R155/R156 - a quick guide to the updated cybersecurity regulations for automotive

What are the R155 and R156 regulations all about? What are the business impacts of these changes, and when should they be addressed? What steps should automotive companies take to implement them? In this article, we will cover these issues and outline what consequences await those who fail to adapt.

Watch our webinar: 10 questions about cybersecurity in automotive

What exactly are R155/R156?

Automation, digitalization, and the rapid growth of the automotive industry are making us crack down on cybersecurity issues with urgency. Vehicles are becoming smarter – we equip them with advanced IT systems, and autonomous cars are already available. These elements are all potential targets for hackers.

The Global Forum for Harmonisation of Vehicle Regulations of the United Nations Economic Commission for Europe (UNECE or UNECE) in 2020 has adopted two standards to help build automotive cybersecurity frameworks.

UNECE R155 and R156 were published in 2021:

• R155 Cyber Security and Cyber Security Management System (CSMS)
• R156 Software Update and Software Update Management System (SUMS)

European Economic Commission (ECE) regulations R155 and R156 are intended to pressure vehicle manufacturers to counter cybersecurity threats. As a result, the automotive industry in each of the 64 UNECE countries will be bound by the same cybersecurity guidelines. They address, among others, car software and system security, personal data protection, and cybersecurity incident management. The security culture of the companies that manufacture individual automotive components is also outlined.

Is your company required to implement R155/R156?

Who is subject to the cybersecurity regulations of the European Economic Commission (UN R155/R156)? The standard is primarily relevant to vehicle manufacturers (OEMs), but the standard must also be borne in mind by:

• automotive electronics manufacturing companies,
• tier 1 and tier 2 suppliers,
• engineers specializing in systems integration and software development,
• manufacturers of connected and automated vehicle components and systems.

The regulation applies to any vehicle intended for private or commercial use, regardless of whether it boasts advanced driver assistance systems (ADAS), connectivity features, or even a single line of code. Companies subject to UN R155 and R156 must comply with the regulations to ensure that their vehicles meet minimum cybersecurity standards. OEMs must have well-structured and documented cybersecurity processes under the revised regulations. This brings us to another vital point.

Are R155/R156 regulations to be immediately implemented?

For R155 and R156, the requirements in the member states have been in force for the approval of new vehicle types since July 2022. The requirements will be applied to all vehicles produced starting in July 2024. 7 July 2026 is the cut-off date for R156 implementation for a special purpose or small series vehicles.

UNECE’s regulations are intended to standardize vehicle cybersecurity systems across countries and regions. All of which yield tangible business benefits. Among these are easier entry into previously untapped markets and speedier product introductions. It is also worth noting that the revised regulations break down cybersecurity responsibility across the supply chain. Cooperation between manufacturers will be more consistent as a result of these standards.

It goes without saying that the adoption of the regulations bolsters the image of a security-conscious and trustworthy company.

How will failing to comply with R155/R156 impact your business?

If you fail to adapt to cybersecurity regulations in time, you will face the consequences. Failure to implement the mandatory regulation could result in penalties, fines, or even sales suspension in some countries. When products are sold in 64 markets where UNECE regulations apply, this can pose quite a problem. Intangible costs must also be taken into account – this may lead to your company’s reputation taking a hit and customers losing faith in your brand in no time.

Disregarding UN R155/156 will have several legal and business consequences detrimental to your company’s bottom line.

July 2024 is the deadline for manufacturers in Poland to implement this regulation. While it might seem like there is still plenty of time left, it is crucial to take into account the total implementation time and certification process, as these may turn out to be lengthy endeavors. Even more so when one considers:

• A cybersecurity process must be in place not just at the project level but also at the company level.
• It is incumbent on us to ensure that subcontractors also comply with regulations.
• The availability of auditors just before the maturity date can be severely limited.

Are there any steps that can be taken to enhance the implementation of this standard?

With UNECE R155/R156, your company can evaluate its cybersecurity and personal data privacy commitments. Using established pathways and relying on industry standards such as ISO 21434 and ISO 24089, as well as the support of an experienced technology partner, a company with a portfolio of automotive industry projects in software development and testing, including embedded software, can help you move quickly and smoothly through the process of adapting to the new rules.

Over the past decade, Solwit has worked with automotive companies to develop software quality testing processes and implement stringent testing procedures (ISO 26262, ISO 21434, SAE J3061, R155, and R156). We are experienced in auditing and preparing for automotive industry changes. Our domain is software testing.

Get in touch with us if you need help implementing R155/R156!