Vehicle Type Approval (R155)

For markets adopting UN regulations, vehicle type approval under UNECE R155 requires manufacturers to demonstrate an effective Cybersecurity Management System (CSMS) and provide objective evidence that cybersecurity risk management has been applied to the specific vehicle type.

Objectives

  • Show that a CSMS exists, is operated, and is continually improved.
  • Provide vehicle-type evidence that risks are identified, treated, and monitored.
  • Demonstrate traceability across lifecycle activities and the supply chain.
  • Confirm operational readiness (monitoring, vulnerability intake, incident response).

What Authorities Typically Examine

  • CSMS assessment: policies, roles, competence, process ownership, improvement loop.
  • Application to the type: TARA results, requirements/claims, design controls, tests.
  • Supplier coverage: flow-down of requirements, exchanged evidence, assessment results.
  • Operations: monitoring plans, PSIRT processes, incident playbooks, update readiness.
  • Records & governance: approvals, deviations/waivers, risk acceptance rationale.

Conformance Evidence (By Theme)

Process & Organization

  • CSMS description, scope, org chart, responsibilities.
  • Approved risk management method (TARA) & templates.
  • Competence/training records; tool approval/qualification.
  • Internal audit findings, KPIs, corrective actions.

Vehicle-Type Application

  • Type scoping: configurations, variants, interfaces, dependencies.
  • TARA outcomes & risk treatment decisions for the type.
  • Requirements & traceability (risks → reqs → design → tests).
  • V&V evidence: reviews, static/dynamic tests, fuzz/pentest reports.

Suppliers & Interfaces

  • Contractual flow-down, interface specs, acceptance criteria.
  • Supplier assessments/audits and exchanged artifacts.
  • Evidence for third-party components (crypto, boot, IDS, comms).

Operations & SUMS Alignment

  • Monitoring & telemetry plan, thresholds, escalation.
  • PSIRT/vulnerability handling workflow and SLAs.
  • Update readiness (aligned with R156/ISO 24089): signing, anti-rollback, rollout.

Approval Process – At a Glance

  1. Preparation: finalize evidence set; map to authority checklist.
  2. CSMS assessment: organization-level capability review.
  3. Type application: submit vehicle-specific evidence package.
  4. Authority review & Q&A: clarifications, demos, spot checks.
  5. Granting & surveillance: approvals with conditions; periodic reviews/renewals.

Handling Variants & Changes

  • Variant strategy: document applicability of TARA and controls across trims/regions.
  • Change control: re-assess cybersecurity impact for design/software/config updates.
  • Legacy platforms: define compensating controls and monitoring where full parity isn’t feasible.
  • Evidence reuse: reuse artifacts with clear versioning; highlight delta analyses.

Practical Do / Don’t

Do

  • Provide a single, navigable index of evidence with stable IDs.
  • Show risk-based rationale for test depth and treatments.
  • Include supplier evidence and responsibility splits.
  • Demonstrate SUMS alignment (R156) for corrective actions.

Don’t

  • Submit uncontrolled documents without versioning.
  • Claim coverage without traceable links to tests and results.
  • Ignore field feedback or incident learnings in re-assessment.

Typical Submission Artifacts

  • CSMS description; process set; competence/training records; internal audit results.
  • Vehicle-type TARA, requirements, design controls, test reports, residual risk log.
  • Supplier evidence packages; interface contracts/specifications.
  • Monitoring & PSIRT procedures; update/signing policy; campaign plan (R156 link).
  • Traceability matrices and document index with versioning and approvals.

Disclaimer: This page summarizes vehicle type approval expectations under UNECE R155. For authoritative requirements, consult the regulation text and your approval authority’s guidance.