Automotive Cybersecurity Regulations and Standards

The more cars are software-defined and connected, the higher become the cybersecurity risks.   

With every added feature, the risk of cyberattacks on vital components of a vehicle like user data and trust is worrisome. To mitigate these threats, a cybersecurity framework composed of laws and standards on an international and regional scale has been implemented which involves automotive manufacturers and suppliers as well as industry stakeholders. 

Hence, this article may assist in an outline of the regulatory scope of both directly and indirectly related automotive cybersecurity regulations. 

The Global Regulatory Framework

Across the world, several regulatory bodies worldwide are actively developing and implementing standards and frameworks to secure vehicles. The UNECE WP.29 (United Nations' World Forum for Harmonization of Vehicle Regulations) stands out with its introduction of key regulations such as UN R155, focusing on Cybersecurity Management Systems (CSMS), and UN R156, addressing Software Update Management Systems (SUMS)... These regulations are mandatory for type approvals in countries adhering to UNECE regulations... 

In addition to these global interventions, regional adaptations are also crucial to look at. In the U.S., the NHTSA's guidelines function as voluntary yet widely adopted best practices whereas NIST provides special publications and framework. The European Union has established a comprehensive framework of information security and cybersecurity regulatory directives, such as the NIS2 Directive and the Cyber Resilience Act (CRA), that are highly relevant to and directly impact the automotive industry. China, on the other hand, enforces a robust regulatory framework through a system of GB standards.   

This varied landscape highlights the need for a global compliance strategy for any automotive company that operates globally. 

Why are Regulations and Standards Essential? 

The growth of regulations and standards associated with automotive cybersecurity is driven by several critical factors: 

• Connectivity and Autonomous Operations: Increased reliance on software and connectivity significantly expands the potential attack surface of cyber threats. 

• Cybersecurity Breaches: Attacks can target vital vehicle systems, leading to severe safety risks, data breaches, and a loss of consumer confidence. 

• Market Stability: Compliance with these regulations helps maintain stability in the automotive market by reducing widespread cybersecurity incidents. 

• Consequences of Non-Compliance: Failure to adhere to these regulations can result in substantial fines, loss of access to key markets, and significant damage to a company's reputation. 

Key International Standards

To provide a structured approach to managing cybersecurity risks, several international standards have been developed: 

1. ISO/SAE 21434:2021 Road Vehicles-Cybersecurity engineering: This standard specifies engineering requirements for cybersecurity risk management throughout the lifecycle of electrical and electronic (E/E) systems in road vehicles. 
2. ISO/PAS 5112:2022 Road Vehicles- Guidelines for auditing cybersecurity engineering: This provides guidelines for auditing cybersecurity management systems (CSMS) across the automotive supply chain. 
3. ISO 24089:2023 Road Vehicles-Software update engineering: This standard specifies requirements for software update engineering systems (SUMS) for road vehicles, including over-the-air (OTA) updates. 
4. UNECE WP.29 UN R155: Establishes requirements for Cybersecurity Management Systems (CSMS) and is mandatory for new vehicles from July 2024 onwards in adhering countries. 
5. UNECE WP.29 UN R156: Sets out requirements for Software Update Management Systems (SUMS) to ensure secure management of software updates throughout the vehicle lifecycle. 
6. ISO/SAE 8477 (under development): Provides considerations for planning and executing cybersecurity verification and validation. 
7. ISO/SAE 8475 (under development): Elaborates on Cybersecurity Assurance Levels (CAL) and Targeted Attack Feasibility (TAF) concepts. 

Regional Focus: Europe 

Europe presents a particularly complex regulatory landscape for automotive cybersecurity. The below are the regulations/standards that are directly or indirectly relevant to automotive cybersecurity.  

1. TISAX (ISMS): Trusted Information Security Assessment Exchange, TISAX, focuses on information security management systems for the automotive industry. It is based on the ISO 27001 standard supporting overall cybersecurity efforts by protecting sensitive data. 
2. EU CRA:2024/2847 Cyber Resilience Act: Aims to strengthen digital resilience by ensuring that products with digital elements, including vehicles, are designed and developed with cybersecurity in mind. 
3. EU GSR II:2019/2144 General Safety Regulation II: Includes requirements for vehicle safety and cybersecurity, mandating that vehicles are equipped with cybersecurity measures. 
4. EU NIS2:2022/2555 Cybersecurity of Network and Information Systems Directive: At first glance, it solely focuses on information security. However, the effects of the directive will apply to all value-creation activities, especially considering the rapid technological progress in vehicles, components, and systems. The product 'vehicle' now denotes a more interconnectedness dependent on suppliers and technology providers, shaping responsibilities in new ways. 
5. GDPR (2.0-Draft) General Data Protection Regulation: Ensures the protection of personal data and privacy, crucial for connected vehicles collecting extensive data, including location, driving behavior, and biometric details, necessitating explicit user consent and robust security measures. 
6. EU RED:2014/53 Radio Equipment Directive: Requires that radio (infotainment) equipment, including connected vehicles, incorporates cybersecurity measures to protect networks, and personal data, and prevent fraud. 
7. EU Product Liability Directive: Expands the definition of "product" to explicitly include software and AI, meaning software updates and AI-supported systems in vehicles are now covered under product liability. 
8. VDA ASPICE Cybersecurity: Integrates cybersecurity practices into the Automotive Software Process Improvement and Capability dEtermination (ASPICE) process assessment model that helps to build up CSMS throughout the development of electrical and electronic (E/E) systems. 

The regulatory framework of Europe carries considerable weight for OEMs and suppliers, thus creating a baseline for compliance in the market. Therefore, it's worth highlighting ENISA which publishes traffic lights of information, best practice guides, and full regulatory recommendations concerning improving resilience to cyber capabilities across the EU.  

To illustrate, the below image exhibits a draft connection between mentioned standards and regulations, in Europe. 

Regional Focus: China 

China has established a robust legal framework for automotive cybersecurity, with the Ministry of Industry and Information Technology (MIIT) playing a central role. Key laws include the Cybersecurity Law, Data Security Law, and Personal Information Protection Law. 

The Intelligent and Connected Vehicle (ICV) Industry Standard System outlines a comprehensive set of standards, including mandatory (GB) and recommended (GB/T) standards. Notably, GB 44495-2024 focuses on vehicle cybersecurity, aligning with UN R155, and GB 44496-2024 addresses software updates, similar to UN R156. 

While both GB and UNECE require OEMs to establish CSMS and SUMS, GB standards establish their own technical requirements and test methods, and unlike UNECE, do not mention CSMS and SUMS certificates. Compliance with GB 44496-2024 defines clear requirements for implementing software update management systems, significantly affecting automotive operations in the Chinese market. 

Regional Focus: Other Regions 

Other regions are also actively addressing automotive cybersecurity: 

NIST (U.S.): Develops cybersecurity standards, guidelines, and best practices, with the NIST Cybersecurity Framework (CSF) being widely adopted. Notable NIST standards are:  

1. NIST SP 800-53 Security and Privacy Controls for Information Systems and Organizations 
2. NIST SP 800-209 Security Guidelines for Storage Infrastructure 
3. NIST SP 800-160-1 Engineering Trustworthy Secure Systems 
4. NIST SP 800-160-2 Developing Cyber-Resilient Systems 

NHTSA (U.S.): Provides guidelines for automotive cybersecurity best practices. These guidelines are designed to help manufacturers protect vehicles from malicious attacks, unauthorized access, or damage to the vehicle's software systems. 

JAMA-JAPIA (Japan): Establishes cybersecurity guidelines for Japan's automotive industry, often referencing international standards. 

AIS-189 & AIS-190 (India):  Outline CSMS and SUMS requirements for vehicular systems (draft, adopted from UN R155/R156) that will be released in 2027. 

Summary and Key Takeaways

There is no doubt that the regulatory and standards landscape for automotive cybersecurity is complicated, especially in regions like Europe and China. This complexity makes it difficult for automotive manufacturers and suppliers to comply with national and international requirements. Regulatory requirements surrounding data privacy and information security, for example, are key considerations of automotive cybersecurity. There is a trend where existing regulations are changing, and new ones are being introduced at the regional level that impacts the automotive industry. It is important to note that suppliers are also responsible for putting CSMS processes in place and ensuring that their sub-components are compliant with cybersecurity requirements.