A look at the counterparts to UN Regulation No 155: Overview of global automotive cybersecurity regulation (mid-2025)

UN Regulation No 155 (UN R155) is the first globally recognised framework to prescribe specific cybersecurity requirements for road vehicles in a legally binding manner. It has been in effect for all new vehicles in UNECE member states since mid-2024, and it also serves as the basis for regulating vehicle cybersecurity in many other regions of the world. Now is therefore the time to take a global look at markets around the world and their respective counterparts to UN R155: an up-to-date snapshot of global cybersecurity regulation. Here we go.

Felix Roth

The tremendous relevance of UN Regulation No. 155 as an effective framework for vehicle cybersecurity is currently also demonstrated by the fact that the regulation is not only used as a benchmark across regions and countries, but that its scope is also increasingly being extended.

One significant extension is that category L vehicles (two- and three-wheeled vehicles, i.e. motorcycles) are to fall within the scope of UN R155.

This can also be seen in EU Regulation 168/2013 (type approval and market surveillance of motorcycles/mopeds and quads in the EU), which now also includes the need for cybersecurity principles (see Article 68).

The first proposals for a legislative amendment to UN R155 are on the table: According to these, the type approval of the vehicles concerned will fall within the scope of UN R155 from July 1, 2029.

The players in the associated value chain would do well to assign sufficient priority (and resources!) to the needs of the associated cybersecurity requirements at an early stage. Not least because the schedule may be accelerated – for example, due to the Cyber Resilience Act (CRA).

At the same time, the ongoing refinement of the requirements for successful cybersecurity with UN R155 is not yet complete. For example, the responsibilities and necessary activities for cybersecurity up to and at the end of the product lifecycle are currently being discussed.

A position paper from the VDA working group on cybersecurity, which is currently being drafted, could soon set out an important position. An in-depth look at the challenges associated with the end of a vehicle’s life from a cybersecurity perspective should also provide clarity in one of the many areas that remain open.

UN Regulation 155 as a global benchmark for vehicle cybersecurity

In expert circles, the requirements of UN R155 are regarded as the benchmark for cybersecurity in and around vehicles (and all related areas of action, structural, procedural, etc.). The principles around the CSMS have been adopted by both OEMs and suppliers.

Accordingly, UN R155 has been and is being used in countries and regions outside the UNECE area of application to develop parallel regulations.

The following sections provide an initial overview of the main global regulatory activities in this regard.

South Korea, UN R155 and a look at self-certification – between global harmonisation and local distinctions

South Korea is formally part of the 1958 UNECE Agreement and thus within the scope of UN R155. However, it has a special position when it comes to adopting harmonised UN technical regulations. The declaration on the UN Agreement is simple but clear: “The Republic of Korea declares that it does not consider itself bound by any of the Regulations”. (Source)

This unique position allows South Korea to develop its own legally binding vehicle cybersecurity regulations. However, international frameworks such as UN R155 and ISO/SAE 21434 can still be used for content.

Another regional feature of the South Korean regulatory landscape is the use of a self-certification system for vehicle type approval.

Unlike many other countries that rely on third-party technical services or government type approval authorities to certify cybersecurity measures, in South Korea manufacturers themselves are responsible for assessing the compliance of their vehicles with the applicable regulations.

On the one hand, this allows for greater flexibility, but it also places the responsibility for compliance and liability squarely on the manufacturer. This is complemented by regulatory oversight after vehicles are placed on the market and strict recall obligations.

Timeline of South Korean vehicle cyber security regulation

Regardless of the original timeline of UN R155 (new vehicle types: July 2022, all vehicles: July 2024), there is another timeline for the South Korean cybersecurity regulation, which is now certain:

  • From August 14, 2025: New vehicle types must comply with the regulations
  • From August 14, 2027: All vehicles (including acquired types) must comply with the regulations

Although the regulation itself has not yet been finalized, the first drafts of both the framework for the Cybersecurity Management System (CSMS) and a preliminary audit checklist that is currently being developed have already been circulated.

The current checklist contains about 140 detailed requirements that are derived from the following sources:

  • UN Regulation No. 155,
  • its official interpretation document,
  • and ISO/SAE 21434.

This high level of specificity is challenging for many OEMs, particularly those whose existing CSMS follows the more generic and risk-based approach of UN R155. These companies are now faced with the challenge of adapting their approaches for the South Korean market to the South Korean checklist. The Korea Automobile Importers & Distributors Association (KAIDA) has also submitted comments on the current process, which are being discussed with the relevant South Korean authority.

In general, the South Korean authorities have been very cooperative and flexible in this regard.

For example, the initial audits are used not only to verify compliance, but also to refine the checklist and clarify the interpretation of the requirements. The focus is on realistic processes and common industry practices.

This open dialogue between regulators and industry suggests that the approach, while stricter in terms of granularity, still provides sufficient flexibility for specific implementation.

Vehicle cyber security regulation in the United Kingdom – repositioning after Brexit

In the United Kingdom, the far-reaching consequences of Brexit also extend to the cybersecurity regulations for the automotive industry. With Brexit, the UK is no longer bound by the EU General Safety Regulation, which requires compliance with UN R155 for type approval within the European Union.

Consequently, the UK can decide autonomously whether and how it will implement the requirements of UN R155 for cybersecurity on its roads.

The UK Department for Transport (DfT) is currently conducting an open consultation entitled “GB Type Approval Scheme: Cyber Security and Software Update Requirements” (Source), in which both industry representatives and the public are invited to provide input.

This review, which is due to run until the end of April 2025, already makes it clear that the UK intends to align itself with the principles of UN R155 in general, although local adaptations may be made in the final implementation.

Of particular note at this point is the high level of transparency and inclusiveness of the current UK process.

By actively seeking feedback from OEMs, suppliers and cybersecurity experts, the UK is striving for a balanced regulation that takes into account cybersecurity and protection measures on the one hand, and the practical impact on industry on the other.

Accordingly, it is currently expected that the core requirements of UN R155 will be reflected in the UK regulation, albeit in the context of a purely national type approval. This demonstrates the importance that UN R155 now has worldwide, as mentioned at the beginning.

Vehicle Cybersecurity Regulation in China – Technically sophisticated and always evidence-based

With the publication of GB 44495:2024, China has created one of the most detailed and technically demanding sets of regulations for automotive cybersecurity, especially in terms of the timeline:

  • From January 2026: Effective for all new vehicle types.
  • From January 2028: Effective for all types of vehicles.

In contrast to UN R155, which is largely risk-based and process-oriented, the Chinese approach places a strong emphasis on technical verification and the provision of concrete evidence.

An important step in this development was already taken in 2021, when the Ministry of Industry and Information Technology (MIIT) published a draft regulation entitled “Technical Requirements for Vehicle Cybersecurity”.

This document laid the groundwork for what would become China’s national counterpart to UN R155, reflecting similar principles but adapted to China’s regulatory and technological realities.

At the heart of the current regulatory framework are the Cybersecurity Management System (CSMS) requirements, which are closely aligned with the concepts of UN R155 and ISO/SAE 21434, but go further in terms of structure and expectations:

  • The Operational Guidance contains a detailed checklist in which each cybersecurity requirement (referred to as a ‘key point’) is assigned to a specific process and associated evidence.
  • This makes the Chinese system a highly evidence-based approach, with OEMs required to provide traceable documentation and implementation details throughout the vehicle lifecycle.

A look at CSMS audits in China in accordance with GB 44495:2024

Systematic CSMS audits have also begun in China, and initial experience shows that the transition from a general global CSMS (based on UN R155) to a CSMS that takes into account the specifics of the Chinese GB 44495 regulation can be a challenge not to be underestimated.

But again, the Chinese authorities are quite willing to recognise existing company-specific processes during testing, provided that OEMs can clearly justify their applicability.

The biggest hurdle, however, is the special type approval procedure that is planned here:

  • The ambiguity of vehicle type: The Chinese concept of grouping vehicles (i.e. “family building”) for vehicle type approval does not appear to be fully defined. This may result in individual type approvals being required for vehicles that share the same E/E architecture.
  • Challenges with legacy vehicles: A key challenge is the widespread lack of clarity on how to deal with legacy vehicles. These are vehicles that are already on the market or were developed years ago. This is particularly relevant where development processes took place before structured cybersecurity practices became necessary. Within UN R155, there is a passage that can be consulted for these vehicles that deliberately states, in simplified terms, that “cybersecurity has been given appropriate consideration”.

Overall, there is still regulatory uncertainty about the extent to which retrospective compliance is expected. This legitimate discussion is still ongoing.

While the authorities seem willing to adjust expectations as needed, particularly with the important understanding that the CSMS is a living system that will evolve over time and continuously improve in depth and scope, it is evident that Chinese regulation is pushing the industry towards a highly technical, documentation-based approach. Achieving effective compliance with legally binding cybersecurity regulations is not only about having the right processes in place, but also being able to demonstrate and defend them in a detailed and resilient manner.

Automotive cybersecurity in the rest of the world – a look at future regulations and different approaches

When it comes to automotive cybersecurity, it cannot be denied that all sales markets and their respective requirements must ultimately be taken into account. At a recent conference, the question of which regulations are actually applicable in the Vatican was met with astonished looks.

So let us first try to look at the somewhat larger regulatory areas.

New automotive cybersecurity regulations in India – on the way to a national standard

India has long shown an ambition to define its own cybersecurity regulation for the automotive industry. Since 2023, the Automotive Industry Standards Committee (AISC) – a joint body involving the Ministry of Road Transport and Highways (MoRTH) and the Automotive Research Association of India (ARAI) – has been actively working on its own regulation. It is called AIS-189.

The first drafts of AIS-189 were quite progressive and even included category L vehicles (two- and three-wheeled vehicles) from the outset. However, this inclusion was later revised and deleted in subsequent drafts.

Timetable of AIS-189 for mandatory cybersecurity requirements in India

The AIS-189 regulation now has a set implementation schedule:

  • From October 1, 2025: Effectiveness for new vehicle types (NT)
  • From October 1, 2028: Effectiveness for all vehicle types (AT)

AIS-189 is closely modeled on UN R155 in structure and intent. However, it also reflects national legislative procedures and the needs of the Indian automotive market. Although final approval is still pending, India is clearly on the path to mandatory cybersecurity compliance.

Saudi Arabia and the United Arab Emirates – following the global benchmark

Saudi Arabia and the United Arab Emirates (UAE) have also taken concrete steps to enact national regulations for cybersecurity in the automotive sector. Initial drafts have already been circulated in industry forums and discussions.

Two key observations of the two approaches can already be made at this stage:

  • A strong orientation towards UN R155, which serves as the fundamental point of reference for the design of the requirements.
  • Consideration of necessary adjustments to regional governance frameworks and infrastructure considerations.

However, at this stage, there is still no confirmed timeline for when these regulations will become legally binding. It remains to be seen how quickly the Gulf region will move from drafting to implementation, but interest and regulatory momentum are clearly increasing.

United States – National security first, regulation later

In the United States, where there is a tendency to view regulation with a critical eye, there is currently no direct equivalent to UN R155.

Instead, the approach to connected vehicle security is currently determined more by national security concerns than by a structured framework for type approval.

On March 17, 2025, a new law came into force that bans the sale and import of hardware and software systems for connected vehicles from certain foreign suppliers that are considered to pose a national security risk. (see also: New US regulations for connected vehicles)

This law introduces the following milestones:

  • From 2027: Ban on software imports
  • From 2030: Ban on hardware imports

While this law addresses specific risks, it is far from providing a holistic cybersecurity framework for vehicle development or type approval that matches the level of UN R155.

The US automotive industry currently works with voluntary guidelines, such as those issued by NHTSA and Auto-ISAC, rather than binding regulations.

As the global regulatory landscape continues to evolve rapidly, it will be interesting to see if the US decides to formalize its own cybersecurity standard – and if so, whether it will be more closely aligned with UN R155 or go its own way.

Summary and outlook

First of all, it’s great that you’ve followed this compilation so far. If you are now hoping to find a shortcut, a cheat sheet or a workaround in this summary to simplify and holistically manage the increasing heterogeneity of global automotive cybersecurity regulations, please don’t be disappointed.

Yes, we see a strong tendency for UN R155 and the associated CSMS principles to set an essential benchmark for the design of legally binding cybersecurity requirements that is being observed worldwide, but sovereignty in the region- and country-specific approaches remains of central importance.

Especially in times of geopolitical shifts and turbulent dynamics in international trade relations, the specific governance of cybersecurity regulation is likely to remain particularly important in the future.

So, stay tuned.
