Physical Address
304 North Cardinal St.
Dorchester Center, MA 02124
The ECE R155 Cybersecurity Management System (CSMS) became mandatory in the automotive industry’s 2nd stage type approval processes with GSR II regulations. Learn detailed information about CSMS and the approval process for vehicle manufacturers.
Table of Contents
What is the Cybersecurity Management System (CSMS)?
The Cybersecurity Management System (CSMS) is defined by ECE Regulation 155, which automotive manufacturers must comply with. This system is a comprehensive security regulation developed to protect vehicles against cyber threats. R155 is also one of the mandates introduced by GSR II.
Compliance with this regulation requires vehicle manufacturers to meet specific cybersecurity standards before releasing their vehicles to the market.
According to the transition dates of GSR II regulations, manufacturers must obtain compliance certification.
The R155 regulation aims to ensure cybersecurity management throughout the vehicle’s entire lifecycle, encompassing every phase from design and production to use and maintenance.
Manufacturers fall into two main categories that must comply with these regulations: those with a 2nd stage type approval (also multi-stage) certificate and those seeking new certification. Manufacturers with a 2nd stage type approval must make the necessary adjustments to align their existing production processes with R155 regulations.
Those seeking new certification must establish a Cybersecurity Management System that complies with R155 regulations from the beginning of their production and design processes.
The Cybersecurity Management System includes a series of policies, processes, and technologies to ensure the safety of manufacturers’ vehicles. This system is designed to increase vehicles’ resilience to cyber-attacks, detect potential threats in advance, and develop effective responses to these threats. It also covers the secure updating of vehicle software and the protection of data security.
To successfully establish and implement the management system, manufacturers must form specialized cybersecurity teams or seek services from expert teams to conduct the approval processes. Additionally, the effectiveness of the management system requires manufacturers to collaborate with supply chain partners and third-party providers, ensuring these stakeholders also adhere to cybersecurity standards.
Which Vehicles Are Required to Comply?
Regarding cybersecurity and the protection of vehicles against cyber threats, M1, M2, M3, N1, N2, N3 category manufacturers, as well as component and separate technical unit manufacturers, are required to comply with the EU 2019/2144 regulation.
This regulation applies to specific type approval processes and necessitates manufacturers’ compliance. Although there is no mandatory requirement for category O manufacturers, they may seek approval under this regulation if they wish.
ECE R155 Approval Process for 2nd Stage Type Approval
Manufacturers performing body construction must first determine whether they fall within this scope based on their production. The impact on the base vehicle is a key consideration. Some documents need to be shared for this assessment.
For instance, a manufacturer producing in the M3 category must consider the types of electrical and electronic products used, their relationship with the base vehicle, and their internal cybersecurity status. This assessment represents a comprehensive and time-consuming process. It determines how extensive the manufacturer’s cybersecurity management system needs to be.
Therefore, bodywork companies must first understand the cybersecurity management system and determine the scope of their evaluation, confirming whether the cybersecurity system is necessary.
Approval durations can range from 3 months to 1 year, depending on the work required. During this period, manufacturers are expected to make the necessary adjustments and effectively implement the cybersecurity management system.
CSMS – Our Cybersecurity Solutions
Various solutions and services are offered to effectively implement the cybersecurity management system. Manufacturers can utilize these solutions to comply with cybersecurity regulations. The primary solutions provided under CSMS include:
- Risk Assessment and Management: Identifying and managing cybersecurity risks of vehicles.
- Security Policies and Procedures: Creating and implementing cybersecurity policies.
- Security Audits and Testing: Detecting and closing cybersecurity vulnerabilities in vehicles.
- Training and Awareness Programs: Educating and raising awareness among manufacturers and employees about cybersecurity.
These solutions help vehicle manufacturers comply with cybersecurity regulations and protect their vehicles against cyber threats.
Conclusion
The requirement of the ECE R155 Cybersecurity Management System in the 2nd stage type approval processes with GSR II regulations holds significant importance in the automotive industry. Manufacturers’ compliance with these regulations ensures their vehicles meet cybersecurity standards and are protected against cyber threats.
During this process, manufacturers must seek support from expert teams to make the necessary adjustments and effectively implement the cybersecurity management system.
