Modern vehicles have become more than just basic mechanics. They are software-defined systems made from connected control units, sensors, and cloud services that continuously evolve through updates. These new features have introduced new cybersecurity risks and regulatory responsibilities for automotive manufacturers. To address these challenges, the United Nations Economic Commission for Europe (UNECE) introduced two critical regulations under WP.29: UN Regulation No. 155 (R155) and UN Regulation No. 156 (R156). These regulations establish a framework for managing cybersecurity risks and software updates throughout a vehicle’s lifecycle. R155 focuses on cybersecurity management, while R156 governs software update management. For automotive engineering leaders, understanding the differences and the relationship between these two regulations is essential. Despite these differences, both are required for vehicle type approval and ensure vehicles remain safe, secure, and compliant long after they leave the factory.
What Are UNECE R155 and R156?
UNECE R155: Cybersecurity Management System (CSMS)
UNECE Regulation No. 155 (R155) requires automotive manufacturers to implement a certified Cybersecurity Management System (CSMS). This system ensures that teams identify, assess, and mitigate cyber risks across the entire vehicle lifecycle, including design, development, production, and post-production operation. The regulation became mandatory for new vehicle types in July 2022 and requires manufacturers to demonstrate a structured and methodical approach to product cybersecurity.
A CSMS typically includes:
- Threat identification and risk assessment processes
- Cybersecurity monitoring and incident response procedures
- Defined organizational responsibilities and governance structures
- Processes for identifying vulnerabilities and responding to emerging threats
- Continuous evaluation of vehicle cybersecurity risks across the fleet
Manufacturers must undergo an independent audit to certify their CSMS. The resulting certificate is typically valid for three years, and manufacturers must renew it to maintain compliance. In simple terms, R155 defines how manufacturers manage cybersecurity risks across the vehicle lifecycle.
UNECE R156: Software Update Management System (SUMS)
While R155 focuses on cybersecurity governance, UNECE Regulation No. 156 (R156) addresses how teams manage vehicle software updates. R156 requires manufacturers to establish a Software Update Management System (SUMS) that ensures updates are delivered safely, securely, and in compliance with vehicle type approval requirements. This regulation is especially important as modern vehicles increasingly rely on Over-the-Air (OTA) updates to deliver security patches, feature improvements, and bug fixes.
A SUMS ensures that software updates are:
- Secure and protected from manipulation
- Tested and validated before deployment
- Traceable and documented
- Compatible with the vehicle’s configuration
- Compliant with regulatory requirements
The goal is to guarantee that updates do not introduce safety risks or new vulnerabilities while maintaining the integrity of the vehicle’s approved design. Put simply, R156 defines how manufacturers safely deliver and manage software updates.
Why UNECE R155 and UNECE R156 Matter to Automotive Engineers
For engineering teams building modern vehicles, R155 and R156 represent a major shift in how they handle software and cybersecurity. Vehicles today are essentially computers on wheels, containing millions of lines of code and dozens of connected electronic control units (ECUs). These systems interact with cloud services, mobile apps, and backend infrastructure. As a result, cybersecurity threats are constantly evolving. What was secure when a vehicle entered production may no longer be secure a year later.
Software updates are therefore essential to maintaining vehicle safety. They allow manufacturers to:
- Patch vulnerabilities discovered after production
- Improve vehicle performance and functionality
- Address emerging cybersecurity threats
- Maintain regulatory compliance
However, updates themselves can introduce risks. If not properly tested and managed, they may create safety issues, break system compatibility, or introduce new vulnerabilities.
This is why R155 and R156 must work together.
The CSMS defined in R155 identifies cybersecurity risks and determines when updates are necessary, while the SUMS defined in R156 ensures those updates are delivered safely and securely. This means engineering teams must build cybersecurity and software update processes into vehicle development from the start, rather than treating them as an afterthought.
Key Requirements Automotive Engineers Should Know
1. Cybersecurity Must Be Managed Across the Entire Vehicle Lifecycle
R155 requires cybersecurity management from concept through post-production operation.
Engineering teams must consider cybersecurity during:
- System architecture design
- Software development
- Vehicle production
- Fleet operation and monitoring
Threat monitoring must also continue even after vehicles are released to customers.
2. Software Updates Must Be Traceable and Documented
R156 requires manufacturers to track software versions and configuration states across the vehicle fleet. A key component of this process is the Regulatory Software Identification Number (RXSWIN).
RXSWIN acts as a unique identifier for software versions related to type approval requirements. It allows authorities and manufacturers to determine:
- Which software version is installed in a vehicle
- Whether that version complies with regulatory requirements
- How updates impact homologation status
For example, a steering system governed by UNECE Regulation 79 may have an identifier such as RX79, followed by a manufacturer-specific software version number.
3. Software Updates Must Be Secure and Safe
Updates must protect the three core cybersecurity principles:
- Confidentiality – Prevent unauthorized access to update data
- Integrity – Ensure software is not altered or tampered with
- Availability – Guarantee updates can be delivered reliably
Manufacturers must also implement safeguards to handle failed or interrupted updates, ensuring vehicles can safely revert to a previous state if needed.
4. Compatibility and Vehicle Configuration Must Be Managed
Connected vehicles can exist in thousands of configuration variations depending on:
- Hardware components
- Software modules
- ECU versions
- Regional regulatory requirements
Engineering teams must verify that updates remain compatible with each configuration. This requires strong configuration management systems and software dependency tracking.
5. Updates Must Be Tested and Validated
Software updates can impact vehicle safety systems. Before deployment, manufacturers must verify that updates do not affect:
- Functional safety
- Vehicle dynamics
- Regulatory compliance
- System interoperability
Testing and validation are therefore critical parts of SUMS processes.
6. Certification and Audits Are Required
To sell vehicles internationally, manufacturers must obtain certification for both systems. For vehicle type approval, authorities require a CSMS certificate (R155), a SUMS certificate (R156), and component-level certifications for critical systems. These certifications are issued by independent inspection bodies and are required before vehicles can enter the market.
Automotive Engineering Compliance
UNECE R155 and R156 represent a fundamental shift in how automotive manufacturers must approach cybersecurity and software management. As vehicles become increasingly connected and software-driven, regulatory frameworks now require manufacturers to maintain security and functionality across the entire vehicle lifecycle. For automotive engineering leaders, the key takeaway is that UNECE R155 and R156 are not isolated compliance requirements. They are interconnected systems that must work together to support secure vehicle development, fleet management, and long-term operational safety. If you are ready to better implement cybersecurity governance, software lifecycle management, and robust update processes, reach out to our experts for help. We will get you better positioned to meet regulatory demands and protect your customers.
