UNECE R155 – Cybersecurity (Overview)
UNECE Regulation No. 155 (R155) establishes requirements for a Cybersecurity Management System (CSMS) and for demonstrating that vehicle cybersecurity risks are systematically managed across the full lifecycle. R155 is a prerequisite for type approval in regions adopting UN regulations (e.g., EU, UK, JP, KR).
Purpose
R155 ensures manufacturers can identify, assess, and treat cybersecurity risks for vehicles and can monitor and respond to threats and vulnerabilities throughout operation. It focuses on organizational capability (CSMS) and evidence that the capability is applied consistently to vehicle types.
Key Concepts
- CSMS: Governance, policies, roles, competence, and processes to manage cybersecurity across projects and suppliers.
- Risk Management: Structured identification of assets, threats, vulnerabilities, and treatments (aligned in practice with ISO/SAE 21434).
- Lifecycle Coverage: Concept → development → production → operation/maintenance → decommissioning.
- Type Approval Evidence: Objective records that the CSMS and risk management are actually used for the vehicle type under approval.
Relationship to Standards
While R155 is a regulation, many manufacturers implement its expectations using ISO/SAE 21434 (cybersecurity engineering) for processes/work products, and coordinate with ISO 26262 (functional safety) as needed. Software update aspects are handled together with UNECE R156 and ISO 24089.
What Authorities Typically Expect
- Documented and operational CSMS (policies, roles, training, procedures).
- Evidence that risk management is performed and maintained (threat/vulnerability handling, treatment decisions, verification/validation).
- Supplier/third-party integration (requirements flow-down, evidence exchange).
- Field monitoring, vulnerability intake, incident response, and continuous improvement.
- Traceability from risks → goals/requirements → design → tests → deployment → operations.
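As an added illustration (not part of the regulation text or any manufacturer's tooling), the following Python snippet machine-checks the evidence chain named in the last item above and reports, per risk, which stages have no artifact tracing back to it; the artifact ids, stage names and links are constructed samples.

```python
# Added example: machine-check the evidence chain risk -> requirement -> design
# -> test -> deployment -> operation. Ids, stages and links are constructed.
from dataclasses import dataclass, field

STAGES = ["risk", "requirement", "design", "test", "deployment", "operation"]

@dataclass
class Artifact:
    id: str
    stage: str
    traces_to: list = field(default_factory=list)  # ids of upstream artifacts

def upstream_closure(art_id, index):
    """All artifact ids reachable by following traces_to links upstream."""
    seen, stack = set(), [art_id]
    while stack:
        art = index.get(stack.pop())
        if art is None:  # dangling reference: stop this branch
            continue
        for up in art.traces_to:
            if up not in seen:
                seen.add(up)
                stack.append(up)
    return seen

def traceability_gaps(artifacts):
    """Per risk id, the chain stages with no artifact tracing back to it."""
    index = {a.id: a for a in artifacts}
    gaps = {}
    for risk in (a for a in artifacts if a.stage == "risk"):
        reached = {"risk"}
        for a in artifacts:
            if risk.id in upstream_closure(a.id, index):
                reached.add(a.stage)
        gaps[risk.id] = [s for s in STAGES if s not in reached]
    return gaps

# Constructed evidence package: R-001 is fully traced, R-002 stops at design,
# R-003 was identified in the TARA but never treated.
SAMPLE = [
    Artifact("R-001", "risk"),
    Artifact("REQ-010", "requirement", ["R-001"]),
    Artifact("DES-020", "design", ["REQ-010"]),
    Artifact("TST-030", "test", ["DES-020", "REQ-010"]),
    Artifact("DEP-040", "deployment", ["TST-030"]),
    Artifact("OPS-050", "operation", ["DEP-040"]),
    Artifact("R-002", "risk"),
    Artifact("REQ-011", "requirement", ["R-002"]),
    Artifact("DES-021", "design", ["REQ-011"]),
    Artifact("R-003", "risk"),
]
```

Running `traceability_gaps(SAMPLE)` gives an empty gap list for R-001, the last three stages for R-002 and every stage after "risk" for R-003, which is the kind of gap an auditor would flag.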
Typical Outputs / Evidence
- CSMS description (scope, governance, roles, competence management).
- Process documents and templates (risk management, verification, incident response).
- Project/application evidence (TARA (threat analysis and risk assessment) results, requirements, test reports, conformity statements).
- Operational records (monitoring reports, vulnerability handling, incident post-mortems).
- Supplier agreements/assessments and evidence packages.