Cybersecurity Management System for UNECE Regulation 155

The automotive industry is entering an important stage of cybersecurity implementation. In July of 2024, UNECE Regulation 155 (UN R155) about vehicle cybersecurity and Cybersecurity Management Systems (CSMS) is coming into full force. What does this mean for the larger automotive industry?

Vehicle manufacturers across the 64 WP.29 member countries will be required to adhere to regulatory compliance measures outlined in UNECE Regulation 155. Vehicles that do not comply with the regulations will not be eligible for registration starting July 2024. We can already see how the regulation is affecting the industry in the recent Porsche announcement. The company stated that they will be discontinuing the combustion-powered 718 Boxster convertible and the 718 Cayman models in certain countries, due to not meeting the cybersecurity standards outlined in UN R155 legislation.

UN R155 is a set of regulations developed by the United Nations Economic Commission for Europe (UNECE) pertaining to cybersecurity in vehicles. The regulation establishes cybersecurity requirements for the vehicle manufacturing process and vehicle type approval, aimed at enhancing the security of connected vehicles and increasing resilience against cyber threats.

Essential Approval Requirements

The essential UN R155 approval requirements for automotive cybersecurity address standards and protocols for securing connected vehicles against cyber threats. However, UN R155 does not only focus on vehicle cybersecurity. The regulation oversees the entire vehicle manufacturing process, requiring cybersecurity measures to be incorporated on an organizational level and throughout the vehicle’s entire lifecycle.

OEMs wishing to receive UN R155 approval must implement a cybersecurity management system that verifies secure operations throughout the vehicle development, production, and post-production phases.

Upon CSMS implementation, OEMs must go through a CSMS assessment process, also known as a CSMS audit, conducted by an appointed Approval Authority. During a CSMS audit, the Approval Authority assesses and verifies the manufacturer’s compliance with the requirements outlined in UN R155. If the assessment deems the cybersecurity management system implementation successful, the OEM obtains the Certificate of Compliance for CSMS. The Certificate of Compliance is valid for three years and can be extended upon expiration.

Requirements for CSMS

The requirements for the Cybersecurity Management System are holistic in nature and call for vehicle manufacturers to follow cybersecurity-by-design principles. From a grander organizational perspective to granular vehicle attack vector assessments, the CSMS requirements seek appropriate cybersecurity measures that continuously monitor, detect, and respond to cyber threats across the vehicle development lifecycle. According to UN R155, vehicle manufacturers should ensure that their Cybersecurity Management System complies with the following stipulations:

1. The vehicle manufacturer shall demonstrate that their CSMS applies to the vehicle development, production, and post-production stages.

2. The vehicle manufacturer shall demonstrate that the processes used within their CSMS ensure that security is adequately considered and implemented continuously. This requirement entails cybersecurity management processes, risk identification, assessment, and mitigation.

3. OEMs are expected to stay on top of new cyber threats and vulnerabilities, keeping their security measures current.

4. Vehicle manufacturers must be able to provide their designated Approval Authority with relevant data to support analysis of attempted or successful cyberattacks.

5. OEMs shall demonstrate that the processes used within their CSMS will ensure that cyber threats and vulnerabilities are addressed and mitigated within a reasonable time frame.

6. Vehicle manufacturers must be able to demonstrate how their CSMS will manage dependencies that may exist with suppliers, service providers, or manufacturer’s sub-organizations. This means that OEMs are accountable for implementing and verifying cybersecurity practices along their supply chains.

Requirements beyond the CSMS

Meeting cybersecurity management system requirements and obtaining the CSMS Certificate of Compliance is the first step of the regulatory compliance process. UN Regulation 155 also includes an array of cybersecurity requirements for vehicle type approval. The type approval process focuses on the effectiveness of the security measures implemented in the actual vehicle and its components.

Our latest ebook delves into the key vehicle components to focus on for UN R155 type approval and can offer insight into how different vehicle components require different types of cybersecurity measures. 

Automotive cybersecurity implementation cannot be done in a one-size-fits-all manner. Different OEMs will have different cybersecurity and testing needs based on their organizational structures, vehicle manufacturing processes, and supply chains. With industry-leading expertise accumulated through years of experience in cybersecurity implementation, AUTOCRYPT offers professional consulting services for automotive OEMs and suppliers in establishing the CSMS.

To learn more about our CSMS Consulting Services and cybersecurity regulation compliance, contact global@autocrypt.io.

AUTOCRYPT Releases Plug&Charge Upgrade for Charging Station Management System

SEOUL, KOREA, July 27, 2023 — Automotive cybersecurity and mobility solutions provider AUTOCRYPT expanded the scope of its EV charging station management system (CSMS) through the release of “EVIQ CSMS for Plug&Charge,” an add-on that will seamlessly guide the deployment and management of Plug&Charge (PnC) operations, available for charge point operators (CPO) and e-mobility service providers (EMSP). Defined in ISO 15118 for vehicle-to-grid (V2G) communications, Plug&Charge allows vehicles and chargers to automatically authenticate one another once plugged in, enabling a fully automated charging and billing process.

Certificate management through EVIQ CSMS for Plug&Charge

Compliant with ISO 15118-2 and ISO 15118-20, EVIQ CSMS for Plug&Charge provides customers with a comprehensive set of components necessary for the adoption of PnC technology as well as the management of PnC-capable chargers. These include the establishment of a PnC server on the backend and a frontend admin dashboard for certificate key management. The PnC server is integrated into the existing server of the CPO, while the admin dashboard can be integrated into their existing CSMS frontend or AUTOCRYPT’s EVIQ CSMS dashboard.

More importantly, the PnC add-on is interoperable across multiple V2G root environments. Due to the wide variety of V2G roots used by different CPOs and EMSPs, many service operators have found it challenging to enable Plug&Charge across different vehicle models and charging stations. AUTOCRYPT facilitates this interoperability by enabling validation across multiple root certificates.

“Given the growing number of regulations in Europe and Asia mandating V2G interoperability in public charging stations, we expect Plug&Charge to become the mainstream method for EV charging and billing,” said Daniel ES Kim, CEO of AUTOCRYPT. “The growing adoption of NACS will also simplify PnC deployment across North America. We look forward to helping more operators implement and manage the technology.”

The North American Charging Standard (NACS), formerly known as the Tesla charging connector specification, is now gaining popularity across the continent after Tesla opened the technology to other OEMs in late 2022.

Offering full compatibility with NACS, AUTOCRYPT’s EVIQ lineup of EV charging-related solutions also encompasses the establishment of the PKI needed for secure PnC authentication. The company has deployed its PnC PKI for some best-selling EV models across the globe and the largest PnC charging network in South Korea.

ABOUT AUTOCRYPT

AUTOCRYPT is the leading player in automotive cybersecurity and smart mobility technologies. It specializes in the development and integration of security software and processes for in-vehicle systems, V2X communications, Plug&Charge, and fleet management, paving the way toward a secure and reliable C-ITS ecosystem. AUTOCRYPT is a pioneer in integrating trusted execution environments (TEE) into automotive systems, for which it received ASPICE CL2 certification. The company is also accredited by WebTrust as a root CA for V2X PKI.

AUTOCRYPT also provides management and service platforms for the operators and end users of e-mobility and MaaS. By building customized platforms tailored to individual needs, AUTOCRYPT contributes to sustainable and universal mobility.

More Public Chargers? Not Too Fast: The Growing Need to Securely Manage EV Charging Infrastructure

Electric vehicles (EVs) are some of the hottest items today across the automotive and tech industries. With EV adoption accelerating year by year, there is no doubt now that EVs are on their way to taking over the automotive market. However, with new EV releases and feature updates capturing all the spotlight, a complementary market — the market for EV charging infrastructure — is often overlooked.

EV charging infrastructure, or EV supply equipment (EVSE), refers to the charging stations and charging points that supply electricity to an EV’s battery. Clearly, the development and commercialization of EVs and EV charging infrastructure must go hand in hand. Knowing that EVs cannot thrive without decent charging infrastructure, automotive OEMs are constantly working with charger manufacturers and charge point operators (CPO) to bring smarter and faster charging infrastructure to the market, creating an environment that enables EVs to reach their maximum potential.

The question is: is the EVSE industry prepared to fulfill the massive influx of EVs over the coming years?

Private vs. Public Charging Infrastructure

Although a privately owned home charger is most likely the primary charger for the average EV owner, the long-term sustainability of the EV market depends heavily on the availability of public charging infrastructure. With a significant portion of urban residents living in apartments and condos with shared parking garages, public chargers must be adequately established to fulfill the growing charging demands. Moreover, for the times when longer trips are made, public EV chargers must be easily accessible en route. Therefore, to enable a seamless EV user experience, public charging infrastructure must be established on a wide scale.

The development and deployment processes for private and public chargers vary significantly. Unlike a home charger, which simply contains electrical conductors and their related equipment, a public charger is much more complex, containing software for processing account information and billing, and communication protocols that deliver data between the vehicle and the charger. These software-enabled features make public chargers more expensive and time-consuming to deploy and maintain.

The Current State of Public Charging Infrastructure

Overall, the market for public EV charging infrastructure has been growing at a steady rate. As of 2021, the United States has about 115,000 publicly accessible EV charging points, just surpassing its number of gas stations. Realizing that public charging infrastructure is crucial to EV adoption and achieving carbon emission targets, President Biden’s Bipartisan Infrastructure Law has dedicated $7.5 billion to developing publicly accessible EV charging points, with the goal of installing 500,000 additional public EV chargers compatible with all kinds of vehicles by 2030.

However, are 500,000 additional public chargers enough to fulfill the forecasted growth of EVs? To put the numbers in perspective, the US has a goal of cutting its road transport carbon emissions in half by 2030. To reach this target, roughly one in every two new cars sold in 2030 must be an EV. However, according to research by McKinsey, if half of all new vehicles sold were to be EVs in 2030, the US would need 1.2 million public EV chargers by that year, meaning that even with 500,000 additional public chargers deployed, the total number will still fall short by nearly 600,000 units.

Then is it time to further accelerate public charger deployment? Ideally, yes. But not too fast.

The Challenges of Deploying Public Charging Infrastructure

A critical flaw of the current charging infrastructure development plan is that it puts too much emphasis on numbers, neglecting an important fact—the number of chargers isn’t all that matters. In fact, a recent survey conducted by J.D. Power revealed that among the 11,550 American EV drivers surveyed, one in five people reported not being able to charge their car during their visit to a public charging station. Among all the failed cases, 72% of them were attributed to nonfunctional equipment.

This clearly demonstrates that chasing numbers won’t guarantee promising results. It is pointless to have 500,000 chargers if 100,000 of them don’t work. Imagine the frustration of running low on battery and coming to the only available charger within range, only to discover that it does not work. If a one-in-five failure rate is not significant enough to raise an alarm, remember that most public EV chargers were built within the last several years; if nothing is done to address this issue, it is only a matter of time before more chargers end up dysfunctional.

Additionally, it is important to acknowledge that operating and maintaining an EV charging station is completely different from operating a gas station. Since charging takes much longer than filling gas, a much greater number of charging stations are needed than gas stations, making it impossible to staff them all. This makes it difficult for CPOs to monitor and maintain their charging points. A wide range of issues may arise in poorly maintained EV chargers, such as broken connectors, power failures, network failures, payment system failures, and unresponsive screens.

How a Charging Station Management System Can Help

A Charging Station Management System (CSMS) is system software that connects to the Charge Point Operation Server (CPOS), which hosts all the applications built into the chargers. The CSMS collects real-time information on all chargers within the charging network. By doing so, it allows the CPO to monitor all its public chargers in real time and respond to any errors or malfunctions immediately to guarantee service satisfaction. System and security updates can also be performed remotely on a timely basis. Depending on the service scope of the CSMS provider, CPOs can also utilize a CSMS to manage their customer accounts and billing information.

Additionally, the CSMS offers more potential benefits beyond charging station management. The charger data it collects can be used to provide a variety of customer-oriented EV charging information services. For instance, AUTOCRYPT has utilized the data it collected from its CSMS to operate a charger locator map in South Korea that provides real-time charger information such as location, availability, plug type, and price.

With the help of a CSMS, CPOs can deploy larger numbers of charging points across a wide range of locations without sacrificing service quality, while saving costs in the long run. By providing a secure and seamless charging experience for EV users, it helps create an EV-friendly environment that encourages continuous adoption.


AUTOCRYPT’s EVIQ is an EV charging and management solution centered around its CSMS, providing a comprehensive management platform for CPOs. At the same time, AUTOCRYPT offers a Plug&Charge (PnC) security module in compliance with ISO 15118, ready to be integrated with the PnC server, bringing security and convenience to both the CPO and its customers.

To learn more about AUTOCRYPT’s EV charging security and management solutions, contact global@autocrypt.io.
