UNECE R155: Cybersecurity Regulation for Vehicles Explained
UNECE R155 is the binding cybersecurity regulation for vehicles. See the requirements, 2021–2024 deadlines, CSMS steps, and how it differs from ISO/SAE 21434.

Doc McConnell
Head of Policy and Compliance
TL;DR — The UNECE R155 cybersecurity regulation for vehicles is the first binding international rule requiring every manufacturer to run a certified Cybersecurity Management System (CSMS) and pass a cybersecurity type approval before sale. It has been mandatory for all new vehicles produced in UNECE markets since July 2024. The hardest part isn't the paperwork — it's proving you can see and monitor the third-party and open-source code buried inside your vehicle's software supply chain.
What is the UNECE R155 cybersecurity regulation for vehicles?
UNECE R155 is the first binding international regulation requiring vehicle manufacturers to run a certified Cybersecurity Management System and pass cybersecurity type approval before sale.
Developed by the United Nations Economic Commission for Europe under the WP.29 World Forum, R155 establishes uniform cybersecurity provisions for vehicle type approval. It moves cybersecurity from a "nice to have" engineering goal to a hard market-access requirement: no valid CSMS certificate, no approval, no sale. The regulation was adopted in 2020 and formally entered into force in January 2021, making vehicle cybersecurity a legal obligation across more than 50 contracting parties.
Who must comply with UN R155, and which vehicles does it cover?
UN R155 binds vehicle manufacturers seeking type approval in UNECE markets and covers category L, M, N and O vehicles fitted with electronic control units.
In practice that means passenger cars, vans, trucks, buses, trailers, and — under a proposed expansion — motorcycles, wherever they carry ECUs or automated-driving functions. Although the regulation directly obligates the OEM, its weight cascades down the value chain: Tier-1 and Tier-2 suppliers must supply cybersecurity evidence and participate in risk assessments, because the OEM is held accountable for components it didn't write. Any manufacturer selling into the EU, UK, Japan, or South Korea is in scope, including US- and Canada-based companies exporting to those markets.
When did UN R155 take effect, and what are the deadlines?
UN R155 entered into force in January 2021, became mandatory for new vehicle types in July 2022, and for all new vehicles from July 2024.
The rollout followed a two-phase model so OEMs could adapt: first new designs, then the entire production fleet. Regions outside the EU adopted the same framework on their own timelines, and the scope is still widening. The table below summarizes the global picture as it stands.
| Region / scope | Mandatory for new vehicle types | Mandatory for all new vehicles | Notes |
|---|---|---|---|
| EU & UNECE 1958 parties | July 2022 | July 2024 | Two-phase rollout; CSMS certificate valid up to 3 years |
| Japan | July 2022 (Jan 2024 if no OTA) | July 2024 (May 2026 if no OTA) | Transposed into type-approval system in 2021 |
| South Korea | Aug 14, 2025 | Phased thereafter | Uses a self-certification model |
| Motorcycles (Category L, proposed) | July 1, 2029 (proposed) | - | Expansion initiated via UNECE/CLEPA proposal |
What are the core requirements of a CSMS under R155?
A compliant CSMS must identify, assess and mitigate cyber risks across design, production and post-production, monitor vehicles in the field, and manage supplier dependencies.
R155 is built on cybersecurity-by-design and full-lifecycle accountability. The manufacturer has to prove its processes are real, repeatable, and continuously applied — not a one-time document produced for an audit. The seven core obligations break down as follows.
| Requirement | What the manufacturer must demonstrate |
|---|---|
| Cybersecurity Management System | Risk identification, assessment, and mitigation processes spanning development, production, and post-production |
| Risk assessment (TARA) | Analysis of software, hardware, and network architecture against the threats catalogued in Annex 5 |
| Security measures | Appropriate controls (secure coding, encryption, access control, vulnerability management) tied to assessed risk |
| Threat monitoring | Ongoing detection of new threats and vulnerabilities in vehicles already on the road |
| Incident response | Defined procedures to detect, investigate, and respond to attacks within a reasonable time |
| Supply-chain management | Verified cybersecurity practices across suppliers, service providers, and sub-organizations |
| Type approval | Evidence of compliance submitted to a designated Approval Authority before market entry |
Where do most R155 compliance programs actually fall short?
Most programs pass the paperwork but lose visibility into third-party and open-source code inside ECUs, the software supply chain where unmanaged vulnerabilities actually ship.
This is the part the glossy compliance decks skip. A modern vehicle runs over 100 million lines of code across 100-plus ECUs, and the majority of it is not written by the OEM. It's open-source libraries and binary blobs passed up from Tier-N suppliers. R155 makes the OEM accountable for vulnerabilities in all of it, including code it has no source for and can't easily inspect. A clean Threat Analysis and Risk Assessment (TARA) document proves you thought about risk; it does nothing to prove the firmware you're actually shipping is free of a known CVE in an embedded component three suppliers deep.
That gap, between paper compliance and binary truth, is where audits get uncomfortable and where real attacks land. Closing it requires component-level visibility into shipped binaries (not just source you happen to own) and continuous monitoring that keeps watching long after type approval is granted. Treat R155 as a documentation exercise and you'll pass the audit while remaining genuinely exposed.
How does R155 affect automotive product security teams?
R155 shifts product security teams from functional testing toward continuous vulnerability management, evidence gathering for type approval, and verifying cybersecurity across the entire supplier chain.
Three pressures land at once. Priorities move from "does it work" to "is it secure throughout its life," demanding vulnerability assessments, penetration testing, and secure coding as standing practices. The compliance burden is heavy: teams become the engine that produces and maintains the audit evidence. And the supply-chain clause makes them responsible for verifying security in software they didn't author, which is impossible without tooling that reads binaries and generates a software bill of materials (SBOM).
How can teams prepare for and stay compliant with R155?
Embed security by design, automate vulnerability scanning and SBOM generation, monitor shipped software continuously, and build an audit-ready evidence trail across every supplier tier.
The organizations that handle R155 well treat it as an operating model, not a project with an end date. Invest in security expertise, shift security left into design so issues are caught before costly rework, and lean on automation so a 100-ECU platform doesn't drown a small team in manual TARAs. Most importantly, make monitoring continuous: a vehicle compliant the day it ships can be exposed the day a new CVE drops in one of its open-source components.
How Finite State helps you meet R155
Finite State's automotive product security platform is built for exactly the blind spot above: the software inside connected devices and vehicles that traditional source-code tools never see:
- Deep binary & source analysis. Binary SAST plus source analysis with strong coverage of the languages common in embedded systems, so assessments reach the firmware you actually ship, not just the code you wrote.
- High-fidelity SBOMs. Auto-generated SBOMs in required formats (SPDX, CycloneDX), including transitive dependencies and their associated vulnerabilities, the evidence base R155's supply-chain clause demands.
- DevSecOps integration. SBOM generation at any stage of the SDLC with remediation guidance, embedding security from the first build rather than bolting it on before an audit.
- Continuous monitoring. Daily alerting on newly reported vulnerabilities in your deployed components, turning post-production monitoring from a checkbox into a live capability.
By pairing a real CSMS with binary-level visibility, product security teams can satisfy R155 and close the supply-chain gap it exposes. On the road to hyper-connected vehicles, cybersecurity isn't optional. It's the price of market access.
Frequently asked questions
What are the main requirements of UNECE R155 for vehicle manufacturers?
Manufacturers must operate a certified CSMS, run a TARA against the Annex 5 threat catalog, implement risk-based security controls, monitor and respond to threats over the vehicle's life, manage cybersecurity across their supply chain, and obtain type approval from a designated authority before sale.
What is the timeline and effective dates for UNECE R155 implementation globally?
R155 entered into force in January 2021. In the EU and UNECE markets it became mandatory for new vehicle types in July 2022 and for all new vehicles in July 2024. Japan and South Korea follow comparable timelines, and a proposed extension would bring motorcycles into scope around July 2029.
Which cybersecurity risk assessment methods are accepted for UNECE R155?
R155 requires a structured Threat Analysis and Risk Assessment (TARA) that examines a vehicle's software, hardware, and network architecture against the threats listed in the regulation's Annex 5 catalog. The regulation does not mandate one specific method, but the TARA methodology defined in ISO/SAE 21434 (Clause 15) is the most widely accepted way to produce acceptable evidence.
What is the relationship between UNECE R155 and UNECE R156?
They are complementary sister regulations adopted together under WP.29. R155 governs cybersecurity through a Cybersecurity Management System (CSMS), while R156 governs over-the-air and other software updates through a Software Update Management System (SUMS). Type approval generally requires valid certificates of compliance for both.
How do you implement a Cybersecurity Management System (CSMS) for R155 compliance?
Start by defining cybersecurity policy and governance, then build repeatable processes for risk identification, TARA, security requirements, vulnerability management, and incident response across design, production, and post-production. Add supplier interface agreements to push and verify requirements down the chain, generate continuous evidence (including SBOMs), and have an accredited technical service audit the system before approval.
What are the differences between UNECE R155 and the ISO/SAE 21434 standard?
R155 is a binding regulation that defines what must be achieved and is legally enforced through type approval. ISO/SAE 21434 is a voluntary technical standard that defines how to achieve it. R155 references 21434 as a suitable framework and a conformant 21434 implementation supplies most R155 evidence, but 21434 compliance alone does not guarantee approval, because R155 carries its own Annex 5 threat-catalog requirements.