COMPLIANCE · UNECE
UNECE R155
From CSMS documentation to Annex 5 threat coverage to a Cybersecurity Case the assessor can review — engineering evidence prepared, not reconstructed at audit time.
WHAT IS UNECE R155?
UNECE R155 is the binding regulation that requires OEMs to operate a Cybersecurity Management System and demonstrate cybersecurity engineering for Vehicle Type Approval in UNECE contracting parties.
CONTEXT
R155 has been mandatory for new vehicle types in UNECE markets since July 2022 and for all new vehicles since July 2024. It binds OEMs to maintain an audited CSMS, address Annex 5 threat and vulnerability categories, and prove cybersecurity is engineered into the vehicle. The regulation is outcome-oriented — assessors expect a method, and ISO/SAE 21434 is the de-facto method.
WHAT ENGINEERING TEAMS PRODUCE
Outputs that go into the evidence chain
- 01
Documented Cybersecurity Management System covering processes, roles, and governance
- 02
Evidence that cybersecurity is engineered across concept, development, production, operation, maintenance, and decommissioning
- 03
Annex 5 threat coverage mapped to vehicle architecture
- 04
TARA outputs and risk-treatment decisions for the Vehicle Type
- 05
Cybersecurity Interface Agreements with suppliers — bidirectional evidence
- 06
Post-production monitoring, vulnerability response, and incident-handling processes
- 07
Cybersecurity Case structured for the assessment authority
WHERE TEAMS STRUGGLE
Friction points that show up at audit time
Audit dates land before the CSMS is fully documented; teams scramble to assemble evidence
Annex 5 threat categories are interpreted differently across programmes — supplier and OEM coverage diverges
Bridge from engineering evidence to regulator language is brittle — translation happens late
Demonstrating CSMS coverage across multiple programmes, not a single vehicle, is hard
Vulnerability response evidence is fragmented across tools and teams
HOW AGNILE AND KAVACH HELP
Engineering evidence prepared for review
We support evidence preparation, structure work products, and help engineering teams ready themselves for assessment discussions. Final review and approval rest with the relevant authority.
KAVACH workflows align engineering outputs with R155 evidence expectations — Annex 5 threats, TARA, Cybersecurity Case
Curated automotive Threat Database covers Annex 5 categories so OEM and supplier coverage converge
Cybersecurity Case assembly with Clause-mapped evidence ready for the assessment authority
Interface Agreement workflows for supplier-side evidence
Agnile Cybersecurity Engineering services support readiness discussions, gap reviews, and pre-assessment preparation
RELATED RESOURCES
Detailed reference reading
ISO/SAE 21434
ISO/SAE 21434 vs UNECE R155: What’s the Difference?
Engineering standard vs regulation — understanding how ISO/SAE 21434 and UNECE R155 work together for Automotive Cybersecurity compliance.
Read article →
CYBERSECURITY
UNECE R155 Compliance Roadmap: From CSMS Audit to Type Approval
A practical 12–18 month UNECE R155 compliance roadmap for vehicle programmes — CSMS audit, Annex 5 threats, Type Approval, and post-2024 enforcement reality.
Read article →
INDUSTRY
Automotive Cybersecurity in India: The Growing Opportunity
India’s AIS 189/190 regulations, Bengaluru’s emerging cybersecurity hub, and the opportunity for Indian automotive companies.
Read article →
FAQ
Common questions about UNECE R155
Move from architecture to UNECE R155 evidence with engineers who do this work.
Bring a programme scope. We'll show where KAVACH fits cleanly, where integration work is, and what evidence is already in good shape for review.