Cybersecurity is now a fundamental requirement for the automotive industry. To sell cars on the European market, manufacturers must prove that security is ensured throughout the entire lifecycle from development to decommissioning. New international regulations are driving a paradigm shift that is reshaping vehicle manufacturing at its core.
Today's vehicles are powered by advanced software and are constantly connected to apps, cloud services, and infrastructure. They also require frequent software updates to operate safely. But as the attack surface increases, so do the risks of cyber attacks.
Connected vehicles introduce risks
From an attacker's perspective, a modern vehicle can be almost as accessible as a computer. Infotainment systems, brake circuits, and fleet management platforms are typical targets. This is why the new regulations set the framework for the entire automotive industry. Cybersecurity can no longer be added at the end of development; it must be built into the entire chain, from design to lifecycle management.
"What we see during our penetration tests includes vulnerabilities in signals, backends, and information flows. An intrusion might involve tracking vehicle locations or exploiting open interfaces," says Alexander Alasjö, Senior Security Specialist at Assured.
Which regulations govern vehicle cybersecurity?
A rising threat landscape has led to more regulation, but not all standards carry the same weight. Here are the most important regulations for manufacturers and suppliers right now.
- UNECE R155: Requires a Cyber Security Management System (CSMS)
- UNECE R156: Requires a Software Update Management System (SUMS)
- ISO 24089: Provides detailed guidelines for fulfilling R156 in practice
- ISO/SAE 21434: Governs risk management, threat modeling and secure development of automotive software
- NIS2: An EU directive that tightens requirements for the supply chain and IT operations
- Cyber Resilience Act (CRA): Upcoming regulation covering connected products, including vehicles. It sets requirements for security testing and an established process for reporting and handling vulnerabilities.
What do the regulations mean?
Cybersecurity is a prerequisite for selling vehicles within the EU. Since 2022, UNECE R155 requires manufacturers to operate a Cyber Security Management System (CSMS)—a structured approach that governs security efforts throughout the product lifecycle.
UNECE R156 mandates a Software Update Management System (SUMS) that ensures all software updates are traceable and secure, both during workshop visits and via OTA (over-the-air) updates. The ISO 24089 standard explains how this should be implemented in practice.
Together with ISO/SAE 21434, which governs risk management and secure development, these regulations form the foundation for vehicle type approval.
Other regulations also have an impact. NIS2 increases supply chain security requirements, and the upcoming Cyber Resilience Act (CRA) will apply to connected products, including vehicles, from 2027.
"Cybersecurity is the vehicle's new airbag. It's a safety measure that must be present from the first design draft and remain throughout the entire lifecycle. You can never say that a car will be secure forever, but you can say that the requirements are met at this moment and that processes exist to manage future vulnerabilities," says Alexander.
Type approval – risks of non-compliance
The EU's Whole Vehicle Type Approval (WVTA) certifies that a vehicle meets all safety and technical requirements, including cybersecurity. To obtain approval, manufacturers must demonstrate that cybersecurity is implemented and verified across the entire lifecycle.
Failure can lead to denied registration, delayed product launches, or revoked permissions—posing significant risks to revenue and market position. Cybersecurity weaknesses can also result in incidents that damage brand reputation and customer trust.
How to meet cybersecurity requirements
Achieving type approval requires a systematic approach. Manufacturers and suppliers must adapt established processes, introduce new methods, and integrate cybersecurity as a natural part of quality assurance. Among other things, they must ensure that:
- Cyber threats are continuously identified, mitigated, and managed
- Security is integrated from the design phase through threat modeling and risk analysis (TARA)
- Development processes follow established practices aligned with ISO/SAE 21434, which provides detailed guidance
- Software updates are performed securely—both in workshops and via OTA
- Incident response capabilities are in place to act quickly on discovered vulnerabilities
- All work is documented and available for audits and type-approval reviews
Verification and witnessed testing
Once requirements are met, manufacturers must demonstrate that security works in practice. Documentation alone is not enough—during witnessed testing, the authority selects specific activities to observe in real time. These sessions validate both the vehicle's cybersecurity and the manufacturer's ability to present traceable, relevant results. The outcome may determine whether type approval is granted.
From requirement to competitive advantage
Cybersecurity is an integral part of the future automotive landscape. For manufacturers who stay ahead, it can lead to faster time to market, stronger trust from customers and partners, and a chance to take a leading position in a rapidly evolving industry.
