No certified CSMS, no vehicle type approval.
UN R155 makes a certified Cyber Security Management System the price of entry for new vehicle type approval, and you must prove cybersecurity for every vehicle type, across its whole life. Setu Innovation joins advisory work that interprets R155 with the engineering (CSMS, TARA, ISO/SAE 21434) that makes the evidence stand up.
- UNECE WP.29
- New types · Jul 2022
- All new vehicles · Jul 2024
- Pairs with ISO/SAE 21434
If you place vehicles on the market in a 1958 Agreement country, R155 applies.
R155 binds vehicle manufacturers seeking type approval for passenger cars, vans, trucks, buses and certain trailers and connected systems. Compliance flows down to Tier-1 and Tier-N suppliers whose components carry cybersecurity relevance.
A 20-second self-check
- Do you seek vehicle type approval under the UNECE 1958 Agreement?
- Do your vehicles have connectivity, ECUs, or external interfaces?
- Do you supply components or software into a vehicle manufacturer?
- Can you evidence cybersecurity risk management across the lifecycle?
Mostly "yes"? You need a certified CSMS and per-type cybersecurity evidence — and ISO/SAE 21434 is how you build it. A short call confirms the path.
What you'll have to demonstrate.
R155 has two layers: a certified management system at the organisation level, and cybersecurity evidence for each vehicle type.
A certified management system
An audited Cyber Security Management System covering processes, roles and tooling for managing cyber risk — certified before type approval, with the certificate typically valid for around three years.
Type-level cybersecurity
For each vehicle type: risk assessment and TARA, identification of risks and mitigations, and demonstration that the type is protected against the threats that matter.
Risk management over the lifetime
Cybersecurity managed across development, production and post-production — not a one-off at approval, but a continuous process for the life of the type.
Supplier & CooC management
Flow cybersecurity requirements down to suppliers and manage them through the chain, often via the Component-out-of-Context approach from ISO/SAE 21434.
Monitoring & incident response
Detect, analyse and respond to cyberattacks, threats and vulnerabilities affecting vehicles in the field, with the capability to act across the fleet.
Approval evidence pack
Assemble the documentation the technical service and approval authority expect — traceable from risk to mitigation to verification.
From management system to fleet.
R155 connects an organisation-level certificate to each approved type and the suppliers behind it — and sits alongside R156 and ISO/SAE 21434.
CSMS certificate
The organisation-level certificate, issued after audit, that a manufacturer must hold before its vehicle types can be approved. Typically valid for around three years.
Vehicle type approval
Each vehicle type must demonstrate cybersecurity, drawing on the CSMS and per-type TARA, before it can be placed on the market.
Suppliers & CooC
Tier-1 and Tier-N suppliers provide the cybersecurity evidence the manufacturer's CSMS depends on, frequently using Component-out-of-Context from ISO/SAE 21434.
R156 & ISO/SAE 21434
R156 adds the software-update side; ISO/SAE 21434 is the engineering standard that generates the evidence. Most connected-vehicle programmes need all three.
R155 is won in the CSMS and the type evidence.
A binder won't pass a technical service — the CSMS and per-type cybersecurity have to be real and traceable. Setu does both, in one team.
Scope & gap
Map your programme against R155, settle the CSMS scope, and produce a prioritised gap and roadmap to certification and type approval.
Engineer the CSMS
Stand up the CSMS processes and document set, run TARA to ISO/SAE 21434, build supplier and CooC management, and establish the monitoring and incident-response capability.
Reach approval
Package the evidence for the technical service, rehearse the audit, and pre-review the type files before they're submitted for approval.
R155, answered plainly.
When does R155 apply?
In the EU it has been mandatory for new vehicle types since July 2022 and for all new vehicle registrations since July 2024. It's adopted across the UNECE 1958 Agreement, including the EU, Japan and South Korea.
What is a CSMS?
A Cyber Security Management System — the processes, roles and tooling used to manage cyber risk across the vehicle lifecycle. R155 requires it to be audited and certified (certificate typically valid ~3 years) before types can be approved.
Do suppliers need to comply?
R155 binds the manufacturer, but the evidence comes from the chain. Manufacturers flow requirements down to Tier-N suppliers, often via Component-out-of-Context, so suppliers must supply the cybersecurity evidence the CSMS relies on.
How does R155 relate to ISO/SAE 21434?
R155 is the regulatory requirement; ISO/SAE 21434 is the engineering standard that tells you how to do the work. Building to 21434 is the practical way to generate the evidence R155 expects.
What's the difference between R155 and R156?
R155 covers the CSMS and per-type cybersecurity; R156 covers the Software Update Management System and safe, secure updates including OTA. Most connected-vehicle manufacturers need both.
Meet R155 with evidence that holds.
A focused review: the CSMS scope, the gap to certification, your per-type cybersecurity evidence, and the realistic route to approval. Tell us where you are and we'll take it from there — or ask for a call if that's easier.