The automotive industry is undergoing a transformation driven by increasing digitalization and connectivity across all vehicle categories, including motorcycles. While UN Regulation No. 155 (UNR155) has established a global framework for vehicle cybersecurity, the newly introduced Cyber Resilience Act (CRA) expands the landscape by addressing cybersecurity requirements for digital products more broadly. Understanding why the CRA is needed alongside UNR155, and how both affect vehicle and component manufacturers, is essential for navigating today’s complex regulatory environment.
UN Regulation No. 155: Now Covering Motorcycles and More
UNR155 mandates a Cybersecurity Management System (CSMS) to manage risks throughout the vehicle lifecycle, from design to post-production. The regulation requires manufacturers to conduct risk assessments based on defined attack vectors, implement cybersecurity controls, monitor and respond to cyber incidents, and manage cybersecurity risks in the supply chain.
As of mid-2024, UNR155’s scope has been extended to include motorcycles, scooters, and electric bicycles exceeding 25 km/h (vehicle category L). This expansion reflects the increasing connectivity and complexity of two-wheelers, which now feature advanced driver assistance and connectivity systems, making them vulnerable to cyber threats just like four-wheeled vehicles.
What is the Cyber Resilience Act (CRA)?
The CRA is a horizontal EU regulation introduced in December 2024 that sets baseline cybersecurity requirements for all products with digital elements sold in the European Union. Unlike UNR155, which is vehicle-specific, the CRA applies broadly across industries and product categories, including hardware and software products with embedded digital components, aftermarket automotive products such as telematics devices and diagnostic tools, cloud and backend systems connected to vehicles, and non-road vehicles like agricultural and construction machinery.
The CRA aims to improve consumer safety and trust by enforcing cybersecurity throughout the entire product lifecycle, from design and development to maintenance and decommissioning. Non-compliance can lead to significant fines and market restrictions.
Why is CRA Needed When UNR155 Exists?
UNR155 provides a detailed regulatory framework specifically for vehicle cybersecurity but does not cover all digital products related to or connected with vehicles. The CRA fills this gap by addressing cybersecurity requirements for digital products and components that fall outside the scope of vehicle type approval under UNR155.
UNR155 applies to complete vehicles and their safety-critical systems, requiring a CSMS and risk management aligned with ISO/SAE 21434. The CRA applies to individual digital products, components, and aftermarket items, including those integrated into vehicles but not covered by type approval regulations. Because the CRA is a horizontal regulation, it applies across industries and ensures a baseline cybersecurity standard for all digital products.
Therefore, even if a vehicle manufacturer complies with UNR155, component suppliers and aftermarket product makers must also comply with CRA if their products fall within its scope.
Impact on Vehicle and Component Manufacturers
Vehicle Manufacturers (OEMs) must comply with UNR155 by implementing a CSMS and conducting cybersecurity risk assessments for their vehicles. To maintain compliance, they also need to ensure that suppliers provide cybersecurity evidence for their components. OEMs may be indirectly affected by the CRA through supply chain requirements, since suppliers must meet CRA obligations for their digital products.
Component Manufacturers and Suppliers face direct CRA obligations for digital products not covered by UNR155, including aftermarket devices such as telematics units and infotainment systems. They must implement cybersecurity by design, maintain security throughout the product lifecycle, and provide documentation and evidence of cybersecurity resilience to OEMs and regulatory bodies. Failure to meet CRA obligations risks fines and market bans, which in turn affects their ability to supply to vehicle manufacturers.
Practical Example:
A company producing an aftermarket telematics dongle with internet connectivity will not fall under UNR155’s vehicle type approval but must comply with CRA. This means designing the dongle with cybersecurity controls, providing vulnerability management and update mechanisms, documenting cybersecurity measures for market approval, and collaborating with OEMs for integration without introducing new risks. Meanwhile, the OEM ensures that the vehicle’s core systems comply with UNR155, including secure communication with such aftermarket devices.