UNECE R155: The Automotive Cybersecurity Regulation

UNECE Regulation No. 155 is the world’s first binding vehicle cybersecurity regulation. Adopted under the WP.29 framework, it mandates that every new vehicle sold in over 60 countries must have a certified Cybersecurity Management System and pass cybersecurity type approval. This guide covers everything you need to know — from CSMS certification and Annex 5 threat categories to compliance timelines and how ThreatZ accelerates your path to R155 approval.

What Is UNECE R155?

Understanding the global regulation that made vehicle cybersecurity a legal prerequisite for market access.

The Regulation Defined

UNECE Regulation No. 155 — commonly referred to as R155 or UN R155 — is a binding cybersecurity regulation adopted by the World Forum for Harmonization of Vehicle Regulations (WP.29) in June 2020. It establishes uniform provisions for the approval of vehicles with regard to cybersecurity and cybersecurity management systems.

R155 applies to passenger cars (M1), buses (M2/M3), trucks (N1/N2/N3), and trailers (O3/O4) equipped with at least one electronic control unit. It does not currently cover L-category vehicles (motorcycles) or agricultural vehicles.

Enforcement Timeline

R155 has been enforced in two phases. Since July 2022, all new vehicle types submitted for type approval must comply with R155 requirements. Since July 2024, compliance is mandatory for all new vehicles produced and sold in contracting parties — including existing vehicle types.

This means that as of today, no new vehicle can be registered in R155 contracting parties (over 60 countries including the EU, UK, Japan, South Korea, and Australia) without a valid CSMS certificate and vehicle-level cybersecurity type approval.

Who Is Affected?

R155 directly obligates vehicle manufacturers (OEMs), but its impact cascades through the entire supply chain.

OEMs

Vehicle manufacturers must obtain a CSMS Certificate of Compliance and secure type approval for every vehicle type. They bear primary regulatory responsibility and must demonstrate cybersecurity risk management across the entire vehicle architecture.

Tier-1 Suppliers

System integrators and component suppliers must provide cybersecurity evidence, participate in TARA processes, and comply with Cybersecurity Interface Agreements. OEMs increasingly require ISO/SAE 21434 compliance as a contractual obligation.

Technical Services

Accredited technical services audit CSMS implementations and vehicle-level cybersecurity evidence on behalf of type approval authorities. They evaluate compliance using ISO/SAE 21434 as the recognized engineering framework.

R155 Requirements: The Two Pillars of Compliance

UNECE R155 requires manufacturers to satisfy two distinct but interlinked compliance levels: an organizational CSMS certificate and vehicle-level type approval.

Pillar 1: CSMS Certificate

The Cybersecurity Management System (CSMS) Certificate demonstrates that the manufacturer has adequate organizational processes, governance, and capabilities to manage cybersecurity across the vehicle lifecycle. It is issued by a type approval authority and is valid for up to three years.

  • Cybersecurity governance, policies, and documented processes
  • Risk assessment processes for vehicle development and post-production
  • Monitoring, detection, and response capabilities for cyber threats
  • Supply chain cybersecurity management and interface agreements
  • Continuous improvement and management review cycles

Pillar 2: Vehicle Type Approval

Each individual vehicle type must receive cybersecurity type approval, demonstrating that cybersecurity risks have been systematically identified, assessed, and treated for that specific vehicle. A valid CSMS certificate is a prerequisite for vehicle type approval.

  • Comprehensive threat analysis and risk assessment (TARA)
  • Coverage of all Annex 5 threat categories and mitigations
  • Evidence of security testing and verification activities
  • Post-production monitoring and incident response plans
  • Traceability from risks through controls to verification evidence

Annex 5: Threat Categories

Annex 5 of R155 defines seven high-level threat categories that manufacturers must address during their TARA process. Each category contains specific threat examples that serve as a minimum checklist for risk assessment.

1. Back-End Servers

Threats related to back-end servers used to support vehicles in the field, including abuse of privileges by staff, unauthorized internet access to servers, and attacks via compromised back-end infrastructure that affect vehicle fleets.

2. Communication Channels

Threats regarding vehicle communication channels including spoofing of messages, man-in-the-middle attacks, eavesdropping, and interference with vehicle-to-vehicle (V2V), vehicle-to-infrastructure (V2I), and in-vehicle network communications.

3. Update Procedures

Threats targeting software update mechanisms, including compromised over-the-air (OTA) update processes, manipulation of update packages, denial of legitimate updates, and exploitation of update infrastructure to deploy malicious firmware.

4. Unintended Human Actions

Threats arising from unintended human actions that facilitate cyberattacks, including social engineering targeting vehicle owners or dealership staff, inadvertent actions that compromise vehicle security, and failure to follow defined security procedures.

5. External Connectivity

Threats related to external connectivity and connections, including attacks via Wi-Fi, Bluetooth, cellular, USB, OBD-II, and other external interfaces. Also covers threats from third-party applications and aftermarket devices that connect to vehicle systems.

6. Data and Code

Threats regarding vehicle data and code, including extraction of proprietary software, unauthorized access to privacy-sensitive data (driver profiles, location data), manipulation of vehicle parameters, and exploitation of software vulnerabilities in ECU firmware.

7. Physical Vulnerability

Threats exploiting physical access to the vehicle, including manipulation through hardware interfaces (debug ports, diagnostic connectors), unauthorized physical modifications to ECUs, and extraction of cryptographic material from hardware security modules.
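Pillar 2 above requires coverage of all seven Annex 5 categories and traceability from risks through controls to verification evidence. One way to check a TARA extract for exactly those gaps, as an added example that is neither ThreatZ's code nor part of the regulation (the row layout, field names, risk levels and sample ids are assumptions of this example):

```python
from dataclasses import dataclass, field

# The seven high-level Annex 5 threat categories, as listed on this page.
ANNEX5_CATEGORIES = (
    "back-end servers", "communication channels", "update procedures",
    "unintended human actions", "external connectivity", "data and code",
    "physical vulnerability")

@dataclass
class ThreatScenario:
    """One TARA row. Field names are this example's own, not R155 terms."""
    sid: str
    category: str   # one of ANNEX5_CATEGORIES
    risk: str       # "low", "medium" or "high"
    controls: dict = field(default_factory=dict)  # control id -> evidence ids

def coverage_report(scenarios):
    """Return (scenario count per Annex 5 category, list of gap findings):
    every category covered, every medium/high risk treated by a control,
    every control backed by verification evidence."""
    counts = {c: 0 for c in ANNEX5_CATEGORIES}
    findings = []
    for s in scenarios:
        if s.category not in counts:
            findings.append(f"{s.sid}: unknown Annex 5 category '{s.category}'")
            continue
        counts[s.category] += 1
        if s.risk in ("medium", "high") and not s.controls:
            findings.append(f"{s.sid}: {s.risk} risk has no control")
        for cid, evidence in s.controls.items():
            if not evidence:  # control exists but nothing verifies it
                findings.append(f"{s.sid}: control {cid} has no verification evidence")
    for cat, n in counts.items():
        if n == 0:
            findings.append(f"Annex 5 category '{cat}' has no threat scenario")
    return counts, findings

def is_approval_ready(scenarios):
    return not coverage_report(scenarios)[1]  # no gaps -> evidence chain complete

# Constructed sample TARA extract (not from any real vehicle project).
SAMPLE = [
    ThreatScenario("TS-01", "back-end servers", "high", {"CTRL-01": ["PT-2024-03"]}),
    ThreatScenario("TS-02", "communication channels", "high",
                   {"CTRL-02": ["FUZZ-CAN-07"], "CTRL-03": []}),
    ThreatScenario("TS-03", "update procedures", "high"),
    ThreatScenario("TS-04", "external connectivity", "medium", {"CTRL-04": ["PT-2024-05"]}),
    ThreatScenario("TS-05", "data and code", "low"),
    ThreatScenario("TS-06", "physical vulnerability", "medium", {"CTRL-05": ["HW-REV-02"]}),
]
```

Running `coverage_report(SAMPLE)` on the constructed extract reports one unverified control, one untreated high risk and one uncovered category, which is the kind of gap list an auditor would expect to see closed before type approval.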

R155 Compliance Timeline

Key milestones in the adoption and enforcement of UNECE R155 and related automotive cybersecurity regulations.

June 2020: WP.29 Adopts R155
The World Forum for Harmonization of Vehicle Regulations (WP.29) formally adopts UN Regulation No. 155 on Cybersecurity and Cybersecurity Management Systems, making it the world’s first binding vehicle cybersecurity regulation.

January 2021: R155 Enters into Force
The regulation officially enters into force for all UNECE 1958 Agreement contracting parties that have adopted it, starting the countdown to mandatory compliance deadlines.

August 2021: ISO/SAE 21434 Published
ISO and SAE International jointly publish ISO/SAE 21434 “Road vehicles — Cybersecurity engineering,” providing the technical framework that manufacturers use to implement and demonstrate CSMS compliance under R155.

July 2022: Mandatory for New Types
R155 compliance becomes mandatory for all new vehicle types submitted for type approval. Manufacturers can no longer obtain type approval for a new vehicle type without a valid CSMS certificate and vehicle-level cybersecurity assessment.

July 2024: Mandatory for All Vehicles
R155 compliance becomes mandatory for all new vehicles produced and sold in contracting parties, including existing vehicle types. This is the key enforcement milestone — no new vehicle can be registered without R155 type approval.

2025 – 2026: China GB 44495 & Global Expansion
China introduces its own automotive cybersecurity standard (GB 44495), creating parallel requirements for the world’s largest automotive market. Additional countries continue adopting R155, expanding the global regulatory landscape.

Ongoing: CSMS Renewal Cycles
CSMS certificates must be renewed every three years, requiring manufacturers to demonstrate continuous improvement in their cybersecurity management processes. Type approval authorities may conduct surveillance audits at any time.

R155 vs Other Regulations

How UNECE R155 compares with other automotive cybersecurity standards and regulations across the global landscape.

| Aspect | UNECE R155 | ISO/SAE 21434 | EU Cyber Resilience Act | China GB 44495 |
|---|---|---|---|---|
| Scope & Nature | | | | |
| Type | Binding regulation | Voluntary standard | Binding regulation | National standard |
| Scope | Vehicles (M, N, O categories) | Road vehicle E/E systems | All products with digital elements | Vehicles (Chinese market) |
| Geography | 60+ UNECE contracting parties | Global (voluntary) | European Union | China |
| Requirements | | | | |
| CSMS required | Yes (certified) | Yes (process framework) | No (different mechanism) | Yes |
| Type approval | Yes (per vehicle type) | No | No (CE marking) | Yes |
| TARA required | Yes | Yes (Clause 15) | Yes (risk assessment) | Yes |
| SBOM requirement | Implicit | Implicit | Yes (explicit) | Yes |
| Enforcement | | | | |
| Enforcement start | July 2022 / July 2024 | N/A (voluntary) | 2027 (expected) | 2025 – 2026 |
| Non-compliance impact | No market access | Loss of OEM contracts | Fines up to €15M or 2.5% revenue | No market access (China) |
| Relationship to R155 | N/A | Engineering framework for CSMS | Complementary (non-vehicle products) | Parallel regulation (China-specific) |

How ThreatZ Supports R155 Compliance

ThreatZ is purpose-built for automotive cybersecurity compliance. It maps directly to R155 requirements, automating the evidence chain from TARA through type approval documentation.

AI-Powered TARA

Automated threat analysis aligned with R155 Annex 5 categories. ThreatZ generates comprehensive threat scenarios, attack paths, and risk ratings — covering all seven Annex 5 threat categories with full traceability to mitigations.

  • Annex 5 threat category coverage tracking
  • Automated threat scenario generation with AI
  • Attack feasibility and risk determination

Type Approval Documentation

Generate audit-ready R155 evidence packages at any time. ThreatZ produces living documentation that updates automatically as your project evolves — from CSMS process evidence to vehicle-level cybersecurity cases accepted by technical services worldwide.

  • R155 compliance report generation
  • CSMS evidence packaging for auditors
  • Versioned exports with full change history

SBOM & Vulnerability Monitoring

Continuous vulnerability monitoring for your software supply chain. ThreatZ integrates with CVE databases, NVD feeds, and vendor advisories to ensure your post-production cybersecurity obligations under R155 are continuously met.

  • Centralized SBOM management and tracking
  • Automated CVE/NVD vulnerability correlation
  • Post-production monitoring evidence

Knowledge Graph Traceability

ThreatZ’s knowledge graph connects every cybersecurity artifact — assets, threats, risks, controls, requirements, and test results — in a semantically linked model. Auditors can trace any R155 requirement through the complete evidence chain.

  • Semantic artifact linking across the lifecycle
  • Impact analysis for design changes
  • Audit-ready traceability reports

Incident & Testing Management

Manage cybersecurity incidents, security test campaigns, and penetration test findings within a unified platform. R155 requires ongoing incident response capability — ThreatZ provides structured workflows that generate the evidence auditors expect.

  • Structured incident response workflows
  • Security test campaign management
  • Test-to-TARA traceability linking

Multi-OEM & Supply Chain

For Tier-1 suppliers working with multiple OEMs across R155-regulated markets, ThreatZ provides dedicated project workspaces and configurable compliance templates. Map TARA evidence to different OEM requirements without duplicating work.

  • Multi-OEM project workspace management
  • Cybersecurity Interface Agreement tracking
  • OEM-specific compliance templates

Frequently Asked Questions About UNECE R155

Answers to the most common questions about the vehicle cybersecurity regulation.

What is UNECE R155?

UNECE R155 (UN Regulation No. 155) is a binding cybersecurity regulation adopted by the World Forum for Harmonization of Vehicle Regulations (WP.29). It requires vehicle manufacturers to implement and maintain an approved Cybersecurity Management System (CSMS) as a prerequisite for obtaining vehicle type approval. The regulation applies to passenger cars, vans, trucks, and buses in over 60 contracting parties, including the entire European Union, United Kingdom, Japan, and South Korea. Since July 2024, R155 compliance is mandatory for all new vehicles sold in these markets.

What is the difference between CSMS certification and vehicle type approval under R155?

R155 operates on two levels. First, the manufacturer must obtain a CSMS Certificate of Compliance from a type approval authority, demonstrating that the organization has adequate cybersecurity processes, governance, and capabilities in place. This certificate is valid for up to three years. Second, each individual vehicle type must receive a type approval demonstrating that cybersecurity risks have been identified, assessed, and mitigated for that specific vehicle. The CSMS certificate is a prerequisite for vehicle type approval — without it, no vehicle type can be approved under R155.

Does R155 apply to my organization if we are not an OEM?

While R155 type approval obligations fall directly on the vehicle manufacturer (OEM), the regulation has significant downstream effects on the entire supply chain. OEMs are required to manage cybersecurity risks across their suppliers, which means Tier-1 and Tier-2 suppliers must demonstrate cybersecurity engineering capabilities, provide TARA evidence, and participate in cybersecurity interface agreements. In practice, suppliers who cannot demonstrate ISO/SAE 21434 compliance risk losing contracts with OEMs operating in R155-regulated markets.

What are the Annex 5 threat categories in R155?

Annex 5 of UNECE R155 lists seven high-level threat categories that manufacturers must consider during risk assessment: (1) threats regarding back-end servers, (2) threats regarding communication channels, (3) threats regarding update procedures, (4) threats regarding unintended human actions, (5) threats regarding external connectivity, (6) threats regarding data and code, and (7) threats regarding vehicle physical vulnerability. Each category contains specific threat examples that serve as a minimum checklist for the manufacturer’s TARA process.

Related Resources

Explore more guides and articles on automotive cybersecurity compliance.

UNECE R155 Type Approval: What OEMs Need to Know

Deep dive into R155 type approval requirements, the CSMS audit process, and practical steps for OEMs and Tier-1 suppliers.

ISO/SAE 21434 TARA: Step-by-Step Implementation Guide

A practical, hands-on guide to implementing Threat Analysis and Risk Assessment per ISO/SAE 21434 with real automotive examples.

SBOM Management Best Practices for Automotive

Build, maintain, and leverage Software Bills of Materials across the automotive supply chain for compliance and security.

Achieve R155 Compliance with ThreatZ.

Stop managing automotive cybersecurity compliance in spreadsheets. ThreatZ is the purpose-built platform that automates TARA, generates audit-ready R155 type approval evidence, and provides end-to-end traceability — accelerating your path from CSMS certification to vehicle type approval.