- -, Author at AUTOCRYPT

16 March, 2026 . 5 mins read

How EURO 7 Reinforces WP.29 Cybersecurity Compliance

UN R155 is widely regarded as a critical compliance milestone for OEMs and Tier suppliers under the UNECE WP.29 framework. Without a certified Cybersecurity Management System (CSMS), vehicles cannot obtain type approval in contracting markets, making compliance essential for market access. By contrast, comparatively less attention has been given to the EURO 7 standards — EU’s latest vehicle emissions and durability regulatory framework set to begin application from November 2026.

The EURO 7 standards, embedded within Regulation (EU) 2024/1257 (Link) is commonly viewed as an environmental regulation introducing new pollutant limits, battery performance thresholds, anti-tampering provisions and lifecycle monitoring requirements under the EU type-approval framework. However, its significance extends beyond conventional emissions compliance and should be understood within an integrated regulatory architecture alongside UN R155.

This blog post aims to clarify why EURO 7 does not operate independently of WP.29 cybersecurity requirements and why, in practice, it functions as a structural reinforcement of vehicle type-approval obligations. Understanding how EURO 7 strengthens the operational relevance of UN R155 is essential to safeguarding type approval within an increasingly interconnected regulatory environment.

I. Understanding EURO 7

Role of the EURO Series in the Automotive Industry

The EURO regulatory framework has historically played a defining role in shaping automotive engineering priorities across Europe. From its earliest iterations, its core objectives have centered on reducing harmful pollutants, protecting public health and air quality, and providing predictable compliance pathways for manufacturers operating within the European market.

From EURO 1 through EURO 6, each iteration progressively tightened emissions limits, expanded testing methodologies, and increased alignment with real-world driving conditions. However, despite these advancements, the underlying regulatory logic remained largely certification-based and event-driven. Vehicles were validated under defined laboratory and real-driving emissions (RDE) test conditions, and once type-approval was granted, they were presumed compliant unless defects emerged during operation.

Transition from EURO 6 to EURO 7

Up until EURO 6, the standards were designed to evaluate predominantly mechanical vehicle architectures, where emissions behavior was largely hardware-determined and relatively stable over time. The turning point came with the Dieselgate corporate scandal, in which automakers engaged in the large-scale, deliberate use of defeat devices to manipulate emissions testing outcomes. Although vehicles passed defined regulatory testing conditions, their emissions performance diverged under real-world driving conditions, exposing the vulnerability of a certification-centered regulatory model.

This incident revealed a structural misalignment between regulatory design and vehicle behavior, where compliance was assessed in a static manner while modern emissions performance had become dynamic and increasingly software-driven.

II. EURO 7 within the WP.29 Cybersecurity Architecture

How EURO 7 Reflects the Software-Defined Nature of Modern Vehicles

EURO 7 redesigns the regulatory architecture to reflect the software-defined nature of modern vehicles, recognizing that emissions behavior can be influenced by software logic and data modifications occurring throughout the vehicle lifecycle.

Through amendments to Regulation (EU) 2018/858 (Link) Article 84, EURO 7 explicitly incorporates anti-tampering provisions, security and cybersecurity measures, enhanced market surveillance enforcement and a strengthened penalty framework. Under Article 3 (45), tampering is broadly defined to include disabling or modifying engine control systems, battery systems, OBD/OBM/OBFCM systems, odometers, software and logical control elements, and related data pathways.

At its core, EURO 7 reflects a regulatory realization: emissions compliance is inseparable from software integrity. As emissions-critical systems become software-governed, regulatory compliance structurally intersects with the cybersecurity governance framework established under UN R155, which remains essential for vehicle type approval.

Intersection of EURO 7 and WP.29

The intersection between Euro 7 and the WP.29 cybersecurity framework becomes evident when examining how emissions compliance is structured in software-defined vehicles.

UN R155 governs software integrity within the WP.29 framework, and EURO 7 mandates long-term emissions and battery durability performance that depends on software-controlled systems.

Together, these requirements establish a structural dependency in which sustained emissions compliance relies on effective cybersecurity governance.

This dependency is not merely conceptual. It is reinforced through explicit references to UN R155 within EURO 7, particularly in relation to cybersecurity measures, security requirements, and Threat Analysis and Risk Assessment (TARA) obligations.

Article 4(11)

- Requires manufacturers to ensure the secure transmission of emissions and battery durability data by applying cybersecurity measures in accordance with UN R155

Annex XIV

- Defines anti-tampering, security, and cybersecurity requirements

- Incorporates UN R155 definitions of attacks

- Requires vulnerability minimization based on best available knowledge

- Mandates TARA processes that reflect EURO 7 objectives

- Provides conformity declaration templates for type approval submission

These provisions demonstrate that EURO 7 does not operate independently of the WP.29 cybersecurity architecture; rather it integrates cybersecurity governance directly into emissions-related compliance obligations.

III. Need for Digital Regulatory Convergence

In a software-defined vehicle environment, emissions compliance depends on the integrity, resilience, and governance of digital systems. As vehicles evolve into configurable, updateable and connected platforms, the ability to demonstrate sustained compliance throughout the vehicle’s operational life becomes essential.

Manufacturers must therefore move beyond documentation-based certification toward engineering-based accountability. Emissions-critical systems must be cyber-resilient, monitoring data must be protected against manipulation and overall system architecture must be secure-by-design.

Within this regulatory landscape, the convergence of EURO 7 and the WP.29 cybersecurity framework establishes the need for integrated digital regulatory governance — aligning cybersecurity governance, environmental engineering and type approval strategy within a unified compliance architecture.

At AUTOCRYPT, we support OEMs and Tier suppliers in navigating this regulatory convergence. Through our WP.29 consulting services (Link), we support firms in establishing and optimizing UN R155 Cybersecurity Management Systems (CSMS), conducting AI-powered Threat Analysis and Risk Assessments (TARA), and integrating cybersecurity governance into emissions-critical system architectures under a holistic regulatory strategy.

Our objective extends beyond securing type approval. We help manufacturers sustain compliance throughout the vehicle lifecycle within an evolving regulatory landscape.

Additional Resources

Learn more about our WP.29 Consulting Service: https://autocrypt.io/services/wp-29/
Explore our WP.29 Whitepaper: https://autocrypt.io/downloads/abstract-white-paper-seamless-wp-29-implementation/
To learn more about our end-to-end mobility solutions, visit https://autocrypt.io/

24 February, 2026 . 5 mins read

AI-Driven DevSecOps in Next-Generation Mobility

Vehicle architecture is rapidly evolving into software-defined platforms that are continuously updated via OTA, connected to cloud ecosystems, and increasingly powered by AI-driven functionality. Most critically, mobility infrastructure now evolves post-deployment, with trust boundaries shifting dynamically across in-vehicle networks, backend systems, and third-party integrations.

To maintain security in these continuously evolving systems, automotive cybersecurity engineering has had to evolve. In response, the industry has progressed through three distinct stages: Cybersecurity Engineering, DevSecOps and AI-Defined DevSecOps.

Cybersecurity Engineering: Defining what must be protected and why

The first stage begins with Cybersecurity Engineering, which defines what components must be protected and why. Security is structured as engineers identify critical assets, define potential threats, assess risk levels, and design appropriate mitigations. This process transforms abstract security concerns into formalized risk models and enforceable security requirements.

Cybersecurity Engineering spans the full vehicle ecosystem. Within the vehicle, it covers embedded systems such as ECUs and domain controllers, as well as in-vehicle communication networks including CAN and Automotive Ethernet. Across the software lifecycle, it governs secure boot, firmware integrity, and over-the-air (OTA) validation mechanisms to ensure software authenticity. Beyond the vehicle boundary, it addresses V2X authentication, vehicle-to-cloud APIs and secure backend communications.

Core outputs include asset identification, threat modeling, Threat Analysis and Risk Assessment (TARA) and risk classification. These activities enable compliance with global standards such as UNECE R155 and ISO/SAE 21434, forming the backbone of Cybersecurity Management Systems (CSMS).

Industry implementations such as AutoCrypt CSTP (Cybersecurity Testing Platform) (Link) and TARA consulting services (Link) reflect the scope of this layer, combining regulatory alignment frameworks with technical validation practices that strengthen risk modeling across OEM and supplier environments.

Cybersecurity Engineering defined what required protection, but it did not ensure that protection would keep pace with change. Risk models were built on the assumption of relative architectural stability, and validation occurred at scheduled intervals. As vehicles became continuously updateable and trust boundaries shifted dynamically, periodic enforcement was no longer sufficient. Security logic had to move beyond definition, marking the transition to DevSecOps(Development, Security, and Operations).

DevSecOps: Ensuring Security is Continuously Enforced

As vehicle architectures evolved beyond static release cycles and periodic validation, security controls had to be embedded directly within development and deployment workflows.

DevSecOps — a software engineering framework that integrates security into development and operational processes — emerged to address this requirement. Rather than treating security as a downstream validation step, DevSecOps embeds automated security controls into CI/CD pipelines to ensure continuous enforcement throughout the vehicle software lifecycle.

Security testing became integrated into automated build processes, resulting in faster validation cycles and improved audit readiness. Secure build templates reduced configuration errors, firmware signing workflows were automated, and key provisioning systems became embedded into production processes. Defined security requirements became programmatically enforced, ensuring traceability at scale.

AUTOCRYPT’s launch of Automotive-CIS (Cybersecurity Infrastructure Standard) (Link) supports this stage by providing a unified framework for lifecycle governance through the integration of CSMS, SUMS, vSOC and TARA. This enables security activities to remain aligned across development, production and operational phases, strengthening end-to-end lifecycle consistency.

While Stage 2 marked a significant evolution in continuous enforcement, it retained a critical assumption: that the underlying risk model remained valid. DevSecOps enforces predefined controls, but it does not inherently detect when architectural changes invalidate original risk assumptions. In environments where OTA updates introduce new communication paths and AI models evolve post-deployment, risk landscapes shift dynamically. In such conditions, continuous enforcement must evolve into adaptive intelligence, paving the way for AI-Defined DevSecOps.

AI-Defined DevSecOps: Adaptive Security Across the Lifecycle

If Stage 1 defined security logic and Stage 2 automated its enforcement, Stage 3 introduces intelligence into the lifecycle.

AI-Defined DevSecOps addresses the core limitation of rule-based automation by continuously assessing system state, detecting architectural change, and validating whether existing risk assumptions remain relevant. Rather than simply enforcing predefined controls, this stage enables adaptive orchestration, ensuring security mechanisms evolve alongside system behavior.

At this stage, security becomes a closed-loop adaptive system. When an engineering change occurs, the system performs automated risk impact analysis, recalculates risk, triggers required revalidation and regenerates compliance evidence. In doing so, it ensures that the impact of changes is assessed in real time and that enforcement mechanisms remain synchronized with evolving architectures.

AUTOCRYPT’s advancements in AI-Defined DevSecOps, first introduced at CES 2026 (Link) — including AI-powered TARA automation and automated test case generation within AutoCrypt CSTP — demonstrate this evolution in practice. By enhancing threat modeling completeness and deepening validation coverage within DevSecOps pipelines, these capabilities elevate security from automated enforcement to intelligent lifecycle orchestration.

As mobility ecosystems are no longer fixated at design time, adaptive security becomes a structural necessity. In this environment, AI-Defined DevSecOps is not merely an enhancement, but a foundational layer for securing next-generation mobility systems.

Evolutionary Stages of Automotive Cybersecurity Engineering

Automotive cybersecurity engineering has evolved from structured risk definition to automated enforcement and now toward intelligent adaptation.

As automotive systems become increasingly intelligent, the security layer must become equally intelligent. Adaptive security is foundational in next-generation mobility, where architectures shift dynamically and AI-driven functionality evolves over time.

AUTOCRYPT is committed to proactively expanding AI-Defined DevSecOps across its portfolio, strengthening adaptive cybersecurity infrastructure as a core pillar of its research and development. Through this approach, we support OEMs and Tier 1 suppliers in maintaining continuous, resilient protection across rapidly evolving mobility ecosystems.

To learn more about our end-to-end mobility solutions, visit https://autocrypt.io/

19 January, 2026 . 4 mins read

CES 2026 Highlights: From Key Management to AI-Driven Vehicle Security

At the 2026 Consumer Electronics Show (CES) in Las Vegas, AUTOCRYPT showcased its foundational and future-ready security solutions designed to secure every layer of mobility. Through the launch of its Automotive-CIS solution, AUTOCRYPT presented a globally integrated industry benchmark for end-to-end key management, while also introducing next-generation security approaches powered by AI technologies and post-quantum cryptography. Together, these initiatives articulated AUTOCRYPT’s vision for addressing both today’s cybersecurity challenges and the demands of the future mobility ecosystem.

As the automotive industry accelerates towards the adoption of physical AI, robotics, and increasingly autonomous systems, regulatory requirements — such as the Cyber Resilience Act (CRA) (Link) — are expanding to cover all layers of connected mobility. In response, AUTOCRYPT aims to provide robust, scalable cybersecurity infrastructure that enables OEMs and Tier 1 suppliers to seamlessly embed security across this growing ecosystem.

Foundational Mobility Infrastructure

Throughout the vehicle lifecycle, key management remains one of the most fundamental yet critical security components. However, today’s automotive supply chain relies on a wide range of cryptographic keys, each serving different purposes, using distinct algorithms, and managed by multiple entities. Against this backdrop, the need for a unified key and certificate management system has become increasingly apparent.

On the first day of CES 2026, AUTOCRYPT introduced a standardized infrastructure designed to enable efficient deployment of key management systems across vehicles and adjacent industries, through the launch of “Automotive-CIS (Cybersecurity Infrastructure Standard) (Link).”

Designed to support the full vehicle lifecycle, from development and production to operation and inspection, the solution brings critical security functions into a single infrastructure framework. By unifying Cybersecurity Management System (CSMS), Software Update Management System (SUMS), Vehicle Security Operations Center (vSOC) and Threat Analysis and Risk Assessment (TARA), it provides a trusted foundation for continuous updates and lifecycle-based security enforcement.

On the show floor, Automotive-CIS drew strong interest not only from automotive stakeholders, but also from players in agricultural manufacturing, construction and robotics. This reflects how software-defined systems are dissolving traditional industry boundaries and connecting digital ecosystems across domains.

Future-Ready Vehicle Solutions

Across CES 2026, industry discussions emphasized the practical, measurable impact of next-generation technologies such as AI and quantum computing on operational efficiency and scalability. AUTOCRYPT showcased a deployable approach to applying AI in automotive cybersecurity, strengthening operational effectiveness and earning strong on-site recognition. The methodology demonstrated AI-driven automation across the DevSecOps process, including TARA and test-case generation within AutoCrypt CSTP (Link) — streamlining the creation of audit-ready evidence.

Preparing for Next-Gen Vehicle Security

CES 2026 provided an opportunity not only to showcase solutions, but also to actively listen to public thoughts. AUTOCRYPT gathered public perspectives on software-defined vehicles (SDVs), cybersecurity concerns surrounding automated driving, and expectations for the future evolution of mobility through a thought wall prepared on-site. These insights serve as a valuable reference point as we look ahead to securing the next layer of automotive cybersecurity.

The dominant perception of software-defined vehicles centered on the integration of vehicles and computation, enabling smarter, more adaptive mobility through autonomous and assisted driving capabilities.

At the same time, participants clearly highlighted unresolved concerns — particularly around data governance, AI reliability, system behavior in edge cases and vulnerability to external cyber threats. These perspectives underscored a shared understanding that innovation must be accompanied by strong, trustworthy security foundations.

Visitors also expressed optimism that future vehicles will become safer by design, combining intelligent software with robust engineering. More visionary ideas such as solar-powered mobility and aerial transportation illustrated how the public already views the boundaries of mobility expanding well beyond conventional road vehicles.

Reflecting on these insights, AUTOCRYPT is committed to identifying emerging gaps in automotive cybersecurity and collaborating closely with open-source communities and industry associations. Through these efforts, AUTOCRYPT aims to help build resilient, interoperable security infrastructure that supports the safe and scalable advancement of AI-driven, software-defined mobility.

To learn more about our end-to-end mobility solutions, visit https://autocrypt.io/all-products-and-offerings/.

7 January, 2026 . 2 mins read

AUTOCRYPT Unveils “Automotive-CIS,” a Global Integrated Cybersecurity Infrastructure Standard for Vehicles, at CES 2026

AUTOCRYPT, a leading automotive and AI cybersecurity solutions provider, announced at CES 2026 the launch of “Automotive-CIS (Cybersecurity Infrastructure Standard),” presenting a new global benchmark for vehicle cybersecurity infrastructure to the international technology community.

Automotive-CIS is an advanced and expanded version of Autocrypt’s Software Security Infrastructure solution previously delivered to automotive manufacturers (OEMs). The new standard broadens its scope to include suppliers and establishes an integrated security architecture spanning the entire vehicle software lifecycle from development and production, all the way to driving and maintenance.

By integrating key functions like the Cybersecurity Management System (CSMS), Software Update Management System (SUMS), Vehicle Security Operations Center (vSOC), and Threat Analysis and Risk Assessment (TARA) into a single infrastructure standard, Automotive-CIS provides a core reference model for OEMs and suppliers as the industry shifts to software-defined vehicles (SDVs) and AI-driven mobility.

Autocrypt’s extensive proof-of-concept (PoC) projects with both domestic and international OEMs and suppliers have served as a foundation for the global vehicle cybersecurity standard, shown through inclusion of tailored deployment roadmaps, expert consulting, and comprehensive regulatory compliance strategies across the supply chain.

CEO and co-Founder, Seokwoo Lee remarked on the unveiling, “Automotive-CIS represents the essential foundations necessary for this new era of SDVs, AI mobility, and post-quantum computing.” He continued, “We are delighted to present this at CES 2026, as it provides OEMs and suppliers with an opportunity to collaboratively address evolving security challenges across the vehicle lifecycle.”

Autocrypt is currently showing its solutions at CES 2026, in Las Vegas from January 6-9. Visitors are welcome at the Las Vegas Convention Center, West Hall Booth #4667. Meetings are available on-site, by reservation only. Book a meeting at https://calendly.com/autocrypt_global/. To learn more, visit autocrypt.io.

About Autocrypt Co., Ltd.

AUTOCRYPT is the leading player in automotive cybersecurity. It specializes in the development and integration of security software and solutions for in-vehicle systems, V2X communications, Plug&Charge, and fleet management, paving the way towards a secure and reliable C-ITS ecosystem in the age of software-defined vehicles. Its comprehensive suite of automotive cybersecurity testing services and platforms includes the award-winning AutoCrypt CSTP, which supports automotive OEMs and suppliers in meeting regulatory standards ilke ISO/SAE 21434, UNECE WP.29 UN R155, and CRA.

29 December, 2025 . 4 mins read

Post Quantum PKI for Next-Gen Vehicle Security

The automotive ecosystem is rapidly transitioning into a fully software-defined environment, with vehicles relying on complex software stacks and deeply interconnected systems. Features such as OTA updates, V2X communications, and digital keys enable unprecedented convenience and personalization – yet they also heighten dependence on secure connectivity infrastructure, particularly Public Key Infrastructure (PKI).

As emerging technologies like quantum computing threaten to break the classical cryptographic foundations that secure software-defined vehicles (SDVs), reinforcing PKI has become essential to protecting next-generation mobility. In this blog, we explore how quantum computing introduces new risks to SDVs, why OEMs must strengthen the PKI trust layer in preparation for future threats, and how AUTOCRYPT is addressing this need through post-quantum solutions.

Rising Threat of Quantum Computing to Automotive PKI

Software-defined vehicles rely heavily on cryptographic trust. Every interaction between the vehicle and its environment – whether OTA updates, V2X messages, or digital key exchanges – requires authentication and verification. PKI sits at the heart of this trust layer, ensuring that all messages, components and services the vehicle interacts with are legitimate.

The emerging problem is that sufficiently powerful quantum computers can break cryptographic algorithms such as RSA* and ECDSA**, which currently form the backbone of today’s automotive PKI.

*RSA (Rivest–Shamir–Adleman): One of the most widely used public-key cryptographic algorithms

**ECDSA (Elliptic Curve Digital Signature Algorithm): A lightweight digital signature algorithm used extensively in automotive systems

In our previous blog post “Post-Quantum Cryptography, and the Future of Automotive Cybersecurity,” we addressed the growing necessity of PQC technology. Attackers are already employing Harvest Now, Decrypt Later (HNDL) tactics – capturing encrypted automotive data today with the intent to decrypt it once quantum capabilities mature. Given that vehicles remain in operation for 10-15 years, OEMs must proactively secure the trust layer before quantum risks materialize.

The Essential Need for Transition to Post-Quantum PKI

The foundation of future-ready vehicle security begins with adopting post-quantum cryptography (PQC) — algorithms designed to remain secure even against quantum-enabled attacks.

Global standardization efforts reflect this urgency. Most notably, the National Institute of Standards and Technology (NIST) published FIPS 204 (Link) in August 2024, formally defining the Module-Lattice Digital Signature Algorithm (ML-DSA) as a U.S. federal PQC standard. With this milestone, ML-DSA became one of the first globally recognized digital signature baselines for national security and critical infrastructure systems.

Unlike traditional IT systems which transition to PQC through software updates, the automotive domain faces structural challenges:

ECU Compute Constraints: ECUs operate with limited memory, CPU capacity, and power. PQC algorithms are larger and require more computation, necessitating optimized implementations for embedded automotive hardware.

Scalability Across Global Fleets: Modern vehicles depend on millions of certificates across ECUs, sensors, V2X modules, telematics units, and digital keys. Securing these at PQC scale demands a horizontally scalable PKI infrastructure capable of mass certificate issuance and rotation.

Hybrid Coexistence: Automotive systems must support classical and post-quantum algorithms concurrently during a multi-year transition, ensuring compatibility without disrupting manufacturing or aftersales systems.

These constraints make it essential for OEMs to have an automotive-grade, production-ready PKI ecosystem, capable of supporting PQC at scale.

Evolving Solutions for the Post-Quantum Era

Building on our long-standing expertise in automotive-grade PKI and cryptographic key management, AUTOCRYPT introduced AutoCrypt PKI-Vehicles, a next-generation solution designed to provide future-proof cryptographic resilience and establish a unified trust infrastructure across manufacturing, OTA, digital keys, and V2X.

As one of the earliest commercial solutions enabling ML-DSA-based certificate issuance, AutoCrypt PKI Vehicles arrives at a pivotal moment — aligning with NIST standards and offering OEMs a timely response to emerging quantum-era security demands. The solution enables post-quantum vehicle key management, supporting ML-DSA based X.509 certificate issuance, PQC-enhanced digital key workflows, secure ECU onboarding and lifecycle authentication.

AUTOCRYPT will showcase its future-proof solutions, including AutoCrypt PKI-Vehicles at the 2026 Consumer Electronic Show (CES) in Las Vegas from January 6-9. Meetings are available by reservation only. Book a meeting at https://calendly.com/autocrypt_global/.

8 December, 2025 . 2 mins read

AUTOCRYPT Announces Product Release of Post-Quantum PKI Product, Pioneering PQC-enabled Solutions for Automotive OEMs

Leading automotive cybersecurity solutions provider AUTOCRYPT announced on December 8, 2025, the launch of “AutoCrypt PKI-Vehicles,” a new next-generation Public Key Infrastructure (PKI) solution supporting ML-DSA, a post-quantum digital signature algorithm. With its announcement, Autocrypt is among the early leaders to commercialize ML-DSA-enabled PKI that can be applied to automotive systems and OEM-specific environments.

The product launch arrives at a critical time as many global industries prepare for the National Institute of Standards and Technology (NIST) standards for post-quantum cryptography (PQC) and evolving security challenges posed by emerging quantum computing technologies.

Autocrypt’s new product supports ML-DSA, and is among the first to be ready for real-world issuance under this certificate framework across automotive environments. ML-DSA was selected by NIST as part of the FIPS 204 Post-Quantum Digital Signature Standard in 2024, and is considered widely as the global cryptographic baseline. The company is affirming its position as a standard-ready security provider for automotive companies who seek to be future-ready.

“The automotive industry is facing an unprecedented shift in cybersecurity,” said Seokwoo Lee, CEO and Co-Founder of Autocrypt. “Quantum computing is redefining the threat landscape, and the industry must act now to future-proof all vehicles. By bringing this product to automotive manufacturers and suppliers, we are optimizing the process of post-quantum adoption without disrupting existing infrastructure. This launch is the beginning of a new standard for quantum-safe automotive cybersecurity.”

AUTOCRYPT plans on showing its future-proof solutions, including AutoCrypt PKI-Vehicles at the 2026 Consumer Electronic Show (CES) in Las Vegas from January 6-9. Meetings are available by reservation only. Book a meeting at https://calendly.com/autocrypt_global/. To learn more, visit autocrypt.io.

About Autocrypt Co., Ltd.