justified and linked to cybersecurity goals
Source: ISO/SAE 21434:2021, Clause 15 · Threat analysis and risk assessment

4. OTA Security and V2X: The New Frontiers

Over-the-Air (OTA) software updates have become the primary vehicle lifecycle management mechanism for every major OEM. They also represent one of the highest-risk attack surfaces: a compromised OTA channel provides an attacker with authenticated, manufacturer-signed access to every ECU in a vehicle fleet simultaneously.

⚠ ATTACK VECTOR
Malicious OTA Package Injection
Attacker intercepts or replaces a legitimate update package. Without cryptographic signature verification at ECU level, arbitrary code executes with full system privileges.
✓ UN-R156 CONTROL
End-to-End Cryptographic Integrity
UN-R156 requires: authenticated update servers, signed packages (HSM-verified), rollback protection, update campaign logging and post-update integrity verification.
⚠ ATTACK VECTOR
V2X Message Spoofing
Attacker broadcasts falsified V2X messages (fake obstacles, emergency braking triggers). ADAS systems relying on V2X inputs react to non-existent threats at highway speed.
✓ ETSI ITS CONTROL
PKI-Based V2X Authentication
ETSI TS 103 097 mandates pseudonymous certificates for V2X messages. Certificate revocation infrastructure (CPOC) must be operational before V2X deployment.

5. Concrete Cases by OEM Profile

🏭 CASE 1. Volume OEM: The Supplier Cascade Challenge

A volume manufacturer producing 1.5 million vehicles per year works with 400+ Tier-1 suppliers. UN-R155 requires demonstrating cybersecurity controls across the entire supply chain. Without a structured Cybersecurity Interface Agreement (CIA) framework imposed contractually on all suppliers, the OEM’s CSMS audit will fail on supply chain governance. Regardless of the quality of internal controls.

⚡ CASE 2. EV Startup: OTA as a Business Model Risk

A direct-to-consumer EV manufacturer relies entirely on OTA updates to deliver new features and fix defects. Its backend infrastructure processes 50,000 update campaigns per month. A single vulnerability in the update orchestration layer, absent UN-R156 SUMS controls, creates a single point of compromise for the entire fleet. The business model and the attack surface are inseparable.

✓ CASE 3. Tier-1 Supplier: ISO 21434 as a Commercial Differentiator

A Tier-1 ECU supplier achieves ISO/SAE 21434 certification for its gateway product line before OEM customers make it a mandatory procurement requirement. It becomes the preferred supplier for three new vehicle platforms, capturing an estimated 15% price premium on certified components versus non-certified equivalents from competitors.

III. The Certification Roadmap: 5 Steps to UN-R155 Compliance

FIGURE 06 · OVERVIEW · 5-STEP UN-R155 CERTIFICATION ROADMAPPROCESS
1
CSMS Governance
Policy · RACI · Scope · Budget
2
TARA
Assets · Threats · CAL · Treatment
3
Controls
Security by design · Penetration tests · HSM
4
OTA & Supply Chain
SUMS · CIA · Supplier audit
5
Audit & Approval
Technical service · Monitoring · KPI
Each step produces auditable deliverables required by the technical service during CSMS certification assessment

Step 1. Establish CSMS Governance

1
STEP

Build the Cyber Security Management System (CSMS) governance framework

Define organizational structure, policies, responsibilities and resources dedicated to vehicle cybersecurity across the full lifecycle.

UN-R155 Clause 7.2 requires manufacturers to demonstrate that cybersecurity is managed as an organizational discipline with defined ownership, documented processes and verifiable evidence. Not as a project-by-project activity. The CSMS must cover the full vehicle lifecycle: concept, development, production, post-production and decommissioning.

  • Executive sponsor: CISO or VP Engineering. Cybersecurity must have P&L visibility
  • Cybersecurity Manager: dedicated role per ISO/SAE 21434 Clause 5.4, not combined with functional safety
  • Cross-functional team: Engineering, Procurement, Legal, After-Sales, IT/OT Security
  • Supplier interface: dedicated team for Cybersecurity Interface Agreement (CIA) management
  • Budget line: cybersecurity investment must be documented as a standalone budget item

The CSMS must be certified by an accredited technical service (TÜV, DEKRA, Bureau Veritas, SGS) before any vehicle type using it can receive type approval. The certification assessment examines documented evidence of all processes. Not just their existence on paper.

Step 2. Conduct the TARA

2
STEP

Execute the Threat Analysis and Risk Assessment for each vehicle type

Apply ISO/SAE 21434 Clause 15 methodology to systematically identify, rate and treat cybersecurity risks across the complete vehicle architecture.

The TARA is vehicle-type specific. A TARA conducted for one platform cannot be reused for another without demonstrating architectural equivalence. The 69 threat categories listed in UN-R155 Annex 5 provide the mandatory starting taxonomy, which must be extended with vehicle-specific threats identified during asset analysis.

  1. Scope the analysis: define vehicle boundaries, external interfaces and operational scenarios (driving, parking, charging, servicing)
  2. Identify cybersecurity assets: ECUs, communication buses (CAN, Ethernet, LIN), external interfaces, stored data, software components
  3. Develop damage scenarios: what happens if this asset is compromised? Map to S-F-O-P impact dimensions
  4. Enumerate threat scenarios: for each asset and damage scenario, identify plausible threat actors and attack methods
  5. Rate Attack Feasibility (AFR): elapsed time, specialist expertise, knowledge of the item, window of opportunity, equipment required
  6. Determine Cybersecurity Assurance Level (CAL 1–4): combine impact severity with attack feasibility
  7. Select and document risk treatment: avoid, reduce (cybersecurity goals → requirements), share, accept with justification

Step 3. Implement Cybersecurity Controls

3
STEP

Design and validate security controls derived from TARA cybersecurity goals

Translate risk treatment decisions into verifiable technical and organizational controls, validated through penetration testing and security testing.

Controls must be traceable from TARA risk treatment decisions through cybersecurity goals, cybersecurity requirements, design specifications and verification results. This traceability chain is what technical services examine during CSMS assessment.

  • Hardware Security Modules (HSM): mandatory for cryptographic key management in safety-critical ECUs
  • Secure Boot: cryptographic verification of software integrity at each boot stage
  • Network segmentation: gateway firewalling between infotainment and powertrain/chassis domains
  • Intrusion Detection Systems (IDPS): in-vehicle and backend anomaly detection with defined response playbooks
  • Penetration testing: independent red team assessment of completed vehicle architecture before type approval submission
  • Vulnerability disclosure program: coordinated disclosure process per ISO/IEC 30111 and ISO/IEC 29147

Step 4. Secure OTA and Supply Chain

4
STEP

Implement UN-R156 SUMS controls and enforce Cybersecurity Interface Agreements across the supplier base

OTA and supply chain are the two most frequently cited deficiencies in CSMS assessments.

UN-R156 (Software Update Management System, SUMS) is the companion regulation to UN-R155. It requires manufacturers to demonstrate that software updates can be delivered securely, that update history is logged, and that update failures trigger defined rollback procedures. SUMS certification is a separate audit from CSMS certification but both are required for type approval.

For supply chain governance, every Tier-1 supplier providing a cybersecurity-relevant component must sign a Cybersecurity Interface Agreement (CIA) defining:

  • Allocation of cybersecurity responsibilities between OEM and supplier
  • Supplier’s TARA obligations for its component scope
  • Vulnerability notification obligations (timeline: typically 72h for critical, 30 days for high)
  • Evidence requirements for supplier’s own cybersecurity processes (ISO/SAE 21434 or equivalent)
  • Right-to-audit clause for OEM or delegated technical service

Step 5. Audit, Type Approval and Continuous Monitoring

5
STEP

Prepare for technical service assessment, obtain CSMS certificate, and sustain compliance through post-production monitoring

Certification is not the end state. It is the beginning of continuous cybersecurity operations.

The CSMS certificate is valid for three years and subject to surveillance audits. Post-production obligations under UN-R155 require manufacturers to monitor cybersecurity threats and vulnerabilities for vehicles in operation, assess new threats against existing vehicle types, and implement remediation when risk thresholds are exceeded.

  • Pre-audit evidence package: CSMS documentation, TARA evidence, control verification reports, penetration test results, supplier CIA register
  • Technical service selection: accredited body in the type-approval country (EU: designated national authorities)
  • Cyber Threat Intelligence (CTI): subscription to automotive-specific threat feeds (AutoISAC, ENISA)
  • Incident response playbook: defined escalation paths for in-production vulnerabilities including recall decision criteria
  • KPI dashboard: mean time to detect (MTTD), mean time to respond (MTTR), open vulnerability backlog by severity
FIGURE 07 · POST-PRODUCTION MONITORING OBLIGATIONS · UN-R155 CLAUSE 7.3.6CONTINUOUS
THREAT MONITORING
Ongoing
For all vehicles in operation
New vulnerabilities assessed against in-production vehicle architectures. Not just future models
CSMS SURVEILLANCE
3 years
Certificate validity cycle
Surveillance audits by technical service during validity period. Evidence of continued CSMS operation required
INCIDENT REPORTING
72h
Critical incident notification
Notification to type-approval authority for incidents meeting defined severity thresholds. Similar to NIS2 obligations
Source: UN-R155 Clauses 7.3.6 and 7.3.7 · post-production cybersecurity management obligations

UN-R155 Compliance Checklist

☑ CSMS GOVERNANCE

  • Cybersecurity policy documented and approved at executive level
  • Cybersecurity Manager role formally appointed (ISO 21434 Cl. 5.4)
  • CSMS scope defined covering full vehicle lifecycle
  • Cybersecurity budget documented as standalone line item
  • Cybersecurity training program operational for all relevant staff

☑ TARA AND RISK MANAGEMENT

  • Asset identification completed for each vehicle type in scope
  • Damage scenarios mapped to S-F-O-P impact dimensions
  • All 69 UN-R155 Annex 5 threat categories reviewed and addressed
  • Attack Feasibility Rating (AFR) documented for each threat scenario
  • CAL 1–4 determined and risk treatment decisions documented with justification
  • Cybersecurity goals derived from risk treatment decisions

☑ TECHNICAL CONTROLS AND VALIDATION

  • HSM implemented in all safety-critical and security-critical ECUs
  • Secure boot chain validated across powertrain and chassis ECUs
  • Network segmentation between infotainment and safety domains verified
  • In-vehicle IDPS deployed with backend monitoring connectivity
  • Independent penetration test conducted on final vehicle architecture
  • Vulnerability disclosure program operational (ISO/IEC 29147 compliant)

☑ OTA, SUPPLY CHAIN AND POST-PRODUCTION

  • UN-R156 SUMS documentation prepared for separate certification
  • OTA package signing and verification chain implemented end-to-end
  • Cybersecurity Interface Agreements signed with all Tier-1 suppliers
  • Supplier cybersecurity evidence collected and archived
  • Cyber Threat Intelligence subscription active (AutoISAC or equivalent)
  • Incident response playbook documented including recall decision criteria

Is your vehicle architecture UN-R155 ready?

Our automotive cybersecurity team conducts gap assessments against UN-R155 and ISO/SAE 21434 requirements, from TARA methodology review to CSMS pre-audit preparation.

Identify your certification gaps before your technical service does.

→ Request an ISO 21434 Audit

IV. Conclusion

A modern vehicle is 100 ECUs, hundreds of millions of lines of code, and dozens of permanently active external interfaces. UN-R155 is no longer a future compliance requirement. It is the present legal condition for market access across 54 countries, and its enforcement is intensifying in 2026.

The manufacturers and suppliers who treat UN-R155 certification as a documentation exercise will find themselves repeatedly failing technical service assessments. Those who treat it as an organizational transformation, building genuine CSMS governance, conducting rigorous TARA, implementing verifiable controls and sustaining post-production monitoring, will reach certification faster, at lower cost, and with a competitive advantage in an industry where cybersecurity is rapidly becoming a purchase criterion.

The five-step roadmap presented in this article is not a theoretical framework. It is the operational sequence that emerges from the structure of UN-R155 itself: governance before analysis, analysis before controls, controls before audit, audit before operations. Each step produces auditable deliverables. Each deliverable reduces certification risk.

The question is no longer whether to invest in automotive cybersecurity. The question is how much a failed type approval, a fleet recall, or a ransomware incident affecting your connected vehicle backend will cost compared to building the CSMS correctly from the start.

V. Bibliographic References

[1] UNECE WP.29. UN Regulation No. 155 · Uniform provisions concerning the approval of vehicles with regards to cyber security and cyber security management system. ECE/TRANS/WP.29/2020/79, adopted March 2021.

[2] UNECE WP.29. UN Regulation No. 156 · Uniform provisions concerning the approval of vehicles with regards to software update and software updates management system. Adopted March 2021.

[3] ISO/SAE International. ISO/SAE 21434:2021, Road vehicles, Cybersecurity engineering. Geneva: ISO, August 2021.

[4] Upstream Security. Global Automotive Cybersecurity Report 2024. Tel Aviv: Upstream Security Ltd., 2024.

[5] ENISA. Good Practices for Security of Smart Cars. European Union Agency for Cybersecurity, 2021.

[6] McKinsey & Company. The future of mobility: Connected and autonomous vehicles 2035. McKinsey Center for Future Mobility, 2024.

[7] Gartner, Inc. Automotive AI Systems Survey 2025. Gartner Research, 2025.

[8] ETSI. TS 103 097 · Intelligent Transport Systems (ITS); Security; Security header and certificate formats. European Telecommunications Standards Institute, 2023.

[9] AutoISAC. Automotive Cybersecurity Best Practices · Executive Summary. Automotive Information Sharing and Analysis Center, 2023.

[10] NHTSA. Cybersecurity Best Practices for the Safety of Modern Vehicles. National Highway Traffic Safety Administration, 2022.

Leave a comment