Physical Address

304 North Cardinal St.
Dorchester Center, MA 02124

Cybersecurity Management System (CSMS) in Multi-Stage Type Approval Processes – ECE R155 Certification

The ECE R155 Cybersecurity Management System (CSMS) became mandatory in the automotive industry’s 2nd stage type approval processes with GSR II regulations. Learn detailed information about CSMS and the approval process for vehicle manufacturers.

The ECE R155 Cybersecurity Management System (CSMS) became mandatory in the automotive industry’s 2nd stage type approval processes with GSR II regulations. Learn detailed information about CSMS and the approval process for vehicle manufacturers.

What is the Cybersecurity Management System (CSMS)?

The Cybersecurity Management System (CSMS) is defined by ECE Regulation 155, which automotive manufacturers must comply with. This system is a comprehensive security regulation developed to protect vehicles against cyber threats. R155 is also one of the mandates introduced by GSR II.

Compliance with this regulation requires vehicle manufacturers to meet specific cybersecurity standards before releasing their vehicles to the market.

According to the transition dates of GSR II regulations, manufacturers must obtain compliance certification.

The R155 regulation aims to ensure cybersecurity management throughout the vehicle’s entire lifecycle, encompassing every phase from design and production to use and maintenance.

Manufacturers fall into two main categories that must comply with these regulations: those with a 2nd stage type approval (also multi-stage) certificate and those seeking new certification. Manufacturers with a 2nd stage type approval must make the necessary adjustments to align their existing production processes with R155 regulations.

Those seeking new certification must establish a Cybersecurity Management System that complies with R155 regulations from the beginning of their production and design processes.

The Cybersecurity Management System includes a series of policies, processes, and technologies to ensure the safety of manufacturers’ vehicles. This system is designed to increase vehicles’ resilience to cyber-attacks, detect potential threats in advance, and develop effective responses to these threats. It also covers the secure updating of vehicle software and the protection of data security.

To successfully establish and implement the management system, manufacturers must form specialized cybersecurity teams or seek services from expert teams to conduct the approval processes. Additionally, the effectiveness of the management system requires manufacturers to collaborate with supply chain partners and third-party providers, ensuring these stakeholders also adhere to cybersecurity standards.

Which Vehicles Are Required to Comply?

Regarding cybersecurity and the protection of vehicles against cyber threats, M1, M2, M3, N1, N2, N3 category manufacturers, as well as component and separate technical unit manufacturers, are required to comply with the EU 2019/2144 regulation.

This regulation applies to specific type approval processes and necessitates manufacturers’ compliance. Although there is no mandatory requirement for category O manufacturers, they may seek approval under this regulation if they wish.

ECE R155 Approval Process for 2nd Stage Type Approval

Manufacturers performing body construction must first determine whether they fall within this scope based on their production. The impact on the base vehicle is a key consideration. Some documents need to be shared for this assessment.

For instance, a manufacturer producing in the M3 category must consider the types of electrical and electronic products used, their relationship with the base vehicle, and their internal cybersecurity status. This assessment represents a comprehensive and time-consuming process. It determines how extensive the manufacturer’s cybersecurity management system needs to be.

Therefore, bodywork companies must first understand the cybersecurity management system and determine the scope of their evaluation, confirming whether the cybersecurity system is necessary.

Approval durations can range from 3 months to 1 year, depending on the work required. During this period, manufacturers are expected to make the necessary adjustments and effectively implement the cybersecurity management system.

CSMS – Our Cybersecurity Solutions

Various solutions and services are offered to effectively implement the cybersecurity management system. Manufacturers can utilize these solutions to comply with cybersecurity regulations. The primary solutions provided under CSMS include:

  1. Risk Assessment and Management: Identifying and managing cybersecurity risks of vehicles.
  2. Security Policies and Procedures: Creating and implementing cybersecurity policies.
  3. Security Audits and Testing: Detecting and closing cybersecurity vulnerabilities in vehicles.
  4. Training and Awareness Programs: Educating and raising awareness among manufacturers and employees about cybersecurity.

These solutions help vehicle manufacturers comply with cybersecurity regulations and protect their vehicles against cyber threats.


The requirement of the ECE R155 Cybersecurity Management System in the 2nd stage type approval processes with GSR II regulations holds significant importance in the automotive industry. Manufacturers’ compliance with these regulations ensures their vehicles meet cybersecurity standards and are protected against cyber threats.

During this process, manufacturers must seek support from expert teams to make the necessary adjustments and effectively implement the cybersecurity management system.

Emre Cetin
Emre Cetin

I have been acquainted with homologation in the automotive sector for over 10 years now. We have accomplished great things in many projects within various teams. Adapting to the recently updated homologation processes has been particularly exciting. Integrating past experiences with new procedures fosters a fertile ground for innovation and productivity. Having a special interest and expertise in both automotive and technology,

I am thrilled by the prospect of these fields converging in the future. It is a privilege to be a part of the journey in automotive and technology!

For this reason, I have decided to launch a blog project that I have long envisioned, where I can share my experiences and assess developments in the industry.

Previously, in the early years of my career, I managed a well-loved project named, which offered content in Turkish. I had decided to discontinue this project for various reasons.

Now, I am excited to engage with an international audience through a new blog project, sharing knowledge and insights. I hope my efforts will contribute positively to the industry.

Please feel free to contact me with your views and suggestions.

Articles: 7

Leave a Reply