Relationship between UN R155, UN R156 and ISO/SAE 21434, ISO 24089

As autonomous, connected vehicles evolve, so do risks associated with cybersecurity and software update management. Maintaining public safety being a top regulatory priority, certain regions like the European Union have introduced stringent compliance requirements for vehicle manufacturers and suppliers. Most notably, the UNECE Regulation No. 155 and UNECE Regulation No. 156  now mandate that automotive stakeholders demonstrate their ability to manage cyber risks and ensure secure software update processes.  

To meet these legally binding requirements, industry players increasingly turn to internationally recognized standards such as ISO/SAE 21434 and ISO 24089 that delineate technical implementation measures. This blog post explores how ISO standards help translate UNECE requirements into actionable steps – focusing on the relationship between UN R155, UN R156 and technical standards, ISO/SAE 21434 and ISO 24089.  

UN R155, UN R156 Regulation  

As the name denotes, the UN R155, UN R156 “regulations” are legally binding requirements developed by UNECE WP.29, defining what must be done for vehicle type approval for passenger cars (M category), commercial vehicles (N category) and certain trailers (O category).  

The foundational requirements for UN R155 and UN R156 differ based on their primary objectives. Under UN R155, vehicles with networked electronic components are required to establish a Cybersecurity Management System (CSMS), an organizational-level risk-management framework designed to maintain vehicle cybersecurity throughout the lifecycle. In contrast, UN R156 mandates the implementation of Software Update Management System (SUMS) for vehicles capable of receiving software updates, ensuring updates are secure, traceable and properly managed.  

While these regulations give guidance on what to do, how to execute the guidelines is not provided, which is where technical standards like ISO/SAE 21434 and ISO 24089 come into play as implementation blueprints.  

ISO/SAE 21434, ISO 24089 Standard  

Unlike “regulations,” ISO/SAE 21434 and ISO 24089 are voluntary “standards” developed by ISO and SAE working groups. While not legally binding, they are widely adopted as technical frameworks to demonstrate compliance with UNECE requirements.  

ISO/SAE 21434 focuses on managing cybersecurity risks across the vehicle lifecycle, detailing methods for identifying, evaluating and mitigating threats. Aligned with UN R155 which mandates the establishment of a Cybersecurity Management System (CSMS), the standard outlines core system capabilities, including governance, resource management and organizational responsibility. While the UN R155 regulation defines what must be established for vehicle cybersecurity, the ISO/SAE 21434 standard provides the framework for how to implement it.  

Similarly, the ISO 24089 standard centers on the secure management of software updates, ensuring both functional performance and cybersecurity integrity are maintained. Following the mandate of UN R156 to establish a Software Update Management System (SUMS), the standard illustrates methods for software configuration tracking, secure update delivery, and validated installation procedures. Parallel to the relationship between UN R155 and ISO 21434, the UN R156 regulation defines what components are required for secure software updates, while the ISO 24089 standard outlines how to structure it.ISO/SAE 21434, ISO 24089

Mapping ISO Standards to Cybersecurity and Software Update Requirements 

Although ISO/SAE 21434 and ISO 24089 were not legally derived from UN R155 and UN R156, they share a common foundation. Both the standards and regulations emerged from the same regulatory push to mitigate cybersecurity threats associated with increasingly software-driven vehicles, which explains their current alignment. However, due to natural overlaps between cybersecurity and software update management, it would be an oversimplification to claim that ISO/SAE 21434 solely supports UN R155, or vice-versa.

ISO/SAE 21434 Support for UN R156  

While ISO/SAE 21434 is not specifically a software update standard, it addresses cybersecurity considerations that arise in software update processes, particularly where secure deployment and threat mitigation intersect. This can be observed in ‘Clause 13. Operations and maintenance which covers cybersecurity activities during vehicle operation, including incident response, vulnerability monitoring, and post-production software updates. In this way, ISO/SAE 21434 partially supports components of a Software Update Management System (SUMS) relevant to UN R156, while primarily serving the requirements of UN R155.  

ISO 24089 Support for UN R155  

Similarly, ISO 24089, though not a cybersecurity standard, acknowledges the critical role of cybersecurity in software update workflows. For example, ‘Clause  5. Project level’ outlines roles, responsibilities, and planning processes that overlap with Cybersecurity Management System (CSMS) framework principles. As such, ISO 24089 partially supports operational requirements of the Cybersecurity Management System (CSMS) aligned with UN R155, and cannot be viewed in isolation from cybersecurity needs.  

Taken together, while ISO/SAE 21434 is closely aligned with UN R155 for cybersecurity control and ISO 24089 with UN R156 for software updates, the distinction between the two is not clear-cut. Given the interconnected nature of both domains, areas of overlap exist where the two standards work in tandem to support shared regulatory objectives.  

Streamlining Automotive Compliance  

While the range of standards and regulations in automotive cybersecurity may seem complex, understanding how they interconnect allows stakeholders to navigate compliance with greater clarity and control.  

AUTOCRYPT’s suite of in-vehicle cybersecurity solutions covering testing and consulting services is designed to align with the requirements of UN R155 and UN R156 and technical guidelines set by ISO/SAE 21434 and ISO 24089 standards. Supporting secure software update processes and cybersecurity control across the vehicle’s lifecycle, our services are positioned to help simplify compliance and improve informed decision-making.  

Visit our UNECE WP.29 Consulting page to learn more about how OEMs and Tier suppliers can control cybersecurity measures for vehicle type approval.  

To contact our team about how your company can get started, contact global@autocrypt.io. 

Cybersecurity Management System for UNECE Regulation 155

The automotive industry is entering an important stage of cybersecurity implementation. In July of 2024, UNECE Regulation 155 (UN R155) about vehicle cybersecurity and Cybersecurity Management Systems (CSMS) is coming into full force. What does this mean for the larger automotive industry?

Vehicle manufacturers across the 64 WP.29 member countries will be required to adhere to regulatory compliance measures outlined in UNECE Regulation 155. Vehicles that do not comply with the regulations will not be eligible for registration starting July 2024. We can already see how the regulation is affecting the industry in the recent Porsche announcement. The company stated that they will be discontinuing the combustion-powered 718 Boxster convertible and the 718 Cayman models in certain countries, due to not meeting the cybersecurity standards outlined in UN R155 legislation.

UN R155 is a set of regulations developed by the United Nations Economic Commission for Europe (UNECE) pertaining to cybersecurity in vehicles. The regulation establishes cybersecurity requirements for the vehicle manufacturing process and vehicle type approval, aimed at enhancing the security of connected vehicles and increasing resilience against cyber threats.

Essential Approval Requirements

The essential UN R155 approval requirements for automotive cybersecurity, address standards and protocols for securing connected vehicles against cyber threats. However, UN R155 does not only focus on vehicle cybersecurity. The regulation oversees the entire vehicle manufacturing process, enforcing cybersecurity measures to be incorporated on an organizational level and throughout the vehicle’s entire lifecycle.

OEMs wishing to receive UN R155 approval must implement a cybersecurity management system that verifies secure operations throughout the vehicle development, production, and post-production phases.

Upon CSMS implementation OEMs must go through a CSMS assessment process, also known as a CSMS audit, that will be conducted by an appointed Approval Authority. During a CSMS audit, the Approval Authority assesses and verifies the manufacturer’s compliance with the requirements outlined in UN R155. If the assessment deems cybersecurity management system implementation successful, the OEM obtains the Certificate of Compliance for CSMS. The Certificate of Compliance is valid for three years and can be extended upon expiration.

Requirements for CSMS

The requirements for the Cybersecurity Management System are holistic in nature and call for vehicle manufacturers to follow cybersecurity-by-design principles. From a grander organizational perspective to granular vehicle attack vector assessments, the CSMS requirements seek appropriate cybersecurity measures that continuously monitor, detect, and respond to cyber threats across the vehicle development lifecycle According to UN R155, vehicle manufacturers should ensure that their Cybersecurity Management System complies with the following stipulations:

1. The vehicle manufacturer shall demonstrate that their CSMS applies to the vehicle development, production, and post-production stages.

2. The vehicle manufacturer shall demonstrate that the processes used within their CSMS to ensure security is adequately considered and implemented continuously. This requirement entails cybersecurity management processes, risk identification, assessment, and mitigation.

3. OEMs are expected to stay on top of new cyber threats and vulnerabilities, keeping their security measures current.

4. Vehicle manufacturers must be able to provide relevant data to support analysis of attempted or successful cyberattacks to their designated Approval Authority.

5. OEMs shall demonstrate that the processes used within their CSMS will ensure that cyber threats and vulnerabilities are addressed and mitigated within a reasonable time frame.

6. Vehicle manufacturers must be able to demonstrate how their CSMS will manage dependencies that may exist with suppliers, service providers, or manufacturer’s sub-organizations. This means that OEMs are accountable for implementing and verifying cybersecurity practices along their supply chains.

Requirements beyond the CSMS

Meeting cybersecurity management system requirements and obtaining the CSMS Certificate of Compliance is the first step of the regulatory compliance process. UN Regulation 155 also includes an array of cybersecurity requirements for vehicle type approval. The type approval process focuses on the effectiveness of the security measures implemented in the actual vehicle and its components.

Our latest ebook delves into the key vehicle components to focus on for UN R155 type approval and can offer insight into how different vehicle components require different types of cybersecurity measures. 

Download eBook

Automotive cybersecurity implementation cannot be done in a one-size-fits-all manner. Different OEMs will have different cybersecurity and testing needs based on their organizational structures, vehicle manufacturing processes, and supply chains. With industry-leading expertise accumulated through years of experience in cybersecurity implementation, AUTOCRYPT offers professional consulting services for automotive OEMs and suppliers in establishing the CSMS.

To learn more about our CSMS Consulting Services and cybersecurity regulation compliance, contact global@autocrypt.io.

The Role of Penetration Testing in the Automotive Industry

The esteemed hackathon Pwn2Own has had its first ever automotive-focused event in Tokyo, Japan this January. At the end of the three-day hackathon, hackers identified 49 unique zero-day exploits, accumulating over a million dollars in awarded bounties. Hackathons like this have been common practice in the tech industry for years, however, they are just getting popular in the automotive sector.

During these hackathons, white-hat hackers gather to uncover zero-day vulnerabilities in vehicles and their systems. While hacking may have its negative connotations, ethical hacking performed in these events is better defined by the term penetration testing.

As technology advances, vehicles become increasingly vulnerable to cyber threats. Securing vehicles from these cyber threats requires extensive and proactive cyber security practices that not only protect vehicles but also actively search for new vulnerabilities in constantly developing systems. In this blog, we delve into the realm of automotive penetration testing, a critical practice aimed at identifying weaknesses in vehicle security systems.

Understanding Automotive Penetration Testing

Automotive penetration testing, or pentesting, is a process designed to identify vehicle vulnerabilities by means of hacking into specific components of a vehicle. This proactive way of cybersecurity testing allows for the uncovering of security gaps in a controlled environment. 

Penetration tests can be conducted internally by cybersecurity experts employed by an OEM, as well as externally, by independent ethical hackers. Upon successful identification of a vehicle vulnerability, hackers share their findings with an OEM for further investigation and remediation.

Besides vulnerability assessment, penetration testing provides positive feedback that can be used for attack surface analysis and compliance assessment.

Attack surface analysis allows cybersecurity experts to evaluate potential entry points that malicious actors could exploit to breach a vehicle’s system. The adoption of connected features in vehicles, such as IoT devices, telematics systems, and infotainment units, has opened up new avenues for cyber attacks. The exponential growth in vehicle technology multiplies the avenues hackers can exploit to gain unauthorized access to vehicle systems, compromise safety features, or steal sensitive data. Hence, penetration testing can be used to uncover the vulnerabilities within the system and also the various entry points and attack vectors that can be used to exploit said vulnerability.

For instance, to identify security gaps in a vehicle’s external communications a hacker may conduct a penetration test on ECUs responsible for a vehicle’s connectivity functions like Wi-Fi or V2X. Hacking into these individual ECUs allows cybersecurity experts to generate a threat model that lays out the potential entryways, threats, and influences that may impact an ECU.

Why Automotive Penetration Testing Matters

By conducting thorough security assessments manufacturers can identify vulnerabilities in vehicle systems and address them proactively. This not only enhances the overall security of vehicles but also helps meet regulatory obligations effectively.

Vehicle security regulations have evolved to include robust cybersecurity measures as compliance requirements. UN Regulation No. 155 (UN R155), aimed at ensuring the cybersecurity of vehicles, mandates manufacturers to implement measures to protect against unauthorized access, manipulation, and theft of data.

To comply with the regulations manufacturers must conduct and document risk assessment tests, implement appropriate cybersecurity measures, detect, and respond to possible cyber attacks, as well as log data to support the detection of cyber attacks. Considering the extent of risk assessment required, it is clear that automotive penetration testing serves as a crucial tool in achieving and maintaining compliance with UN R155 requirements.

The Importance of Collaboration for Cybersecurity Testing

Compliance with regulations may be time-consuming and costly for vehicle manufacturers. Therefore, collaboration between automotive manufacturers, cybersecurity experts, and regulatory bodies is essential for effective security assessments. Comprehensive solutions that allow for continuous testing, threat intelligence gathering, and integrating security measures into the development process are crucial to ensure cybersecurity best practices.

AutoCrypt CSTP serves as a comprehensive cybersecurity testing platform that enables automotive OEMs to conduct cybersecurity testing for regulatory compliance and share integrated results for vehicle type approval. The newly launched platform runs a variety of vulnerability testing techniques, like penetration testing, engineering specification testing, and fuzz testing, using test cases mapped out for UN R155/156 and GB (GB/T).


As vehicles become increasingly connected, securing them against cyber threats is paramount. Automotive penetration testing emerges as a vital practice in safeguarding vehicles and ensuring the safety and security of drivers and passengers. By adhering to best practices, collaborating with industry stakeholders, and staying on top of regulatory requirements, automotive manufacturers can build resilient vehicles capable of withstanding the challenges of the digital age.