Connected Vehicles

ISO 21434 Compliance: What It Requires and How Finite State Helps

Explore ISO/SAE 21434, the key standard for cybersecurity in road vehicles, and how the Finite State Next Generation Platform can help

Doc McConnell

Doc McConnell

Head of Policy and Compliance

January 21, 2026
TL;DR: ISO/SAE 21434 is the international standard for building cybersecurity into road vehicles across their whole lifecycle. It tells automotive OEMs and suppliers how to manage cyber risk, run threat analysis, and document the proof. The hard part isn't the process. It's proving that what you actually shipped matches what you designed, and that's where Finite State comes in.

Modern vehicles are computers on wheels. They run on connected software, take over-the-air updates, and talk to everything around them. That connectivity is also an attack surface, and the industry now has one standard that defines how to engineer against it. This guide explains what ISO 21434 requires, how compliance is assessed, and how to back it all up with evidence grounded in what you ship.

What is the ISO/SAE 21434:2021 standard?

ISO/SAE 21434:2021 is the international standard for automotive cybersecurity engineering. It defines how to manage cyber risk across a vehicle's entire lifecycle, from concept to decommissioning.

Published in August 2021 by ISO and SAE International, a worldwide association of over 128,000 engineers, the standard carries the official title "Road Vehicles: Cybersecurity Engineering." It targets the electrical and electronic (E/E) systems inside road vehicles: their components, their interfaces, and the software running on them. It supersedes the earlier SAE J3061 guidebook and gives the whole supply chain a shared vocabulary and a shared set of requirements. For the wider regulatory picture, see our primer on automotive cybersecurity standards.

Who needs to comply with ISO 21434?

ISO 21434 applies to automotive OEMs and their suppliers: any organization designing, developing, or maintaining the electrical and electronic systems inside road vehicles.

The standard isn't a law on its own, but it has become a practical requirement. Regulations like the UNECE WP.29 framework and UN Regulation No. 155 (R155) effectively require a Cyber Security Management System (CSMS) of the kind ISO 21434 describes. [verify outbound URL before publishing] If you build or supply anything that ships inside a connected vehicle, this standard reaches you. Our connected vehicles industry page walks through where it lands across the supply chain.

What's the difference between ISO 26262 and ISO 21434?

ISO 26262 covers functional safety: failures that happen by accident. ISO 21434 covers cybersecurity: failures caused on purpose by an attacker. They are complementary and usually run together.

For years the automotive industry managed safety through ISO 26262, which handles the risk of a system malfunctioning on its own. It was never built to handle an attacker who makes a system fail deliberately. ISO 21434 fills that gap. The two standards share a lot of structure, which is why teams often implement them side by side.

ISO 26262ISO/SAE 21434
FocusFunctional safetyCybersecurity engineering
Risk sourceAccidental faults and malfunctionsDeliberate attacks
Core risk methodHARA (Hazard Analysis and Risk Assessment)TARA (Threat Analysis and Risk Assessment)
ScopeE/E systems, safety lifecycleE/E systems, full cybersecurity lifecycle
First published2011 (2nd edition 2018)2021
RelationshipComplementary; concept phases alignComplementary; references 26262 at concept phase

What is the ISO 21434 TARA methodology?

TARA, or Threat Analysis and Risk Assessment, is the core method in ISO 21434. It identifies assets, threats, and attack paths, then scores the risk so teams know what to treat first.

TARA lives in Clause 15 of the standard and feeds the concept phase. The job of TARA is to figure out how badly a road user could be affected by a given threat, then decide what to do about it. The steps are well known to anyone who has run one:

  1. Asset identification: list what needs protecting (data, functions, interfaces).
  2. Threat scenario identification: derive how each asset could be attacked. Methods like STRIDE apply here.
  3. Impact rating: judge the safety, financial, operational, and privacy impact if the threat lands.
  4. Attack path analysis: map how an attacker would actually reach the asset.
  5. Attack feasibility rating: judge how hard that path is to pull off.
  6. Risk determination: combine impact and feasibility into a risk value.
  7. Risk treatment: decide to reduce, share, retain, or avoid each risk.

Most TARA noise comes from threats that look scary on paper but aren't reachable in the shipped build. Reachability analysis cuts that noise by showing which vulnerable code an attacker can actually get to, so your team spends its time on real exposure instead of theoretical findings.

How do you implement ISO 21434 across the automotive supply chain?

Implementing ISO 21434 means assigning cybersecurity responsibilities between OEMs and suppliers in writing, then verifying every party's work against the standard's clauses and work products.

No single company builds an entire vehicle. The standard handles that reality in Clause 7 with distributed cybersecurity activities: OEMs and suppliers spell out who owns what in a Cybersecurity Interface Agreement, and each party evaluates the cybersecurity capability of the parties below it. The standard is modular on purpose. A Tier 2 supplier can't validate a component at the vehicle level, so it implements the clauses that apply to its role and hands defensible evidence up the chain. The practical work is the same at every tier: define responsibilities, do the engineering, and produce the work products that prove it.

What are the benefits of ISO 21434 certification for Tier 1 suppliers?

For Tier 1 suppliers, ISO 21434 certification proves cybersecurity maturity to OEMs, shortens supplier audits, and turns security into a competitive reason to win contracts.

OEMs are under regulatory pressure, and they push that pressure down to their suppliers. A Tier 1 that can show certified processes and product-level evidence gets through supplier assessments faster and with less back-and-forth. The benefits stack up quickly:

  • Faster onboarding: less time spent answering OEM security questionnaires from scratch.
  • Fewer surprises late in a program: risk is found in the concept phase, not at vehicle validation.
  • Stronger negotiating position: security becomes a reason to win the business, not a box to check.
  • Regulatory readiness: alignment with UN R155 and related rules is already in place.

What's on an ISO 21434 compliance checklist?

An ISO 21434 checklist covers organizational controls, project planning, TARA, requirements, verification, and post-production monitoring, each backed by documented work products for assessors.

The standard organizes everything into clauses, and each clause produces "work products," its term for the evidence you'll be asked to show. Here's how the core obligations and deliverables map out.

Area (Clause)What you must doWork product / evidence
Organizational management (Cl. 5)Set cybersecurity policy, rules, roles, and competenceCybersecurity policy and governance records
Project management (Cl. 6)Plan project-level cybersecurity activitiesCybersecurity plan, cybersecurity case
Distributed activities (Cl. 7)Assign responsibilities between OEM and suppliersCybersecurity Interface Agreement
Continual activities (Cl. 8)Monitor, triage, and manage vulnerabilitiesVulnerability analysis and triage records
Concept (Cl. 9)Run TARA, set cybersecurity goals and requirementsTARA, cybersecurity goals
Product development (Cl. 10)Implement and verify cybersecurity requirementsSpecifications and verification reports
Validation (Cl. 11)Validate cybersecurity at the vehicle levelValidation report
Production (Cl. 12)Secure manufacturing and assemblyProduction control plan
Operations & maintenance (Cl. 13)Run incident response and updatesIncident response plan, update records
End of support (Cl. 14)Define support end date and decommissioningSupport-end communication
TARA methods (Cl. 15)Apply the modular TARA methodsTARA work products

How is ISO 21434 compliance assessed?

ISO 21434 compliance is assessed two ways: an audit of your cybersecurity management system, and a product-level assessment of a specific item or component.

The CSMS audit checks that your organization has the policies, roles, and processes in place. The product-level assessment checks one actual item against the standard. Both depend on the same thing: evidence. You can describe a perfect process in a binder, but an assessor wants proof that the product in front of them was engineered and verified the way you say it was. That's the difference between a process that looks compliant and a product that demonstrably is.

How does Finite State help with ISO 21434?

Finite State supports ISO 21434 by analyzing the firmware you actually ship, prioritizing real vulnerabilities for TARA, and generating audit-ready evidence mapped to the standard.

Here's the gap most teams hit. ISO 21434 tells you how to manage risk, but it leaves the what to you, and a lot of compliance work is built on design documents and source code. The software that rolls off the line is the binary inside the ECU, and that's what an attacker sees. If your evidence describes the design but never checks the shipped build, you have a process story without a product story.

Finite State closes that gap by grounding compliance in what actually ships:

  • Analysis of the real build. Our ground-truth software inventory analyzes firmware, binaries, and supplier SBOMs to show what's truly inside the component, including the parts no one documented.
  • Prioritization that matches TARA. Instead of drowning teams in raw findings, we use reachability and exploit context to surface the vulnerabilities that represent real exposure, which is exactly the judgment TARA asks for.
  • Evidence that maps to the standard. We produce reporting that lines up with ISO/SAE 21434 work products and supports your CSMS, with custom export formats built to match your specific reporting needs.

We work in lock-step with your team. Give us your reporting requirements and we'll productize an export format that meets them, then keep it current as the standard and your program evolve. The goal is simple: not a binder that looks compliant, but a product you can prove is secure.

Want to see what's really inside your firmware before an assessor does? Request a demo and we'll walk through it with your own build.

Related reading on automotive cybersecurity

Standards and regulations

  • A primer on automotive cybersecurity standards
  • Exploring standards and regulations for automotive cybersecurity
  • Navigating automotive regulatory compliance in the age of connected devices
  • What's next for automotive cybersecurity
  • China GB 44495 and GB 44496 compliance guide

UN R155 and the U.S. Connected Vehicle Rule

  • A look at the UN R155 regulation for connected vehicles
  • Understanding the Connected Vehicle Rule
  • Connected Vehicle Rule compliance

SBOMs in automotive

  • SBOMs and their role in connected automotive cybersecurity
  • Requesting, acquiring, and getting value from SBOMs in automotive
  • The role of SBOMs in CASE vehicles

Broader connected-device security

  • Connected device security challenges

Datasheets and resources

  • Automotive compliance and security management datasheet
  • Supply chain transparency, risk management, and compliance for the auto sector
Doc McConnell

Doc McConnell

Head of Policy and Compliance

Doc McConnell is a public policy and cybersecurity leader with over a decade of experience shaping national technology policy within the U.S. government. Prior to joining Finite State, he led strategic policy development for federal cybersecurity at the Cybersecurity and Infrastructure Security Agency and served as a policy advisor within the White House Office of Management and Budget.

Doc holds a Master of Information and Cybersecurity from the University of California, Berkeley, and a Master of Public Policy from the University of Virginia. He is a Certified Information Systems Security Professional (CISSP).

Ready to Level Up Your Security Knowledge?

Join thousands of security professionals learning from the best in the industry

Start Learning TodayStart Learning Today
Finite StateFinite State

Finite State is the Product Security Automation Platform that functions as an autonomous Product Security OS: design → verify → prove, grounded in what you ship.

Platform

Platform Overview
Ground Truth Inventory
Exploitability-Based Prioritization
Design-Time Architecture Security
Automated Evidence-Backed Compliance

Solutions

Device Manufacturers
Automotive
Medical Devices
Energy & Utilities
Government
Industrial

Resources

Blog
Resource Library
Webinars & Videos
Events
Documentation

Company

About Us
CareersHIRING
Press & News
Contact Sales
Media Inquiries
X

© 2026 Finite State. All rights reserved.

Privacy PolicyTerms of UseCustomer Terms and Conditions
Finite StateFinite State
Finite StateFinite State
Get a DemoGet a Demo