This article is the second episode of a blog series covering cyber security trends and best practices to be addressed by automotive stakeholders for implementing State-of-the-Art technics and meeting required compliance levels.


Previous episode


Upcoming episode

  • Cyber Security for Road Vehicles – EP.3 – A management system story
  • Cyber Security for Road Vehicles – EP.4 – From process to products
  • And even more to come…

EP.1 of that blog series introduced new cyber security requirements (especially regarding impact on suppliers) vehicle manufacturers have to fulfill for claiming for new type approvals since June 2022. Behind those new expectations stated into UN ECE R155, a three-step approach will have to be followed by manufacturers:


1. Cyber Security Management System (CSMS) Certification


Vehicle manufacturers have to demonstrate first their cyber security process framework, also called Cyber Security Management System (CSMS) to authorities. This initial step is mandatory to get a CSMS certificate which is the first prerequisite to claim for a new type approval. This certificate is not bound to a specific car program and represents the evidence that a manufacturer has the organizational capability to meet UN ECE R155 requirements.


2. Vehicle Type Approval (VTA)


After getting this CSMS certificate, vehicle manufacturers have the right to apply for Vehicle Type Approvals (VTA). The objective of this second step is to evaluate that the process framework, which has been “certified” during step 1, has been effectively applied in the context of a specific car program / vehicle type. During this phase manufacturers will therefore have to present documentations demonstrating vehicle security process implementation (e.g. for risk assessment process evidence of complete risk assessment details for this specific vehicle type)


Note: for car program initiated earlier than CSMS certification, deviations from such processes are allowed by June 2024, but require justifications



A Type Approval is only the first milestone to reach for being authorized to sell cars on the market. However, for keeping up this authorization, authorities are also requiring regular checks to confirm the continuous application of security processes all along the lifetime of a vehicle type. The third phase of this journey might therefore be described as follows:


3. Provisions reporting


After getting a type approval, vehicle manufacturers will have to regularly (at least once a year) report the outcome of their monitoring activities, information related to new cyber attacks and potential incidents which might require adjustment of security measures. The main objective of this reporting is for the manufacturer to demonstrate to the authorities that protection measures are still effective and adequate against evolving threat landscape


Note: If the reporting or response is not sufficient the Approval Authority may decide to withdraw the CSMS certificate (and therefore suspend type approval)


The full process is summarized and illustrated below

CertX as you partner for meeting UN ECE R155 and/or ISO 21434 compliance

If you have any questions about the new regulatory situations around cyber security for the automotive industry, or any other open points about how the application of relevant standards and certification could be used for compliance, please do not hesitate to contact our cyber security experts