There’s been a lot of discussion about how different countries practise vehicle cybersecurity regulation alongside UN Regulation No. 155. What’s always especially interesting is reliable information on the respective national auditing practices that OEMs must face with their vehicles. Below, we’ll explore the current situation in South Korea. We will attempt to identify success factors and how companies can prepare for the associated audit. Here’s the bottom line: Korean vehicle cybersecurity regulations appear to represent a turning point in auditing practice.
Felix Roth
The Korea Vehicle Cyber Security Regulation has been in force in South Korea since August 14, 2025. It covers new vehicle types and marks an important move toward standardizing cybersecurity in the country’s automotive sector. The regulation falls under South Korea’s Ministry of Land, Infrastructure and Transport (MOLIT) and connects to the Motor Vehicle Management Act. It’s South Korea’s version of UN Regulation No. 155, and it’s now officially adopted and legally binding.
Brief Look at South Korea’s Unique Approach to Vehicle Cybersecurity Regulation
Just a quick side note: South Korea has a distinctive position in international vehicle cybersecurity regulation. While the country officially signed the 1958 UNECE Convention, it kept the right to opt out of specific UN regulations. This gives South Korea the flexibility to create its own cybersecurity regulations designed for its national market. These regulations build on UNR155 but can be much more detailed and specific.
That’s exactly what happened with the regulation that’s now in effect. It’s based on changes to the Motor Vehicle Control Act and sets mandatory requirements for the Cybersecurity Management System (CSMS).
What makes the Korean regulation different from other international standards is how incredibly detailed it is. The preliminary official audit checklist contains roughly 140 specific requirements drawn from UN R155, ISO/SAE 21434, and national specifications. Here’s what matters: The UNR155 interpretations (which are normally just informative guidance) are treated as mandatory requirements in Korea. This is why the regulation is so detailed, as we’ll discuss more below.
The timeline is already set: Starting in August 2025, new vehicle types must comply. By August 2027, all vehicles sold in the country must meet these requirements.
Key Success Factors for the Korea Vehicle Cyber Security Audit
Since the regulation came into force in August 2025, the first CSMS audits have been happening in South Korea. The experience from these early audits is already giving us valuable insights into how the audits work and what’s actually required. Despite initial concerns in the industry, Korean authorities are showing they’re willing to work cooperatively and flexibly, while still firmly enforcing the requirements they expect.
These first audits likely serve more than just a basic compliance check. They’re probably also being used to improve the existing audit checklist and work with industry to clarify how requirements should be interpreted. The emphasis is on realistic processes and established industry practices. This open conversation between regulators and industry shows that even though the regulation is extremely detailed (on paper), the approach allows enough flexibility for specific implementations.
Korean authorities are willing to accept existing company-specific processes, as long as OEMs can explain why they work in a clear, easy-to-understand, and logical way.
That said, it’s important to recognize that moving from a generic global CSMS based on UN R155 to a CSMS that meets Korean regulatory specifications is a significant challenge that shouldn’t be taken lightly.
The special characteristics and related recommendations outlined below are designed to give you an initial overview of the most critical areas you need to focus on for the Korea Vehicle Cyber Security Audit:
1. Know Your Documents as a Success Factor – Complete Understanding and Consistent Traceability are Essential
The most important success factor for passing a Korea Vehicle Cyber Security Regulation audit is systematic evidence management. This might sound obvious, but it’s absolutely critical for proving to authorities that you’ve implemented cybersecurity measures.
The days of surface-level evidence and documentation seem to be over in vehicle cybersecurity: What’s required now is complete traceability across all development phases and components. Since existing international UNR155 CSMS certification doesn’t replace Korean certification, OEMs are required to be able to consistently present, explain, and document the full scope and depth of their CSMS with all relevant artifacts.
OEMs need to understand that compliance isn’t just an organizational and certification matter—it’s an in-depth, document-driven verification process. The need for a consistent documentation landscape with a focus on real evidence is now more important than ever. The focus is not on the existence of the CSMS, but on its traceable, consistent, and verifiable documentation.
This includes the complete recording of guidelines, processes, risk analyses, responsibilities, and technical evidence. Every technical requirement, every design decision, and every security measure must be documented for the authorities and explained with appropriate evidence.
As a rule of thumb, a CSMS is only considered reliable from a regulatory perspective if its documents are understood in terms of content, kept up to date, and linked to each other without contradictions.
Traceability as a Continuous Chain of Explanation
In the Korean understanding of CSMS, traceability is not a formal property of individual documents — it’s a continuous chain of explanation across the organization, technology, and supply chain. During audits, OEMs must be able to conclusively demonstrate how cyber risks are identified, assessed, addressed, and monitored throughout the entire vehicle lifecycle – using specifically linked evidence.
Cybersecurity in the Supply Chain
The role of suppliers is central. Contracts, purchase orders, and technical orders become critical documentation artifacts. They must contain explicit cybersecurity requirements and can’t rely on implicit expectations or general quality clauses. Compliance with these requirements must be documented, verifiable, and auditable. Every supplier order thus becomes a potential entry point for the audit.
Cross-Lifecycle Consistency
These relationships must remain consistent throughout the entire product lifecycle. Traceability starts with requirements gathering and continues through development, production, and operation into the post-production phase. Particularly relevant: risk analysis as a living process. Risks must not be documented as a one-time snapshot, but must be recognizable as a continuously reviewed basis for decision-making that responds to new threats, system changes, or insights from the field.
For OEMs, “know your documents” means being able to explain the contextual relationships between contracts, system architecture, risk analyses, and organizational CSMS requirements at any time.
Only this holistic, lifecycle-spanning traceability creates the transparency required by regulations and forms the basis for a successful audit.
2. Verifiable Evidence at Vehicle and Component Level Instead of Formal CSMS Claims
As already shown, the Korean regulation marks a paradigm shift: general statements on cybersecurity are being replaced by concrete, verifiable evidence. The OEM must declare that the vehicle has been developed in accordance with CSMS and is secure, which also includes the involvement of suppliers.
So far, so good.
The technical service involved now systematically checks this declaration at several levels during the audit:
- At the component level, for example, individual electronic control units and their specific security features are analyzed.
- At the system level, the interaction between different vehicle systems is evaluated.
- Finally, at the vehicle level, a holistic view of all security aspects in interaction is taken.
A pure self-assessment, or in other words, a pure thesis in which an OEM makes a blanket claim that it meets all cybersecurity requirements, is no longer sufficient. In case of doubt, Korean authorities can even verify these declarations through their own tests or withdraw vehicles from circulation.
This means that during the audit, every statement on cybersecurity must be backed up by concrete evidence.
Detailed Evidence for Each Development Step
General information or only (prepared) examples are therefore generally no longer sufficient. The technical service expects detailed evidence for each individual development step.
This begins with the initial risk analysis, which must not only be carried out but also documented with concrete threat scenarios, assessments, and justifications.
The implementation of protective measures must be presented in an understandable way, as must their validation, also with regard to the suppliers involved and their contributions. Continuous monitoring in the field also requires concrete evidence – monitoring reports, incident logs, and response documentation.
Worth noting is the detailed knowledge that local technical services have about markets, manufacturers, and current vehicle products. They seem to conduct implicit or systematic cross-comparisons between different OEMs in the South Korean market.
This significantly reduces room for interpretation and forces manufacturers to justify their specific development steps and procedures in detail.
- Why was this security measure chosen?
- What alternatives were considered?
- How was its effectiveness validated?
These questions require substantial, evidence-based answers.
The Korean cybersecurity regulations represent a fundamental change in two ways, especially for OEMs with long-established structures:
- First, they must disclose their internal methods — especially in cybersecurity engineering and management at the vehicle level — in a way that external auditors can truly understand and evaluate in depth. What may have previously been taken for granted must now be explicitly described: established practices, internal logic, and unspoken assumptions.
- Second, OEMs must also explain in an understandable way why their processes or decisions differ from industry standards (like ISO/SAE 21434) — if they do. Such differences require an understandable justification, clear documentation, and consistent integration into the overall CSMS.
3. South Korea = UNR155 Audits Next Level? About the High Level of In-Depth Investigation
What exactly is meant by the new dimension of audit depth and intensity in South Korean vehicle cybersecurity audits?
A CSMS in accordance with UNR155 is intentionally designed to be principle-based and risk-based. In the audit practice of UNECE member states, this has resulted in an approach that focuses heavily on process descriptions, formal evidence, and plausibility checks.
Typical UNR155 audits focus on the existence of a documented CSMS, defined roles and responsibilities, abstract risk-based development work, and exemplary evidence in accordance with Annex 5. The depth of the audit often remains at the level of systematics: “Is a process defined?” and “Is it fundamentally suitable for addressing cyber risks?”
The Korean regulation raises this approach to a significantly higher technical and operational level. To put it bluntly, but with a grain of truth: What has been considered adequately documented in Europe (and other parts of the UNECE world) in recent years often proves to be too superficial in the Korean context.
South Korea is transforming the thoroughly generic framework of UNR155 into a highly granular, operationalized catalog of requirements. (Specifically, there is an official checklist with around 140 detailed requirements derived from UNR155, ISO/SAE 21434, and national specifications. This is comparable to the equally granular evidence-based Chinese approach of GB 44495.)
The focus shifts from the mere existence of processes to the robust demonstration of their actual application and effectiveness.
The risk-based approach is not replaced, but rather made concrete by precise audit questions that require in-depth evidence. This results in an audit depth that goes far beyond previous audits in accordance with various vehicle cybersecurity regulations and standards.
Greater Detail Required
While conventional UNR155 audits, for example, often work with summary risk analyses, sample TARA extracts, and aggregated lists of measures, the Korean approach requires traceability down to the component, function, and measure level. (This becomes particularly relevant in self-assessment, where all these details are required.)
Risks must not only be identified, but also clearly assigned to individual technical elements, software versions, supplier contributions, and specific protective measures. Generic statements at the system level without a solid technical basis are not readily accepted.
A Key Difference: The Type of Evidence Review
Is it sufficient to simply submit guidelines, process descriptions, training concepts, or management reviews? No.
Korean technical services also like to request dedicated proof of actual implementation: logs, configuration extracts, test reports, version statuses, specific tool outputs, and traceable decision documentation.
Claimed measures must be verifiable – purely declarative statements lose their validity. (This underscores the importance of “Know your Documents,” see above.)
The role of technical services also differs. While UNR155 audits in many regions are highly formalized and checklist-oriented, Korean auditors demonstrate a strong understanding of technical details.
The questionnaire isn’t static but is expanded depending on the situation. Questions aim to understand the actual functioning of the protective measures, not just obtaining a general description.
This means that we are now at a significantly different level in auditing vehicle cybersecurity (and CSMS) than we were half a decade ago, when UNR155 and ISO/SAE 21434 found their way into practice. Even for technical services, continuous professional development in the field of vehicle cybersecurity and a constant focus on best practices now seem to be part of everyday life.
The Vehicle Product Lifecycle in the Korea Vehicle Security Audit
The vehicle product lifecycle is also of particular importance. In UNR155 audits, this was often only addressed in abstract terms – for example, through the existence of a risk update process or an incident response concept. Korean regulations, on the other hand, require proof that these processes are actually applied iteratively.
Reiterations of cyber risk analysis must be specifically documented, including triggers, changes in assessment, and measures derived from them.
Post-production phases, software updates, and field observations are not accepted as theoretical concepts, but are also required as auditable reality.
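The traceability chain described in “Know Your Documents” and in the sections on component-level evidence and risk reiterations can be checked mechanically before an audit. The following is an added example, not code from the article or from any regulator: the data model (risk → technical element, software version, protective measure → supplier order and validation evidence; re-assessments with a recorded trigger) and the gap rules are assumptions that mirror the article’s points, and the dossier entries are constructed sample data.

```python
"""Evidence-traceability gap check for a CSMS audit dossier (added example)."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Risk:
    rid: str
    component: str                 # technical element the risk is assigned to
    sw_version: str                # software version the assessment refers to
    measures: List[str]            # ids of protective measures addressing it
    # (trigger, outcome) pairs: each re-assessment must name what triggered it
    reassessments: List[Tuple[str, str]] = field(default_factory=list)


@dataclass
class Measure:
    mid: str
    supplier: Optional[str]        # None when implemented in-house
    supplier_order: Optional[str]  # purchase/technical order carrying the requirement
    evidence: List[str]            # ids of test reports, config extracts, logs


@dataclass
class Evidence:
    eid: str
    kind: str                      # "test_report", "config_extract", "log"
    result: str                    # "pass", "fail", "open", "n/a"


def find_gaps(risks, measures, evidence):
    """Return audit findings as (item id, finding) tuples; empty means no gap."""
    findings = []
    m_by_id = {m.mid: m for m in measures}
    e_by_id = {e.eid: e for e in evidence}
    for r in risks:
        if not r.measures:
            findings.append((r.rid, "risk has no assigned protective measure"))
        if not r.reassessments:
            findings.append((r.rid, "risk documented only as a one-time snapshot"))
        for trigger, _outcome in r.reassessments:
            if not trigger:
                findings.append((r.rid, "re-assessment without a recorded trigger"))
        for mid in r.measures:
            m = m_by_id.get(mid)
            if m is None:
                findings.append((r.rid, f"references unknown measure {mid}"))
                continue
            if m.supplier and not m.supplier_order:
                findings.append((mid, "supplier contribution without an explicit order"))
            ev = [e_by_id[e] for e in m.evidence if e in e_by_id]
            if not ev:
                findings.append((mid, "measure claimed without validation evidence"))
            elif not any(e.kind == "test_report" and e.result == "pass" for e in ev):
                findings.append((mid, "no passing test report validates the measure"))
    return findings


# Constructed sample dossier: one clean chain, two with typical audit gaps.
SAMPLE_RISKS = [
    Risk("R-01", "telematics ECU", "TCU 3.2.1", ["M-01"], [("field incident 2025-10", "rating unchanged")]),
    Risk("R-02", "body controller", "BCM 1.4.0", ["M-02"]),
    Risk("R-03", "central gateway", "GW 2.0.0", [], [("", "rating lowered")]),
]
SAMPLE_MEASURES = [
    Measure("M-01", "Supplier A", "PO-4711", ["E-01"]),
    Measure("M-02", "Supplier B", None, ["E-02"]),
]
SAMPLE_EVIDENCE = [Evidence("E-01", "test_report", "pass"), Evidence("E-02", "config_extract", "n/a")]


def sample_findings():
    return find_gaps(SAMPLE_RISKS, SAMPLE_MEASURES, SAMPLE_EVIDENCE)
```

Each finding corresponds to a question the article says auditors ask (why this measure, how it was validated, which order carried the requirement, what triggered the re-assessment), so an empty result is the minimum bar before the dossier is handed over.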
4. Self-Assessment and Subsequent Institutional Review
With the Korea Vehicle Security Regulation, the South Korea Ministry of Land, Infrastructure, and Transport remains true to its tradition by using the principle of self-certification, which is common in South Korea (unlike, for example, the type approval system in Germany with the Federal Motor Transport Authority).
At the same time, or rather in addition to this, the Korean regulation establishes a strict market surveillance regime that goes far beyond previous compliance mechanisms. The authorities also have extensive control and sanctioning powers at their disposal.
In concrete terms, the right of official inspection is a reality for OEMs. The competent Korean authorities can verify the declarations made by OEMs (during the audit discussed here) by conducting their own tests.
This is not a theoretical scenario, but a real possibility that must be factored into every manufacturer’s internal risk assessment. The days when self-assessments (and the potentially limited verifiability by third parties) were considered sufficient are over.
Possible sanctions highlight the seriousness of the vehicle cybersecurity situation
One thing is certain in South Korea: vehicles can be taken off the road if defects are found. This possibility of sanctions underscores the seriousness of the regulatory requirements and makes it clear that the Korean authorities are prepared to enforce their control rights.
For OEMs, this means that every security declaration must not only be formally correct, but also materially robust.
Specifically, the self-assessment carried out by the manufacturer as part of the Korea Vehicle Security Audit (against the aforementioned criteria catalog) serves as the basis for possible formal testing/validation.
This is another reason why it’s clear that simply declaring that vehicles are developed according to CSMS principles and are considered safe on the day of the audit is only one part of the equation. The other part is that the audit is considered a survey by the authorities so that they can independently carry out a subsequent institutional review of the OEM’s information if necessary.
Reading tip: Chapter C09 Cybersecurity Verification and Validation of our new specialist publication “1000 Things Worth Knowing in Automotive Cybersecurity” offers a systematic deep-dive into security testing and cybersecurity V&V fundamentals in automotive. It covers basics, V-Model integration, and best practices for testing strategies in vehicle development projects.
5. Special Focus on Testing and What Exactly Happens There
Testing, which is always a challenging area from a cybersecurity perspective, plays a prominent role in Korean regulation. The requirements for the scope, documentation, and traceability of tests go far beyond previous security audits.
Complete Test History is Mandatory
The entire test history must be documented without gaps and presented transparently. This is not an optional best practice, but a mandatory requirement. Every test performed, every test result, and every measure derived from it must be documented in a traceable manner. It is no longer sufficient to provide generic insights into testing, which may have been compiled independently; the required insight into testing, even beyond the boundaries of one’s own organization, goes much deeper here.
Accordingly, the preparation of the necessary information and evidence can also become a difficult challenge here.
Comprehensive Testing Catalog
The documentation requirement in the course of the audit also includes (upon request) in-depth insights into the entire security V&V work. Although neither UNR155 nor ISO/SAE 21434 consider penetration testing to be mandatory, this methodology is considered to play an important role here. The focus is on penetration tests that have been carried out, with a detailed description of the test scenarios, tools used, vulnerabilities identified, etc.
Vulnerability analyses must not only list the vulnerabilities found, but also document their assessment, prioritization, and planned remediation in a traceable manner.
The validation of security measures requires proof that the implemented protective measures are actually effective. The results of field tests and monitoring activities must be continuously recorded and evaluated.
While European UNR155 audits often satisfy technical services with aggregated test reports, Korean auditors expect detailed insights into individual test runs, their results, and the conclusions drawn from them.
Testing as a Continuous Process
Testing is not understood as a one-time event in the development phase but, as it should be, as a continuous process throughout the entire product lifecycle. Post-production testing, regular security checks, and the validation of software updates require ongoing testing and documentation activities. The three-year certification renewal with annual maintenance creates recurring checkpoints at which the testing activities must be verified.
Summary: Recommendations for Action for the Korea Vehicle Security Audit
The Korea Vehicle Cyber Security Regulation represents a new generation of cyber security regulation in the automotive industry in 2026. It requires greater transparency, more detailed documentation, and deeper technical expertise. For OEMs (and ultimately also for the suppliers involved) that want to serve the South Korean market, there are specific actions that need to be taken:
- First, a gap analysis of the existing CSMS documentation must be conducted against the approximately 140 Korean requirements. The foundation for this is establishing systematic evidence management and thorough awareness-raising and training of the relevant employees.
- Then, it is important to understand audit preparation as a strategic task. Thorough preparation is critical to passing an audit against the Korea Vehicle Security Regulation. This includes complete process documentation, in which processes are described in extreme detail so that the authority understands at the level of requirements how things are implemented. This is supported by the systematic compilation of all relevant evidence and the secure control of all documents involved. Those involved must be able to understand and explain processes in detail; only then is a successful audit realistic.
In summary, it can be said that conventional UNR155 audits have long primarily examined the structural and methodological conformity of a CSMS. Korean regulations also require a robust technical understanding of the actual implementation of cybersecurity. They force OEMs to back up their statements with verifiable data, concrete technical references, and end-to-end traceability throughout the entire product lifecycle.
In doing so, Korea is effectively establishing a new benchmark for the depth and quality of UNR155 and vehicle cybersecurity audits.