As mentioned in "WP.29 Regulation Compliance and CSMS/SUMS Implementation Guide," new vehicle types with automated driving functions or over-the-air (OTA) update capability are required to comply with UN-R155. This article introduces UN-R155 and ISO/SAE 21434, the technical standard that can be used as an implementation guideline for meeting UN-R155.
Introduction: Why are "UN-R155" and "CSMS" important now?
As automobile functions become increasingly computer-controlled and connected, cybersecurity threats to vehicles are increasing year by year. To address this situation, the United Nations Economic Commission for Europe (UNECE), through its World Forum for Harmonization of Vehicle Regulations (WP.29), adopted UN Regulation No. 155 (UN-R155), which makes a Cyber Security Management System (CSMS) a precondition for vehicle type approval. The regulation aims to ensure that vehicles are resistant to cyberattacks throughout development, production, operation, and maintenance, and it has applied to new vehicle types in many markets, including the EU, since July 2022. In Japan, the Ministry of Land, Infrastructure, Transport and Tourism has incorporated UN-R155 into its vehicle type approval system, making compliance an urgent task for OEMs and suppliers.
The role of CSMS
A CSMS is the organizational system for managing and operating cybersecurity across a manufacturer, covering the whole vehicle lifecycle. UN-R155 requires a certified CSMS as a prerequisite for vehicle type approval, and the CSMS must cover at least the following elements:
- Threat analysis and risk assessment (TARA) for vehicle types
- Definition of security requirements and risk treatment measures
- Verification, audits, and continuous improvement of the processes
- Monitoring of vehicles in the field and an incident response system
A CSMS is therefore not a single technical measure but a framework for organizational, continuous security management, and its requirements flow down from the OEM to its suppliers.
Legal and regulatory trends in Japan (Ministry of Land, Infrastructure, Transport and Tourism type certification)
In Japan, the Ministry of Land, Infrastructure, Transport and Tourism has incorporated UN-R155 into domestic law, so new vehicle types applying for type approval from July 2022 onward must be backed by a CSMS. As a result, vehicles sold in Japan are now required to have a cybersecurity management system that complies with the international regulation. The following documents and systems are checked during the type approval review:
- The CSMS operating structure and the persons responsible for it
- Records of TARA implementation
- Security incident response procedures
- History of audits of the CSMS
In this way, compliance with UN-R155 has become a legal obligation in Japan as well, and is a factor that directly affects a company's credibility and market competitiveness.
Differences and Relationships between UN-R155 and ISO/SAE 21434
When it comes to automotive cybersecurity, "UN-R155" and "ISO/SAE 21434" are frequently mentioned together. The two are closely related, but there are clear differences in purpose, scope, and legal binding force.

| Comparison item | UN-R155 | ISO/SAE 21434 |
|---|---|---|
| Nature | International regulation (UNECE WP.29) | Technical standard (ISO/SAE) |
| Legally binding | Yes (required for type approval) | No (not binding in itself, but the recognized way to demonstrate compliance) |
| Scope | Cybersecurity management for the vehicle and the manufacturer's organization | Cybersecurity engineering process for automotive electrical/electronic systems |
| Requirements | CSMS implementation and operation, vehicle type assessment | Risk analysis (TARA), design, verification, production, operation, and maintenance |
| Subject of review | Organizational structure and operational records | Technical documentation and development process evidence |
Simply put, UN-R155 is a regulation that defines "what must be done," while ISO/SAE 21434 is a technical standard that shows "how to achieve it"; auditors typically accept an ISO/SAE 21434-conformant process as evidence that the UN-R155 CSMS requirements are met.
A separate page explains how to implement the standard in practice; please refer to it as well.
OEM-Supplier Responsibilities and Implementation Issues
Under UN-R155, the OEM (automobile manufacturer) holds the type approval and is therefore responsible for the cybersecurity of the entire vehicle. However, because the majority of the actual development of on-board systems and ECUs is carried out by Tier 1 and Tier 2 suppliers, a clear division of responsibilities and close collaboration between the OEM and its suppliers is essential.
| OEM's main responsibilities | Primary responsibilities of Tier 1/Tier 2 suppliers |
|---|---|
| Build and operate the CSMS | Respond to the security requirements presented by the OEM |
| Prepare the documents needed to obtain type approval | Implement a development process in accordance with ISO/SAE 21434 |
| Present security requirements to suppliers | Perform TARA and implement risk countermeasures |
| Audit security across the entire supply chain | Provide security evidence (design, verification, maintenance) |
In this way, the intended structure is one in which the OEM owns the overall design and operation of the CSMS, and each supplier carries out the technical implementation for its own components and provides the evidence the OEM needs.
Issues and solutions when implementing CSMS from a supplier's perspective
Suppliers implementing a CSMS face practical challenges: meeting different security requirements from each OEM, managing security activities across multiple projects at once, a shortage of security specialists, and the time it takes to understand and apply ISO/SAE 21434. Introducing a common internal framework and using external support are effective ways to overcome these challenges.
| Challenge | Description | Solution |
|---|---|---|
| Lack of resources | There are few security specialists within the company | Use external services and programs such as security consulting and security training |
| Tool selection | It is unclear which tools are suitable for TARA and related activities | Perform TARA efficiently with market-proven tools such as ETAS's CycurRISK |
| Variability between projects | The level of security support differs from project to project | Use external consulting to standardize the CSMS within the company and build a cross-project auditing system |
For suppliers, close collaboration with OEMs and the establishment of internal systems are the keys to implementing a CSMS. ETAS, distributed by Macnica, provides comprehensive support for suppliers' CSMS implementation through technical assistance, tools, and training that address these challenges.
CSMS support by ETAS
ETAS, distributed by Macnica, has an extensive track record built on many years of experience, including support for building a CSMS, performing TARA, establishing a product security incident response team (PSIRT), obtaining type approval, and delivering security training. It also offers several tools that can be used to perform TARA. Please take a look at their product lineup.
If you have any other concerns or questions about security, or would like to see specific solutions, please feel free to contact us.