Connected Vehicles

UNECE R155: Cybersecurity Regulation for Vehicles Explained

UNECE R155 is the binding cybersecurity regulation for vehicles. See the requirements, 2021–2024 deadlines, CSMS steps, and how it differs from ISO/SAE 21434.

Doc McConnell

Doc McConnell

Head of Policy and Compliance

April 9, 2026

TL;DR — The UNECE R155 cybersecurity regulation for vehicles is the first binding international rule requiring every manufacturer to run a certified Cybersecurity Management System (CSMS) and pass a cybersecurity type approval before sale. It has been mandatory for all new vehicles produced in UNECE markets since July 2024. The hardest part isn't the paperwork — it's proving you can see and monitor the third-party and open-source code buried inside your vehicle's software supply chain.

What is the UNECE R155 cybersecurity regulation for vehicles?

UNECE R155 is the first binding international regulation requiring vehicle manufacturers to run a certified Cybersecurity Management System and pass cybersecurity type approval before sale.

Developed by the United Nations Economic Commission for Europe under the WP.29 World Forum, R155 establishes uniform cybersecurity provisions for vehicle type approval. It moves cybersecurity from a "nice to have" engineering goal to a hard market-access requirement: no valid CSMS certificate, no approval, no sale. The regulation was adopted in 2020 and formally entered into force in January 2021, making vehicle cybersecurity a legal obligation across more than 50 contracting parties.

Who must comply with UN R155, and which vehicles does it cover?

UN R155 binds vehicle manufacturers seeking type approval in UNECE markets and covers category L, M, N and O vehicles fitted with electronic control units.

In practice that means passenger cars, vans, trucks, buses, trailers, and — under a proposed expansion — motorcycles, wherever they carry ECUs or automated-driving functions. Although the regulation directly obligates the OEM, its weight cascades down the value chain: Tier-1 and Tier-2 suppliers must supply cybersecurity evidence and participate in risk assessments, because the OEM is held accountable for components it didn't write. Any manufacturer selling into the EU, UK, Japan, or South Korea is in scope, including US- and Canada-based companies exporting to those markets.

When did UN R155 take effect, and what are the deadlines?

UN R155 entered into force in January 2021, became mandatory for new vehicle types in July 2022, and for all new vehicles from July 2024.

The rollout followed a two-phase model so OEMs could adapt: first new designs, then the entire production fleet. Regions outside the EU adopted the same framework on their own timelines, and the scope is still widening. The table below summarizes the global picture as it stands.

Region / scopeMandatory for new vehicle typesMandatory for all new vehiclesNotes
EU & UNECE 1958 partiesJuly 2022July 2024Two-phase rollout; CSMS certificate valid up to 3 years
JapanJuly 2022 (Jan 2024 if no OTA)July 2024 (May 2026 if no OTA)Transposed into type-approval system in 2021
South KoreaAug 14, 2025Phased thereafterUses a self-certification model
Motorcycles (Category L, proposed)July 1, 2029 (proposed)-Expansion initiated via UNECE/CLEPA proposal

What are the core requirements of a CSMS under R155?

A compliant CSMS must identify, assess and mitigate cyber risks across design, production and post-production, monitor vehicles in the field, and manage supplier dependencies.

R155 is built on cybersecurity-by-design and full-lifecycle accountability. The manufacturer has to prove its processes are real, repeatable, and continuously applied — not a one-time document produced for an audit. The seven core obligations break down as follows.

RequirementWhat the manufacturer must demonstrate
Cybersecurity Management SystemRisk identification, assessment, and mitigation processes spanning development, production, and post-production
Risk assessment (TARA)Analysis of software, hardware, and network architecture against the threats catalogued in Annex 5
Security measuresAppropriate controls (secure coding, encryption, access control, vulnerability management) tied to assessed risk
Threat monitoringOngoing detection of new threats and vulnerabilities in vehicles already on the road
Incident responseDefined procedures to detect, investigate, and respond to attacks within a reasonable time
Supply-chain managementVerified cybersecurity practices across suppliers, service providers, and sub-organizations
Type approvalEvidence of compliance submitted to a designated Approval Authority before market entry

Where do most R155 compliance programs actually fall short?

Most programs pass the paperwork but lose visibility into third-party and open-source code inside ECUs, the software supply chain where unmanaged vulnerabilities actually ship.

This is the part the glossy compliance decks skip. A modern vehicle runs over 100 million lines of code across 100-plus ECUs, and the majority of it is not written by the OEM. It's open-source libraries and binary blobs passed up from Tier-N suppliers. R155 makes the OEM accountable for vulnerabilities in all of it, including code it has no source for and can't easily inspect. A clean Threat Analysis and Risk Assessment (TARA) document proves you thought about risk; it does nothing to prove the firmware you're actually shipping is free of a known CVE in an embedded component three suppliers deep.

That gap, between paper compliance and binary truth, is where audits get uncomfortable and where real attacks land. Closing it requires component-level visibility into shipped binaries (not just source you happen to own) and continuous monitoring that keeps watching long after type approval is granted. Treat R155 as a documentation exercise and you'll pass the audit while remaining genuinely exposed.

How does R155 affect automotive product security teams?

R155 shifts product security teams from functional testing toward continuous vulnerability management, evidence gathering for type approval, and verifying cybersecurity across the entire supplier chain.

Three pressures land at once. Priorities move from "does it work" to "is it secure throughout its life," demanding vulnerability assessments, penetration testing, and secure coding as standing practices. The compliance burden is heavy: teams become the engine that produces and maintains the audit evidence. And the supply-chain clause makes them responsible for verifying security in software they didn't author, which is impossible without tooling that reads binaries and generates a software bill of materials (SBOM).

How can teams prepare for and stay compliant with R155?

Embed security by design, automate vulnerability scanning and SBOM generation, monitor shipped software continuously, and build an audit-ready evidence trail across every supplier tier.

The organizations that handle R155 well treat it as an operating model, not a project with an end date. Invest in security expertise, shift security left into design so issues are caught before costly rework, and lean on automation so a 100-ECU platform doesn't drown a small team in manual TARAs. Most importantly, make monitoring continuous: a vehicle compliant the day it ships can be exposed the day a new CVE drops in one of its open-source components.

How Finite State helps you meet R155

Finite State's automotive product security platform is built for exactly the blind spot above: the software inside connected devices and vehicles that traditional source-code tools never see:

  • Deep binary & source analysis. Binary SAST plus source analysis with strong coverage of the languages common in embedded systems, so assessments reach the firmware you actually ship, not just the code you wrote.
  • High-fidelity SBOMs. Auto-generated SBOMs in required formats (SPDX, CycloneDX), including transitive dependencies and their associated vulnerabilities, the evidence base R155's supply-chain clause demands.
  • DevSecOps integration. SBOM generation at any stage of the SDLC with remediation guidance, embedding security from the first build rather than bolting it on before an audit.
  • Continuous monitoring. Daily alerting on newly reported vulnerabilities in your deployed components, turning post-production monitoring from a checkbox into a live capability.

By pairing a real CSMS with binary-level visibility, product security teams can satisfy R155 and close the supply-chain gap it exposes. On the road to hyper-connected vehicles, cybersecurity isn't optional. It's the price of market access.

Frequently asked questions

What are the main requirements of UNECE R155 for vehicle manufacturers?

Manufacturers must operate a certified CSMS, run a TARA against the Annex 5 threat catalog, implement risk-based security controls, monitor and respond to threats over the vehicle's life, manage cybersecurity across their supply chain, and obtain type approval from a designated authority before sale.

What is the timeline and effective dates for UNECE R155 implementation globally?

R155 entered into force in January 2021. In the EU and UNECE markets it became mandatory for new vehicle types in July 2022 and for all new vehicles in July 2024. Japan and South Korea follow comparable timelines, and a proposed extension would bring motorcycles into scope around July 2029.

Which cybersecurity risk assessment methods are accepted for UNECE R155?

R155 requires a structured Threat Analysis and Risk Assessment (TARA) that examines a vehicle's software, hardware, and network architecture against the threats listed in the regulation's Annex 5 catalog. The regulation does not mandate one specific method, but the TARA methodology defined in ISO/SAE 21434 (Clause 15) is the most widely accepted way to produce acceptable evidence.

What is the relationship between UNECE R155 and UNECE R156?

They are complementary sister regulations adopted together under WP.29. R155 governs cybersecurity through a Cybersecurity Management System (CSMS), while R156 governs over-the-air and other software updates through a Software Update Management System (SUMS). Type approval generally requires valid certificates of compliance for both.

How do you implement a Cybersecurity Management System (CSMS) for R155 compliance?

Start by defining cybersecurity policy and governance, then build repeatable processes for risk identification, TARA, security requirements, vulnerability management, and incident response across design, production, and post-production. Add supplier interface agreements to push and verify requirements down the chain, generate continuous evidence (including SBOMs), and have an accredited technical service audit the system before approval.

What are the differences between UNECE R155 and the ISO/SAE 21434 standard?

R155 is a binding regulation that defines what must be achieved and is legally enforced through type approval. ISO/SAE 21434 is a voluntary technical standard that defines how to achieve it. R155 references 21434 as a suitable framework and a conformant 21434 implementation supplies most R155 evidence, but 21434 compliance alone does not guarantee approval, because R155 carries its own Annex 5 threat-catalog requirements.

Doc McConnell

Doc McConnell

Head of Policy and Compliance

Doc McConnell is a public policy and cybersecurity leader with over a decade of experience shaping national technology policy within the U.S. government. Prior to joining Finite State, he led strategic policy development for federal cybersecurity at the Cybersecurity and Infrastructure Security Agency and served as a policy advisor within the White House Office of Management and Budget.

Doc holds a Master of Information and Cybersecurity from the University of California, Berkeley, and a Master of Public Policy from the University of Virginia. He is a Certified Information Systems Security Professional (CISSP).

Ready to Level Up Your Security Knowledge?

Join thousands of security professionals learning from the best in the industry

Start Learning TodayStart Learning Today
Finite StateFinite State

Finite State is the Product Security Automation Platform that functions as an autonomous Product Security OS: design → verify → prove, grounded in what you ship.

Platform

Platform Overview
Ground Truth Inventory
Exploitability-Based Prioritization
Design-Time Architecture Security
Automated Evidence-Backed Compliance

Solutions

Device Manufacturers
Automotive
Medical Devices
Energy & Utilities
Government
Industrial

Resources

Blog
Resource Library
Webinars & Videos
Events
Documentation

Company

About Us
CareersHIRING
Press & News
Contact Sales
Media Inquiries
X

© 2026 Finite State. All rights reserved.

Privacy PolicyTerms of UseCustomer Terms and Conditions
Finite StateFinite State
Finite StateFinite State