{"id":26724,"date":"2026-07-12T11:10:32","date_gmt":"2026-07-12T10:10:32","guid":{"rendered":"https:\/\/neocoeurintelligence.com\/?p=26724"},"modified":"2026-07-13T14:26:28","modified_gmt":"2026-07-13T13:26:28","slug":"automotive-cybersecurity-un-r155-iso-sae-21434-the-2026-guide-for-manufacturers","status":"publish","type":"post","link":"https:\/\/neocoeurintelligence.com\/fr\/automotive-cybersecurity-un-r155-iso-sae-21434-the-2026-guide-for-manufacturers\/","title":{"rendered":"Cybers\u00e9curit\u00e9 automobile : UN-R155 \u2013 ISO\/SAE 21434 \u2013 Le guide 2026 pour les fabricants"},"content":{"rendered":"\t\t<div data-elementor-type=\"wp-post\" data-elementor-id=\"26724\" class=\"elementor elementor-26724\">\n\t\t\t\t<div class=\"elementor-element elementor-element-b1258d0 e-flex e-con-boxed sc_layouts_column_icons_position_left e-con e-parent\" data-id=\"b1258d0\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-5f1f5ac sc_fly_static elementor-widget elementor-widget-text-editor\" data-id=\"5f1f5ac\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<style>\n.aiact-art{color:#1A1A1A;font-family:'Tinos','Liberation Serif',Georgia,serif;line-height:1.7}\n.aiact-art *{box-sizing:border-box}\n.aiact-wrap{max-width:760px;margin:0 auto;padding:0 24px}\n.aiact-toc{background:#0F2540;color:#E8EEF3;border:1px solid #1F4863;border-radius:14px;padding:32px 36px;margin:24px auto 48px;max-width:720px;position:relative;overflow:hidden;font-family:'Source Sans Pro',Arial,sans-serif}\n.aiact-toc:after{content:\"\";position:absolute;top:-30px;right:-30px;width:120px;height:120px;background:radial-gradient(circle,#22D3EE 0%,#1F7A8C 60%,transparent 80%);opacity:.6;border-radius:50%}\n.aiact-toc h3{color:#22D3EE;font-size:13px;letter-spacing:2px;margin:0 0 24px;font-weight:700;position:relative}\n.aiact-toc-item{display:flex;align-items:center;border-bottom:1px solid #1F4863;padding:10px 0;font-size:14px;color:#D5E1EC}\n.aiact-toc-item.indent{padding-left:42px;font-size:13px;color:#A8BCCD}\n.aiact-toc-num{font-family:'Courier New',monospace;font-size:11px;color:#22D3EE;width:36px;flex-shrink:0;letter-spacing:1px}\n.aiact-meta{font-family:'Source Sans Pro',Arial,sans-serif;font-size:11px;color:#7B98B0;letter-spacing:.5px;text-align:center;margin:24px 0;padding:12px 0;border-top:1px solid #DDE5EB;border-bottom:1px solid #DDE5EB}\n.aiact-meta strong{color:#1F7A8C;font-weight:700}\n.aiact-section{padding:32px 0 64px;font-family:'Tinos',Georgia,serif}\n.aiact-section .aiact-wrap{font-size:16px;line-height:1.8;text-align:justify}\n.aiact-section h1{font-family:'Source Sans Pro',Arial,sans-serif;font-size:30px;color:#0A1A2F;margin:48px 0 16px;font-weight:700;letter-spacing:-.5px}\n.aiact-section h2{font-family:'Source Sans Pro',Arial,sans-serif;font-size:22px;color:#1F7A8C;margin:40px 0 16px;font-weight:700}\n.aiact-section h3{font-family:'Source Sans Pro',Arial,sans-serif;font-size:16px;color:#1F7A8C;margin:28px 0 12px;font-weight:700;letter-spacing:.3px}\n.aiact-section p{margin:0 0 16px}\n.aiact-divider{height:2px;background:#22D3EE;width:120px;margin:0 0 32px}\n.aiact-update{background:#0F2540;color:#E8EEF3;border-left:4px solid #22D3EE;padding:24px 28px;margin:32px 0;border-radius:0 8px 8px 0;font-family:'Source Sans Pro',Arial,sans-serif}\n.aiact-update h4{margin:0 0 10px;font-size:12px;letter-spacing:2px;color:#22D3EE;font-weight:700}\n.aiact-update p{font-size:14px;line-height:1.7;margin:0;color:#D5E1EC}\n.fig{background:#0F2540;color:#E8EEF3;border-radius:14px;margin:40px 0;padding:24px;font-family:'Source Sans Pro',Arial,sans-serif;overflow:hidden}\n.fig-head{display:flex;justify-content:space-between;align-items:center;font-family:'Courier New',monospace;font-size:10px;color:#7B98B0;letter-spacing:1.5px;margin-bottom:24px;padding-bottom:16px;border-bottom:1px solid #1F4863}\n.fig-head .dots{display:inline-block;margin-right:10px;color:#FF6B6B}\n.fig-head .dots span:nth-child(2){color:#FFD93D}\n.fig-head .dots span:nth-child(3){color:#6BCB77}\n.fig-tag{background:#1F4863;padding:4px 10px;border-radius:4px;color:#22D3EE;font-size:9px}\n.fig-foot{font-family:'Courier New',monospace;font-size:9px;color:#5A7188;letter-spacing:1px;text-align:center;margin-top:20px;padding-top:16px;border-top:1px solid #1F4863;text-transform:uppercase}\n.stat-grid{display:grid;grid-template-columns:repeat(4,1fr);gap:16px;margin:8px 0}\n.stat-card{background:rgba(34,211,238,.07);border:1px solid rgba(34,211,238,.2);border-radius:10px;padding:20px 14px;text-align:center}\n.stat-val{font-size:32px;font-weight:700;color:#22D3EE;line-height:1;margin-bottom:6px}\n.stat-lbl{font-size:10px;color:#A8BCCD;letter-spacing:1px;line-height:1.4}\n.pyramid{display:flex;flex-direction:column;align-items:center;gap:8px;padding:16px 0}\n.pyr-tier{padding:14px 24px;border-radius:8px;color:#fff;text-align:center;display:flex;align-items:center;justify-content:space-between;gap:24px;min-height:60px;position:relative}\n.pyr-tier .label{font-weight:700;font-size:15px}\n.pyr-tier .article{font-size:11px;opacity:.85;display:block;margin-top:2px}\n.pyr-tier .ex{font-size:11px;color:rgba(255,255,255,.9);font-style:italic}\n.pyr-tier.t1{background:#E74C3C;width:280px}\n.pyr-tier.t2{background:#E67E22;width:400px}\n.pyr-tier.t3{background:#3498DB;width:520px}\n.pyr-tier.t4{background:#0EA5E9;width:640px}\n.timeline{position:relative;padding-left:80px}\n.timeline:before{content:\"\";position:absolute;left:35px;top:8px;bottom:8px;width:2px;background:#1F4863}\n.tl-item{position:relative;margin-bottom:24px;padding-bottom:16px}\n.tl-dot{position:absolute;left:-58px;top:2px;width:24px;height:24px;border-radius:50%;border:3px solid #22D3EE;background:#0F2540}\n.tl-dot.urgent{border-color:#FF6B6B}\n.tl-dot.done{border-color:#27AE60}\n.tl-date{position:absolute;left:-180px;top:4px;font-family:'Courier New',monospace;font-size:10px;color:#7B98B0;letter-spacing:1px;width:110px;text-align:right}\n.tl-title{font-size:14px;font-weight:700;color:#E8EEF3;margin-bottom:4px}\n.tl-pill{display:inline-block;font-size:9px;background:#1F4863;color:#22D3EE;padding:2px 8px;border-radius:4px;font-family:'Courier New',monospace;letter-spacing:1px;margin-left:8px}\n.tl-pill.urgent{background:rgba(255,107,107,.2);color:#FF6B6B}\n.tl-pill.done{background:rgba(39,174,96,.2);color:#6BCB77}\n.tl-desc{font-size:12px;color:#A8BCCD;line-height:1.6}\n.tara-grid{display:grid;grid-template-columns:repeat(3,1fr);gap:14px;margin:8px 0}\n.tara-card{background:#0A1A2F;border:1px solid #1F4863;border-radius:10px;padding:18px;text-align:center}\n.tara-num{font-family:'Courier New',monospace;font-size:20px;color:#22D3EE;font-weight:700;margin-bottom:6px}\n.tara-title{font-size:13px;font-weight:700;color:#E8EEF3;margin-bottom:4px}\n.tara-desc{font-size:11px;color:#A8BCCD;line-height:1.4}\n.sanctions{display:grid;grid-template-columns:1fr 1fr 1fr;gap:16px}\n.sanc{background:linear-gradient(180deg,rgba(255,107,107,.15),rgba(255,107,107,.05));border:1px solid rgba(255,107,107,.3);border-radius:10px;padding:24px 18px;text-align:center}\n.sanc.s2{background:linear-gradient(180deg,rgba(230,126,34,.15),rgba(230,126,34,.05));border-color:rgba(230,126,34,.3)}\n.sanc.s3{background:linear-gradient(180deg,rgba(14,165,233,.15),rgba(14,165,233,.05));border-color:rgba(14,165,233,.3)}\n.sanc-lbl{font-family:'Courier New',monospace;font-size:9px;letter-spacing:1.5px;color:#7B98B0;margin-bottom:12px}\n.sanc-val{font-size:36px;font-weight:700;color:#FF6B6B;line-height:1}\n.sanc.s2 .sanc-val{color:#FFA94D}\n.sanc.s3 .sanc-val{color:#22D3EE}\n.sanc-pct{font-size:12px;color:#A8BCCD;margin:6px 0 14px}\n.sanc-desc{font-size:11px;color:#D5E1EC;line-height:1.5}\n.process5{display:grid;grid-template-columns:repeat(5,1fr);gap:8px;align-items:start;margin:8px 0}\n.step-circle{width:54px;height:54px;border-radius:50%;color:#fff;display:flex;align-items:center;justify-content:center;font-size:24px;font-weight:700;margin:0 auto 10px}\n.proc-step{text-align:center}\n.proc-step .name{font-size:12px;font-weight:700;color:#E8EEF3;margin-bottom:4px}\n.proc-step .desc{font-size:10px;color:#A8BCCD;line-height:1.4}\n.proc-arrow{align-self:center;color:#7B98B0;font-size:20px;text-align:center}\n.s1c{background:#E74C3C}.s2c{background:#E67E22}.s3c{background:#3498DB}.s4c{background:#5B6EE1}.s5c{background:#27AE60}\n.step-card{display:flex;align-items:stretch;background:#fff;border:1px solid #DDE5EB;border-radius:10px;overflow:hidden;margin:24px 0 20px}\n.step-card .step-num-box{width:84px;display:flex;flex-direction:column;align-items:center;justify-content:center;color:#fff;font-family:'Source Sans Pro',Arial,sans-serif;flex-shrink:0}\n.step-card .step-num-box .n{font-size:38px;font-weight:700;line-height:1}\n.step-card .step-num-box .l{font-size:9px;letter-spacing:2px;margin-top:4px}\n.step-card.sc1 .step-num-box{background:#E74C3C}\n.step-card.sc2 .step-num-box{background:#E67E22}\n.step-card.sc3 .step-num-box{background:#3498DB}\n.step-card.sc4 .step-num-box{background:#5B6EE1}\n.step-card.sc5 .step-num-box{background:#27AE60}\n.step-card .step-body{padding:18px 22px;font-family:'Source Sans Pro',Arial,sans-serif}\n.step-card .step-body h4{margin:0 0 8px;font-size:15px;color:#0A1A2F;font-weight:700}\n.step-card .step-body p{margin:0;font-size:13px;color:#4A5965;line-height:1.6}\nol.aiact-ol,ul.aiact-ul{margin:0 0 20px 0;padding-left:24px;font-family:'Source Sans Pro',Arial,sans-serif;font-size:14px;line-height:1.8}\nol.aiact-ol li,ul.aiact-ul li{margin-bottom:8px}\nul.aiact-ul.arrow{list-style:none;padding-left:0}\nul.aiact-ul.arrow li{padding-left:20px;position:relative}\nul.aiact-ul.arrow li:before{content:\"\\25B8\";position:absolute;left:0;color:#1F7A8C}\n.warning-box{background:rgba(231,76,60,.08);border-left:4px solid #E74C3C;padding:20px 24px;border-radius:0 6px 6px 0;margin:32px 0;font-family:'Source Sans Pro',Arial,sans-serif}\n.warning-box h4{margin:0 0 10px;color:#C0392B;font-size:13px;letter-spacing:1px;font-weight:700}\n.warning-box p{margin:0;font-size:14px;color:#5A2D26;line-height:1.7}\n.case{padding:20px 24px;border-radius:8px;margin:20px 0;font-family:'Source Sans Pro',Arial,sans-serif;border-left:4px solid}\n.case h4{margin:0 0 10px;font-size:13px;letter-spacing:.5px;font-weight:700}\n.case p{margin:0;font-size:13.5px;line-height:1.7}\n.case.c1{background:#FFF4E6;border-left-color:#E67E22}\n.case.c1 h4{color:#9C5520}\n.case.c1 p{color:#5A3315}\n.case.c2{background:#FFFBE6;border-left-color:#F1C40F}\n.case.c2 h4{color:#8A6D08}\n.case.c2 p{color:#4A3D08}\n.case.c3{background:#E8F8EF;border-left-color:#27AE60}\n.case.c3 h4{color:#1A6B3D}\n.case.c3 p{color:#1A3D26}\n.checklist-box{background:#FAF8F4;border:1px solid #DDE5EB;border-radius:10px;padding:24px;font-family:'Source Sans Pro',Arial,sans-serif;margin:24px 0}\n.checklist-box h3{font-size:14px;color:#1F7A8C;margin:0 0 12px;letter-spacing:.5px}\n.checklist-box ul{list-style:none;padding-left:0;margin:0}\n.checklist-box li{padding:6px 0 6px 28px;position:relative;font-size:13.5px;color:#1A1A1A}\n.checklist-box li:before{content:\"\\2610\";position:absolute;left:0;color:#1F7A8C;font-weight:700;font-size:16px}\n.cta-box{background:linear-gradient(135deg,#0A1A2F,#0F2540);color:#fff;padding:40px;border-radius:14px;text-align:center;margin:40px 0;font-family:'Source Sans Pro',Arial,sans-serif}\n.cta-box h3{margin:0 0 12px;color:#22D3EE;font-size:22px}\n.cta-box p{margin:8px 0;color:#D5E1EC;font-size:14px}\n.cta-btn{display:inline-block;background:#22D3EE;color:#0A1A2F!important;padding:14px 30px;border-radius:8px;font-weight:700;text-decoration:none;margin-top:16px;font-size:14px;letter-spacing:.5px}\n.refs{font-family:'Source Sans Pro',Arial,sans-serif;font-size:12.5px;line-height:1.7;color:#3D4D5C}\n.refs p{margin:0 0 12px}\n.refs a{color:#1F7A8C}\n.ecu-grid{display:grid;grid-template-columns:repeat(4,1fr);gap:12px;margin:8px 0}\n.ecu-card{background:#0A1A2F;border:1px solid #1F4863;border-radius:8px;padding:16px 12px;text-align:center}\n.ecu-icon{font-size:22px;margin-bottom:8px}\n.ecu-title{font-size:12px;font-weight:700;color:#E8EEF3;margin-bottom:4px}\n.ecu-desc{font-size:10px;color:#7B98B0;line-height:1.4}\n.attack-row{display:grid;grid-template-columns:1fr 1fr;gap:14px;margin:8px 0}\n.atk{background:#0A1A2F;border-left:4px solid #FF6B6B;border-radius:0 8px 8px 0;padding:16px 18px}\n.atk.green{border-left-color:#22D3EE}\n.atk-label{font-family:'Courier New',monospace;font-size:9px;color:#FF6B6B;letter-spacing:1.5px;margin-bottom:6px}\n.atk.green .atk-label{color:#22D3EE}\n.atk-title{font-size:13px;font-weight:700;color:#E8EEF3;margin-bottom:4px}\n.atk-desc{font-size:11px;color:#A8BCCD;line-height:1.5}\n@media(max-width:720px){\n.stat-grid{grid-template-columns:1fr 1fr}\n.tara-grid{grid-template-columns:1fr}\n.sanctions{grid-template-columns:1fr}\n.process5{grid-template-columns:1fr}\n.proc-arrow{display:none}\n.ecu-grid{grid-template-columns:1fr 1fr}\n.attack-row{grid-template-columns:1fr}\n.timeline{padding-left:40px}\n.tl-date{position:static;display:block;margin-bottom:6px;text-align:left;width:auto}\n.pyr-tier{width:90%!important}\n}\n<\/style>\n\n<div class=\"aiact-art\">\n\n<div class=\"aiact-wrap\">\n<div class=\"aiact-meta\"><strong>ART-AUTO<\/strong> \u00b7 Neo Coeur Intelligence \u00b7 Published: July 2026 \u00b7 Standards: UN-R155 (2021) \u00b7 ISO\/SAE 21434 (2021)<\/div>\n<\/div>\n\n<div class=\"aiact-toc\">\n<h3>\ud83d\udccb TABLE OF CONTENTS<\/h3>\n<div class=\"aiact-toc-item\"><span class=\"aiact-toc-num\">00.<\/span>Introduction<\/div>\n<div class=\"aiact-toc-item\"><span class=\"aiact-toc-num\">I.<\/span>General Overview: The Automotive Cybersecurity Landscape<\/div>\n<div class=\"aiact-toc-item indent\"><span class=\"aiact-toc-num\">1.1<\/span>Regulatory foundations: UN-R155 and ISO\/SAE 21434<\/div>\n<div class=\"aiact-toc-item indent\"><span class=\"aiact-toc-num\">1.2<\/span>Stakes and market figures<\/div>\n<div class=\"aiact-toc-item\"><span class=\"aiact-toc-num\">II.<\/span>Detailed Analysis: Obligations, Attack Surface and TARA<\/div>\n<div class=\"aiact-toc-item indent\"><span class=\"aiact-toc-num\">2.1<\/span>Regulatory calendar and enforcement timeline<\/div>\n<div class=\"aiact-toc-item indent\"><span class=\"aiact-toc-num\">2.2<\/span>The modern vehicle attack surface<\/div>\n<div class=\"aiact-toc-item indent\"><span class=\"aiact-toc-num\">2.3<\/span>TARA methodology: Threat Analysis and Risk Assessment<\/div>\n<div class=\"aiact-toc-item indent\"><span class=\"aiact-toc-num\">2.4<\/span>OTA security and V2X: the new frontiers<\/div>\n<div class=\"aiact-toc-item indent\"><span class=\"aiact-toc-num\">2.5<\/span>Concrete cases by OEM profile<\/div>\n<div class=\"aiact-toc-item\"><span class=\"aiact-toc-num\">III.<\/span>The Certification Roadmap: 5 Steps to UN-R155 Compliance<\/div>\n<div class=\"aiact-toc-item indent\"><span class=\"aiact-toc-num\">3.1<\/span>Step 1. Establish CSMS governance<\/div>\n<div class=\"aiact-toc-item indent\"><span class=\"aiact-toc-num\">3.2<\/span>Step 2. Conduct the TARA<\/div>\n<div class=\"aiact-toc-item indent\"><span class=\"aiact-toc-num\">3.3<\/span>Step 3. Implement cybersecurity controls<\/div>\n<div class=\"aiact-toc-item indent\"><span class=\"aiact-toc-num\">3.4<\/span>Step 4. Secure OTA and supply chain<\/div>\n<div class=\"aiact-toc-item indent\"><span class=\"aiact-toc-num\">3.5<\/span>Step 5. Audit, type approval and continuous monitoring<\/div>\n<div class=\"aiact-toc-item indent\"><span class=\"aiact-toc-num\">3.6<\/span>UN-R155 compliance checklist<\/div>\n<div class=\"aiact-toc-item\"><span class=\"aiact-toc-num\">IV.<\/span>Conclusion<\/div>\n<div class=\"aiact-toc-item\"><span class=\"aiact-toc-num\">V.<\/span>Bibliographic References<\/div>\n<\/div>\n\n<div class=\"aiact-section\">\n<div class=\"aiact-wrap\">\n\n<h1>Introduction<\/h1>\n<div class=\"aiact-divider\"><\/div>\n\n<p>A modern vehicle contains more than 100 Electronic Control Units (ECUs), hundreds of millions of lines of code, and is permanently connected to the outside world through V2X communication, OTA update channels, mobile applications and third-party APIs. This technological reality transforms every new vehicle into a potential cyber target. And every OEM into a de facto cybersecurity operator.<\/p>\n\n<p>Between 2018 and 2023, automotive cyberattacks multiplied by a factor of six. The financial consequences are no longer theoretical: a single software-related recall can cost up to 1.5 billion dollars. Yet the vast majority of manufacturers still approach cybersecurity as a post-development layer, not as a design-time discipline.<\/p>\n\n<p>UN Regulation No. 155 (UN-R155), adopted by the UNECE WP.29 working party, changes this equation permanently. It imposes a Cyber Security Management System (CSMS) certified by a technical service on every new vehicle type approved in the 54 signatory countries. ISO\/SAE 21434 provides the engineering framework to operationalize this obligation at the system and component level.<\/p>\n\n<p>This article provides the complete 2026 roadmap for OEMs, Tier-1 suppliers and cybersecurity teams: regulatory obligations, TARA methodology, OTA security requirements, audit preparation and continuous monitoring governance.<\/p>\n\n<div class=\"aiact-update\">\n<h4>\u26a1 REGULATORY UPDATE, 2026<\/h4>\n<p>As of July 2024, UN-R155 applies to <strong>all new vehicles<\/strong> in type-approval countries, including all existing model variants. The grace period for vehicles already in production has expired. Any new type approval issued after this date without a valid CSMS certificate from an accredited technical service is legally invalid in the 54 signatory countries, covering the EU, Japan, South Korea and the UK.<\/p>\n<\/div>\n\n<h1 style=\"margin-top:64px\">I. General Overview: The Automotive Cybersecurity Landscape<\/h1>\n<div class=\"aiact-divider\"><\/div>\n\n<h2>1. Regulatory Foundations: UN-R155 and ISO\/SAE 21434<\/h2>\n\n<p>UN-R155 is a UNECE type-approval regulation adopted in March 2021 and applicable in all 54 WP.29 member countries. It operates at the vehicle type-approval level: no CSMS certificate, no market access. It does not prescribe technical solutions. It mandates outcomes and processes.<\/p>\n\n<p>ISO\/SAE 21434, published in August 2021, is the engineering standard that operationalizes UN-R155 requirements at the component and system level. It defines the complete lifecycle of cybersecurity engineering: concept, development, production, operations, maintenance and decommissioning. Compliance with ISO\/SAE 21434 does not automatically imply UN-R155 certification, but it is the de facto recognised path to demonstrate conformity.<\/p>\n\n<div class=\"fig\">\n<div class=\"fig-head\"><span><span class=\"dots\"><span>\u25cf<\/span><span>\u25cf<\/span><span>\u25cf<\/span><\/span>FIGURE 01 \u00b7 REGULATORY ARCHITECTURE \u00b7 UN-R155 &#038; ISO\/SAE 21434<\/span><span class=\"fig-tag\">WP.29 \u00b7 UNECE<\/span><\/div>\n<div class=\"pyramid\">\n<div class=\"pyr-tier t1\" style=\"background:#1F4863;width:260px\"><div><div class=\"label\">UN-R155<\/div><div class=\"article\">UNECE WP.29 \u00b7 Type Approval<\/div><\/div><div class=\"ex\">Market access obligation<\/div><\/div>\n<div class=\"pyr-tier t2\" style=\"background:#1F7A8C;width:400px\"><div><div class=\"label\">ISO\/SAE 21434<\/div><div class=\"article\">Engineering Standard<\/div><\/div><div class=\"ex\">Cybersecurity lifecycle \u00b7 TARA \u00b7 controls<\/div><\/div>\n<div class=\"pyr-tier t3\" style=\"background:#22D3EE;width:520px;color:#0A1A2F\"><div><div class=\"label\">UN-R156<\/div><div class=\"article\">Software Update Management System<\/div><\/div><div class=\"ex\">OTA update security \u00b7 SUMS certification<\/div><\/div>\n<div class=\"pyr-tier t4\" style=\"width:640px\"><div><div class=\"label\">CSMS + SUMS<\/div><div class=\"article\">Certified by Accredited Technical Service<\/div><\/div><div class=\"ex\">T\u00dcV \u00b7 DEKRA \u00b7 Bureau Veritas \u00b7 SGS<\/div><\/div>\n<\/div>\n<div class=\"fig-foot\">Source: UNECE WP.29 \u00b7 UN Regulation No. 155 (2021) and UN Regulation No. 156 (2021)<\/div>\n<\/div>\n\n<h2>2. Stakes and Market Figures<\/h2>\n\n<p>The strategic and financial stakes of automotive cybersecurity have reached a scale that removes any ambiguity about the priority it deserves in OEM and supplier investment plans.<\/p>\n\n<div class=\"fig\">\n<div class=\"fig-head\"><span><span class=\"dots\"><span>\u25cf<\/span><span>\u25cf<\/span><span>\u25cf<\/span><\/span>FIGURE 02 \u00b7 KEY FIGURES \u00b7 AUTOMOTIVE CYBERSECURITY 2026<\/span><span class=\"fig-tag\">MARKET DATA<\/span><\/div>\n<div class=\"stat-grid\">\n<div class=\"stat-card\"><div class=\"stat-val\">\u00d76<\/div><div class=\"stat-lbl\">Automotive cyberattacks in 5 years (2018\u20132023)<\/div><\/div>\n<div class=\"stat-card\"><div class=\"stat-val\">$800B<\/div><div class=\"stat-lbl\">Connected vehicle market size by 2035<\/div><\/div>\n<div class=\"stat-card\"><div class=\"stat-val\">85%<\/div><div class=\"stat-lbl\">Of new vehicles will embed AI systems by 2030<\/div><\/div>\n<div class=\"stat-card\"><div class=\"stat-val\">$1.5B<\/div><div class=\"stat-lbl\">Average cost of a software-related recall campaign<\/div><\/div>\n<\/div>\n<div class=\"fig-foot\">Sources: Upstream Security Global Automotive Cybersecurity Report 2024 \u00b7 McKinsey Mobility 2035 \u00b7 Gartner Automotive AI Survey 2025<\/div>\n<\/div>\n\n<p>Beyond market figures, the liability dimension is critical. Under EU product liability reform and the NIS2 Directive, OEMs operating connected vehicle fleets are now classified as operators of essential services in the transport sector. A cyber incident resulting in injury or infrastructure disruption triggers both regulatory and civil liability exposure that no CSMS certificate alone can fully shield. But its absence makes the situation catastrophically worse.<\/p>\n\n<h1 style=\"margin-top:64px\">II. Detailed Analysis: Obligations, Attack Surface and TARA<\/h1>\n<div class=\"aiact-divider\"><\/div>\n\n<h2>1. Regulatory Calendar and Enforcement Timeline<\/h2>\n\n<div class=\"fig\">\n<div class=\"fig-head\"><span><span class=\"dots\"><span>\u25cf<\/span><span>\u25cf<\/span><span>\u25cf<\/span><\/span>FIGURE 03 \u00b7 UN-R155 ENFORCEMENT TIMELINE<\/span><span class=\"fig-tag\">TIMELINE<\/span><\/div>\n<div class=\"timeline\">\n<div class=\"tl-item\"><div class=\"tl-dot done\"><\/div><div class=\"tl-date\">MAR 2021<\/div><div class=\"tl-title\">UN-R155 adopted by WP.29 <span class=\"tl-pill done\">DONE<\/span><\/div><div class=\"tl-desc\">Publication of the regulation. 54 signatory countries. Start of the transition period for manufacturers.<\/div><\/div>\n<div class=\"tl-item\"><div class=\"tl-dot done\"><\/div><div class=\"tl-date\">JUL 2022<\/div><div class=\"tl-title\">New type approvals, mandatory CSMS <span class=\"tl-pill done\">DONE<\/span><\/div><div class=\"tl-desc\">Any new vehicle type submitted for approval after this date requires a valid CSMS certificate from an accredited technical service.<\/div><\/div>\n<div class=\"tl-item\"><div class=\"tl-dot done\"><\/div><div class=\"tl-date\">JUL 2024<\/div><div class=\"tl-title\">All new vehicles, full scope <span class=\"tl-pill done\">ENFORCED<\/span><\/div><div class=\"tl-desc\">Extension to all new vehicles including existing model variants. No grandfather clause. Production without CSMS = illegal type approval.<\/div><\/div>\n<div class=\"tl-item\"><div class=\"tl-dot urgent\"><\/div><div class=\"tl-date\">2026\u20132027<\/div><div class=\"tl-title\">\u26a1 Enforcement intensification <span class=\"tl-pill urgent\">NOW<\/span><\/div><div class=\"tl-desc\">National type-approval authorities increasing audit frequency. Technical services conducting deeper CSMS evidence reviews. Tier-1 contractual cascade accelerating.<\/div><\/div>\n<div class=\"tl-item\"><div class=\"tl-dot\"><\/div><div class=\"tl-date\">2030+<\/div><div class=\"tl-title\">CSMS revision cycle expected <span class=\"tl-pill\">HORIZON<\/span><\/div><div class=\"tl-desc\">WP.29 working groups already examining AI-specific cybersecurity requirements for autonomous driving systems (L3+).<\/div><\/div>\n<\/div>\n<div class=\"fig-foot\">Source: UNECE WP.29. UN-R155 application schedule and national implementation status<\/div>\n<\/div>\n\n<h2>2. The Modern Vehicle Attack Surface<\/h2>\n\n<p>A vehicle produced in 2026 is not a mechanical system with embedded electronics. It is a distributed computing platform on wheels, permanently connected, continuously updated, and interfacing with an ecosystem of cloud services, mobile applications, roadside infrastructure and third-party APIs. Understanding the attack surface is the mandatory prerequisite to any meaningful TARA.<\/p>\n\n<div class=\"fig\">\n<div class=\"fig-head\"><span><span class=\"dots\"><span>\u25cf<\/span><span>\u25cf<\/span><span>\u25cf<\/span><\/span>FIGURE 04 \u00b7 VEHICLE ATTACK SURFACE \u00b7 100+ ECU ARCHITECTURE<\/span><span class=\"fig-tag\">ECU \u00b7 V2X \u00b7 OTA<\/span><\/div>\n<div class=\"ecu-grid\">\n<div class=\"ecu-card\"><div class=\"ecu-icon\">\ud83d\ude97<\/div><div class=\"ecu-title\">Powertrain ECU<\/div><div class=\"ecu-desc\">Engine, transmission, battery management. Safety-critical<\/div><\/div>\n<div class=\"ecu-card\"><div class=\"ecu-icon\">\ud83d\udede<\/div><div class=\"ecu-title\">Chassis &#038; ADAS<\/div><div class=\"ecu-desc\">ABS, ESP, autonomous driving. Physical harm potential<\/div><\/div>\n<div class=\"ecu-card\"><div class=\"ecu-icon\">\ud83d\udce1<\/div><div class=\"ecu-title\">Telematics Unit<\/div><div class=\"ecu-desc\">4G\/5G, V2X, fleet management. Primary remote entry point<\/div><\/div>\n<div class=\"ecu-card\"><div class=\"ecu-icon\">\ud83d\udd35<\/div><div class=\"ecu-title\">Infotainment &#038; BT<\/div><div class=\"ecu-desc\">Bluetooth, Wi-Fi, USB, smartphone integration<\/div><\/div>\n<div class=\"ecu-card\"><div class=\"ecu-icon\">\ud83d\udd11<\/div><div class=\"ecu-title\">Access Control<\/div><div class=\"ecu-desc\">Keyless entry, immobiliser, digital key. Physical security<\/div><\/div>\n<div class=\"ecu-card\"><div class=\"ecu-icon\">\ud83d\udd04<\/div><div class=\"ecu-title\">OTA Gateway<\/div><div class=\"ecu-desc\">Software update orchestration. Integrity critical<\/div><\/div>\n<div class=\"ecu-card\"><div class=\"ecu-icon\">\ud83c\udfed<\/div><div class=\"ecu-title\">Diagnostic Port<\/div><div class=\"ecu-desc\">OBD-II. Physical access, dongle vulnerabilities<\/div><\/div>\n<div class=\"ecu-card\"><div class=\"ecu-icon\">\ud83c\udf10<\/div><div class=\"ecu-title\">Backend APIs<\/div><div class=\"ecu-desc\">Cloud services, manufacturer APIs, third-party apps<\/div><\/div>\n<\/div>\n<div class=\"fig-foot\">Each communication interface represents a potential attack vector. UN-R155 Annex 5 lists 69 threats across 7 categories<\/div>\n<\/div>\n\n<div class=\"warning-box\">\n<h4>\u2298 CRITICAL: THE LATERAL MOVEMENT RISK<\/h4>\n<p>The most severe attack scenarios documented by Upstream Security and ENISA involve <strong>lateral movement<\/strong>: an attacker gains initial access through a low-security ECU (infotainment, OBD dongle) and pivots through the internal vehicle network (CAN bus, Ethernet) to reach safety-critical systems (braking, steering). UN-R155 explicitly requires OEMs to demonstrate network segmentation controls preventing this pivot.<\/p>\n<\/div>\n\n<h2>3. TARA Methodology: Threat Analysis and Risk Assessment<\/h2>\n\n<p>The Threat Analysis and Risk Assessment (TARA) is the analytical engine of ISO\/SAE 21434. It is not optional: UN-R155 Annex 5 explicitly requires documented evidence of threat identification and risk treatment decisions for each vehicle type. A TARA that cannot be produced on demand during a technical service audit is a certification blocker.<\/p>\n\n<div class=\"fig\">\n<div class=\"fig-head\"><span><span class=\"dots\"><span>\u25cf<\/span><span>\u25cf<\/span><span>\u25cf<\/span><\/span>FIGURE 05 \u00b7 TARA PROCESS \u00b7 ISO\/SAE 21434 CLAUSE 15<\/span><span class=\"fig-tag\">ISO 21434<\/span><\/div>\n<div class=\"tara-grid\">\n<div class=\"tara-card\"><div class=\"tara-num\">01<\/div><div class=\"tara-title\">Asset Identification<\/div><div class=\"tara-desc\">Identify cybersecurity-relevant assets (ECUs, interfaces, data) and their damage scenarios<\/div><\/div>\n<div class=\"tara-card\"><div class=\"tara-num\">02<\/div><div class=\"tara-title\">Threat Scenario Analysis<\/div><div class=\"tara-desc\">Map threats to each asset using STRIDE or EVITA model. Reference UN-R155 Annex 5 threat list (69 threats)<\/div><\/div>\n<div class=\"tara-card\"><div class=\"tara-num\">03<\/div><div class=\"tara-title\">Impact Rating<\/div><div class=\"tara-desc\">Rate impact across 4 dimensions: Safety \u00b7 Financial \u00b7 Operational \u00b7 Privacy (S-F-O-P)<\/div><\/div>\n<div class=\"tara-card\"><div class=\"tara-num\">04<\/div><div class=\"tara-title\">Attack Path Analysis<\/div><div class=\"tara-desc\">Identify feasible attack paths for each threat scenario. Attack Feasibility Rating (AFR)<\/div><\/div>\n<div class=\"tara-card\"><div class=\"tara-num\">05<\/div><div class=\"tara-title\">Risk Determination<\/div><div class=\"tara-desc\">Combine impact and feasibility to determine CAL (Cybersecurity Assurance Level) 1\u20134<\/div><\/div>\n<div class=\"tara-card\"><div class=\"tara-num\">06<\/div><div class=\"tara-title\">Risk Treatment Decision<\/div><div class=\"tara-desc\">Avoid \u00b7 Reduce \u00b7 Share \u00b7 Accept. Documented, justified and linked to cybersecurity goals<\/div><\/div>\n<\/div>\n<div class=\"fig-foot\">Source: ISO\/SAE 21434:2021, Clause 15 \u00b7 Threat analysis and risk assessment<\/div>\n<\/div>\n\n<h2>4. OTA Security and V2X: The New Frontiers<\/h2>\n\n<p>Over-the-Air (OTA) software updates have become the primary vehicle lifecycle management mechanism for every major OEM. They also represent one of the highest-risk attack surfaces: a compromised OTA channel provides an attacker with authenticated, manufacturer-signed access to every ECU in a vehicle fleet simultaneously.<\/p>\n\n<div class=\"attack-row\">\n<div class=\"atk\"><div class=\"atk-label\">\u26a0 ATTACK VECTOR<\/div><div class=\"atk-title\">Malicious OTA Package Injection<\/div><div class=\"atk-desc\">Attacker intercepts or replaces a legitimate update package. Without cryptographic signature verification at ECU level, arbitrary code executes with full system privileges.<\/div><\/div>\n<div class=\"atk green\"><div class=\"atk-label\">\u2713 UN-R156 CONTROL<\/div><div class=\"atk-title\">End-to-End Cryptographic Integrity<\/div><div class=\"atk-desc\">UN-R156 requires: authenticated update servers, signed packages (HSM-verified), rollback protection, update campaign logging and post-update integrity verification.<\/div><\/div>\n<div class=\"atk\"><div class=\"atk-label\">\u26a0 ATTACK VECTOR<\/div><div class=\"atk-title\">V2X Message Spoofing<\/div><div class=\"atk-desc\">Attacker broadcasts falsified V2X messages (fake obstacles, emergency braking triggers). ADAS systems relying on V2X inputs react to non-existent threats at highway speed.<\/div><\/div>\n<div class=\"atk green\"><div class=\"atk-label\">\u2713 ETSI ITS CONTROL<\/div><div class=\"atk-title\">PKI-Based V2X Authentication<\/div><div class=\"atk-desc\">ETSI TS 103 097 mandates pseudonymous certificates for V2X messages. Certificate revocation infrastructure (CPOC) must be operational before V2X deployment.<\/div><\/div>\n<\/div>\n\n<h2>5. Concrete Cases by OEM Profile<\/h2>\n\n<div class=\"case c1\">\n<h4>\ud83c\udfed CASE 1. Volume OEM: The Supplier Cascade Challenge<\/h4>\n<p>A volume manufacturer producing 1.5 million vehicles per year works with 400+ Tier-1 suppliers. UN-R155 requires demonstrating cybersecurity controls across the entire supply chain. Without a structured Cybersecurity Interface Agreement (CIA) framework imposed contractually on all suppliers, the OEM&#8217;s CSMS audit will fail on supply chain governance. Regardless of the quality of internal controls.<\/p>\n<\/div>\n\n<div class=\"case c2\">\n<h4>\u26a1 CASE 2. EV Startup: OTA as a Business Model Risk<\/h4>\n<p>A direct-to-consumer EV manufacturer relies entirely on OTA updates to deliver new features and fix defects. Its backend infrastructure processes 50,000 update campaigns per month. A single vulnerability in the update orchestration layer, absent UN-R156 SUMS controls, creates a single point of compromise for the entire fleet. The business model and the attack surface are inseparable.<\/p>\n<\/div>\n\n<div class=\"case c3\">\n<h4>\u2713 CASE 3. Tier-1 Supplier: ISO 21434 as a Commercial Differentiator<\/h4>\n<p>A Tier-1 ECU supplier achieves ISO\/SAE 21434 certification for its gateway product line before OEM customers make it a mandatory procurement requirement. It becomes the preferred supplier for three new vehicle platforms, capturing an estimated 15% price premium on certified components versus non-certified equivalents from competitors.<\/p>\n<\/div>\n\n<h1 style=\"margin-top:64px\">III. The Certification Roadmap: 5 Steps to UN-R155 Compliance<\/h1>\n<div class=\"aiact-divider\"><\/div>\n\n<div class=\"fig\">\n<div class=\"fig-head\"><span><span class=\"dots\"><span>\u25cf<\/span><span>\u25cf<\/span><span>\u25cf<\/span><\/span>FIGURE 06 \u00b7 OVERVIEW \u00b7 5-STEP UN-R155 CERTIFICATION ROADMAP<\/span><span class=\"fig-tag\">PROCESS<\/span><\/div>\n<div class=\"process5\">\n<div class=\"proc-step\"><div class=\"step-circle s1c\">1<\/div><div class=\"name\">CSMS Governance<\/div><div class=\"desc\">Policy \u00b7 RACI \u00b7 Scope \u00b7 Budget<\/div><\/div>\n<div class=\"proc-arrow\">\u2192<\/div>\n<div class=\"proc-step\"><div class=\"step-circle s2c\">2<\/div><div class=\"name\">TARA<\/div><div class=\"desc\">Assets \u00b7 Threats \u00b7 CAL \u00b7 Treatment<\/div><\/div>\n<div class=\"proc-arrow\">\u2192<\/div>\n<div class=\"proc-step\"><div class=\"step-circle s3c\">3<\/div><div class=\"name\">Controls<\/div><div class=\"desc\">Security by design \u00b7 Penetration tests \u00b7 HSM<\/div><\/div>\n<div class=\"proc-arrow\">\u2192<\/div>\n<div class=\"proc-step\"><div class=\"step-circle s4c\">4<\/div><div class=\"name\">OTA &#038; Supply Chain<\/div><div class=\"desc\">SUMS \u00b7 CIA \u00b7 Supplier audit<\/div><\/div>\n<div class=\"proc-arrow\">\u2192<\/div>\n<div class=\"proc-step\"><div class=\"step-circle s5c\">5<\/div><div class=\"name\">Audit &#038; Approval<\/div><div class=\"desc\">Technical service \u00b7 Monitoring \u00b7 KPI<\/div><\/div>\n<\/div>\n<div class=\"fig-foot\">Each step produces auditable deliverables required by the technical service during CSMS certification assessment<\/div>\n<\/div>\n\n<h2>Step 1. Establish CSMS Governance<\/h2>\n<div class=\"step-card sc1\"><div class=\"step-num-box\"><div class=\"n\">1<\/div><div class=\"l\">STEP<\/div><\/div><div class=\"step-body\"><h4>Build the Cyber Security Management System (CSMS) governance framework<\/h4><p>Define organizational structure, policies, responsibilities and resources dedicated to vehicle cybersecurity across the full lifecycle.<\/p><\/div><\/div>\n\n<p>UN-R155 Clause 7.2 requires manufacturers to demonstrate that cybersecurity is managed as an organizational discipline with defined ownership, documented processes and verifiable evidence. Not as a project-by-project activity. The CSMS must cover the full vehicle lifecycle: concept, development, production, post-production and decommissioning.<\/p>\n\n<ul class=\"aiact-ul arrow\">\n<li><strong>Executive sponsor:<\/strong> CISO or VP Engineering. Cybersecurity must have P&#038;L visibility<\/li>\n<li><strong>Cybersecurity Manager:<\/strong> dedicated role per ISO\/SAE 21434 Clause 5.4, not combined with functional safety<\/li>\n<li><strong>Cross-functional team:<\/strong> Engineering, Procurement, Legal, After-Sales, IT\/OT Security<\/li>\n<li><strong>Supplier interface:<\/strong> dedicated team for Cybersecurity Interface Agreement (CIA) management<\/li>\n<li><strong>Budget line:<\/strong> cybersecurity investment must be documented as a standalone budget item<\/li>\n<\/ul>\n\n<p>The CSMS must be certified by an accredited technical service (T\u00dcV, DEKRA, Bureau Veritas, SGS) before any vehicle type using it can receive type approval. The certification assessment examines documented evidence of all processes. Not just their existence on paper.<\/p>\n\n<h2>Step 2. Conduct the TARA<\/h2>\n<div class=\"step-card sc2\"><div class=\"step-num-box\"><div class=\"n\">2<\/div><div class=\"l\">STEP<\/div><\/div><div class=\"step-body\"><h4>Execute the Threat Analysis and Risk Assessment for each vehicle type<\/h4><p>Apply ISO\/SAE 21434 Clause 15 methodology to systematically identify, rate and treat cybersecurity risks across the complete vehicle architecture.<\/p><\/div><\/div>\n\n<p>The TARA is vehicle-type specific. A TARA conducted for one platform cannot be reused for another without demonstrating architectural equivalence. The 69 threat categories listed in UN-R155 Annex 5 provide the mandatory starting taxonomy, which must be extended with vehicle-specific threats identified during asset analysis.<\/p>\n\n<ol class=\"aiact-ol\">\n<li><strong>Scope the analysis:<\/strong> define vehicle boundaries, external interfaces and operational scenarios (driving, parking, charging, servicing)<\/li>\n<li><strong>Identify cybersecurity assets:<\/strong> ECUs, communication buses (CAN, Ethernet, LIN), external interfaces, stored data, software components<\/li>\n<li><strong>Develop damage scenarios:<\/strong> what happens if this asset is compromised? Map to S-F-O-P impact dimensions<\/li>\n<li><strong>Enumerate threat scenarios:<\/strong> for each asset and damage scenario, identify plausible threat actors and attack methods<\/li>\n<li><strong>Rate Attack Feasibility (AFR):<\/strong> elapsed time, specialist expertise, knowledge of the item, window of opportunity, equipment required<\/li>\n<li><strong>Determine Cybersecurity Assurance Level (CAL 1\u20134):<\/strong> combine impact severity with attack feasibility<\/li>\n<li><strong>Select and document risk treatment:<\/strong> avoid, reduce (cybersecurity goals \u2192 requirements), share, accept with justification<\/li>\n<\/ol>\n\n<h2>Step 3. Implement Cybersecurity Controls<\/h2>\n<div class=\"step-card sc3\"><div class=\"step-num-box\"><div class=\"n\">3<\/div><div class=\"l\">STEP<\/div><\/div><div class=\"step-body\"><h4>Design and validate security controls derived from TARA cybersecurity goals<\/h4><p>Translate risk treatment decisions into verifiable technical and organizational controls, validated through penetration testing and security testing.<\/p><\/div><\/div>\n\n<p>Controls must be traceable from TARA risk treatment decisions through cybersecurity goals, cybersecurity requirements, design specifications and verification results. This traceability chain is what technical services examine during CSMS assessment.<\/p>\n\n<ul class=\"aiact-ul arrow\">\n<li><strong>Hardware Security Modules (HSM):<\/strong> mandatory for cryptographic key management in safety-critical ECUs<\/li>\n<li><strong>Secure Boot:<\/strong> cryptographic verification of software integrity at each boot stage<\/li>\n<li><strong>Network segmentation:<\/strong> gateway firewalling between infotainment and powertrain\/chassis domains<\/li>\n<li><strong>Intrusion Detection Systems (IDPS):<\/strong> in-vehicle and backend anomaly detection with defined response playbooks<\/li>\n<li><strong>Penetration testing:<\/strong> independent red team assessment of completed vehicle architecture before type approval submission<\/li>\n<li><strong>Vulnerability disclosure program:<\/strong> coordinated disclosure process per ISO\/IEC 30111 and ISO\/IEC 29147<\/li>\n<\/ul>\n\n<h2>Step 4. Secure OTA and Supply Chain<\/h2>\n<div class=\"step-card sc4\"><div class=\"step-num-box\"><div class=\"n\">4<\/div><div class=\"l\">STEP<\/div><\/div><div class=\"step-body\"><h4>Implement UN-R156 SUMS controls and enforce Cybersecurity Interface Agreements across the supplier base<\/h4><p>OTA and supply chain are the two most frequently cited deficiencies in CSMS assessments.<\/p><\/div><\/div>\n\n<p>UN-R156 (Software Update Management System, SUMS) is the companion regulation to UN-R155. It requires manufacturers to demonstrate that software updates can be delivered securely, that update history is logged, and that update failures trigger defined rollback procedures. SUMS certification is a separate audit from CSMS certification but both are required for type approval.<\/p>\n\n<p>For supply chain governance, every Tier-1 supplier providing a cybersecurity-relevant component must sign a Cybersecurity Interface Agreement (CIA) defining:<\/p>\n\n<ul class=\"aiact-ul arrow\">\n<li>Allocation of cybersecurity responsibilities between OEM and supplier<\/li>\n<li>Supplier&#8217;s TARA obligations for its component scope<\/li>\n<li>Vulnerability notification obligations (timeline: typically 72h for critical, 30 days for high)<\/li>\n<li>Evidence requirements for supplier&#8217;s own cybersecurity processes (ISO\/SAE 21434 or equivalent)<\/li>\n<li>Right-to-audit clause for OEM or delegated technical service<\/li>\n<\/ul>\n\n<h2>Step 5. Audit, Type Approval and Continuous Monitoring<\/h2>\n<div class=\"step-card sc5\"><div class=\"step-num-box\"><div class=\"n\">5<\/div><div class=\"l\">STEP<\/div><\/div><div class=\"step-body\"><h4>Prepare for technical service assessment, obtain CSMS certificate, and sustain compliance through post-production monitoring<\/h4><p>Certification is not the end state. It is the beginning of continuous cybersecurity operations.<\/p><\/div><\/div>\n\n<p>The CSMS certificate is valid for three years and subject to surveillance audits. Post-production obligations under UN-R155 require manufacturers to monitor cybersecurity threats and vulnerabilities for vehicles in operation, assess new threats against existing vehicle types, and implement remediation when risk thresholds are exceeded.<\/p>\n\n<ul class=\"aiact-ul arrow\">\n<li><strong>Pre-audit evidence package:<\/strong> CSMS documentation, TARA evidence, control verification reports, penetration test results, supplier CIA register<\/li>\n<li><strong>Technical service selection:<\/strong> accredited body in the type-approval country (EU: designated national authorities)<\/li>\n<li><strong>Cyber Threat Intelligence (CTI):<\/strong> subscription to automotive-specific threat feeds (AutoISAC, ENISA)<\/li>\n<li><strong>Incident response playbook:<\/strong> defined escalation paths for in-production vulnerabilities including recall decision criteria<\/li>\n<li><strong>KPI dashboard:<\/strong> mean time to detect (MTTD), mean time to respond (MTTR), open vulnerability backlog by severity<\/li>\n<\/ul>\n\n<div class=\"fig\">\n<div class=\"fig-head\"><span><span class=\"dots\"><span>\u25cf<\/span><span>\u25cf<\/span><span>\u25cf<\/span><\/span>FIGURE 07 \u00b7 POST-PRODUCTION MONITORING OBLIGATIONS \u00b7 UN-R155 CLAUSE 7.3.6<\/span><span class=\"fig-tag\">CONTINUOUS<\/span><\/div>\n<div class=\"sanctions\">\n<div class=\"sanc s3\"><div class=\"sanc-lbl\">THREAT MONITORING<\/div><div class=\"sanc-val\" style=\"font-size:24px;color:#22D3EE\">Ongoing<\/div><div class=\"sanc-pct\">For all vehicles in operation<\/div><div class=\"sanc-desc\">New vulnerabilities assessed against in-production vehicle architectures. Not just future models<\/div><\/div>\n<div class=\"sanc s2\"><div class=\"sanc-lbl\">CSMS SURVEILLANCE<\/div><div class=\"sanc-val\" style=\"font-size:24px;color:#FFA94D\">3 years<\/div><div class=\"sanc-pct\">Certificate validity cycle<\/div><div class=\"sanc-desc\">Surveillance audits by technical service during validity period. Evidence of continued CSMS operation required<\/div><\/div>\n<div class=\"sanc\"><div class=\"sanc-lbl\">INCIDENT REPORTING<\/div><div class=\"sanc-val\" style=\"font-size:24px\">72h<\/div><div class=\"sanc-pct\">Critical incident notification<\/div><div class=\"sanc-desc\">Notification to type-approval authority for incidents meeting defined severity thresholds. Similar to NIS2 obligations<\/div><\/div>\n<\/div>\n<div class=\"fig-foot\">Source: UN-R155 Clauses 7.3.6 and 7.3.7 \u00b7 post-production cybersecurity management obligations<\/div>\n<\/div>\n\n<h2>UN-R155 Compliance Checklist<\/h2>\n\n<div class=\"checklist-box\">\n<h3>\u2611 CSMS GOVERNANCE<\/h3>\n<ul>\n<li>Cybersecurity policy documented and approved at executive level<\/li>\n<li>Cybersecurity Manager role formally appointed (ISO 21434 Cl. 5.4)<\/li>\n<li>CSMS scope defined covering full vehicle lifecycle<\/li>\n<li>Cybersecurity budget documented as standalone line item<\/li>\n<li>Cybersecurity training program operational for all relevant staff<\/li>\n<\/ul>\n<\/div>\n\n<div class=\"checklist-box\">\n<h3>\u2611 TARA AND RISK MANAGEMENT<\/h3>\n<ul>\n<li>Asset identification completed for each vehicle type in scope<\/li>\n<li>Damage scenarios mapped to S-F-O-P impact dimensions<\/li>\n<li>All 69 UN-R155 Annex 5 threat categories reviewed and addressed<\/li>\n<li>Attack Feasibility Rating (AFR) documented for each threat scenario<\/li>\n<li>CAL 1\u20134 determined and risk treatment decisions documented with justification<\/li>\n<li>Cybersecurity goals derived from risk treatment decisions<\/li>\n<\/ul>\n<\/div>\n\n<div class=\"checklist-box\">\n<h3>\u2611 TECHNICAL CONTROLS AND VALIDATION<\/h3>\n<ul>\n<li>HSM implemented in all safety-critical and security-critical ECUs<\/li>\n<li>Secure boot chain validated across powertrain and chassis ECUs<\/li>\n<li>Network segmentation between infotainment and safety domains verified<\/li>\n<li>In-vehicle IDPS deployed with backend monitoring connectivity<\/li>\n<li>Independent penetration test conducted on final vehicle architecture<\/li>\n<li>Vulnerability disclosure program operational (ISO\/IEC 29147 compliant)<\/li>\n<\/ul>\n<\/div>\n\n<div class=\"checklist-box\">\n<h3>\u2611 OTA, SUPPLY CHAIN AND POST-PRODUCTION<\/h3>\n<ul>\n<li>UN-R156 SUMS documentation prepared for separate certification<\/li>\n<li>OTA package signing and verification chain implemented end-to-end<\/li>\n<li>Cybersecurity Interface Agreements signed with all Tier-1 suppliers<\/li>\n<li>Supplier cybersecurity evidence collected and archived<\/li>\n<li>Cyber Threat Intelligence subscription active (AutoISAC or equivalent)<\/li>\n<li>Incident response playbook documented including recall decision criteria<\/li>\n<\/ul>\n<\/div>\n\n<div class=\"cta-box\">\n<h3>Is your vehicle architecture UN-R155 ready?<\/h3>\n<p>Our automotive cybersecurity team conducts gap assessments against UN-R155 and ISO\/SAE 21434 requirements, from TARA methodology review to CSMS pre-audit preparation.<\/p>\n<p>Identify your certification gaps before your technical service does.<\/p>\n<a href=\"\/assess-my-ai-risk\/\" class=\"cta-btn\">\u2192 Request an ISO 21434 Audit<\/a>\n<\/div>\n\n<h1 style=\"margin-top:64px\">IV. Conclusion<\/h1>\n<div class=\"aiact-divider\"><\/div>\n\n<p>A modern vehicle is 100 ECUs, hundreds of millions of lines of code, and dozens of permanently active external interfaces. UN-R155 is no longer a future compliance requirement. It is the present legal condition for market access across 54 countries, and its enforcement is intensifying in 2026.<\/p>\n\n<p>The manufacturers and suppliers who treat UN-R155 certification as a documentation exercise will find themselves repeatedly failing technical service assessments. Those who treat it as an organizational transformation, building genuine CSMS governance, conducting rigorous TARA, implementing verifiable controls and sustaining post-production monitoring, will reach certification faster, at lower cost, and with a competitive advantage in an industry where cybersecurity is rapidly becoming a purchase criterion.<\/p>\n\n<p>The five-step roadmap presented in this article is not a theoretical framework. It is the operational sequence that emerges from the structure of UN-R155 itself: governance before analysis, analysis before controls, controls before audit, audit before operations. Each step produces auditable deliverables. Each deliverable reduces certification risk.<\/p>\n\n<p>The question is no longer whether to invest in automotive cybersecurity. The question is how much a failed type approval, a fleet recall, or a ransomware incident affecting your connected vehicle backend will cost compared to building the CSMS correctly from the start.<\/p>\n\n<h1 style=\"margin-top:64px\">V. Bibliographic References<\/h1>\n<div class=\"aiact-divider\"><\/div>\n\n<div class=\"refs\">\n<p><strong>[1]<\/strong> UNECE WP.29. <em>UN Regulation No. 155 \u00b7 Uniform provisions concerning the approval of vehicles with regards to cyber security and cyber security management system.<\/em> ECE\/TRANS\/WP.29\/2020\/79, adopted March 2021.<\/p>\n<p><strong>[2]<\/strong> UNECE WP.29. <em>UN Regulation No. 156 \u00b7 Uniform provisions concerning the approval of vehicles with regards to software update and software updates management system.<\/em> Adopted March 2021.<\/p>\n<p><strong>[3]<\/strong> ISO\/SAE International. <em>ISO\/SAE 21434:2021, Road vehicles, Cybersecurity engineering.<\/em> Geneva: ISO, August 2021.<\/p>\n<p><strong>[4]<\/strong> Upstream Security. <em>Global Automotive Cybersecurity Report 2024.<\/em> Tel Aviv: Upstream Security Ltd., 2024.<\/p>\n<p><strong>[5]<\/strong> ENISA. <em>Good Practices for Security of Smart Cars.<\/em> European Union Agency for Cybersecurity, 2021.<\/p>\n<p><strong>[6]<\/strong> McKinsey &#038; Company. <em>The future of mobility: Connected and autonomous vehicles 2035.<\/em> McKinsey Center for Future Mobility, 2024.<\/p>\n<p><strong>[7]<\/strong> Gartner, Inc. <em>Automotive AI Systems Survey 2025.<\/em> Gartner Research, 2025.<\/p>\n<p><strong>[8]<\/strong> ETSI. <em>TS 103 097 \u00b7 Intelligent Transport Systems (ITS); Security; Security header and certificate formats.<\/em> European Telecommunications Standards Institute, 2023.<\/p>\n<p><strong>[9]<\/strong> AutoISAC. <em>Automotive Cybersecurity Best Practices \u00b7 Executive Summary.<\/em> Automotive Information Sharing and Analysis Center, 2023.<\/p>\n<p><strong>[10]<\/strong> NHTSA. <em>Cybersecurity Best Practices for the Safety of Modern Vehicles.<\/em> National Highway Traffic Safety Administration, 2022.<\/p>\n<\/div>\n\n<\/div>\n<\/div>\n<\/div>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t","protected":false},"excerpt":{"rendered":"<p>ART-AUTO \u00b7 Neo Coeur Intelligence \u00b7 Published: July 2026 \u00b7 Standards: UN-R155 (2021) \u00b7 ISO\/SAE&hellip;<\/p>","protected":false},"author":4,"featured_media":26730,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[107],"tags":[],"class_list":["post-26724","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-ai-risk-management"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.8 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Automotive Cybersecurity: UN-R155 - ISO\/SAE 21434 \u2013 The 2026 Guide for Manufacturers - NEO COEUR INTELLIGENCE<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/neocoeurintelligence.com\/fr\/automotive-cybersecurity-un-r155-iso-sae-21434-the-2026-guide-for-manufacturers\/\" \/>\n<meta property=\"og:locale\" content=\"fr_FR\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:url\" content=\"https:\/\/neocoeurintelligence.com\/fr\/automotive-cybersecurity-un-r155-iso-sae-21434-the-2026-guide-for-manufacturers\/\" \/>\n<meta property=\"og:site_name\" content=\"NEO COEUR INTELLIGENCE\" \/>\n<meta property=\"article:published_time\" content=\"2026-07-12T10:10:32+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2026-07-13T13:26:28+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/neocoeurintelligence.com\/wp-content\/uploads\/2026\/06\/ChatGPT-Image-25-juin-2026-16_32_28-1-1024x562.png\" \/>\n\t<meta property=\"og:image:width\" content=\"1024\" \/>\n\t<meta property=\"og:image:height\" content=\"562\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Herman NOUBOUM NOUBI\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@https:\/\/x.com\/NeoCoeurAII\" \/>\n<meta name=\"twitter:label1\" content=\"\u00c9crit par\" \/>\n\t<meta name=\"twitter:data1\" content=\"Herman NOUBOUM NOUBI\" \/>\n\t<meta name=\"twitter:label2\" content=\"Dur\u00e9e de lecture estim\u00e9e\" \/>\n\t<meta name=\"twitter:data2\" content=\"17 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/neocoeurintelligence.com\\\/automotive-cybersecurity-un-r155-iso-sae-21434-the-2026-guide-for-manufacturers\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/neocoeurintelligence.com\\\/automotive-cybersecurity-un-r155-iso-sae-21434-the-2026-guide-for-manufacturers\\\/\"},\"author\":{\"name\":\"Herman NOUBOUM NOUBI\",\"@id\":\"https:\\\/\\\/neocoeurintelligence.com\\\/#\\\/schema\\\/person\\\/862d5ea0e68544036a095e14d8d6d43b\"},\"headline\":\"Automotive Cybersecurity: UN-R155 &#8211; ISO\\\/SAE 21434 \u2013 The 2026 Guide for Manufacturers\",\"datePublished\":\"2026-07-12T10:10:32+00:00\",\"dateModified\":\"2026-07-13T13:26:28+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/neocoeurintelligence.com\\\/automotive-cybersecurity-un-r155-iso-sae-21434-the-2026-guide-for-manufacturers\\\/\"},\"wordCount\":2976,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/neocoeurintelligence.com\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/neocoeurintelligence.com\\\/automotive-cybersecurity-un-r155-iso-sae-21434-the-2026-guide-for-manufacturers\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/neocoeurintelligence.com\\\/wp-content\\\/uploads\\\/2026\\\/06\\\/ChatGPT-Image-25-juin-2026-16_32_28-1.png\",\"articleSection\":[\"AI Risk Management\"],\"inLanguage\":\"fr-FR\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/neocoeurintelligence.com\\\/automotive-cybersecurity-un-r155-iso-sae-21434-the-2026-guide-for-manufacturers\\\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/neocoeurintelligence.com\\\/automotive-cybersecurity-un-r155-iso-sae-21434-the-2026-guide-for-manufacturers\\\/\",\"url\":\"https:\\\/\\\/neocoeurintelligence.com\\\/automotive-cybersecurity-un-r155-iso-sae-21434-the-2026-guide-for-manufacturers\\\/\",\"name\":\"Automotive Cybersecurity: UN-R155 - ISO\\\/SAE 21434 \u2013 The 2026 Guide for Manufacturers - NEO COEUR INTELLIGENCE\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/neocoeurintelligence.com\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/neocoeurintelligence.com\\\/automotive-cybersecurity-un-r155-iso-sae-21434-the-2026-guide-for-manufacturers\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/neocoeurintelligence.com\\\/automotive-cybersecurity-un-r155-iso-sae-21434-the-2026-guide-for-manufacturers\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/neocoeurintelligence.com\\\/wp-content\\\/uploads\\\/2026\\\/06\\\/ChatGPT-Image-25-juin-2026-16_32_28-1.png\",\"datePublished\":\"2026-07-12T10:10:32+00:00\",\"dateModified\":\"2026-07-13T13:26:28+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/neocoeurintelligence.com\\\/automotive-cybersecurity-un-r155-iso-sae-21434-the-2026-guide-for-manufacturers\\\/#breadcrumb\"},\"inLanguage\":\"fr-FR\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/neocoeurintelligence.com\\\/automotive-cybersecurity-un-r155-iso-sae-21434-the-2026-guide-for-manufacturers\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"fr-FR\",\"@id\":\"https:\\\/\\\/neocoeurintelligence.com\\\/automotive-cybersecurity-un-r155-iso-sae-21434-the-2026-guide-for-manufacturers\\\/#primaryimage\",\"url\":\"https:\\\/\\\/neocoeurintelligence.com\\\/wp-content\\\/uploads\\\/2026\\\/06\\\/ChatGPT-Image-25-juin-2026-16_32_28-1.png\",\"contentUrl\":\"https:\\\/\\\/neocoeurintelligence.com\\\/wp-content\\\/uploads\\\/2026\\\/06\\\/ChatGPT-Image-25-juin-2026-16_32_28-1.png\",\"width\":1693,\"height\":929},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/neocoeurintelligence.com\\\/automotive-cybersecurity-un-r155-iso-sae-21434-the-2026-guide-for-manufacturers\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Accueil\",\"item\":\"https:\\\/\\\/neocoeurintelligence.com\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Automotive Cybersecurity: UN-R155 &#8211; ISO\\\/SAE 21434 \u2013 The 2026 Guide for Manufacturers\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/neocoeurintelligence.com\\\/#website\",\"url\":\"https:\\\/\\\/neocoeurintelligence.com\\\/\",\"name\":\"NEO COEUR INTELLIGENCE\",\"description\":\"Artificial Neural Network\",\"publisher\":{\"@id\":\"https:\\\/\\\/neocoeurintelligence.com\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/neocoeurintelligence.com\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"fr-FR\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/neocoeurintelligence.com\\\/#organization\",\"name\":\"NEO COEUR INTELLIGENCE\",\"url\":\"https:\\\/\\\/neocoeurintelligence.com\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"fr-FR\",\"@id\":\"https:\\\/\\\/neocoeurintelligence.com\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/neocoeurintelligence.com\\\/wp-content\\\/uploads\\\/2026\\\/05\\\/cropped-logo-inline@0.5x.png\",\"contentUrl\":\"https:\\\/\\\/neocoeurintelligence.com\\\/wp-content\\\/uploads\\\/2026\\\/05\\\/cropped-logo-inline@0.5x.png\",\"width\":350,\"height\":124,\"caption\":\"NEO COEUR INTELLIGENCE\"},\"image\":{\"@id\":\"https:\\\/\\\/neocoeurintelligence.com\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/neocoeurintelligence.com\\\/#\\\/schema\\\/person\\\/862d5ea0e68544036a095e14d8d6d43b\",\"name\":\"Herman NOUBOUM NOUBI\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"fr-FR\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f2671da842f8d36ef2625566ace50ab9e8418575accb19c1c5eb18113bb95529?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f2671da842f8d36ef2625566ace50ab9e8418575accb19c1c5eb18113bb95529?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f2671da842f8d36ef2625566ace50ab9e8418575accb19c1c5eb18113bb95529?s=96&d=mm&r=g\",\"caption\":\"Herman NOUBOUM NOUBI\"},\"description\":\"Founder of Neo Coeur Intelligence, a Paris \\\/ London-based startup specializing in artificial intelligence applied to cybersecurity. Expert in AI-driven cybersecurity, regulatory compliance (EU AI Act, NIS2, DORA, UK GDPR, NIST AI RMF, SR 11-7), and secure systems architecture. Vision: Protect intelligence wherever it develops.\",\"sameAs\":[\"https:\\\/\\\/www.neocoeurintelligence.com\",\"https:\\\/\\\/www.linkedin.com\\\/company\\\/111622800\\\/admin\\\/dashboard\\\/\",\"https:\\\/\\\/x.com\\\/https:\\\/\\\/x.com\\\/NeoCoeurAII\"],\"url\":\"https:\\\/\\\/neocoeurintelligence.com\\\/fr\\\/author\\\/herman\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Cybers\u00e9curit\u00e9 automobile : UN-R155 - ISO\/SAE 21434 \u2013 Le Guide 2026 pour les Constructeurs - NEO COEUR INTELLIGENCE","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/neocoeurintelligence.com\/fr\/automotive-cybersecurity-un-r155-iso-sae-21434-the-2026-guide-for-manufacturers\/","og_locale":"fr_FR","og_type":"article","og_url":"https:\/\/neocoeurintelligence.com\/fr\/automotive-cybersecurity-un-r155-iso-sae-21434-the-2026-guide-for-manufacturers\/","og_site_name":"NEO COEUR INTELLIGENCE","article_published_time":"2026-07-12T10:10:32+00:00","article_modified_time":"2026-07-13T13:26:28+00:00","og_image":[{"width":1024,"height":562,"url":"https:\/\/neocoeurintelligence.com\/wp-content\/uploads\/2026\/06\/ChatGPT-Image-25-juin-2026-16_32_28-1-1024x562.png","type":"image\/png"}],"author":"Herman NOUBOUM NOUBI","twitter_card":"summary_large_image","twitter_creator":"@https:\/\/x.com\/NeoCoeurAII","twitter_misc":{"\u00c9crit par":"Herman NOUBOUM NOUBI","Dur\u00e9e de lecture estim\u00e9e":"17 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/neocoeurintelligence.com\/automotive-cybersecurity-un-r155-iso-sae-21434-the-2026-guide-for-manufacturers\/#article","isPartOf":{"@id":"https:\/\/neocoeurintelligence.com\/automotive-cybersecurity-un-r155-iso-sae-21434-the-2026-guide-for-manufacturers\/"},"author":{"name":"Herman NOUBOUM NOUBI","@id":"https:\/\/neocoeurintelligence.com\/#\/schema\/person\/862d5ea0e68544036a095e14d8d6d43b"},"headline":"Automotive Cybersecurity: UN-R155 &#8211; ISO\/SAE 21434 \u2013 The 2026 Guide for Manufacturers","datePublished":"2026-07-12T10:10:32+00:00","dateModified":"2026-07-13T13:26:28+00:00","mainEntityOfPage":{"@id":"https:\/\/neocoeurintelligence.com\/automotive-cybersecurity-un-r155-iso-sae-21434-the-2026-guide-for-manufacturers\/"},"wordCount":2976,"commentCount":0,"publisher":{"@id":"https:\/\/neocoeurintelligence.com\/#organization"},"image":{"@id":"https:\/\/neocoeurintelligence.com\/automotive-cybersecurity-un-r155-iso-sae-21434-the-2026-guide-for-manufacturers\/#primaryimage"},"thumbnailUrl":"https:\/\/neocoeurintelligence.com\/wp-content\/uploads\/2026\/06\/ChatGPT-Image-25-juin-2026-16_32_28-1.png","articleSection":["AI Risk Management"],"inLanguage":"fr-FR","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/neocoeurintelligence.com\/automotive-cybersecurity-un-r155-iso-sae-21434-the-2026-guide-for-manufacturers\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/neocoeurintelligence.com\/automotive-cybersecurity-un-r155-iso-sae-21434-the-2026-guide-for-manufacturers\/","url":"https:\/\/neocoeurintelligence.com\/automotive-cybersecurity-un-r155-iso-sae-21434-the-2026-guide-for-manufacturers\/","name":"Cybers\u00e9curit\u00e9 automobile : UN-R155 - ISO\/SAE 21434 \u2013 Le Guide 2026 pour les Constructeurs - NEO COEUR INTELLIGENCE","isPartOf":{"@id":"https:\/\/neocoeurintelligence.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/neocoeurintelligence.com\/automotive-cybersecurity-un-r155-iso-sae-21434-the-2026-guide-for-manufacturers\/#primaryimage"},"image":{"@id":"https:\/\/neocoeurintelligence.com\/automotive-cybersecurity-un-r155-iso-sae-21434-the-2026-guide-for-manufacturers\/#primaryimage"},"thumbnailUrl":"https:\/\/neocoeurintelligence.com\/wp-content\/uploads\/2026\/06\/ChatGPT-Image-25-juin-2026-16_32_28-1.png","datePublished":"2026-07-12T10:10:32+00:00","dateModified":"2026-07-13T13:26:28+00:00","breadcrumb":{"@id":"https:\/\/neocoeurintelligence.com\/automotive-cybersecurity-un-r155-iso-sae-21434-the-2026-guide-for-manufacturers\/#breadcrumb"},"inLanguage":"fr-FR","potentialAction":[{"@type":"ReadAction","target":["https:\/\/neocoeurintelligence.com\/automotive-cybersecurity-un-r155-iso-sae-21434-the-2026-guide-for-manufacturers\/"]}]},{"@type":"ImageObject","inLanguage":"fr-FR","@id":"https:\/\/neocoeurintelligence.com\/automotive-cybersecurity-un-r155-iso-sae-21434-the-2026-guide-for-manufacturers\/#primaryimage","url":"https:\/\/neocoeurintelligence.com\/wp-content\/uploads\/2026\/06\/ChatGPT-Image-25-juin-2026-16_32_28-1.png","contentUrl":"https:\/\/neocoeurintelligence.com\/wp-content\/uploads\/2026\/06\/ChatGPT-Image-25-juin-2026-16_32_28-1.png","width":1693,"height":929},{"@type":"BreadcrumbList","@id":"https:\/\/neocoeurintelligence.com\/automotive-cybersecurity-un-r155-iso-sae-21434-the-2026-guide-for-manufacturers\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Accueil","item":"https:\/\/neocoeurintelligence.com\/"},{"@type":"ListItem","position":2,"name":"Automotive Cybersecurity: UN-R155 &#8211; ISO\/SAE 21434 \u2013 The 2026 Guide for Manufacturers"}]},{"@type":"WebSite","@id":"https:\/\/neocoeurintelligence.com\/#website","url":"https:\/\/neocoeurintelligence.com\/","name":"NEO C\u0152UR INTELLIGENCE","description":"R\u00e9seau de neurones artificiels","publisher":{"@id":"https:\/\/neocoeurintelligence.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/neocoeurintelligence.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"fr-FR"},{"@type":"Organization","@id":"https:\/\/neocoeurintelligence.com\/#organization","name":"NEO C\u0152UR INTELLIGENCE","url":"https:\/\/neocoeurintelligence.com\/","logo":{"@type":"ImageObject","inLanguage":"fr-FR","@id":"https:\/\/neocoeurintelligence.com\/#\/schema\/logo\/image\/","url":"https:\/\/neocoeurintelligence.com\/wp-content\/uploads\/2026\/05\/cropped-logo-inline@0.5x.png","contentUrl":"https:\/\/neocoeurintelligence.com\/wp-content\/uploads\/2026\/05\/cropped-logo-inline@0.5x.png","width":350,"height":124,"caption":"NEO COEUR INTELLIGENCE"},"image":{"@id":"https:\/\/neocoeurintelligence.com\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/neocoeurintelligence.com\/#\/schema\/person\/862d5ea0e68544036a095e14d8d6d43b","name":"Herman NOUBOUM NOUBI","image":{"@type":"ImageObject","inLanguage":"fr-FR","@id":"https:\/\/secure.gravatar.com\/avatar\/f2671da842f8d36ef2625566ace50ab9e8418575accb19c1c5eb18113bb95529?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/f2671da842f8d36ef2625566ace50ab9e8418575accb19c1c5eb18113bb95529?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/f2671da842f8d36ef2625566ace50ab9e8418575accb19c1c5eb18113bb95529?s=96&d=mm&r=g","caption":"Herman NOUBOUM NOUBI"},"description":"Fondateur de Neo Coeur Intelligence, une startup bas\u00e9e \u00e0 Paris et Londres sp\u00e9cialis\u00e9e dans l'intelligence artificielle appliqu\u00e9e \u00e0 la cybers\u00e9curit\u00e9. Expert en cybers\u00e9curit\u00e9 pilot\u00e9e par l'IA, en conformit\u00e9 r\u00e9glementaire (RGAA UE, NIS2, DORA, RGPD Royaume-Uni, NIST AI RMF, SR 11-7) et en architecture de syst\u00e8mes s\u00e9curis\u00e9s. Vision : Prot\u00e9ger l'intelligence partout o\u00f9 elle se d\u00e9veloppe.","sameAs":["https:\/\/www.neocoeurintelligence.com","https:\/\/www.linkedin.com\/company\/111622800\/admin\/dashboard\/","https:\/\/x.com\/https:\/\/x.com\/NeoCoeurAII"],"url":"https:\/\/neocoeurintelligence.com\/fr\/author\/herman\/"}]}},"_links":{"self":[{"href":"https:\/\/neocoeurintelligence.com\/fr\/wp-json\/wp\/v2\/posts\/26724","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/neocoeurintelligence.com\/fr\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/neocoeurintelligence.com\/fr\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/neocoeurintelligence.com\/fr\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/neocoeurintelligence.com\/fr\/wp-json\/wp\/v2\/comments?post=26724"}],"version-history":[{"count":15,"href":"https:\/\/neocoeurintelligence.com\/fr\/wp-json\/wp\/v2\/posts\/26724\/revisions"}],"predecessor-version":[{"id":26765,"href":"https:\/\/neocoeurintelligence.com\/fr\/wp-json\/wp\/v2\/posts\/26724\/revisions\/26765"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/neocoeurintelligence.com\/fr\/wp-json\/wp\/v2\/media\/26730"}],"wp:attachment":[{"href":"https:\/\/neocoeurintelligence.com\/fr\/wp-json\/wp\/v2\/media?parent=26724"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/neocoeurintelligence.com\/fr\/wp-json\/wp\/v2\/categories?post=26724"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/neocoeurintelligence.com\/fr\/wp-json\/wp\/v2\/tags?post=26724"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}