Part 1 — Automotive Software Security Readiness: A Researcher’s Field Guide

November 12, 2025

Are You Ready for UN R155? The Real Work Behind Automotive Software Security Compliance

Modern vehicles are software systems on wheels with over 100 ECUs, millions of lines of code, and globally distributed supply chains.

The UNECE regulations R155 (cybersecurity management system, CSMS) and R156 (software update management system, SUMS) have turned cybersecurity and software update management into conditions of vehicle type approval: a manufacturer must hold a certified CSMS and SUMS and demonstrate that each vehicle type is covered by them.

If you build or secure automotive software, you must be able to prove that you can defend it.

The Regulatory Stack That Matters

Each standard ultimately asks the same question: can you show that your controls work?

Readiness Means Proof, Not Paperwork

A defensible security posture aligns three capabilities:

  1. Governance – ownership, accountability, supplier oversight
  2. Engineering – security embedded in code, updates, and telemetry
  3. Response – measurable incident handling and remediation evidence

Control Mapping — From Mandate to Mechanism

Readiness converts regulatory requirements into verifiable engineering artifacts.

Runtime Proof as the New Baseline

Auditors now seek runtime evidence rather than static compliance documents.

Telemetry, exploitability validation, and continuous monitoring demonstrate control effectiveness in real operating conditions.

This closes Part 1.

Part 2 will examine how runtime analysis and exploit intelligence extend these requirements into measurable proof.

References

  • Applied Intuition. (2023). ISO/SAE 21434: Shaping automotive cybersecurity.
  • Cybellum. (2023). Introduction to automotive cybersecurity regulations.
  • European Commission. (2024). Cyber Resilience Act: Proposal and implementation overview.
  • International Organization for Standardization. (2021). ISO/SAE 21434: Road vehicles – Cybersecurity engineering.
  • National Highway Traffic Safety Administration. (2022). Cybersecurity best practices for the safety of modern vehicles (Report DOT HS 813 417).
  • United Nations Economic Commission for Europe. (2021). UN Regulation No. 155: Cybersecurity and cybersecurity management system requirements.
  • United Nations Economic Commission for Europe. (2021). UN Regulation No. 156: Software update processes and management systems.
  • Verband der Automobilindustrie (VDA). (2023). Trusted Information Security Assessment Exchange (TISAX) Assessment Levels Guide.
Author: Mahesh Babu