CES 2026 Highlights: From Key Management to AI-Driven Vehicle Security

At the 2026 Consumer Electronics Show (CES) in Las Vegas, AUTOCRYPT showcased its foundational and future-ready security solutions designed to secure every layer of mobility. Through the launch of its Automotive-CIS solution, AUTOCRYPT presented a globally integrated industry benchmark for end-to-end key management, while also introducing next-generation security approaches powered by AI technologies and post-quantum cryptography. Together, these initiatives articulated AUTOCRYPT’s vision for addressing both today’s cybersecurity challenges and the demands of the future mobility ecosystem.

[AUTOCRYPT] CES 2026 Themes

As the automotive industry accelerates towards the adoption of physical AI, robotics, and increasingly autonomous systems, regulatory requirements, such as the Cyber Resilience Act (CRA), are expanding to cover all layers of connected mobility. In response, AUTOCRYPT aims to provide robust, scalable cybersecurity infrastructure that enables OEMs and Tier 1 suppliers to seamlessly embed security across this growing ecosystem.

Foundational Mobility Infrastructure

Throughout the vehicle lifecycle, key management remains one of the most fundamental yet critical security components. However, today’s automotive supply chain relies on a wide range of cryptographic keys, each serving different purposes, using distinct algorithms, and managed by multiple entities. Against this backdrop, the need for a unified key and certificate management system has become increasingly apparent.  

On the first day of CES 2026, AUTOCRYPT introduced a standardized infrastructure designed to enable efficient deployment of key management systems across vehicles and adjacent industries, through the launch of “Automotive-CIS (Cybersecurity Infrastructure Standard).”

[AUTOCRYPT] Solution Launch of Automotive-CIS (Cybersecurity Infrastructure Standard)

Designed to support the full vehicle lifecycle, from development and production to operation and inspection, the solution brings critical security functions into a single infrastructure framework. By unifying Cybersecurity Management System (CSMS), Software Update Management System (SUMS), Vehicle Security Operations Center (vSOC) and Threat Analysis and Risk Assessment (TARA), it provides a trusted foundation for continuous updates and lifecycle-based security enforcement.  

On the show floor, Automotive-CIS drew strong interest not only from automotive stakeholders, but also from players in agricultural manufacturing, construction and robotics. This reflects how software-defined systems are dissolving traditional industry boundaries and connecting digital ecosystems across domains.

Future-Ready Vehicle Solutions 

Across CES 2026, industry discussions emphasized the practical, measurable impact of next-generation technologies such as AI and quantum computing on operational efficiency and scalability. AUTOCRYPT showcased a deployable approach to applying AI in automotive cybersecurity, strengthening operational effectiveness and earning strong on-site recognition. The methodology demonstrated AI-driven automation across the DevSecOps process, including TARA and test-case generation within AutoCrypt CSTP, streamlining the creation of audit-ready evidence.

[AUTOCRYPT] AI-driven automation across the DevSecOps process

Preparing for Next-Gen Vehicle Security 

CES 2026 provided an opportunity not only to showcase solutions, but also to actively listen to the public. Through a thought wall prepared on-site, AUTOCRYPT gathered public perspectives on software-defined vehicles (SDVs), cybersecurity concerns surrounding automated driving, and expectations for the future evolution of mobility. These insights serve as a valuable reference point as we look ahead to securing the next layer of automotive cybersecurity.

[AUTOCRYPT] Public Perspectives on Future Mobility

  • The dominant perception of software-defined vehicles centered on the integration of vehicles and computation, enabling smarter, more adaptive mobility through autonomous and assisted driving capabilities.  
  • At the same time, participants clearly highlighted unresolved concerns — particularly around data governance, AI reliability, system behavior in edge cases and vulnerability to external cyber threats. These perspectives underscored a shared understanding that innovation must be accompanied by strong, trustworthy security foundations.  
  • Visitors also expressed optimism that future vehicles will become safer by design, combining intelligent software with robust engineering. More visionary ideas such as solar-powered mobility and aerial transportation illustrated how the public already views the boundaries of mobility expanding well beyond conventional road vehicles.   

Reflecting on these insights, AUTOCRYPT is committed to identifying emerging gaps in automotive cybersecurity and collaborating closely with open-source communities and industry associations. Through these efforts, AUTOCRYPT aims to help build resilient, interoperable security infrastructure that supports the safe and scalable advancement of AI-driven, software-defined mobility.   

To learn more about our end-to-end mobility solutions, visit https://autocrypt.io/all-products-and-offerings/.

Relationship between UN R155, UN R156 and ISO/SAE 21434, ISO 24089

As autonomous, connected vehicles evolve, so do the risks associated with cybersecurity and software update management. With public safety a top regulatory priority, certain regions like the European Union have introduced stringent compliance requirements for vehicle manufacturers and suppliers. Most notably, UNECE Regulation No. 155 and UNECE Regulation No. 156 now mandate that automotive stakeholders demonstrate their ability to manage cyber risks and ensure secure software update processes.

To meet these legally binding requirements, industry players increasingly turn to internationally recognized standards such as ISO/SAE 21434 and ISO 24089 that delineate technical implementation measures. This blog post explores how ISO standards help translate UNECE requirements into actionable steps – focusing on the relationship between UN R155, UN R156 and technical standards, ISO/SAE 21434 and ISO 24089.  

UN R155, UN R156 Regulation  

As the name denotes, the UN R155, UN R156 “regulations” are legally binding requirements developed by UNECE WP.29, defining what must be done for vehicle type approval for passenger cars (M category), commercial vehicles (N category) and certain trailers (O category).  

The foundational requirements for UN R155 and UN R156 differ based on their primary objectives. Under UN R155, vehicles with networked electronic components are required to establish a Cybersecurity Management System (CSMS), an organizational-level risk-management framework designed to maintain vehicle cybersecurity throughout the lifecycle. In contrast, UN R156 mandates the implementation of a Software Update Management System (SUMS) for vehicles capable of receiving software updates, ensuring updates are secure, traceable and properly managed.

While these regulations give guidance on what to do, they do not specify how to carry it out, which is where technical standards like ISO/SAE 21434 and ISO 24089 come into play as implementation blueprints.

ISO/SAE 21434, ISO 24089 Standard  

Unlike “regulations,” ISO/SAE 21434 and ISO 24089 are voluntary “standards” developed by ISO and SAE working groups. While not legally binding, they are widely adopted as technical frameworks to demonstrate compliance with UNECE requirements.  

ISO/SAE 21434 focuses on managing cybersecurity risks across the vehicle lifecycle, detailing methods for identifying, evaluating and mitigating threats. Aligned with UN R155 which mandates the establishment of a Cybersecurity Management System (CSMS), the standard outlines core system capabilities, including governance, resource management and organizational responsibility. While the UN R155 regulation defines what must be established for vehicle cybersecurity, the ISO/SAE 21434 standard provides the framework for how to implement it.  

Similarly, the ISO 24089 standard centers on the secure management of software updates, ensuring both functional performance and cybersecurity integrity are maintained. Following the mandate of UN R156 to establish a Software Update Management System (SUMS), the standard illustrates methods for software configuration tracking, secure update delivery, and validated installation procedures. Parallel to the relationship between UN R155 and ISO 21434, the UN R156 regulation defines what components are required for secure software updates, while the ISO 24089 standard outlines how to structure it.

Mapping ISO Standards to Cybersecurity and Software Update Requirements 

Although ISO/SAE 21434 and ISO 24089 were not legally derived from UN R155 and UN R156, they share a common foundation. Both the standards and regulations emerged from the same regulatory push to mitigate cybersecurity threats associated with increasingly software-driven vehicles, which explains their current alignment. However, due to natural overlaps between cybersecurity and software update management, it would be an oversimplification to claim that ISO/SAE 21434 solely supports UN R155, or that ISO 24089 solely supports UN R156.

ISO/SAE 21434 Support for UN R156  

While ISO/SAE 21434 is not specifically a software update standard, it addresses cybersecurity considerations that arise in software update processes, particularly where secure deployment and threat mitigation intersect. This can be observed in ‘Clause 13. Operations and maintenance,’ which covers cybersecurity activities during vehicle operation, including incident response, vulnerability monitoring, and post-production software updates. In this way, ISO/SAE 21434 partially supports components of a Software Update Management System (SUMS) relevant to UN R156, while primarily serving the requirements of UN R155.

ISO 24089 Support for UN R155  

Similarly, ISO 24089, though not a cybersecurity standard, acknowledges the critical role of cybersecurity in software update workflows. For example, ‘Clause 5. Project level’ outlines roles, responsibilities, and planning processes that overlap with Cybersecurity Management System (CSMS) framework principles. As such, ISO 24089 partially supports operational requirements of the Cybersecurity Management System (CSMS) aligned with UN R155, and cannot be viewed in isolation from cybersecurity needs.

Taken together, while ISO/SAE 21434 is closely aligned with UN R155 for cybersecurity control and ISO 24089 with UN R156 for software updates, the distinction between the two is not clear-cut. Given the interconnected nature of both domains, areas of overlap exist where the two standards work in tandem to support shared regulatory objectives.  

Streamlining Automotive Compliance  

While the range of standards and regulations in automotive cybersecurity may seem complex, understanding how they interconnect allows stakeholders to navigate compliance with greater clarity and control.  

AUTOCRYPT’s suite of in-vehicle cybersecurity solutions covering testing and consulting services is designed to align with the requirements of UN R155 and UN R156 and technical guidelines set by ISO/SAE 21434 and ISO 24089 standards. Supporting secure software update processes and cybersecurity control across the vehicle’s lifecycle, our services are positioned to help simplify compliance and improve informed decision-making.  

Visit our UNECE WP.29 Consulting page to learn more about how OEMs and Tier suppliers can control cybersecurity measures for vehicle type approval.  

To talk to our team about how your company can get started, contact global@autocrypt.io.