UNECE R155 · Global Regulatory Landscape · China Overseas Market Implications
Executive Summary
Automotive cybersecurity regulation has evolved from "nice-to-have" engineering practice to a hard, market-access-blocking legal requirement. UNECE Regulation No. 155 (R155), adopted in June 2020 and in force since January 2021, is the world's first binding international automotive cybersecurity regulation. Since July 2024, R155 is mandatory for all new vehicles sold across the EU, UK, Japan, South Korea, and 50+ UNECE contracting parties. Its rule is blunt: No valid CSMS certificate = No type approval = Zero sales.[1][2][3][4]
The regulatory landscape is now multi-layered: R155 established the floor, and new waves — EU Cyber Resilience Act (CRA, full application Dec 2027), NIS2 Directive (org-level, in force), and the US DoC "Chinese software ban" (effective MY2027) — are raising the ceiling further. For Chinese automakers going overseas, cybersecurity compliance has become the single most complex non-tariff barrier to market entry.[5][6]
I. UNECE R155: The Global Baseline
Origin & Institutional Framework
R155 was developed under the UNECE Working Forum for Harmonization of Vehicle Regulations (WP.29), specifically by its working party on Automated/Autonomous and Connected Vehicles (GRVA). The regulation was formally adopted at the June 2020 WP.29 session and entered into force on January 21, 2021. Its companion regulation, UN R156, governs Software Update Management Systems (SUMS) and is mandatory alongside R155.[2][7][8][9]
Scope of Application
R155 applies to vehicles equipped with at least one Electronic Control Unit (ECU)[10]
| Vehicle Category | Description | |
|---|---|---|
| M | Passenger cars ≥4 wheels | Mandatory (since Jul 2022/2024)[1] |
| N | Commercial/goods vehicles | Mandatory[1] |
| O | Trailers with ≥1 ECU | Mandatory[3] |
| L6/L7 | Light 4-wheelers with ≥L3 automation | Mandatory[9] |
| L (motorcycles/scooters/e-bikes >25km/h) | All other L-category | Amendment 3, in force Jan 2025; mandatory from Jul 2029[10][11] |
| T (agricultural machinery) | Tractors, farm equipment | Under discussion[12] |
Two-Phase Enforcement Timeline
| Requirement | ||
|---|---|---|
| July 2022 | Mandatory CSMS + R155 type approval for all new vehicle types[1][7] | |
| July 2024 | Extended to all new vehicles — including models type-approved before 2022 and still in production[1][13] | |
| Motorcycle expansion | July 2029 | All L-category vehicles with ECU required to comply[12][14] |
What R155 Requires: The Two-Approval Architecture
R155 requires manufacturers to obtain two separate approvals[15]
① Organizational Level — CSMS Certificate of Compliance
The Cybersecurity Management System (CSMS) is an organizational framework covering the full vehicle lifecycle — development, production, and post-production. Requirements[16][17]
- Systematic identification and assessment of cybersecurity risks
- Implementation of proportionate protective measures
- Monitoring, detection and response capabilities for cyber threats throughout the vehicle's operating life
- Supply chain cybersecurity management: cascade requirements to all relevant suppliers
- Incident data sharing with Approval Authorities
- CSMS certification must be renewed at least every 3 years CSMS[16][17]
② Product Level — Vehicle Type Approval
Each individual vehicle type must demonstrate that specific cybersecurity measures are implemented in design architecture, based on a documented TARA (Threat Analysis and Risk Assessment).[9][15]
II. The Core Technical Requirement: TARA
Annex 5: The 69 Attack Vector Catalog
R155 includes Annex 5, a structured catalog of 69 attack vectors across 7 focus areas that manufacturers must assess and mitigate for every vehicle type[3][9]
| Focus Area | Example Threats |
|---|---|
| 1. Backend server attacks | Cloud API spoofing, database breach |
| 2. Vehicle communication channel attacks | V2X message spoofing, GPS jamming, CAN bus injection V2X |
| 3. Vehicle update procedure attacks | Malicious OTA, firmware tampering |
| 4. Unintended human action | Social engineering, insider threat |
| 5. External connectivity attacks | Telematics hacking, EV charging system compromise |
| 6. Vehicle data / code attacks | ECU code extraction, data manipulation ECU |
| 7. Potential vulnerabilities from "connected" 3rd party systems | Aftermarket devices, smartphone pairing vulnerabilities |
The TARA Process (per ISO/SAE 21434)
R155 is closely linked to ISO/SAE 21434 — the international engineering standard that provides the methodology for TARA execution. The six-step process[18][8]
- Asset Identification[19]
- Threat Identification[19]
- Impact Assessment[19]
- Attack Feasibility Assessment[19]
- Risk Determination[19]
- Risk Treatment Decision[20][19]
TARA is not a one-time exercise: it must be repeated whenever new components are added, software is updated, or new threats emerge (e.g., zero-day vulnerabilities).[21]
III. The ISO/SAE 21434 & R155 Relationship
| Dimension | R155 | ISO/SAE 21434 |
|---|---|---|
| Mandatory regulation | Voluntary standard (but de facto required) | |
| Goal-based (what to achieve) | Process-based (how to achieve it) | |
| UNECE WP.29 | ISO + SAE Joint | |
| Vehicle type approval | Full engineering lifecycle from concept to decommissioning | |
| Supply chain | OEM is accountable; cascades via contracts OEM | All organizations in automotive supply chain |
| Companion | R156 (SUMS) | ISO 24089 (software update) |
Key insight
IV. Supply Chain Cascade: The Tier-1/Tier-2 Impact
R155 is nominally directed at OEMs, but its supply chain requirements cascade downward through the entire value chain. Practically[16][18]
- OEMs must establish cybersecurity interface agreements with all suppliers whose components could introduce security risks
- Tier-1 suppliers (ECU makers, domain controllers, TCUs, infotainment) must demonstrate CSMS-equivalent processes to their OEM customer — even without their own R155 certification
- Tier-2/3 suppliers (software components, semiconductor IP) must provide traceability — SBOM (Software Bill of Materials) is increasingly required [22]
- Post-production monitoring is mandatory: OEMs must continuously monitor threats and respond to incidents "within a reasonable timeframe" for the vehicle's entire operating life [17]
R155's real teeth are in the post-production obligation — unlike previous safety regulations, which focused on design and production, R155 requires ongoing operational security indefinitely.[23]
Concrete Business Impact
- 5 vehicle models killed in Europe (2024): Three Porsche models (Boxster, 718 Cayman, Macan) and two Audi models (R8, TT) discontinued in EU market because the cost of R155 compliance for their aging architectures was not justified. 2024[23]
- Audit cadence: CSMS must be audited and re-certified at minimum every 3 years by a designated approval authority. [16]
- Non-compliance penalty: Loss of type approval = immediate market ban from all UNECE contracting states simultaneously
V. Amendment 3 (2025): R155 Evolves
UNECE published Amendment 3 to R155 (Supplement 3 to the original version), which entered into force January 10, 2025. Key changes[10]
- Scope expanded: Paragraph 1.1 now formally includes all Category L vehicles (motorcycles, scooters, e-bikes >25 km/h) — not just L6/L7[10]
- Clarified CSMS validity requirement: Paragraph 7.3.1 explicitly states the manufacturer must hold a "valid Certificate of Compliance" for the CSMS
- Multi-stage vehicles: New rules for body manufacturers modifying base vehicles — triggering conditions for separate CSMS certification clarified[17]
- Physical protection requirements: Paragraph 7.3.4 added explicit obligations to protect vehicle types against identified risks[10]
What's next for R155
- Agricultural machinery (Category T) inclusion: under active discussion at WP.29[12]
- Potential expansion to aftermarket parts and accessories
- Post-quantum cryptography provisions: expected to be embedded into future R155 revisions (see Section VII)
VI. Global Regulatory Landscape: Beyond R155
Adoption Map
| European Union | Fully mandatory since Jul 2024 2024 | Enforced via EU General Safety Regulation (GSR)[7] |
| United Kingdom | Mandatory, GB type approval scheme | Post-Brexit separate scheme, aligned with R155; consultation Feb 2025[24][25] |
| Mandatory from May 2022 (new types); 2024 (all) 2022 | UNECE contracting party; MLIT enforces UNECE[2] | |
| South Korea | Mandatory | UNECE contracting party UNECE[2] |
| GB 44495/44496-2024, effective Jan 1, 2026 2026 | Aligned with R155/ISO 21434 but China-specific requirements[26][27] | |
| Self-certification; NOT a UNECE contracting party | DoC VCS/ADS ban effective MY2027 (software)[6] | |
| Not a UNECE contracting party | Aligning with US approach | |
| Australia | Referencing UNECE R155 but not mandatory contracting party | Transitioning over 2024–2026 2024-2026 |
| Considering R155 adoption | AIS-189 standard under development AIS-189 | |
| Under development | CONTRAN working group active CONTRAN |
China's GB 44495/44496-2024: The Parallel Framework
Issued: August 23, 2024. Effective: January 1, 2026.[26][27]
China's national standards align with R155/ISO 21434 in principle but introduce China-specific differences
| Dimension | UNECE R155 | GB 44495-2024 |
|---|---|---|
| Core Framework | CSMS + TARA CSMS + TARA | CSMS + TARA (same principle) |
| Testing requirement | Risk-based; no fixed test count | 27 mandatory specific cybersecurity tests 27[27][26] |
| Certification model | CSMS Certificate of Compliance (renewable 3yr) CSMS | Audit-based (no renewable CSMS certificate) [26] |
| Model extension | More flexible extension to other models | Stricter conditions for extending approvals to other models[26] |
| V2X security V2X | General communication security | Explicit V2X and vehicle-to-cloud security testing V2X[27] |
| Data localization | No explicit requirement | Implicit through data security laws |
Companion standards
VII. The Next Wave: "Cybersecurity 2.0" Threats
R155 established Cybersecurity 1.0 — the baseline compliance floor. The industry is now confronting a second wave of challenges that R155 alone cannot fully address
EU Cyber Resilience Act (CRA)
- Adopted: October 2024; In force: December 10, 2024; Full application: December 11, 2027[5][29]
- Scope: All products with digital elements (PDEs) sold in the EU — covers automotive component suppliers not already covered by GSR/R155 (e.g., aftermarket parts, EV charging software, in-vehicle apps)[30][29]
- Key obligations: Secure-by-design; minimum 5-year lifecycle support; incident reporting to ENISA within 24 hours; SBOM mandatory in machine-readable format[29]
- Penalties: Up to €15M or 2.5% of global annual turnover[29]
- CRA vs R155: CRA does NOT replace R155 for vehicles (lex specialis principle); but automotive Tier-1/Tier-2 suppliers of components not covered by R155 must comply with CRA — creating a dual compliance burden for the supply chain CRA[30]
EU NIS2 Directive (Organization-Level)
- In force: January 2023; transposition deadline October 2024; enforcement actively ongoing in most EU states as of mid-2026 2023[31]
- Impact on automotive OEMs: Large automotive OEMs are likely classified as "essential entities" under transport sector — subject to up to €10M or 2% of global turnover fines and personal board-level liability[31]
- Supply chain mandate: NIS2 explicitly requires organizations to assess and manage security across their entire supplier network — adding another supply chain security audit obligation on top of R155's CSMS requirement NIS2[31]
Post-Quantum Cryptography (PQC) Threat
By approximately 2030, sufficiently powerful quantum computers are expected to break the RSA and ECC cryptographic foundations underlying current vehicle security (PKI, TLS, secure boot). Strategic path for OEMs[4][32]
- Short term: Secure connectivity and TCU (Telematics Control Unit) access points against classical attacks[4]
- Medium term (by 2028–2030): Migrate internal vehicle architecture to quantum-safe cryptography (NIST PQC standards: CRYSTALS-Kyber, CRYSTALS-Dilithium)[4]
- R155 implications: Future R155 revisions are expected to mandate PQC-readiness; OEMs designing vehicles now must build in cryptographic agility[4]
AI-Driven Threats & "Cybersecurity by Design"
The same AI stack enabling advanced ADAS creates new attack surfaces: adversarial ML attacks on perception models, model poisoning via malicious training data, and LLM prompt injection in cockpit AI assistants. The 2026 trend is "security shifting left" — embedding secure boot, hardware security modules (HSM), and runtime intrusion detection earlier in the development cycle.[33]
VIII. US Market: The Chinese Software/Hardware Ban
DoC Final Rule (Effective March 17, 2025)
The U.S. Department of Commerce published a final rule finalizing a comprehensive ban on Chinese and Russian connected vehicle technology[34][6]
| Prohibition | Effective Date |
|---|---|
| Software ban: VCS (Vehicle Connectivity System) and ADS (Automated Driving System) software with nexus to PRC/Russia | Model Year 2027 2027[6][34] |
| Hardware ban: VCS hardware with nexus to PRC/Russia | Model Year 2030 (or Jan 1, 2029 for vehicles without model year) 2030[6] |
| Chinese OEM ban: Chinese manufacturers cannot sell connected vehicles in the US even if manufactured domestically | Model Year 2027 2027[6] |
Compliance mechanism
Congressional escalation
IX. Implications for Chinese Automakers Going Overseas
The Compliance Stack Chinese OEMs Must Navigate
Chinese automakers exporting to major markets face a multi-layer regulatory stack simultaneously
| Key Regulation | Impact on Chinese OEMs | ||
|---|---|---|---|
| R155 + R156 | Enforced | Must obtain CSMS cert + type approval per model; ongoing lifecycle monitoring | |
| CRA (supplier components) | Enforced Dec 2027 2027 | Tier-1 suppliers' digital components need CE marking Tier-1 | |
| NIS2 | If OEM EU entity qualifies as essential entity, board-level liability applies | ||
| GB type approval (R155-aligned) | Enforced | Separate approval even post-Brexit; parallel process[24] | |
| UNECE R155 (MLIT) | Enforced | Requires local TARA validation for Japanese road conditions[2] | |
| China (domestic) | GB 44495/44496-2024 | Enforced Jan 2026 2026 | 27 mandatory tests; audit-based; domestic compliance is prerequisite 27[27] |
| DoC VCS/ADS ban | Software: MY2027 | Chinese OEMs effectively banned from US market[6] |
Deloitte China Case: A SOE's R155 Journey
Deloitte China documented assisting a large state-owned Chinese automaker in achieving R155/R156 compliance to enter the European market. The four-step process[36]
- Group-level unified security framework: Integrated R155, R156, ISO 21434, and ISO 24089 into a single framework covering passenger vehicles, commercial vehicles, and NEVs
- Organizational structure per product line: Separate cybersecurity workflows for each major vehicle platform
- Cybersecurity inspections: TARA-based audits for each product line; deep staff training
- Ministry of Transport audit: Final approval enabling export to EU markets
Timeline insight: This is a 12–24 month process for a well-resourced automaker with internal cybersecurity teams. For smaller OEMs or new entrants, timelines are longer and external consulting costs are substantial.
Key Pain Points for Chinese OEMs
1. Post-production monitoring obligation
R155's lifecycle monitoring requires a Security Operations Center (SOC) capability — detecting threats across the entire fleet worldwide. Most Chinese OEMs lack this global SOC infrastructure and must build it or outsource it (to VicOne, Upstream, PlaxidityX, etc.).[9]
2. Supply chain transparency
SBOM requirements (reinforced by CRA) require detailed disclosure of all software components — including open-source libraries and third-party algorithm modules. Chinese supply chains often involve complex, opaque multi-tier structures difficult to document to EU standards.
3. TARA localization
A TARA performed on Chinese road conditions may not adequately address European threat landscapes (different road infrastructure, different V2X protocols, different regulatory attack surfaces). Per-market TARA adaptation is needed.
4. US market effectively closed
The DoC final rule effectively bans Chinese OEMs from the US market from MY2027, regardless of R155 compliance. This narrows the addressable global market for Chinese connected vehicle exports to EU/UK/Japan/ASEAN/Middle East/LatAm — where R155 compliance remains the gateway.
5. Dual standards (China + UNECE)
GB 44495-2024 and R155 are aligned in principle but differ in specifics (27 mandatory tests vs. flexible testing; audit vs. certificate). OEMs must maintain parallel compliance programs — increasing cost and complexity.
X. Automotive Cybersecurity Market
The global automotive cybersecurity market was valued at USD 4.6 billion in 2023 and is projected to reach USD 25.5 billion by 2031, growing at a CAGR of 17.2%. Key demand drivers[37]
- R155 compliance services and tools (TARA automation, CSMS platform, SOC) R155
- SDV (Software-Defined Vehicle) architecture security
- OTA security and firmware validation OTA
- V2X communication security V2X
- Post-quantum cryptography migration PQC
Key service/product vendors
Conclusion
UNECE R155 represents the constitutional moment of automotive cybersecurity — the point at which security moved from voluntary engineering practice to mandatory market-access requirement. Its genius is the dual-approval architecture: CSMS (organizational capability, renewed every 3 years) + vehicle type approval (product-level TARA evidence). This forces continuous improvement, not one-time certification.
Looking forward, the regulatory ceiling is rising rapidly: CRA (Dec 2027) adds component-level requirements across the supply chain; NIS2 adds board-level accountability; post-quantum cryptography will require deep architecture changes by 2030; and AI-driven attack surfaces from advanced ADAS are creating threat vectors that Annex 5's 69-item catalog did not anticipate in 2020.
For Chinese automakers, R155 is the necessary but not sufficient condition for European export. The companies that win in overseas markets will be those that treat cybersecurity not as a compliance checkbox but as a continuous operational capability — with global SOC infrastructure, SBOM-ready supply chains, localized TARA programs, and cryptographic agility ready for the post-quantum era.
References
- UNECE WP.29 R155/R156: new cybersecurity regulations for vehicles From July 2022, compliance with the new regulations on cybersecurity (UNECE WP.29/R155) will be mand...
- A Look at the UN R155 Regulation for Connected Vehicles In the EU and UNECE markets it became mandatory for new vehicle types in July 2022 and for all new v...
- UN R155 Reference Guide | Vehicle Cybersecurity Regulation | TTMI Plain-language guide to UN R155. Understand CSMS requirements, type approval, supply chain implicati...
- Olivier NORA's Post - LinkedIn By ~2030, experts predict a significant chance that quantum computers will break the foundations (RS...
- EU Cyber Resilience Act Explained for Automotive: What Changes ... The Cyber Resilience Act changes the regulatory expectations around connected vehicle software. It e...
- connected vehicle supply chain rule - Bureau of Industry and Security Commerce Finalizes Rule to Secure Connected Vehicle Supply Chains from Foreign Adversary Threats ......
- What New EU Cybersecurity Rules Mean For Carmakers UN R155 and R156 aim to improve cybersecurity in modern vehicles by requiring car manufacturers to i...
- Cyber Security UN R155 and R155 | Bosch Engineering The UN regulation 155 (R155) is on uniform provisions concerning the approval of vehicles with regar...
- UN R155 Compliance - VicOne According to the regulation, manufacturers must demonstrate that cybersecurity methods and processes...
- [PDF] R155am3e.pdf - UNECE 2025 Uniform provisions concerning the approval of vehicles with regards to cyber security and cyber...
- UNECE Announces Inclusion of Motorcycles in R155 - Cybellum UNECE has taken a significant step forward by extending the scope of UNECE WP.29 Regulation No.155 t...
- Automotive Cybersecurity Regulation - UNECE R155 The UNECE WP.29 R155 regulation is rapidly evolving, reflecting the automotive industry's commitment...
- How to reach UNECE R155/R156 compliance | Secura From the 1st of July 2024 vehicle manufacturers must comply with UNECE R155/R156 regulations. Let us...
- UNECE: Cybersecurity management regulation extended to ... The decision to expand the scope of UN Regulation 155 to include motorcycles (vehicle category L) wi...
- Automotive Cybersecurity Standards: A 2026 Compliance Guide UN R155 is the UNECE regulation requiring a Cybersecurity Management System and vehicle type approva...
- Automotive Cybersecurity Management System Assessment Strengthen cybersecurity framework and achieve CSMS certification by aligning with UNECE R155 throug...
- UNECE Regulation No. 155: Amendments & Compliance for Multi ... UNECE Regulation No. 155 (UN R155) establishes the first globally recognized, legally binding framew...
- UN Regulations R 155 & R 156 : Steps For Improving Cybersecurity ... Type Approval Timing. UN R155 came into effect in 2021 with mandatory requirements for new vehicle t...
- ISO/SAE 21434 TARA: Step-by-Step Implementation Guide - VxLabs Step-by-step guide to implementing TARA per ISO/SAE 21434, from asset identification and threat mode...
- Performing The TARA Analysis - WITTENSTEIN high integrity systems ISO 21434 is a standard focused on managing cybersecurity threats in road vehicles, applying to all ...
- Automated Automotive TARA Threat Analysis Software - PlaxidityX PlaxidityX' automotive TARA threat analysis and risk assessment software enables OEMs & Tier-1 suppl...
- How will restrictions on Chinese technologies impact the future of ... While most automaker cybersecurity teams are only now recovering from the massive investment in achi...
- New Security Regulations Pose Challenge for Automakers - MOTOR R155 regulation is all about cybersecurity, and not just cybersecurity at a vehicle's start of produ...
- GB type approval scheme: cyber-security and software update ... By 2022, the EU had mandated R.155 (as item D4) and R.156 (as item H2) within its type approval fram...
- Cyber Security and Software Updating - Vehicle Certification Agency UNECE Regulation 155 covers the uniform provisions for vehicle cybersecurity and cybersecurity manag...
- China's GB Standards (44495 - 44497) revisited - dissecto GmbH GB 44495-2024 sets out technical requirements to mitigate these risks and ensure that vehicles meet ...
- China introduces GB 44495-2024 for vehicle cybersecurity - LinkedIn GB 44495-2024 was officially issued on August 23, 2024, and will be implemented on January 1, 2026. ...
- [PDF] Cybersecurity from a Global Perspective - Secure Our Streets Mainland China specific standard for EV charging system. Technical requirements for vehicle cybersec...
- Cyber Resilience Act: What It Means for Manufacturers ... - PlaxidityX The EU Cyber Resilience Act sets strict cybersecurity standards for digital products. Learn its impa...
- EU Cyber Resilience Act: Implications for the Automotive Industry A significant aspect of the CRA is how it will impact the entire automotive supply chain, including ...
- NIS2 Directive: What Automotive OEMs, Suppliers & Manufacturers ... It entered into force on 16 January 2023, with a transposition deadline of 17 October 2024. As of mi...
- Post-quantum cryptography for intelligent transportation systems An integrated analysis of how threats from quantum computers and emerging PQC standards impact the s...
- 2026 Automotive Trends: SDV, AI at the Edge, Cybersecurity & EV ... AI and digital twins are officially rewriting the rules of product design. Siemens' latest insights ...
- New US DoC 791D Rule Finalizes Ban on Chinese and Russian ... Implications of the New 'Software Ban' for OEMs and Suppliers. The move is driven by rising concerns...
- Moolenaar and Dingell Introduce Legislation That Would Ban ... Select Committee on China Chairman John Moolenaar (R-MI) and Congresswoman Debbie Dingell (D-MI) hav...
- Stronger cybersecurity secures overseas market access - Deloitte Deloitte China assisted a large state-owned automaker to enter the European market by improving tech...
- The Future of Automotive Cybersecurity Safeguarding the Next ... With cybersecurity fast becoming a pillar of automotive design, 2025 will be defined by the next wav...
UNECE R155 · 全球监管格局 · 中国汽车出海影响分析
执行摘要
汽车网络安全法规已从"工程可选项"演变为阻断市场准入的硬性法律要求。UNECE第155号法规(R155)2020年6月通过、2021年1月生效,是全球首部具有法律约束力的汽车网络安全国际法规。自2024年7月起,R155对欧盟、英国、日本、韩国及全球50余个UNECE缔约国的所有新车强制适用。规则简单粗暴:无有效CSMS证书 = 无型式批准 = 无法销售。[2][3][4][1]
监管格局现已多层叠加:R155奠定基线,新一波浪潮——EU网络韧性法(CRA,2027年12月全面适用)、NIS2指令(组织层面,已生效)、美国商务部"中国软件禁令"(MY2027生效)——正不断抬高门槛。对于中国出海车企而言,网络安全合规已成为最复杂的非关税壁垒。[6][5]
一、UNECE R155:全球网络安全基线
起源与制度框架
R155 由UNECE车辆法规协调世界论坛(WP.29)下设的自动/互联车辆工作组(GRVA)制定,2020年6月WP.29会议正式通过,2021年1月21日正式生效。其配套法规UN R156管理软件更新管理系统(SUMS),与R155同步强制执行。[7][8][9][2]
适用范围
R155 适用于装备至少一个电子控制单元(ECU)的车辆[10]
| 车辆类别 | 描述 | 适用状态 |
|---|---|---|
| M | 四轮及以上乘用车 | 强制(2022/2024年起)[1] |
| N | 商用/货车 | 强制[1] |
| O | 装有ECU的拖车 | 强制[3] |
| L6/L7 | 具备L3以上自动驾驶的轻型四轮车 | 强制[9] |
| L (motorcycles/scooters/e-bikes >25km/h) | 摩托车/电动车 | 第3号修订,2025年1月生效,2029年7月起强制[10][11] |
| T (agricultural machinery) | 拖拉机、农机 | 讨论中[12] |
两阶段执行时间轴
| 阶段 | 日期 | 要求 |
|---|---|---|
| 第一阶段 | July 2022 | 所有新车型须取得CSMS认证和R155型式批准[1][7] |
| 第二阶段 | July 2024 | — including models type-approved before 2022 and still in production 扩展至所有新车,含2022年前已取得型式批准、仍在生产的车型[1][13] |
| 摩托车扩展 | July 2029 | 所有带ECU的L类车辆须合规[12][14] |
R155 要求:双重批准架构
R155 要求车企获得两项独立批准[15]
组织层面——CSMS合规证书
网络安全管理体系(CSMS)是覆盖车辆全生命周期的组织框架——开发、生产和后生产阶段。具体要求[17][16]
- 系统性识别和评估网络安全风险
- 实施相称的保护措施
- 在车辆整个使用寿命期间保持威胁监测、检测和响应能力
- 供应链网络安全管理:向全链条供应商传导要求
- 与审批机构共享事件数据
- CSMS认证至少每3年更新一次[16][17]
产品层面——车型型式批准
每款具体车型须证明已在设计架构中实施具体的网络安全措施,以文档化的威胁分析与风险评估(TARA)为依据。[9][15]
二、核心技术要求:TARA
附录5:69个攻击向量目录
R155 附录5列出7大领域的69个攻击向量,车企须对每款车型逐一评估和缓解[9][3]
| 领域 | 威胁示例 |
|---|---|
| 后台服务器攻击 | 云端API欺骗、数据库入侵 |
| 车辆通信信道攻击 | 消息欺骗、GPS干扰、CAN总线注入 |
| 车辆更新程序攻击 | 恶意OTA、固件篡改 |
| 非预期人为操作 | 社会工程学、内部威胁 |
| 外部连接攻击 | 远程信息处理入侵、充电系统破坏 |
| 车辆数据/代码攻击 | 代码提取、数据篡改 |
| 第三方连接系统漏洞 | 后装设备、手机配对漏洞 |
TARA 流程(依据ISO/SAE 21434)
R155 与ISO/SAE 21434紧密关联,后者提供TARA执行的工程方法论。六步流程[8][18]
- 资产识别: Map all ECUs, sensors, communication interfaces, and data assets that require protection 梳理所有需保护的ECU、传感器、通信接口和数据资产[19]
- 威胁识别: For each asset, systematically identify threats using STRIDE or similar methodology 对每项资产运用STRIDE等方法系统识别威胁[19]
- 影响评估: Rate across Safety / Financial / Operational / Privacy (Negligible → Severe) 跨安全/财务/运营/隐私四维评级(轻微→严重)[19]
- 攻击可行性评估: Rate based on Elapsed Time / Expertise / Knowledge / Access / Equipment (5 factors) 基于所需时间/专业知识/系统了解/访问条件/设备5个因素评级[19]
- 风险评定: Combine impact × feasibility using a risk matrix (4 risk levels: Acceptable → High) 将影响×可行性组合生成风险矩阵(4级:可接受→高)[19]
- 风险处置决策: Avoid / Reduce / Transfer / Accept — with documented justification for each 规避/降低/转移/接受——每项均须文档化[20][19]
TARA 不是一次性工作:每当添加新组件、软件更新或出现新威胁(如零日漏洞)时都必须重新执行。[21]
三、ISO/SAE 21434与R155的关系
| 维度 | R155 | ISO/SAE 21434 |
|---|---|---|
| 性质 | 强制法规 | 自愿标准(但实际上被强制引用) |
| 层次 | 目标导向(要达到什么) | 过程导向(如何达到) |
| 发布方 | UNECE WP.29 | 联合发布 |
| 范围 | 车型型式批准 | 从概念到报废的完整工程生命周期 |
| 供应链 | 负责;通过合同向下传导 | 汽车供应链中的所有组织 |
| 配套 | R156 (SUMS) | ISO 24089 (software update) |
核心洞察: R155 sets the regulatory "what" — a CSMS must exist and vehicles must pass TARA. ISO/SAE 21434 provides the engineering "how." In practice, demonstrating compliance with ISO/SAE 21434 is the primary evidence path for passing R155 audits.[18][15]
R155 规定监管层面的"做什么"——CSMS须存在,车辆须通过TARA。ISO/SAE 21434提供工程层面的"怎么做"。实践中,证明符合ISO/SAE 21434是通过R155审计的主要证据路径。[18][15]
四、供应链传导:对Tier-1/Tier-2的影响
R155 名义上针对OEM,但其供应链要求贯穿整个价值链。实际上[18][16]
- 整车厂须与所有可能引入安全风险的供应商签订网络安全接口协议
- 一级供应商(ECU厂商、域控制器、TCU、车载娱乐)须向OEM客户证明其具备等同CSMS的流程——即便无需取得自己的R155认证
- 二/三级供应商(软件组件、半导体IP)须提供可追溯性——软件物料清单(SBOM)需求日益强烈[22]
- 后生产监控为强制要求:OEM须在车辆整个使用寿命内持续监控威胁并"在合理时间内"响应事件[17]
R155 真正的"牙齿"在于后生产义务——不同于以往侧重设计和生产的安全法规,R155要求无限期的持续运营安全。[23]
具体商业影响
- 2024年有5款车型在欧洲"被杀死":三款保时捷(Boxster、718 Cayman、Macan)和两款奥迪(R8、TT)因旧架构合规成本不合算而退出欧盟市场。[23]
- 审计频率:CSMS至少每3年须经指定审批机构审计并重新认证。[16]
- 不合规后果:丧失型式批准 = 立即被所有UNECE缔约国同步禁售。
五、第3号修订(2025年):R155持续演进
UNECE 发布了R155第3号修订案(原版第3号补充),2025年1月10日正式生效。主要变化[10]
- — not just L6/L7 范围扩展:第1.1段现正式纳入所有L类车辆(摩托车、电动自行车速度>25km/h)[10]
- 明确CSMS有效性要求:第7.3.1段明确规定制造商须持有CSMS"有效合规证书"
- 多阶段车辆:针对在底盘基础上改制车身的制造商,明确触发单独CSMS认证的条件[17]
- 物理保护要求:第7.3.4段新增保护车型免受已识别风险的明确义务[10]
R155 后续演进
- 农业机械(T类)纳入:WP.29正在积极讨论[12]
- 可能扩展至后装零件和配件
- 后量子密码学条款:预计纳入未来R155修订版(见第七节)
六、全球监管格局:R155之外
全球采纳地图
| 地区/国家 | 状态 | 说明 |
|---|---|---|
| 欧盟 | 年7月起全面强制 | 通过EU通用安全法规执行[7] |
| 英国 | 强制,英国型式批准体系 | 脱欧后独立体系,与R155一致[24][25] |
| 日本 | 年5月(新车型)强制 | 缔约国;国土交通省执行[2] |
| 韩国 | 强制 | 缔约国[2] |
| 中国 | 年1月1日生效 | 与R155/ISO 21434对齐但有中国特有要求[26][27] |
| 美国 | 自我认证;非UNECE缔约国 | 商务部VCS/ADS禁令MY2027生效[6] |
| 加拿大 | 非UNECE缔约国 | 与美国路径一致 |
| 澳大利亚 | 参考但非强制缔约国 | 年过渡中 |
| 印度 | 考虑采纳中 | 标准开发中 |
| 巴西 | 开发中 | 工作组活跃 |
中国GB 44495/44496-2024:平行框架
发布:2024年8月23日。生效:2026年1月1日。[27][26]
中国国家标准在原则上与R155/ISO 21434对齐,但引入了中国特有差异
| 维度 | UNECE R155 | GB 44495-2024 |
|---|---|---|
| 核心框架 | CSMS + TARA CSMS + TARA | 相同原则) |
| 测试要求 | 基于风险;无固定测试数量 | 项强制性具体测试[27][26] |
| 认证模式 | 合规证书(3年更新) | 基于审计(无可续签的CSMS证书)[26] |
| 车型扩展 | 扩展至其他车型较灵活 | 扩展至其他车型条件更严格[26] |
| 安全 | 通用通信安全 | 及车端-云端安全专项测试[27] |
| 数据本地化 | 无明确要求 | 通过数据安全法隐性要求 |
配套标准: GB 44496-2024 (software update, parallel to R156) and GB 44497-2024 (OTA/charging security) also took effect January 1, 2026.[26][28]
配套标准GB 44496-2024(软件更新,对标R156)和GB 44497-2024(OTA/充电安全)同于2026年1月1日生效。[28][26]
七、下一波浪潮:"网络安全2.0"威胁
R155 建立了网络安全1.0——基线合规底线。行业现面临第二波挑战,单凭R155无法完全应对
EU 网络韧性法(CRA)
- 通过:2024年10月;生效:2024年12月10日;全面适用:2027年12月11日[5][29]
- not already covered by GSR/R155 (e.g., aftermarket parts, EV charging software, in-vehicle apps) 所有在欧盟销售的含数字元素的产品(PDEs)——覆盖未被GSR/R155管辖的零部件供应商(如后装件、充电软件、车载应用)[30][29]
- ; SBOM mandatory in machine-readable format 安全设计;最低5年生命周期支持;24小时内向ENISA报告事件;SBOM强制以机器可读格式提供[29]
- 最高1500万欧元或全球年营收2.5%[29]
- for the supply chain CRA不替代R155(特别法优先);但未受R155覆盖的零部件供应商须遵守CRA——为供应链带来双重合规负担[30]
EU NIS2 指令(组织层面)
- 2023年1月生效;2024年10月转化截止;截至2026年中大多数EU成员国已积极执行[31]
- 大型OEM可能被列为"关键实体"——面临最高1000万欧元或全球营收2%的罚款以及董事会层面个人责任[31]
- — adding another supply chain security audit obligation on top of R155's CSMS requirement NIS2明确要求对整个供应商网络进行安全评估,在R155 CSMS要求之上再叠加供应链安全审计义务[31]
后量子密码学(PQC)威胁
约2030年,足够强大的量子计算机预计将破解当前车辆安全底层密码学(PKI、TLS、安全启动)所依赖的RSA和ECC算法。OEM战略路径[32][4]
- 短期:保护连接和TCU接入点免受经典攻击[4]
- (NIST PQC standards: CRYSTALS-Kyber, CRYSTALS-Dilithium) 中期(至2028-2030年):将车辆内部架构迁移至量子安全密码学[4]
- 未来R155修订版预计将要求PQC就绪;当前设计车辆的OEM须内置密码敏捷性[4]
AI 驱动威胁与"安全设计内嵌"
驱动高阶ADAS的AI技术栈同时创造了新攻击面:感知模型的对抗性ML攻击、恶意训练数据的模型投毒、座舱AI助手的LLM提示词注入。2026年趋势是"安全左移"——在开发周期更早阶段嵌入安全启动、硬件安全模块(HSM)和运行时入侵检测。[33]
八、美国市场:中国软件/硬件禁令
美国商务部最终规则(2025年3月17日生效)
美国商务部发布了禁止中俄互联汽车技术的最终规则[6][34]
| 禁令 | 生效日期 |
|---|---|
| 软件禁令:与中俄有关联的VCS和ADS软件 | 年款[6][34] |
| 硬件禁令:与中俄有关联的VCS硬件 | 年款(或2029年1月1日起)[6] |
| 中国OEM禁令:中国制造商即便在美国本地生产也不得在美销售互联汽车 | 年款[6] |
合规机制: Annual Declarations of Conformity to BIS (Bureau of Industry and Security), including SBOM/HBOM; 10-year record retention; civil penalties ≥USD 1.5M per violation.[34][35]
向BIS(工业和安全局)提交年度合规声明(含SBOM/HBOM);保存10年记录;每次违规民事处罚≥150万美元。[35][34]
国会进一步立法推进: In May 2026, the Connected Vehicle National Security Act was introduced — proposing to expand and codify the ban with penalties of at least USD 1.5M per violation. Bipartisan support signals the ban is structural, not political.[35]
2026 年5月,《互联汽车国家安全法》被提交国会,拟将禁令法制化并设定每次违规至少150万美元罚款。两党支持表明该禁令是结构性而非政治性的。[35]
九、对中国汽车出海的战略影响
中国车企出海须应对的合规层叠
中国出海车企同时面临多层监管叠加
| 市场 | 关键法规 | 状态 | 对中国车企影响 |
|---|---|---|---|
| EU 欧盟 | R155 + R156 | 已执行 | 须取得CSMS证书+每款车型批准;持续生命周期监控 |
| EU 欧盟 | CRA (supplier components) | 年12月 | 供应商数字组件须CE认证 |
| EU 欧盟 | NIS2 | 已执行 | 若欧盟实体为关键实体,董事会承担个人责任 |
| 英国 | GB type approval (R155-aligned) | 已执行 | 脱欧后须单独批准;并行流程[24] |
| 日本 | UNECE R155 (MLIT) | 已执行 | 须本地化TARA验证(日本路况)[2] |
| 中国(国内) | GB 44495/44496-2024 | 年1月已执行 | 项强制测试;审计制;国内合规是前提[27] |
| 美国 | DoC VCS/ADS ban | 软件:MY2027 | 中国OEM实际上被禁止进入美国市场[6] |
德勤中国案例:某大型国企的R155合规之路
德勤中国记录了协助某大型中国国有车企取得R155/R156认证进入欧洲市场的案例。四步流程[36]
- 集团层面统一安全框架:将R155、R156、ISO 21434和ISO 24089整合为单一框架,覆盖乘用车、商用车、新能源车
- 每条产品线建立组织架构:为每个主要车辆平台建立独立网络安全工作流程
- 网络安全检查:基于TARA的每条产品线审计;深度员工培训
- 交通部审计:获得最终批准,得以向欧盟市场出口
时间洞察:对于具有内部网络安全团队的大型车企,这是一个12-24个月的过程。对于规模较小的OEM或新进入者,时间更长,外部咨询成本可观。
中国车企的核心痛点
后生产监控义务
R155 生命周期监控需要安全运营中心(SOC)能力——检测全球整个车队的威胁。大多数中国OEM缺乏此类全球SOC基础设施,须自建或外包(VicOne、Upstream、PlaxidityX等)。[9]
供应链透明度
SBOM 要求(CRA强化)需要详细披露所有软件组件——含开源库和第三方算法模块。中国供应链往往涉及复杂、不透明的多层结构,难以满足欧盟标准的文档要求。
TARA 本地化
针对中国路况执行的TARA可能无法充分应对欧洲威胁场景(不同道路基础设施、不同V2X协议、不同监管攻击面)。需针对各市场进行TARA本地化适配。
美国市场实际关闭
商务部最终规则实际上从MY2027起禁止中国OEM进入美国市场,无论是否符合R155。这将中国互联汽车出口可寻址全球市场收窄为欧盟/英国/日本/东盟/中东/拉美——其中R155合规仍是门票。
双重标准(中国+UNECE)
GB 44495-2024 与R155原则一致但具体不同(27项强制测试vs.灵活测试;审计制vs.证书制)。OEM须维持平行合规计划——增加成本和复杂性。
十、汽车网络安全市场规模
全球汽车网络安全市场2023年价值46亿美元,预计2031年达255亿美元,CAGR 17.2%。主要需求驱动因素[37]
- 合规服务和工具(TARA自动化、CSMS平台、SOC)
- 软件定义汽车架构安全
- 安全和固件验证
- 通信安全
- 迁移
关键服务/产品供应商: VicOne (trend micro subsidiary, vehicle SOC), Upstream.auto (cloud-native automotive SOC), PlaxidityX (TARA automation), Cybellum (product security lifecycle), C2A Security (DevSecOps platform), Argus Cyber (continental subsidiary), Harman Shield.
结论
UNECE R155 代表汽车网络安全的宪制性时刻——安全从自愿性工程实践转变为强制性市场准入要求。其精妙之处在于双重批准架构:CSMS(组织能力,每3年更新)+ 车型型式批准(产品级TARA证据)。这强制推动持续改进,而非一次性认证。
展望未来,监管天花板正在快速升高:CRA(2027年12月)在供应链中增加组件层面要求;NIS2增加董事会层面问责;后量子密码学要求在2030年前进行深度架构变革;来自高阶ADAS的AI驱动攻击面正在制造附录5的69项目录在2020年未曾预见的威胁向量。
对于中国出海车企,R155是欧洲出口的必要条件但非充分条件。在海外市场获胜的企业,将是那些不把网络安全视为合规勾选项、而视之为持续运营能力的企业——具备全球SOC基础设施、SBOM就绪的供应链、本地化TARA程序,以及为后量子时代准备好的密码敏捷性。
参考文献
- UNECE WP.29 R155/R156: new cybersecurity regulations for vehicles From July 2022, compliance with the new regulations on cybersecurity (UNECE WP.29/R155) will be mand...
- A Look at the UN R155 Regulation for Connected Vehicles In the EU and UNECE markets it became mandatory for new vehicle types in July 2022 and for all new v...
- UN R155 Reference Guide | Vehicle Cybersecurity Regulation | TTMI Plain-language guide to UN R155. Understand CSMS requirements, type approval, supply chain implicati...
- Olivier NORA's Post - LinkedIn By ~2030, experts predict a significant chance that quantum computers will break the foundations (RS...
- EU Cyber Resilience Act Explained for Automotive: What Changes ... The Cyber Resilience Act changes the regulatory expectations around connected vehicle software. It e...
- connected vehicle supply chain rule - Bureau of Industry and Security Commerce Finalizes Rule to Secure Connected Vehicle Supply Chains from Foreign Adversary Threats ......
- What New EU Cybersecurity Rules Mean For Carmakers UN R155 and R156 aim to improve cybersecurity in modern vehicles by requiring car manufacturers to i...
- Cyber Security UN R155 and R155 | Bosch Engineering The UN regulation 155 (R155) is on uniform provisions concerning the approval of vehicles with regar...
- UN R155 Compliance - VicOne According to the regulation, manufacturers must demonstrate that cybersecurity methods and processes...
- [PDF] R155am3e.pdf - UNECE 2025 Uniform provisions concerning the approval of vehicles with regards to cyber security and cyber...
- UNECE Announces Inclusion of Motorcycles in R155 - Cybellum UNECE has taken a significant step forward by extending the scope of UNECE WP.29 Regulation No.155 t...
- Automotive Cybersecurity Regulation - UNECE R155 The UNECE WP.29 R155 regulation is rapidly evolving, reflecting the automotive industry's commitment...
- How to reach UNECE R155/R156 compliance | Secura From the 1st of July 2024 vehicle manufacturers must comply with UNECE R155/R156 regulations. Let us...
- UNECE: Cybersecurity management regulation extended to ... The decision to expand the scope of UN Regulation 155 to include motorcycles (vehicle category L) wi...
- Automotive Cybersecurity Standards: A 2026 Compliance Guide UN R155 is the UNECE regulation requiring a Cybersecurity Management System and vehicle type approva...
- Automotive Cybersecurity Management System Assessment Strengthen cybersecurity framework and achieve CSMS certification by aligning with UNECE R155 throug...
- UNECE Regulation No. 155: Amendments & Compliance for Multi ... UNECE Regulation No. 155 (UN R155) establishes the first globally recognized, legally binding framew...
- UN Regulations R 155 & R 156 : Steps For Improving Cybersecurity ... Type Approval Timing. UN R155 came into effect in 2021 with mandatory requirements for new vehicle t...
- ISO/SAE 21434 TARA: Step-by-Step Implementation Guide - VxLabs Step-by-step guide to implementing TARA per ISO/SAE 21434, from asset identification and threat mode...
- Performing The TARA Analysis - WITTENSTEIN high integrity systems ISO 21434 is a standard focused on managing cybersecurity threats in road vehicles, applying to all ...
- Automated Automotive TARA Threat Analysis Software - PlaxidityX PlaxidityX' automotive TARA threat analysis and risk assessment software enables OEMs & Tier-1 suppl...
- How will restrictions on Chinese technologies impact the future of ... While most automaker cybersecurity teams are only now recovering from the massive investment in achi...
- New Security Regulations Pose Challenge for Automakers - MOTOR R155 regulation is all about cybersecurity, and not just cybersecurity at a vehicle's start of produ...
- GB type approval scheme: cyber-security and software update ... By 2022, the EU had mandated R.155 (as item D4) and R.156 (as item H2) within its type approval fram...
- Cyber Security and Software Updating - Vehicle Certification Agency UNECE Regulation 155 covers the uniform provisions for vehicle cybersecurity and cybersecurity manag...
- China's GB Standards (44495 - 44497) revisited - dissecto GmbH GB 44495-2024 sets out technical requirements to mitigate these risks and ensure that vehicles meet ...
- China introduces GB 44495-2024 for vehicle cybersecurity - LinkedIn GB 44495-2024 was officially issued on August 23, 2024, and will be implemented on January 1, 2026. ...
- [PDF] Cybersecurity from a Global Perspective - Secure Our Streets Mainland China specific standard for EV charging system. Technical requirements for vehicle cybersec...
- Cyber Resilience Act: What It Means for Manufacturers ... - PlaxidityX The EU Cyber Resilience Act sets strict cybersecurity standards for digital products. Learn its impa...
- EU Cyber Resilience Act: Implications for the Automotive Industry A significant aspect of the CRA is how it will impact the entire automotive supply chain, including ...
- NIS2 Directive: What Automotive OEMs, Suppliers & Manufacturers ... It entered into force on 16 January 2023, with a transposition deadline of 17 October 2024. As of mi...
- Post-quantum cryptography for intelligent transportation systems An integrated analysis of how threats from quantum computers and emerging PQC standards impact the s...
- 2026 Automotive Trends: SDV, AI at the Edge, Cybersecurity & EV ... AI and digital twins are officially rewriting the rules of product design. Siemens' latest insights ...
- New US DoC 791D Rule Finalizes Ban on Chinese and Russian ... Implications of the New 'Software Ban' for OEMs and Suppliers. The move is driven by rising concerns...
- Moolenaar and Dingell Introduce Legislation That Would Ban ... Select Committee on China Chairman John Moolenaar (R-MI) and Congresswoman Debbie Dingell (D-MI) hav...
- Stronger cybersecurity secures overseas market access - Deloitte Deloitte China assisted a large state-owned automaker to enter the European market by improving tech...
- The Future of Automotive Cybersecurity Safeguarding the Next ... With cybersecurity fast becoming a pillar of automotive design, 2025 will be defined by the next wav...