The rapid move toward digitalization and connectivity in modern vehicles is greatly increasing the complexity of cybersecurity and software management. In response, the industry has converged on regulations and standards aimed at ensuring security, safety, and compliance from the earliest stages of vehicle development to the end of a vehicle’s useful life and beyond.
At the regulatory level, UN Regulations № 155 and 156 establish mandatory requirements for vehicle type approval, addressing (respectively) cybersecurity (CSMS) and software updates (SUMS). These regulations are performance-based, defining what must be achieved rather than how it should be done.
The operationalization of these requirements is enabled by a set of complementary standards. ISO/SAE 21434 provides the engineering framework for cybersecurity, translating CSMS obligations into concrete processes at both company and project levels. A central element is the TARA methodology (threat analysis and risk assessment), which links threat assessment to risk mitigation strategies, directly supporting regulatory compliance.
Similarly, ISO 24089 supports the implementation of SUMS by defining end-to-end software update processes, including governance, infrastructure, campaign management, and vehicle-level execution. Together, ISO/SAE 21434 and ISO 24089 form the backbone of engineering activities required by UN R155 and R156.

Cybersecurity and software updates must also be aligned with functional safety requirements defined by ISO 26262, ensuring that any update is assessed both from a security perspective and in terms of its effect on safety-critical functions. In parallel, A-SPICE (automotive software process improvement and capability determination) contributes by embedding cybersecurity within established development processes through a security-by-design approach.
At the organizational level, ISO/IEC 27001 defines information security management practices, while TISAX (trusted information security assessment exchange, a mechanism for information security of enterprises) enables a harmonized assessment of supplier security maturity across the automotive value chain. Although not directly ensuring regulatory compliance, these frameworks are key enablers for supply chain trust and secure collaboration.
In addition, GDPR (the EU’s General Data Protection Regulation) contains legal requirements for the protection of personal data processed by connected vehicles, complementing technical standards by enforcing principles such as data minimization, integrity, and accountability.
Together, these regulations and standards form a layered and interdependent framework: UN R155 and R156 define regulatory objectives; ISO/SAE 21434 and ISO 24089 provide the engineering foundation; ISO 26262 and A-SPICE ensure safety and process maturity; and ISO 27001, TISAX, and GDPR address organizational, supply chain, and data protection aspects, as shown in the graphic above.
This integrated approach reflects the shift of the automotive industry towards a system-level perspective, where cybersecurity, software, safety, and data governance are increasingly interconnected.
To understand the background of these new requirements, and their effects on vehicle development, including lamp development, Bylogix have prepared an explainer, which we are pleased to publish this month.