69 attack vectors defined in Annex 5 requiring risk assessment
60+ countries where UN R155/R156 compliance is mandatory for type approval
3 years of CSMS/SUMS certificate validity before mandatory recertification
Regulation Overview
UN R155 and UN R156 are the first binding international vehicle cybersecurity regulations and the cornerstone of automotive cybersecurity compliance in UNECE markets. For supply chain teams, the primary obligation is managing cybersecurity evidence across multi-tier suppliers: demonstrating that organizational processes, vehicle architectures, and software update mechanisms are secure throughout the entire vehicle lifecycle.
UN R155 requires a certified Cybersecurity Management System (CSMS) covering the development, production, and post-production phases. UN R156 requires a complementary Software Update Management System (SUMS) ensuring that OTA and workshop updates are delivered securely and traceably. Together, they are prerequisites for vehicle type approval in 60+ countries. The CSMS certificate is an organizational prerequisite only: each vehicle type must additionally demonstrate a vehicle-specific risk assessment and the mitigations applied against the Annex 5 threats before it receives its own approval. CSMS certification must be renewed every three years, and approval authorities can withdraw certificates if post-production monitoring or incident reporting is insufficient.
UN R155/R156 compliance requires documented cybersecurity evidence—threat analyses, risk assessments, mitigation plans, penetration test results, and supplier compliance attestations—from every tier. When scope expands or new threat vectors emerge, your entire supplier portfolio requires reassessment.
Who Must Comply
Vehicle manufacturers (OEMs) seeking type approval in any UNECE contracting party
Tier 1 suppliers providing ECUs, software modules, and connected components
Tier 2 and Tier 3 suppliers contributing cybersecurity-relevant hardware or software
Manufacturers of passenger cars (M), commercial vehicles (N), and trailers with ECUs (O)
Motorcycle, scooter, and quadricycle OEMs (from December 2027 for new types)
Non-UNECE manufacturers exporting to EU, UK, Japan, South Korea, or Australia
Key Thresholds
UN R155/R156 compliance demands cybersecurity evidence from every supplier contributing cybersecurity-relevant components. Your Tier 1 sends a security concept document in one format. Your Tier 2 provides a penetration test report in another. Your Tier 3 doesn't understand the request. Without multi-tier supply chain transparency, CSMS auditors find a folder of disconnected PDFs instead of a traceable evidence chain. Your team spends months chasing responses that arrive incomplete, inconsistent, or in the wrong language.
Your CSMS certificate expires in six months. Since the last audit, you've onboarded 40 new suppliers, introduced three new ECU platforms, and updated your OTA infrastructure. Every change requires updated documentation—TARA revisions, test results, supplier assessments. Your compliance team is rebuilding the evidence package from scratch because nothing was centralized. Without continuous compliance monitoring and audit readiness, recertification becomes a recurring crisis.
Annex 5 defines 69 attack vectors across seven threat categories—from back-end servers to physical vehicle access. Your TARA must address each relevant vector with specific mitigations mapped to supplier evidence. But your BOM contains 150+ ECUs from 60 suppliers. Without BOM-level compliance intelligence linking components to threat vectors and supplier documentation, you cannot demonstrate complete coverage. A single unmapped vector can delay type approval.
While OEMs bear type approval responsibility, automotive supply chain security depends entirely on supplier cooperation. A Tier 2 ECU manufacturer claims cybersecurity compliance but provides no supporting documentation. A Tier 1 integrator passes through declarations without validation. A software supplier's vulnerability disclosure process is undocumented. Without supplier risk scoring and due diligence, evidence gaps persist through audit—and become the OEM's liability when the approval authority reviews the CSMS package.
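The two failure modes above, an Annex 5 vector with no probative evidence behind it and evidence that lapses before the next CSMS audit, are easy to check mechanically once the evidence is structured. The following gap check is an added example written for this page; it is not Certivo's code, and the threat references (T1 to T6), supplier names, component ids, dates and the set of evidence kinds treated as probative are constructed placeholders, not identifiers from the regulation or from any real BOM.

```python
from dataclasses import dataclass
from datetime import date

# Annex 5 threat references below are placeholders constructed for this example;
# the real table has its own numbering and many more entries than shown here.
REQUIRED_THREATS = frozenset({"T1", "T2", "T3", "T4", "T5", "T6"})

# A bare supplier declaration is not evidence that a mitigation exists; only
# these document kinds count toward threat coverage (assumption for this example).
PROBATIVE_KINDS = frozenset({"tara", "pentest", "csms_cert", "work_product"})


@dataclass(frozen=True)
class Evidence:
    supplier: str
    component: str        # BOM item the document covers
    kind: str             # "tara", "pentest", "csms_cert", "work_product", "declaration"
    threats: frozenset    # Annex 5 references the document claims to mitigate
    valid_until: date     # expiry of the document or certificate


def coverage_gaps(required, bom, evidence, as_of, recert_date):
    """Compute the gaps an approval authority would find in an evidence package.

    bom: mapping component id -> supplier name.
    Returns sorted lists of: threats with no probative evidence, components
    with no probative evidence at all, declarations that are not backed by a
    document, and evidence that lapses before the recertification date.
    """
    covered, comps_ok, unsupported, expiring = set(), set(), [], []
    for ev in evidence:
        if ev.component not in bom:
            continue                      # not on this vehicle type; ignore
        if ev.valid_until < as_of:
            continue                      # already expired: counts for nothing
        if ev.valid_until < recert_date:
            expiring.append((ev.supplier, ev.component, ev.kind))
        if ev.kind not in PROBATIVE_KINDS:
            unsupported.append((ev.supplier, ev.component))
            continue                      # a declaration never covers a threat
        covered |= ev.threats
        comps_ok.add(ev.component)
    return {
        "unmapped_threats": sorted(required - covered),
        "components_without_evidence": sorted(c for c in bom if c not in comps_ok),
        "unsupported_declarations": sorted(unsupported),
        "expiring_before_recert": sorted(expiring),
    }


# Constructed sample: three ECUs from three suppliers and four documents.
BOM = {"ECU-BCM": "Tier1-A", "ECU-TCU": "Tier1-B", "ECU-GW": "Tier2-C"}
EVIDENCE = [
    Evidence("Tier1-A", "ECU-BCM", "tara", frozenset({"T1", "T2"}), date(2027, 1, 31)),
    Evidence("Tier1-A", "ECU-BCM", "pentest", frozenset({"T3"}), date(2026, 3, 1)),
    Evidence("Tier1-B", "ECU-TCU", "declaration", frozenset({"T4", "T5"}), date(2028, 1, 1)),
    Evidence("Tier2-C", "ECU-GW", "csms_cert", frozenset({"T4"}), date(2025, 1, 1)),
]


def demo():
    """Run the check as of 2025-12-01 against a recertification due 2026-06-30."""
    return coverage_gaps(REQUIRED_THREATS, BOM, EVIDENCE,
                         as_of=date(2025, 12, 1), recert_date=date(2026, 6, 30))


if __name__ == "__main__":
    for key, items in demo().items():
        print(f"{key}: {items}")
```

On the constructed data the check reports T4, T5 and T6 as unmapped (the TCU's declaration claims T4 and T5 but is not backed by a document, and the gateway's certificate has already expired), both the TCU and the gateway as components without evidence, and the BCM penetration test as lapsing before the audit. Each of those is a supplier campaign to launch now rather than a finding to explain to the auditor later.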
Certivo in Action: UN R155/R156 Workflow
Industry Pain Points
Automotive Manufacturing: multi-tier CSMS evidence; OEM-to-supplier flowdown; 12–25 year lifecycle obligations
Electronics Manufacturing: ECU and connected component cybersecurity evidence; complex BOMs with hundreds of cybersecurity-relevant parts
Semiconductor & High-Tech: chipset and SoC security evidence; hardware root-of-trust documentation; IP concerns alongside compliance
Industrial Machinery & Heavy Equipment: connected off-highway vehicles and machinery under expanding scope; legacy ECU architectures
Aerospace & Defense: stringent cybersecurity documentation; prime contractor flowdown to multi-tier suppliers
Energy & Infrastructure: EV charging infrastructure cybersecurity; vehicle-to-grid communication interfaces
From Manual Evidence Compilation to Exception Management
CORA extracts cybersecurity evidence automatically. Your team focuses on exceptions that need human judgment—not manual document chasing across supplier tiers.
CSMS Documentation Acceleration
Generate complete, audit-ready CSMS evidence packages in hours—not the 4–6 months of manual compilation typical for type approval cycles.
Proactive UN R155/R156 Compliance Tracking
When supplier certificates expire, scope expands, or parallel regulations emerge, Certivo reassesses your evidence portfolio instantly. Know which gaps exist before auditors ask.
Frequently Asked Questions
What vehicles and companies are subject to UN R155/R156 compliance obligations?
Any vehicle manufacturer seeking type approval in UNECE contracting parties must hold valid CSMS and SUMS certificates. This applies to passenger cars (M), commercial vehicles (N), trailers with ECUs (O), and—from December 2027—motorcycles and all Category L vehicles. While type approval responsibility sits with OEMs, the regulation cascades to Tier 1, Tier 2, and Tier 3 suppliers who must provide cybersecurity evidence. Certivo's automated campaigns ensure multi-tier evidence is collected, validated, and audit-ready regardless of supply chain depth.
What happens if an OEM fails to meet UN R155/R156 requirements?
Without valid CSMS and SUMS certification, a vehicle manufacturer cannot obtain type approval—meaning the vehicle cannot legally be sold in any contracting party including the EU, UK, Japan, and South Korea. Several OEMs have already discontinued specific models due to UN R155/R156 compliance challenges. Approval authorities can withdraw existing type approvals if post-production monitoring or recertification obligations are not met. CORA's continuous compliance monitoring ensures evidence stays current between audit cycles.
How does Certivo manage supplier cybersecurity evidence across multiple tiers?
CORA launches targeted cybersecurity evidence campaigns to suppliers across all tiers, following up automatically in suppliers' native languages. Certivo accepts any format—security concept documents, TARA reports, penetration test results, ISO/SAE 21434 work products, and freeform declarations. AI document parsing and certificate validation extracts structured data, maps it to Annex 5 requirements, and flags gaps automatically. Supplier risk scoring and due diligence give your team instant visibility into evidence quality across your automotive supply chain.
Does Certivo support UN R155/R156 alongside China's GB 44495 and other parallel frameworks?
Yes. Certivo validates supplier cybersecurity evidence against UN R155/R156, China's GB 44495:2024, the EU Cyber Resilience Act, and related frameworks simultaneously through regulatory intelligence and horizon scanning. A single supplier submission is validated across multiple regulatory requirements—eliminating duplicate evidence collection campaigns and supporting dual-track compliance for UNECE and Chinese market access.
How does Certivo handle CSMS recertification and ongoing compliance obligations?
Certivo maintains continuous tracking of CSMS and SUMS certificate validity, supplier evidence freshness, and regulatory scope changes. When recertification is due, CORA automatically identifies outdated supplier evidence, triggers targeted re-collection campaigns, and generates updated audit packages. The platform tracks post-production monitoring obligations and annual reporting requirements—transforming the three-year recertification cycle from a crisis event into a managed process through a centralized compliance data backbone.