Resource guide
Automotive Cybersecurity Regulations Map: UN R155, R156, ISO/SAE 21434, CRA, NIS2, and GSR2
Five instruments now shape cybersecurity obligations for anyone building, supplying, or selling vehicle technology in Europe — and they regulate different things, bind different parties, and are enforced by different bodies. This map puts all of them on one grid and one verified timeline, so you can see which apply to you and in what order the deadlines arrive.
By Shreyansh, Founder & CTO, Agnile Technologies •
Key Takeaways
TL;DR — UN R155 and R156 bind the vehicle at Type Approval, ISO/SAE 21434 defines the engineering process behind that evidence, the EU Cyber Resilience Act covers digital products that Type Approval does not reach, NIS2 covers the enterprise and its plants, and TISAX covers information security assessments in the supply chain. Each has a different scope, a different enforcement body, and a different deadline — this guide places all of them on one matrix and one verified 2021–2029 timeline.
- 1.UN R155 and UN R156 have applied to all new vehicles in the EU since 7 July 2024, enforced through Type Approval authorities such as KBA, RDW, and UTAC — the VCA grants approvals under the UK GB scheme, not the EU one.
- 2.The EU Cyber Resilience Act (Regulation (EU) 2024/2847) exempts type-approved vehicles via Article 2(2)(c), but aftermarket devices, EV charging equipment, development and diagnostic tools, and standalone components sold to the supply chain remain in scope — reporting duties start 11 September 2026, full application on 11 December 2027.
- 3.Germany implemented NIS2 through the NIS2UmsuCG, in force since 6 December 2025: vehicle and parts manufacturers with at least 50 employees or more than EUR 10 million turnover are important entities under Anlage 2 BSIG. The statutory registration deadline lapsed on 6 March 2026, and the BSI grace period ends 31 July 2026.
- 4.ISO/SAE 21434 is the engineering evidence framework behind R155 CSMS assessments — a process certificate alone is not R155 compliance, and a second edition is expected around 2029.
- 5.L-category vehicles enter the R155 regime under Delegated Regulation (EU) 2025/1455 — new types from 11 December 2027, existing types from 11 June 2029.
- 6.TISAX is contractual, not statutory — the ENX-governed information security assessment that German OEMs require before sharing development data with suppliers.
Section 1
One Vehicle, Five Rulebooks
A connected vehicle programme in Europe now answers to at least five distinct instruments at once. UN R155 and UN R156 regulate the vehicle and its manufacturer at Type Approval. ISO/SAE 21434 defines the engineering process that produces the evidence those approvals rest on. The Cyber Resilience Act (CRA) regulates products with digital elements that Type Approval does not reach. NIS2 regulates the company itself — its plants, IT, and incident handling. And TISAX, while not law at all, is the contractual information security assessment German OEMs demand across their supply chain.
Confusing these instruments is expensive in both directions: teams over-invest in obligations that do not apply to them, and under-invest in ones that do. The two tables below — a master matrix and a verified timeline — are designed to be the one-page reference that prevents both mistakes.
Section 2
How the Instruments Interlock
The instruments are not competing rulebooks — they form a chain. UN R155, made binding in the EU through the second General Safety Regulation (GSR2, Regulation (EU) 2019/2144), requires every vehicle manufacturer to operate a certified Cybersecurity Management System and to obtain a cybersecurity Type Approval for each vehicle type. The regulation states what must exist; it deliberately does not prescribe engineering methods.
ISO/SAE 21434 is the how. Its Threat Analysis and Risk Assessment process, lifecycle Work Products, and Cybersecurity Case are what assessment bodies expect to find inside an R155 CSMS. Annex A of the standard defines exactly 42 Work Products — a count corroborated independently by the VDA CSIA RASI responsibility matrix and VDA Position Paper 5783. UN R156 extends the same logic to software updates through the Software Update Management System.
The CRA picks up where Type Approval stops. Because Article 2(2)(c) excludes products already covered by Regulation (EU) 2019/2144, the CRA does not apply to type-approved vehicles — but it fully applies to automotive-adjacent products sold outside that boundary, from OBD dongles to EV charging equipment to standalone MCUs and middleware sold into the supply chain.
NIS2 regulates the enterprise rather than the product. In Germany, the NIS2UmsuCG places vehicle and parts manufacturing squarely in scope: the official estimate counts roughly 29,850 affected entities nationwide — 8,250 particularly important and 21,600 important — yet only about 18,500 had registered with the BSI by the end of May 2026. Finally, TISAX covers the information security dimension of collaboration: how a supplier protects the OEM data, prototypes, and connected services it handles.
Section 3
Master Matrix: Who Regulates What
Read each row as one question: what does this instrument regulate, who does it bind, who checks, and what evidence closes the loop? Note that only R155, R156, the CRA, and NIS2 carry legal force — ISO/SAE 21434 and TISAX derive their power from assessments and contracts.
| Instrument | What it regulates | Who it binds | Enforcement / assessment | Key evidence | Read next |
|---|---|---|---|---|---|
| UNECE R155 | Vehicle cybersecurity at Type Approval — the vehicle type and the manufacturer-level CSMS. | OEM (vehicle manufacturer); suppliers indirectly via Cybersecurity Interface Agreements. | EU Type Approval authorities — KBA (Germany), RDW (Netherlands), UTAC (France). | CSMS Certificate of Compliance, vehicle-type cybersecurity assessment, Annex 5 threat coverage. | UNECE R155 compliance |
| UNECE R156 | Software updates over the vehicle lifetime and the Software Update Management System. | OEM. | Same Type Approval authorities as R155. | SUMS certificate, RXSWIN software identification, update integrity records. | UNECE R156 compliance |
| ISO/SAE 21434 | The engineering process — cybersecurity risk management across the full vehicle lifecycle. | OEMs and the supply chain, cascaded through contracts and interface agreements. | No statutory authority — audit and assessment bodies use it as the benchmark behind R155 evidence. | TARA, Cybersecurity Case, the 42 Work Products of Annex A. | ISO/SAE 21434 compliance |
| CRA — Regulation (EU) 2024/2847 | Products with digital elements sold in the EU outside the type-approval boundary. | Manufacturers, importers, and distributors of in-scope products. | National market surveillance authorities; incident reporting to ENISA and national CSIRTs. | CE conformity assessment, vulnerability handling, SBOM, Article 14 reports. | CRA automotive scope |
| NIS2 — Germany: NIS2UmsuCG / BSIG | The organization — corporate IT, plants, and operations of essential and important entities. | Automotive manufacturers and suppliers (Anlage 2 BSIG, NACE C29/C30) with at least 50 employees or more than EUR 10 million turnover. | BSI — fines up to EUR 500,000 for registration violations. | §33 registration, §30 risk-management measures, §32 incident reports. | NIS2 for suppliers |
| TISAX | Information security in the supply chain — protection of development data, prototypes, and connected services. | Suppliers and service providers, contractually — German OEMs require it in sourcing. | ENX Association governs the scheme; accredited audit providers run the assessments. | TISAX assessment labels at the contractually agreed assessment level. | Cybersecurity Engineering |
| GSR2 — Regulation (EU) 2019/2144 | The EU legal carrier — makes UN R155/R156 mandatory in the EU and adds separate vehicle safety mandates. | OEM. | Type Approval authorities under European Commission framework rules. | Whole-vehicle Type Approval incorporating the R155 and R156 approvals. | R155 compliance roadmap |
Section 4
Verified Timeline, 2021–2029
Every date below is taken from the primary source — EUR-Lex consolidated texts, the Bundesgesetzblatt, BSI publications, and the ISO project record — as of July 2026. The two GSR2 rows are safety mandates, included because programmes often plan them on the same calendar; they are not cybersecurity requirements.
| Date | Instrument | What happens |
|---|---|---|
| 31 Aug 2021 | ISO/SAE 21434 | First edition published by ISO and SAE International. |
| 6 Jul 2022 | UN R155 / R156 | Mandatory for new vehicle types in the EU via Regulation (EU) 2019/2144. |
| 7 Jul 2024 | UN R155 / R156 | Mandatory for all new vehicles in the EU — first registration, sale, or entry into service. |
| 10 Dec 2024 | CRA | Regulation (EU) 2024/2847 enters into force. |
| 6 Dec 2025 | NIS2 (Germany) | NIS2UmsuCG in force (promulgated 5 December 2025, BGBl. 2025 I Nr. 301), recasting the BSI-Gesetz. |
| 7 Jan 2026 | GSR2 — safety | Event Data Recorder mandatory for new heavy-vehicle types. A safety date, not a cybersecurity one. |
| 6 Mar 2026 | NIS2 (Germany) | Statutory §33 BSIG registration deadline (three months after entry into force) — now lapsed. |
| 7 Jul 2026 | GSR2 — safety | Advanced Driver Distraction Warning mandatory for all new M and N vehicles. Safety, not cybersecurity. |
| 31 Jul 2026 | NIS2 (Germany) | End of the BSI administrative grace period (Nachfrist) for registration, granted by BSI letter of 12 June 2026. |
| 11 Sep 2026 | CRA | Article 14 reporting obligations apply — 24-hour early warning, 72-hour notification, 14-day final report to ENISA and the national CSIRTs. |
| 11 Dec 2027 | CRA | The Cyber Resilience Act applies in full. |
| 11 Dec 2027 | UN R155 — L-category | New L-category vehicle types (L1e–L7e, except pedal-designed L1e) need R155 approval under Delegated Regulation (EU) 2025/1455. |
| 11 Jun 2029 | UN R155 — L-category | Existing L-category vehicle types must comply. |
| ~2029 | ISO/SAE 21434 | Second edition expected — development anticipated to start in 2026 on a roughly three-year timeline, with ISO/SAE TR 8477 content merged in. |
Section 5
Who Needs What
OEM
Carries the full stack: R155 CSMS certification and vehicle-type cybersecurity approval, R156 SUMS certification, ISO/SAE 21434 as the engineering backbone, NIS2 duties for its plants and enterprise IT, and TISAX expectations flowed down to every supplier that touches its data. The CRA is mostly out of scope for the vehicle itself — but not for accessories or tools the OEM sells separately.
Tier-1 Supplier
Has no direct R155 obligation, but inherits it through Cybersecurity Interface Agreements: TARA contributions, Work Products, and vulnerability handling flow into the OEM's approval evidence. NIS2 applies directly in Germany once the 50-employee or EUR 10 million threshold is met, and TISAX labels are a de facto sourcing prerequisite. Products sold separately into the aftermarket fall under the CRA.
Component and Software Vendor
MCUs, connectivity modules, RTOS, and middleware sold as standalone products to the supply chain are in CRA scope — including conformity assessment, SBOM expectations, and Article 14 reporting from 11 September 2026. Customers will also demand ISO/SAE 21434-aligned development evidence through contracts, even though the standard itself is voluntary.
Aftermarket Device Maker
OBD dongles, retrofit telematics, and dashcams sold separately are exactly what the CRA exemption does not cover — they are ordinary products with digital elements. Note the narrow carve-out in Article 2(6): spare parts made to identical specifications as the original are exempt.
EV Charging Vendor
Charging equipment sits outside vehicle Type Approval and therefore inside the CRA. Vendors should plan conformity assessment and vulnerability-handling processes against the 11 December 2027 full-application date, with reporting duties live from 11 September 2026.
Section 6
Common Misconceptions
“The CRA applies to cars.”
It does not. Article 2(2)(c) of Regulation (EU) 2024/2847 excludes products covered by Regulation (EU) 2019/2144 — the regulation that makes UN R155 and R156 mandatory in the EU. But the exemption follows the type-approval boundary, not the industry: aftermarket devices, development and diagnostic tools, standalone components, charging equipment, and fleet hardware outside Type Approval all remain in scope. So do L-category vehicles and agricultural and forestry vehicles, which are approved under their own framework regulations (Regulation (EU) 168/2013 and 167/2013) rather than Regulation (EU) 2019/2144 — although new L-category types will separately need UN R155 approval from 11 December 2027.
“The VCA is an EU type-approval authority.”
The VCA grants approvals under the UK GB scheme, which is separate from the EU framework. Programmes targeting EU markets work with authorities such as KBA, RDW, or UTAC; programmes targeting Great Britain deal with the VCA. The technical requirements are closely aligned, but the approvals are not interchangeable.
“An ISO/SAE 21434 certificate equals R155 compliance.”
A process certificate demonstrates engineering capability — it does not grant market access. R155 additionally requires the manufacturer-level CSMS Certificate of Compliance and a cybersecurity assessment of each vehicle type by a Type Approval authority. The standard supplies the evidence; the regulation grants the approval. Our ISO/SAE 21434 guide covers what that evidence actually looks like.
Section 7
What Changes Next
ISO/SAE 21434 entered systematic review at ISO in July 2026, and no amendment or revision project has been formally registered yet. Per public statements from the ISO/SAE joint working group leadership in late 2025, second-edition development is expected to start in 2026 on a roughly three-year timeline — publication around 2029 — with no change in scope or structure.
Two companion documents matter for planning. ISO/SAE 8475, the standard for Cybersecurity Assurance Levels (CAL) and Targeted Attack Feasibility (TAF), sits at the final approval stage as of mid-July 2026 with publication imminent. ISO/SAE TR 8477 on cybersecurity verification and validation is at the draft Technical Report stage, expected in late 2026, and is transitional — its content is planned to merge into the 21434 second edition. Neither changes today's obligations, but both signal where assessment expectations are heading.
Related Pillar Guides
- ISO/SAE 21434 Guide — the engineering standard in depth: TARA, Work Products, and evidence readiness.
- UNECE R155 Compliance Roadmap — the step-by-step path from CSMS build-out to Vehicle Type Approval.
FAQ
Automotive Cybersecurity Regulations: Frequently Asked Questions
Explore next
Turn the map into a plan
Move from the regulations map to the compliance hubs, solution workflows, and a working evaluation of the KAVACH workspace.
Contact Us
Agnile supports safety, security, and mission critical engineering programmes across automotive, aerospace, embedded, IoT, enterprise software, cybersecurity, safety, V&V, digital engineering, and KAVACH.