UN R156 Reference Guide

Software Update Management Systems

What Is UN R156?

UN Regulation No. 156 is the companion regulation to UN R155, focused specifically on software update management for vehicles. It requires vehicle manufacturers to implement a Software Update Management System (SUMS) that ensures all software updates delivered to a vehicle are carried out safely, securely, traceably, and in compliance with the vehicle's type approval.
 

Modern connected vehicles receive software updates regularly, including to telematics devices, GPS trackers, IoT sensors, engine control units, and driver assistance systems. These updates are delivered over the air (OTA) or through physical access at service centres. Each update represents a potential vulnerability: if the update channel is compromised, an attacker can push malicious code to every device on a fleet simultaneously.
 

The UN R156 software update regulation exists to ensure that the update pipeline itself is protected, not just the software it delivers. It was adopted alongside R155 in 2020 and follows the same enforcement timeline.

Who Is Affected by UN R156?

UN R156 applies wherever software updates are delivered to vehicle systems, whether over the air or through physical access. The regulation creates obligations for manufacturers and has direct implications for their suppliers and the fleet operators who depend on those systems.

Vehicle Manufacturers

Direct regulatory obligation. Manufacturers must establish, implement, and maintain a SUMS. The system must be audited and certified by a neutral body; without certification, the vehicle cannot receive type approval. The SUMS certificate is valid for three years.

Suppliers and Telematics Providers

Suppliers providing software components, telematics devices, or connected systems are affected through supply chain requirements. Manufacturers must demonstrate that update processes across their supply chain meet R156 standards. TTMI provides security for telematics devices and connected fleet systems, including the update channels that deliver firmware to fleet hardware.

Fleet and Logistics Operators

Fleet operators across ASEAN and the Middle East are affected because the telematics devices, GPS trackers, and IoT sensors fitted to their vehicles all receive software updates. The security of those update channels determines whether a fleet's connected systems remain protected or become a vector for attack.

What Does UN R156 Require?

UN R156 requires manufacturers to establish a Software Update Management System covering every software update delivered to a vehicle, whether over the air or through physical access at a service centre.

Software Update Management System (SUMS)

The SUMS must establish that software updates are carried out safely, functionally, traceably, and in compliance with the vehicle's type approval. It encompasses processes for identifying which vehicles need updates, checking compatibility with the overall vehicle configuration, assessing the impact on type approval, and meeting security and documentation requirements for both workshop and OTA updates.

RXSWIN

The Regulation Software Identification Number (RXSWIN) is a key concept in R156. It provides a standardised way to identify the software version of a vehicle's type-approval-relevant systems. This enables tracking of which software version is running on each vehicle and whether that version remains compliant with the original type approval.

Secure Update Chain

UN R156 requires four core capabilities in the update delivery mechanism:
 

  • Authentication: The update source must be verified before deployment. The vehicle must confirm that the update originates from an authorised source.

  • Integrity: The code must be checked for tampering in transit. Any modification between the source and the vehicle must be detectable.

  • Rollback: Failed or compromised updates must be reversible. The system must be able to return to the previous working state safely.

  • Documentation: A full audit trail must be maintained across the vehicle's lifecycle, including which updates were applied, when, and to which vehicles.
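
The four capabilities above, sketched as a device-side update check. This is an added example, not code from UN R156 or from TTMI: the package layout, the Device class, the demo key and the self-test hook are assumptions, and HMAC-SHA256 stands in for the digital signature so the example runs on the Python standard library alone.

```python
import hashlib, hmac, json

# Constructed demo key. Assumption: HMAC-SHA256 stands in for a digital
# signature; a real device would verify an asymmetric signature against a
# provisioned certificate rather than share a secret with the update server.
DEMO_KEY = b"constructed-demo-key"

def sign_manifest(manifest, key):
    """Authentication tag over the canonical JSON form of the manifest."""
    body = json.dumps(manifest, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def build_package(version, payload, key):
    """Hypothetical package layout: signed manifest plus firmware payload."""
    manifest = {"version": version, "sha256": hashlib.sha256(payload).hexdigest()}
    return {"manifest": manifest, "tag": sign_manifest(manifest, key), "payload": payload}

class Device:
    def __init__(self, key, version, firmware):
        self.key, self.version, self.firmware = key, version, firmware
        self.audit = []  # audit trail of every update attempt

    def apply_update(self, pkg, self_test=lambda fw: True):
        result = self._verify_and_install(pkg, self_test)
        # Documentation: record the attempt whether it succeeded or not.
        self.audit.append({"offered": pkg["manifest"].get("version"),
                           "result": result, "running": self.version})
        return result

    def _verify_and_install(self, pkg, self_test):
        manifest = pkg["manifest"]
        # Authentication: the manifest must carry a tag made with the trusted key.
        if not hmac.compare_digest(sign_manifest(manifest, self.key), pkg["tag"]):
            return "rejected:authentication"
        # Integrity: the payload must hash to the value in the authenticated manifest.
        digest = hashlib.sha256(pkg["payload"]).hexdigest()
        if not hmac.compare_digest(digest, manifest["sha256"]):
            return "rejected:integrity"
        previous = (self.version, self.firmware)
        self.version, self.firmware = manifest["version"], pkg["payload"]
        # Rollback: a failed post-install self-test restores the previous state.
        if not self_test(self.firmware):
            self.version, self.firmware = previous
            return "rolled_back"
        return "installed"
```

The order matters: the payload hash is only trusted because the manifest that carries it has already been authenticated.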

How UN R156 Relates to Other Standards

UN R155 addresses the cybersecurity of the vehicle itself. R156 addresses the cybersecurity of the software update mechanisms that maintain the vehicle. Together, they form a pair: R155 ensures the vehicle is secure at the point of production, while R156 ensures it remains secure through ongoing updates across its operational life.

ISO 24089 (Road Vehicles: Software Update Engineering) provides detailed implementation guidance for meeting R156 requirements. Where R156 defines what must be achieved, ISO 24089 explains how: organisational processes, project-level activities, and technical requirements for secure update delivery.

ISO/SAE 21434 provides the cybersecurity engineering framework that underpins both R155 and R156. The threat analysis and risk assessment methods defined in 21434 are used to identify the security requirements that the SUMS must address.

Key Terms

Chain of Trust: The sequence of verification steps that confirm an update is authentic, unmodified, and authorised before it is applied to the vehicle. Each step in the chain must pass before the next proceeds.

Code Signing: The cryptographic process used to verify that a software update package was produced by the claimed source and has not been altered. The update carries a digital signature that the receiving device checks against a known certificate before accepting the package.

Firmware: The low-level software embedded in hardware devices such as telematics units, ECUs, and sensors. Firmware controls how the device operates at the hardware level and is updated less frequently than application software, but a compromised firmware update can give an attacker direct control of the device.

Integrity Verification: The specific check confirming that code has not been tampered with during transmission between the source and the vehicle. Distinct from authentication, which verifies who sent the update. Integrity verification confirms the update itself is unchanged.

OTA: Over-the-Air. Software updates delivered wirelessly to the vehicle without physical access at a service centre. OTA updates are faster to deploy across a fleet but expose the update channel to remote attack if not properly secured.

Software Update Package: The complete deliverable transmitted to a vehicle or device during an update. Includes the code itself, version metadata, cryptographic signatures for authentication, and integrity hashes for verification.

Staged Rollout: The practice of deploying an update campaign incrementally rather than simultaneously across all vehicles. A staged rollout begins with a small subset of the fleet, validates the update in the field, then progressively expands. This limits the impact of a faulty or compromised update.

SUMS Certificate: Issued by the approval authority after a successful audit of the manufacturer's Software Update Management System. Valid for three years, after which the SUMS must be re-audited. Distinct from the SUMS itself, which is the ongoing operational system.

Type Approval: The process by which an approval authority certifies that a specific vehicle type meets regulatory requirements, including R156 software update management requirements, before the vehicle can be sold in contracting markets.

Update Campaign: A managed rollout of a specific software update to a defined set of vehicles, including planning, approvals, staged delivery, monitoring, and post-update validation.

How TTMI Helps

TTMI provides security for telematics devices and connected fleet systems, including the update channels that deliver new firmware to the hardware your operation depends on. For organisations managing software updates to connected vehicle systems, TTMI can assess the security of your update pipeline and support alignment with R156 requirements.

Update Channel Security: Assess the authentication, integrity verification, and rollback mechanisms protecting your over-the-air and workshop update delivery. Identify where the chain of trust is strong and where it has gaps.

Telematics Device Protection: Evaluate the security of the firmware signing, provisioning, and configuration management processes for the connected devices deployed across your fleet.

R156 Alignment Review: Map your current software update processes against R156 requirements and ISO 24089 guidance. Identify what needs to change before your next OEM audit or type approval submission.

Related Standards and Official Sources

R156 works alongside several other standards that together define the cybersecurity requirements for connected vehicle systems. The official texts are published by their respective governing bodies.

Speak with our Cybersecurity Team

Whether you need to assess the security of your update channels, evaluate your telematics provider's firmware delivery process, or prepare for R156 compliance requirements, our team can help.
