UNECE R155 – Scope
UNECE Regulation No. 155 (R155) defines the scope for cybersecurity requirements applicable to manufacturers seeking vehicle type approval. Its focus is organizational capability, in the form of a Cyber Security Management System (CSMS), and the consistent application of cybersecurity risk management to vehicle types placed on the market.
Who Is in Scope
- Vehicle manufacturers (OEMs) applying for type approval.
- Vehicle types covered by UN regulations and submitted for approval.
- Suppliers and service providers to the extent that their products or services affect the vehicle’s cybersecurity posture (managed through OEM processes and evidence).
What Is in Scope
R155 addresses the management of cybersecurity risks across the vehicle lifecycle and the evidence that those risks are treated in practice:
- Electrical/electronic (E/E) systems and in-vehicle networks.
- Interfaces for diagnostics, maintenance, and external connectivity (e.g., telematics, wireless, wired service tools).
- Software, firmware, and configuration data that impact cybersecurity.
- Processes for monitoring, incident/vulnerability handling, and continuous improvement.
Lifecycle Coverage
R155 requires cybersecurity to be considered throughout the full lifecycle:
- Concept & development – risk identification, requirements, and design.
- Production – secure manufacturing, provisioning, and release controls.
- Operation & maintenance – monitoring, vulnerability management, incident response.
- Decommissioning – secure end-of-life handling for data and components.
What Is Out of Scope (Boundary Clarification)
R155 is a type-approval regulation for vehicles. It does not prescribe specific technologies or algorithms, and it does not replace detailed engineering standards. Backend or external infrastructure is considered insofar as it affects the vehicle’s cybersecurity and should be addressed through the manufacturer’s CSMS and evidence packages.
Relationship to Other Instruments
- ISO/SAE 21434 – widely used to implement R155 expectations for engineering processes and work products.
- UNECE R156 – complementary regulation for software updates (SUMS), often referenced alongside R155 for in-field management.
- ISO 24089 – software update engineering practices that support SUMS.
Outputs / Evidence Within Scope
- CSMS description and organizational controls (policies, roles, competence).
- Risk management artifacts applied to the vehicle type (TARA outcomes, requirements, tests).
- Operational records (monitoring, vulnerability intake, incident handling).
- Supplier integration evidence (requirements flow-down, assessments, exchanged artifacts).