WP.29 Background Overview

As we near the end of 2020, the term “WP.29” has become an oft-discussed topic for those of us in the automotive industry, especially when it comes to compliance and the need for universal regulations for vehicles and security. Although we throw this term around quite a bit when it comes to discussion of the new regulations, WP.29 is not the name or title of the regulations, but the shorthand title of the working party – World Forum for Harmonization of Vehicle Regulations. This working party is part of the United Nations Economic Commission for Europe (UNECE). 

Though this working party has been established for over 50 years, the concept of transportation has evolved and continues to develop. With the rise of autonomous vehicles, a new working party within WP.29 was commissioned – the GRVA, Working Party on Automated/Autonomous and Connected Vehicles – which began its work on drafting up a new UN regulation for cyber security management systems for these vehicles. 

In June 2020, WP.29 released two new regulations for the industry, and while the regulations themselves are quite complex in terms of all the details, generally it divides up into the implementation of a Cybersecurity Management System (CSMS) and Software Update Management System (SUMS).

Of the two, the CSMS compliance regulation is what may take people off-guard as it’s quite a large, umbrella term. While “system” in terms of computing refers to a hardware or software system handled by a server, in this case a “system” is merely the people, products, and processes that one goes through in order to ensure that cybersecurity needs are being met.

Delving further, a CSMS should cover the entire lifecycle of a vehicle from development, production, and even post-production. Security is to be prioritized in all areas, not merely to monitor and detect abnormal activity, but to prevent it from even happening in the first place as well as risk identification and assessment.  

What does this mean for the automotive industry?

Firstly, manufacturers will be held to a much higher standard, as they will have to hold a valid Certificate of Compliance for proper implementation of the aforementioned CSMS. The documentation that they submit will have to provide information on the supply chain of all parts and software, risk assessment, test results, mitigations, and treatment/management history. The manufacturers will also have to demonstrate that vehicles are protected against the risks and describe future testing and security measures in comprehensive detail.

The regulations enter into force in January 2021. However, this does not mean that at the stroke of midnight all regulations will become mandated. This is simply the date when countries that have signed the 1958 UNECE agreement can begin to integrate the regulations into national legislation. For example, in the European Union, the regulations will be mandatory beginning in July 2022. This means automotive manufacturers will have to consider the region in which their automotive business operations take place. Though their headquarters may be in one country, if sales and software providers are located in another region, jurisdiction will take precedent.

Therefore, this regulation not only affects vehicle manufacturers but also suppliers, software-providers, and service providers who will also have to comply with the cybersecurity management system requirements to be able to work with manufacturers. After all, the term “system” is all-encompassing when it comes to securing the vehicles on the road.

For cybersecurity companies, this means being able to provide products and solutions that ensures compliance of manufacturers, suppliers, and providers with the WP.29 regulations. However, although CSMS seeks to be comprehensive in terms of security solutions, the number of companies that can provide comprehensive solutions are quite limited.

Here at AUTOCRYPT, we believe that security should not be a complex, or multi-stop issue. From V2X to in-vehicle systems, we ensure that all points of the vehicle environment are covered in terms of security, and are here to work with companies who are looking to meet the compliance requirements for the new WP.29 regulations.

For more information about AUTOCRYPT’s solutions, visit our official WP.29 page.

However, as keys become more connected and less physical, there is yet another element to consider: cybersecurity. It is crucial that we consider that the more connectivity we usher in, the more enticing it can be for attackers to look for a way to infiltrate. This is why it is also essential to incorporate security technology like Public Key Infrastructure (PKI) into the system to guarantee security even in its convenience.

While we will ultimately get to a point in vehicle evolution where a physical key does not necessarily need to be carried around, the reality is that though the idea of the traditional key will change, ultimately the concept will remain. A key’s purpose is to help its owner access different entry points, but to also keep them safe by locking out unwanted intruders. Therefore, no matter the form of the key, digital or physical, security will remain essential.

For more information about AUTOCRYPT and its digital key, learn more here.

Infographic: Global Regulations on Autonomous Vehicles

In 1939, the idea of the autonomous vehicle (AV) was brought to life by Norman Bel Geddes when he introduced the concept of a self-driving car in a futuristic exhibit hosted by General Motors (GM). Geddes conceptualized the car to be able to “drive” by radio-controlled electromagnetic fields generated with magnetized spikes that were embedded in the roadway. Although it may have been a bit early for realizing his AV dreams, the actual technology used in building vehicles with the potential of reaching full autonomy has developed rapidly in the past decade. Although we are yet to produce fully autonomous vehicles (level 4 or above), the AV landscape is expanding at a faster-than-ever pace. With this growing landscape comes wider adoption – more and more countries are allowing AVs on the roads, though they vary in terms of regulation and guidelines. Here are some global regulations on autonomous vehicles.

South Korea

South Korea allows AVs with government issued licenses to operate on public roads. As one of the leading countries in the AV industry, it announced the opening of K-City in 2017, which is an unpopulated town model built solely for autonomous-driving testing. The test-bed is the first of its kind in the nation and the second largest in the world. AUTOCRYPT is the security leader of the ITS-project, and the security company also manages V2X security for smart roads in Sejong, Yeoju, Seoul, and Jeju.

United States

The United States has a unique governing system where each state can publish its own legislation; as such, each US state is responsible for its own autonomous driving laws. There were no set rules about driver-less AVs operating on public roads before 2018 when California and Arizona passed legislation allowing for AV operation. Many other states have followed since then.


China has released a then-updated road safety laws that cover driver-less vehicles on a nationwide scale. The Ministry of Industry and Information Technology, the Ministry of Public Security, and the Ministry of Transport created regulations on the “Administration of Road Testing of Autonomous Vehicles.” In addition, local governments added their own regulations accordingly.


As one of the leading countries in autonomous transportation, alongside China, the US, and South Korea, Germany has a strategy in place for AVs on a national level and allows autonomous driving on public roads. Additionally, it allows companies to test drive autonomous cars on public roadways. However, the new transportation legislation requires all AVs on public roads to have a black box equipped, a counterpart data recorder.

The Netherlands

The autonomous transportation laws of the Netherlands allow for autonomous driving on public roads, and it also opened the public roads to large-scale tests with autonomous passenger cars and trucks. In the future, the Netherlands will allow experiments with driver-less AVs.


Sweden, too, allows autonomous driving on public roads. Moreover, The Swedish Transport Agency can authorize permits and supervise trials at all levels of automation on Swedish roads. To ensure the issue of trial permits, however, the trial activity should be governed by a specific act and comply with numerous conditions specified further on the agreement form.


In Australia, each state and territory has its own road safety laws, and this has resulted in some inconsistencies across state lines in the past. The National Transport Commission introduced Australian Road Rules (ARRs) for nationwide implementation.

Many more countries have introduced AV regulations, but with the rise of level 3+ autonomous vehicles, we also see an increase in the reported number of accidents caused by and involving vehicles that are put on the autonomous-driving mode. With such differing regulations across the world in terms of testing and driving regulations, jurisdiction, or even liability, it brings up the question of whether a centralized regulatory system needs to be implemented.

Global regulations may continue to change as technology evolves and develops. What are your thoughts?