UN R155 Certification Service

Intelligent connected vehicles have become a core trend in the automotive industry. With the digitalization of in-vehicle systems, extended automotive IT architecture and iterative software applications, cyber security risks such as vehicle hacking have drawn global attention. UN R155 is a mandatory regulation formulated to strengthen automotive cyber security governance and standardize risk prevention capabilities across the industry.

What is UN R155

UNECE (United Nations Economic Commission for Europe) manages global vehicle regulation coordination through the WP.29 forum. In June 2020, WP.29 issued three key regulations for intelligent connected vehicles:

R155: Cyber Security Regulation

R156: Software Update & OTA Regulation

R157: Automated Lane-Keeping Systems Regulation

As a mandatory type approval standard officially enforced from July 2022, UN R155 focuses on vehicle cyber security management and risk control, serving as a compulsory market access threshold for vehicles exported to Europe and UNECE member states.

Understanding Vehicle Type Approval

Vehicle type approval is an official certification process to verify that vehicles and components comply with legal and technical regulations, equivalent to a market access permit. All vehicles sold in regional markets must pass local type approval. UNECE regulations are widely adopted in Europe and related member countries, and their technical requirements have become an important reference for global automotive compliance standards.

The Influence of UN R155 on the Automotive Industry

01
Domestic automotive mandatory certification such as 3C will gradually incorporate cyber security requirements with reference to UN R155, accelerating the improvement of China’s intelligent vehicle safety standard system.
02
A large number of domestic automakers and new energy vehicle brands are expanding European export business, and UN R155 compliance has become a necessary condition for overseas layout.
03
Global automotive supply chains adopt unified safety benchmark standards. Chip suppliers, component manufacturers and tier‑1 suppliers will coordinate design solutions based on international cyber security regulations.

UN R155 Official Effective Timeline

Two Core Compliance Deadlines

01July 1, 2022

New vehicle models and new electronic architecture platforms must complete UN R155 cyber security type approval as part of WVTA. Minor facelift models without electrical and electronic changes are temporarily exempted; models with changes to in‑vehicle systems or ADAS functions are deemed new platforms and must comply.
02July 1, 2024

All non-discontinued in-production vehicles must obtain UN R155 certification. Legacy models need to optimize electronic architecture and upgrade safety solutions to meet mandatory regulatory requirements for continuous sales.

Relationship Between UN R155 and ISO 21434

UN R155 regulation and ISO/SAE 21434 road vehicle cyber security engineering standards are developed synchronously and complementary to each other.

Standards VS Regulations

ISO/SAE 21434 is a recommended industry standard, providing systematic cyber security development frameworks, risk assessment methods and engineering guidelines for the automotive industry, with non-mandatory attributes.

UN R155 is a legally binding mandatory regulation. Vehicles cannot obtain European type approval and cannot be sold in regulated markets without compliance. The regulation cites ISO 21434 as the core implementation basis, and enterprises can efficiently meet regulatory requirements by following ISO 21434 engineering specifications.

In terms of application scope: ISO 21434 is applicable to the full life cycle research and development of OEMs and component suppliers; UN R155 targets complete vehicle manufacturers, focusing on complete vehicle type approval and market access supervision.

UN R155 Core Content Overview

UN R155 consists of main regulatory clauses and official appendices, covering certification rules, marking requirements, certificate management, threat analysis and mitigation measures. Chapter 7 and Appendix 5 are the core focus, defining two mandatory requirements:

1. Establish and maintain a complete Cybersecurity Management System (CSMS), applicable to the overall organizational management system.

2. Complete targeted cyber security risk identification, assessment and control for each vehicle model throughout the life cycle.

Different from ISO 21434, UN R155 focuses on systematic management and landing supervision. The CSMS system audit is the basic requirement for certification, covering organizational process formulation, responsibility division, full-life cycle threat management and network attack defense mechanisms. Each vehicle model must complete independent risk assessment, and demonstrate compliance with standardized threat mitigation measures in Appendix 5 during type approval.

Appendix 5 is divided into Part A and Part B: Part A lists common threat vulnerabilities and attack vectors such as cloud server unauthorized access, background data leakage and remote control intrusion; Part B provides unified reference mitigation strategies for typical risks such as communication data tampering and illegal node forgery.

Figure 4: UN R155 Threat Catalogue Excerpt

Corresponding mitigation measures include identity authentication, data encryption, communication verification, access restriction and fault monitoring, which form a closed-loop safety protection system for vehicle networking terminals, channels and background platforms.

Figure 5: UN R155 Mitigation Measure Excerpt

UN R155 Compliance Implementation Plan

01CSMS System Audit

Optimize the enterprise cyber security management system in accordance with UN R155 requirements, sort out process documents, division of responsibilities and risk management mechanisms, and pass official institutional audits to obtain CSMS qualification certificate, which is valid for long-term use by the organization.
02Vehicle Model Compliance Certification

Combine vehicle electronic and electrical architecture characteristics to carry out full-dimensional threat analysis, complete safety function development and performance testing, verify the effectiveness of anti-attack measures, and provide test reports and risk assessment materials for complete vehicle type approval to meet UN R155 model certification requirements.

Summary

With the rapid development of intelligent connected vehicles, automotive cyber security has become a global regulatory focus. UN R155, as the first mandatory vehicle cyber security regulation, has fully covered the European market and will continue to radiate and affect the iteration of domestic and international standards.

China is accelerating the formulation of localized automotive cyber security regulations with reference to UN R155. Complete intelligent vehicle safety standard systems such as vehicle networking, smart gateway and data security are being improved. For export-oriented automakers and supporting suppliers, advancing UN R155 compliance layout in advance is the key to expanding overseas markets and enhancing core competitiveness.