
What Is UN R155?
UN Regulation No. 155 is the first binding international regulation for vehicle cybersecurity. Developed under the UNECE World Forum for Harmonisation of Vehicle Regulations (WP.29), it requires vehicle manufacturers to implement a Cybersecurity Management System (CSMS) and obtain cybersecurity type approval before vehicles can be sold in contracting markets.
The regulation was adopted in June 2020 and has been mandatory for all new vehicle types since July 2022 and for all new vehicles produced since July 2024 in the European Union, Japan, South Korea, and other contracting parties. It applies to passenger cars (category M), commercial vehicles (category N), and certain trailers (category O) equipped with at least one electronic control unit.
UN R155 is not a technical specification. It is a regulatory framework that mandates organisational capability: manufacturers must demonstrate they can identify cybersecurity threats, assess risks, implement protective measures, detect attacks, and respond to incidents across the entire vehicle lifecycle, from design through production to post-production operation.
Who Is Affected by UN R155?
UN R155 is a regulatory mandate, not a voluntary certification. Its requirements bind vehicle manufacturers directly and cascade through the supply chain to every connected system provider.

Vehicle Manufacturers (OEMs)
Direct regulatory obligation. Manufacturers must obtain a CSMS certificate from an approval authority and secure vehicle-level type approval for each vehicle type. The CSMS must cover the entire vehicle lifecycle, from design through production to post-production operation. Without both certificates, the vehicle cannot be registered or sold in contracting markets.

Tier 1 and Tier 2 Suppliers
Indirect but binding. Suppliers do not need their own CSMS certificates, but manufacturers must demonstrate that cybersecurity requirements have been cascaded through the supply chain. Suppliers of telematics devices, ECUs, software platforms, and connected vehicle systems must meet the cybersecurity requirements defined by the OEM.

Fleet and Logistics Operators
Fleet operators across ASEAN and the Middle East are not directly regulated by UN R155, but the implications are significant. The telematics and connected systems fitted to your vehicles must be included in the manufacturer's cybersecurity assessment. Cybersecurity documentation will accompany new vehicles much as emissions compliance does today.
What Does UN R155 Require?
UN R155 requires two things: an organisational capability (the CSMS) and a product-level approval (vehicle type approval). Both must be in place before a vehicle can be sold in contracting markets.
Cybersecurity Management System (CSMS)
The CSMS is the organisational framework manufacturers must establish, implement, and maintain. It must cover the vehicle development, production, and post-production phases. The approval authority audits the CSMS and issues a Certificate of Compliance, valid for three years.
The CSMS must demonstrate: systematic identification and assessment of cybersecurity risks; implementation of proportionate protective measures; monitoring, detection, and response capabilities for cyber threats; supply chain cybersecurity management; and continuous improvement through management review.
Vehicle Type Approval
Each vehicle type must receive cybersecurity type approval, demonstrating that cybersecurity risks have been systematically identified, assessed, and treated for that specific vehicle. This is separate from the CSMS certificate and must be obtained for each distinct vehicle type.
Annex 5: Threat Categories
UN R155 includes Annex 5, a structured catalogue of 69 attack vectors across seven focus areas. Manufacturers must demonstrate that each applicable threat has been assessed and mitigated for every vehicle type. The seven areas are:
- Back-end servers: attacks on fleet-supporting infrastructure, including unauthorised access and abuse of staff privileges.
- Communication channels: spoofing, interception, and interference with telematics, V2V, and V2I communications.
- Update procedures: compromise of the software update pipeline, from package manipulation to denial-of-service attacks blocking rollouts.
- Unintended human actions: social engineering, insider threats, and accidental exposure of credentials.
- External connectivity: exploitation of APIs, connected services, and third-party interfaces.
- Data and code: manipulation of vehicle parameters, firmware, or stored data.
- Vehicle components: physical and logical attacks on telematics units, ECUs, diagnostic ports, and sensors.
UN R155 Geographic Scope and Timeline
UN R155 applies to the 54 contracting parties to the 1958 UNECE Agreement. Key adoption milestones:
- European Union: Mandatory for all new vehicle types from July 2022; all new vehicles produced from July 2024.
- Japan: Mandatory for new vehicle types from July 2022 (January 2024 if no OTA functionality); all new vehicles from July 2024 (May 2026 if no OTA).
- South Korea: Implementing under national regulation with a self-certification system for vehicle type approval.
- United Kingdom: Post-Brexit, the UK is developing its own GB Type Approval Scheme aligned with UN R155 principles.
- China: Published GB 44495:2024, one of the most technically demanding national cybersecurity standards, effective for new vehicle types from January 2026.
Countries not party to the 1958 Agreement may still require compliance for vehicles exported to contracting markets. National regulations in India, China, and other markets increasingly follow the UNECE blueprint.


How UN R155 Relates to Other Standards
ISO/SAE 21434 is the engineering standard commonly used to implement the technical requirements of UN R155. Where R155 defines what must be achieved, 21434 defines how to achieve it: threat analysis, risk assessment, security engineering, and verification across the vehicle lifecycle.
UN R156 is the companion regulation covering Software Update Management Systems (SUMS). Together, R155 and R156 form a pair: R155 addresses the cybersecurity of the vehicle itself, while R156 addresses the security of the software update mechanisms that maintain the vehicle over its lifecycle.
ISO 27001 provides a recognised framework for information security management. While not formally required by R155, it offers a structured approach to demonstrating the organisational security controls that the CSMS demands.
Key Terms
1958 Agreement: The UNECE agreement on mutual recognition of vehicle type approvals. Vehicles approved in one contracting party are accepted in all others without additional testing.
Annex 5 Part B / Part C: Annex 5 is divided into mitigations for vehicle systems (Part B) and mitigations for areas outside the vehicle such as back-end servers and cloud infrastructure (Part C). Both must be addressed.
Approval Authority: The national or regional body responsible for assessing CSMS compliance and granting vehicle type approval. In practice, the approval authority typically delegates the technical assessment to a designated technical service.
Contracting Party: A country that has signed the 1958 UNECE Agreement and recognises vehicle type approvals issued under it. There are currently 54 contracting parties.
CSMS Certificate: Issued by the approval authority after a successful audit of the manufacturer's Cybersecurity Management System. Valid for three years, after which the CSMS must be re-audited.
TARA: Threat Analysis and Risk Assessment. The structured methodology, defined in ISO/SAE 21434, used to identify and evaluate cybersecurity risks. TARA results feed directly into the R155 type approval evidence package.
Technical Service: The organisation designated by the approval authority to conduct the CSMS audit and vehicle-level cybersecurity assessment on its behalf.
Type Approval: The process by which an approval authority certifies that a specific vehicle type meets regulatory requirements. Each distinct vehicle type requires its own cybersecurity type approval.
Vehicle Type: A category of vehicles sharing the same essential cybersecurity-relevant characteristics. Changes to connected systems or software architecture may require a new type approval even within the same model range.
WP.29: The UNECE World Forum for Harmonisation of Vehicle Regulations. The body that developed UN R155 and UN R156 and administers the regulatory framework.

How TTMI Helps
For organisations navigating UN R155 supply chain requirements, TTMI provides cybersecurity services that address the gap between regulatory expectation and operational readiness. Whether you are a telematics provider demonstrating compliance to an OEM, or a fleet operator assessing whether your connected systems meet R155 standards, TTMI can help you understand where you stand.
Posture Assessment: Evaluate your current cybersecurity controls against the R155 threat catalogue and identify where your systems meet, partially meet, or fall short of the requirements your OEM customers or approval authorities expect.
Supply Chain Mapping: Identify where your cybersecurity responsibilities begin and your providers' responsibilities end. TTMI helps document the interfaces, data flows, and shared obligations that R155 requires across the supply chain.
Compliance Advisory: Navigate the CSMS audit process, prepare the evidence package, and understand what technical services look for during the vehicle-level cybersecurity assessment.




