Frequently Asked Questions – UNECE R155

This FAQ addresses common questions raised during implementation and type-approval preparation for UNECE Regulation No. 155 (Cybersecurity). It complements the main chapters and the Evidence Checklist.

Does R155 apply to all vehicle types?

R155 applies to vehicles under the UN type-approval framework (categories M, N, and O — passenger and goods vehicles, trailers, etc.) in countries that have adopted the regulation. Off-highway, motorcycles, and legacy vehicles may be excluded unless the jurisdiction extends the scope locally.

What is the difference between the CSMS assessment and type approval?

The CSMS assessment evaluates the manufacturer's organizational capability (policies, processes, roles, governance) to manage cybersecurity. Type approval verifies that those processes have been applied to a specific vehicle type and that evidence supports its conformity.

How does R155 relate to ISO/SAE 21434?

ISO/SAE 21434 provides the technical framework to implement the cybersecurity processes that R155 requires. It defines the engineering work products, lifecycle activities, and risk assessment practices that underpin compliance.

Is R155 compliance a one-time activity?

No. The CSMS must be maintained and audited periodically. Continuous monitoring, vulnerability handling, incident management, and lessons learned are part of an ongoing improvement cycle. Approval authorities may conduct surveillance audits to verify continued compliance.

How are suppliers and third parties handled under R155?

OEMs are responsible for managing supplier-related risks within their CSMS. They must flow down cybersecurity requirements, obtain and verify evidence, and ensure incidents and vulnerabilities are coordinated through shared interfaces. Suppliers are not directly type-approved, but their inputs form part of the OEM’s evidence.

What happens if a vulnerability is discovered after approval?

The manufacturer’s PSIRT must assess, contain, and correct the issue. Updates are typically delivered under R156 (SUMS) processes. Authorities expect transparent reporting, corrective updates, and post-incident reviews feeding into the CSMS improvement cycle.

What documentation should be ready for an R155 audit?

Authorities generally expect:

CSMS description and process documentation
TARA results, requirements, and verification reports
Monitoring/PSIRT procedures and records
Supplier agreements and assessments
Traceability and evidence index for the type under approval

Disclaimer: This FAQ is for awareness only. For official guidance, refer to the UNECE R155 regulation text and your national approval authority’s documentation.