Skip to main content
← Back to Blog
ISO/SAE 21434July 17, 2026 • 7 min read

ISO/SAE 21434 Second Edition: What Is Changing and When

By Shreyansh, Founder & CTO, Agnile Technologies

Key Takeaways

TL;DR — ISO/SAE 21434:2021 entered systematic review on 15 July 2026, but no second-edition project is formally registered yet. The ISO/SAE Joint Working Group expects development to start in 2026 and publication around 2029 — with no change in scope or structure, the same 42 Work Products, and the verification and validation content of TR 8477 folded in. Build your CSMS on the 2021 edition now; UNECE R155 enforcement is already here.

  1. 1.ISO/SAE 21434:2021 moved to ISO stage 90.20 — systematic review — on 15 July 2026. That is a routine five-year checkpoint, not a revision: no amendment or revision project has been formally registered.
  2. 2.The Joint Working Group's public roadmap: industry comments collected in August 2024, categorized by January 2025, scope decisions in November 2025, development starting in 2026, publication around 2029 on a roughly three-year timeline.
  3. 3.The decided direction is continuity — no change in scope or structure, ISO/PAS 5112 stays a separate audit document, and ISO/SAE TR 8477's verification and validation content merges into the second edition.
  4. 4.The 42 Work Products of Annex A, the Clauses 5–15 organization, and the TARA method all carry forward. Evidence built on the 2021 edition will not be discarded.
  5. 5.Waiting for edition 2 is not an option: UNECE R155 has applied to all new vehicles in the EU since 7 July 2024, and L-category deadlines arrive on 11 December 2027 (new types) and 11 June 2029 (existing types).

At a Glance

One-Sentence Answer
ISO/SAE 21434 remains at its 2021 first edition — under routine systematic review since 15 July 2026, with second-edition development expected to start in 2026 and publication around 2029, preserving today's scope, structure, and Work Products.
Who This Is For
CSMS owners, cybersecurity managers, TARA leads, compliance and homologation teams, and Tier-1 suppliers planning standards alignment through 2029.
Last Reviewed
July 2026
Primary References
ISO/SAE 21434:2021, ISO systematic review status, ISO/SAE Joint Working Group public roadmap, ISO/SAE 8475, ISO/SAE TR 8477, ISO/PAS 8800, UNECE R155.
Practical Use
Use this to decide what to build now versus what to defer, and to answer auditor and customer questions about the second edition with verifiable status.

Editorial Process: Written and reviewed by Agnile engineers working day-to-day in automotive cybersecurity and safety. AI tooling is used to assist with drafting, outlining, and copy-editing; every claim, standards reference, and technical statement is verified by a human engineer before publication.

On 15 July 2026, the ISO status page for ISO/SAE 21434 quietly changed: the standard moved to stage 90.20, the marker for a systematic review. That routine entry has already produced a wave of confident commentary about a “new ISO 21434” arriving imminently. Most of it is wrong in at least one load-bearing detail. This post sets out what is actually happening with the second edition — what has been decided, what has not, and what the dates really are — using only the public record.

The short version: the 2021 first edition is still the only edition, no revision project is formally registered, and the working group that owns the standard has said publicly that the second edition will change far less than the rumor mill suggests.

Where ISO/SAE 21434 Actually Stands in July 2026

ISO/SAE 21434 was published on 31 August 2021 by ISO/TC 22/SC 32 jointly with SAE International. Under ISO’s rules, every International Standard passes a systematic review roughly five years after publication: national member bodies vote to confirm the standard as-is, revise it, or withdraw it. That is the process that opened this week, and it is the reason the status page now reads stage 90.20.

Here is the detail most coverage misses: a systematic review is not a revision. As of this writing, no amendment and no revision project for ISO/SAE 21434 has been formally registered with ISO. There is no committee draft, no DIS, no ballot on new technical content. Anyone claiming to summarize “what the new edition says” is summarizing a document that does not yet exist.

The Roadmap the Joint Working Group Has Shared

What does exist is a public roadmap. In a presentation given in December 2025, the co-convener of the ISO/SAE Joint Working Group that maintains the standard laid out the path to a second edition. Industry comments on the first edition were collected in August 2024 and categorized by January 2025. Decisions on the scope of the revision were taken in November 2025. Development of the second edition is expected to start in 2026, on a roughly three-year timeline — which puts publication around 2029.

Treat those dates as directional. Until a revision project is registered, ISO has committed to nothing. But the sequence — comments, categorization, scope decisions, development — is the standard machinery of an ISO revision, and it is visibly in motion.

What Has Already Been Decided

Three scope decisions matter for planning. First, the second edition will not change the scope or structure of the standard: it remains a cybersecurity engineering standard for road-vehicle E/E systems, organized the way practitioners know it today. Second, ISO/PAS 5112 — the audit guidance for organizational cybersecurity audits — stays a separate document rather than being absorbed. Third, ISO/SAE TR 8477, the Technical Report on cybersecurity verification and validation, is transitional: its content is planned to merge into the second edition.

Read together, these decisions describe a consolidation release, not a rewrite. The working group is folding in the verification and validation guidance the first edition was thin on, and otherwise leaving the load-bearing walls where they are.

DateMilestoneWhat It Means
31 August 2021First edition publishedISO/SAE 21434:2021 issued by ISO/TC 22/SC 32 jointly with SAE International; Annex A defines the 42 Work Products.
August 2024Industry comments collectedThe Joint Working Group gathered improvement proposals from national bodies and industry on the first edition.
January 2025Comments categorizedProposals sorted into themes to shape the scope of a second edition.
November 2025Scope decisions takenDirection fixed: no change in scope or structure; ISO/PAS 5112 stays separate; TR 8477 content to merge in.
15 July 2026Systematic review opened (stage 90.20)Routine five-year ballot. Second-edition development expected to start in 2026 — no revision project formally registered yet.
~2029Second edition published (indicative)Based on the roughly three-year development timeline shared publicly by the Joint Working Group co-convener.
From first edition to an expected second — the 2024–2025 milestones come from the Joint Working Group’s public roadmap; 2029 is indicative, not a registered ISO target.

What Stays Stable — and Why That Matters

For teams holding budget conversations, the stable core is the headline. Annex A of ISO/SAE 21434 defines exactly 42 Work Products — a count independently corroborated by two VDA documents, the VDA CSIA RASI responsibility matrix and VDA Position Paper 5783. Those Work Products, the Clauses 5–15 organization, and the Threat Analysis and Risk Assessment method of Clause 15 all carry forward. If your organization has mapped its evidence against the 42 Work Products checklist, that mapping survives the second edition.

This is the practical answer to the question every CSMS owner is being asked right now: nothing you build on the 2021 edition becomes waste in 2029. The second edition is being designed for continuity.

Why Waiting for Edition 2 Is the Wrong Move

The regulatory clock is not synchronized to ISO’s. UNECE R155 has been mandatory in the EU for new vehicle types since 6 July 2022 and for all new vehicles — first registration, sale, or entry into service — since 7 July 2024, via Regulation (EU) 2019/2144. Type Approval authorities such as KBA in Germany and RDW in the Netherlands are auditing each Cybersecurity Management System today, against the engineering evidence practices the 2021 edition defines.

The scope is still widening. Commission Delegated Regulation (EU) 2025/1455, adopted on 23 July 2025, extends UN R155 to L-category vehicles — L1e through L7e, except pedal-designed L1e — with new types in scope from 11 December 2027 and existing types from 11 June 2029. A two-wheeler program that waits for the second edition to “stabilize” will find the regulation arrived first. If you are starting now, our ISO/SAE 21434 pillar guide covers the full clause structure, and the ISO/SAE 21434 compliance overview maps the standard to Type Approval evidence.

The Adjacent Documents Filling the Gaps

Between now and the second edition, three companion documents cover the areas practitioners ask about most.

ISO/SAE 8475 defines three Cybersecurity Assurance Levels (CAL) and the Targeted Attack Feasibility (TAF) concept — a graded way to scale engineering rigor to risk. Its final text was registered with ISO on 2 April 2026 and the project sits at the last approval stage (50.20) with a July 2026 publication target; as of this writing it is on the verge of publication. Once issued, it gives OEMs and suppliers a shared vocabulary for how much security is enough in procurement and design reviews.

ISO/SAE TR 8477 addresses cybersecurity verification and validation — how to demonstrate that Cybersecurity Goals and requirements are actually met. It is at the DTR approval stage as of May 2026 and expected to publish late in 2026. It is explicitly transitional: its content merges into the second edition of 21434, so adopting its methods early is a low-risk bet.

ISO/PAS 8800, published on 13 December 2024, covers safety and artificial intelligence in road vehicles. It is a safety document rather than a cybersecurity one, but for teams shipping machine-learning-based driving functions it is the reference the second edition of 21434 will coexist with rather than duplicate.

Frequently Asked Questions

Is a second edition of ISO/SAE 21434 already published? No. ISO/SAE 21434:2021 remains the current and only edition. The standard is at ISO stage 90.20 — under systematic review as of 15 July 2026 — and no amendment or revision project has been formally registered. Second-edition development is expected to start in 2026, with publication around 2029.

Will my existing CSMS and Work Products become obsolete when the second edition arrives? No. The Joint Working Group has stated publicly that the second edition will not change the scope or structure of the standard. The 42 Work Products of Annex A, the Clauses 5–15 organization, and the TARA method carry forward. Expect clarification and consolidation — including merged verification and validation guidance — rather than replacement.

When will the second edition of ISO/SAE 21434 be published? Around 2029, based on the roughly three-year development timeline the Joint Working Group co-convener presented publicly in December 2025, with development starting in 2026. Because no revision project is formally registered yet, that date is indicative, not an ISO commitment.

What happens to ISO/SAE TR 8477 on verification and validation? It is a Technical Report at the DTR approval stage as of May 2026, expected to publish late in 2026. It is transitional by design: its verification and validation content is planned to merge into the second edition of ISO/SAE 21434.

For the clause-by-clause treatment of the current edition, start with our ISO/SAE 21434 Guide.

Need Help Applying This to a Real Programme?

Agnile supports engineering teams from architecture and requirements through implementation, validation, release, and evidence preparation.