WHAT IS UNECE WP.29?

UNECE WP.29 is the United Nations Economic Commission for Europe (UNECE) World Forum for the Harmonization of Vehicle Regulations. Originally named the Working Party (WP) of Experts on Technical Requirement of Vehicles, the forum defines the criteria for type approval for wheeled vehicles, equipment, and parts and is the largest international vehicle regulatory system in the world.

Its primary responsibility is to keep its vehicle regulations updated and relevant in order to support international commerce and market access. As of 2020, the contracting parties (CPs) to UNECE’s 1958 agreement have grown to 54 including all EU countries and other OECD nations (see Figure 1 below) like Japan, Turkey, Russia, Australia, and South Africa.

On June 25th, 2020, the UN announced the approval of an unprecedented vehicle cyber security regulation (ECE/TRANS/WP.29/2020/79) that outlines new cyber security processes and security measures/mitigations that manufacturers must have within their organizations and vehicles to achieve vehicle type approval. ECE/TRANS/WP.29/2020/79 applies to passenger cars, vans, trucks, buses, and trailers and already has an implementation timeline in the EU, Japan, and Korea.

ECE/TRANS/WP.29/2020/79 presents challenges for the industry and requires new cyber security methodologies, monitoring, detection, reporting and response capabilities across the vehicle lifecycle and throughout the value chain.

UNECE WP.29: FAQS

 How does the UN cyber security regulation affect vehicles which are already on the road?

The UN regulation on cybersecurity does not affect type approvals granted prior to the regulation’s entry into force in a given country (ie, not when it comes into force as a United Nations regulation). It also does not affect vehicles already on the road. After July 2024, vehicle manufacturers must obtain cybersecurity system type approval in order for their customers to be able to register their vehicles with authorities in any country that applies “ECE-TRANS-WP29-2020-079-Revised. In order to meet this requirement, change requests to existing vehicle programs may be implemented in order so that manufacturer will be able to continue selling those vehicles still in production.

 How and when does the regulation affect new car lines launched from existing architectures?

After July 2022, new car lines (ie, vehicle types) launched from existing electronic architectures will need to obtain cybersecurity system type approval as part of the process of whole vehicle type approval (WVTA).

 Do “facelifts” of existing vehicles require new CS and SU approvals? Before/after 7/2022 and 7/2024?

If a vehicle “facelift” includes the changing or replacement of a system(s) that could potentially affect the cybersecurity of the vehicle (eg, infotainment, telematics), the vehicle manufacturer may be required to obtain a new whole vehicle type approval (WVTA) and /or an “extension” of the current WVTA held for the vehicle.

 How is the process of new system type approval affected?

If a new system (eg, added to the vehicle in a facelift) affects the security architecture or risk assessment of a wholly approved vehicle type, the vehicle manufacturer may need to acquire an extension of that whole vehicle type approval to include a system approval for cyber security.

 Are new car lines affected when launched after January 2021 (the expected entry into force date at the UN) but prior to July 2022?

Beginning in January 2021, when the UN regulation on cybersecurity (WP.29) “enters into force,” contracting parties (countries that are signatory to the 1958 UNECE agreement on vehicle regulations) can begin integrating the final regulatory language and documents into national legislation. Thus, the regulation’s entry into force at the United Nations and its implementation in a given country’s national law will not occur simultaneously. For example, if Russia were to implement the cybersecurity regulation in July 2021 while Germany implements the regulation in July 2022, vehicles sold in the Russian market after July 2021 would have to meet the requirements of “ECE-TRANS-WP29-2020-079-Revised” while vehicles sold in Germany would not have to meet those requirements until July 2022.

 How does a vehicle type differ from architecture, car line, and model?

Multiple car lines may be launched on a single-vehicle architecture. However, not every car line is a different vehicle “type.” Type approval is usually required when essential elements of the vehicle differ in some critical or significant way. The term ‘”car model” usually refers to the model year of a given car line.

 How does an approval “extension” differ from whole vehicle type approval (WVTA)?

An approval “extension” refers to changes, additions or upgrades to a given car line which has already been granted type approval (eg, when a new infotainment unit is installed changing the cyberattack-surface of the vehicle). For such changes, the manufacturer does not need to re-approve all vehicle systems relevant to WVTA, rather it needs to seek approval only for the system(s) that has been affected by the change (eg, cybersecurity system approval). If everything is determined to be aligned with the requirements criteria for the new/upgraded system, an “extension” of the WVTA is granted which changes the designation of the vehicle according to the authorities without requiring the vehicle manufacturer to undertake all of the activities associated with WVTA.

 Why does the automotive industry need cyber security regulations?

As vehicles are increasingly connected to the internet, external devices, other vehicles, infrastructure and more, they are increasingly vulnerable to cyber-attacks. While there are many automotive cyber security guidelines, best practices and a few select standards from organizations such as the Auto ISAC, NHTSA, ISO, ENISA and others, vehicle manufacturers are not yet required to demonstrate a vehicle’s cyber security posture in order to certify a vehicle (eg, type approval, self-certification). When seen in the context of growing concern about the potential implications of cyber attacks in the automotive sector, additional concerns about public safety, national security, unclear legal accountability and a business environment which rewards the best use of new, connected services, are all catalysts bringing about more industry regulation and standardization on the topic of vehicle cybersecurity.

 Which countries do UNECE vehicle regulations affect?

UNECE vehicle regulations are currently applied in 54 countries worldwide included in which are all 26(27?) member states of the European Union, Japan, and South Korea. An updated list of the status of the UNECE 1958 agreement on vehicle regulations including which countries are signators (ie, contracting parties), can be found here.

 What is the current status of the cybersecurity regulation from WP.29?

At the 181st gathering of WP.29 in June 2020, three new UN regulations were approved (see press releases here and here):

1. UN Regulation on uniform provisions concerning the approval of vehicles with regards to cyber security and cyber security management system (CSMS) – “ECE-TRANS-WP29-2020-079-Revised.”2. UN Regulation on uniform provisions concerning the approval of vehicles with regards to software update and software updates management system (SUMS) – “ECE/TRANS/WP.29/2020/80.”3. UN Regulation on uniform provisions concerning the approval of vehicles with regards to Automated Lane Keeping System (ALKS) – ECE/TRANS/WP.29/2020/81.”

 The UN doesn’t enforce regulations in any one country so how does it work and which countries are affected?

UNECE vehicle regulations are developed at an international level for approval by the World Forum for the Harmonization of Vehicle Regulations (WP.29), a working party of the United Nations responsible for developing internationally recognized vehicle regulations. WP.29 was set up according to a 1958 UNECE agreement which is open for all UN member states to sign. Signatory countries to the 1958 agreement (a.k.a., the “contracting parties”), commit to integrating any new regulation developed by WP.29 into their national motor vehicle legislative framework. As of July 2020, the European Union, Japan and South Korea have announced formal plans to implement WP.29’s cybersecurity regulation (“ECE-TRANS-WP29-2020-079-Revised”).

 When will the new cybersecurity regulation from WP.29 be introduced?

The EU, Japan and South Korea have formally announced plans to implement “ECE-TRANS-WP29-2020-079-Revised.” Based on a preliminary national legislation, Japan plans to apply the regulation beginning in November 2020. The Republic of Korea has adopted a stepwise approach, introducing the provisions of the regulation on Cybersecurity in a national guideline in the first half of 2020, and proceeding with the implementation of the regulation in a second step. In the EU, the General Safety Regulation (Regulation (EU) 2019/2144) requires implementation of all United Nations regulations on cybersecurity at the earliest possible date following their passage. Due to this directive, the EU has announced plans to introduce the regulation such that system type approval for cyber security will be mandatory for all new vehicle types from July 2022 and will become mandatory for all vehicle “first registrations” after July 2024.

 Which vehicle categories need to comply with the new WP.29 requirements?

The regulation applies to vehicles of category M (passenger vehicles) and N (vehicles meant for carrying goods, such as trucks). The regulation also applies to vehicles of Category O if fitted with at least one electronic control unit (ECU). Additionally, the regulation will apply to vehicle categories L6 and L7 if equipped with automated driving functionalities from level 3 onwards (as defined in the reference document which defines terms related to Automated Driving under WP.29 and the General Principles for developing a UN Regulation on automated vehicles (ECE/TRANS/WP.29/1140).

 How is the WP.29 regulation on cyber security structured and what are the main requirements?

“ECE-TRANS-WP29-2020-079-Revised” creates two specific requirements regarding cybersecurity type approval: 1) Criteria for approval of a manufacturer’s cyber security management system; and 2) Criteria for the approval of a vehicle with regards to cyber security. A short summary of some of the requirements for both the CSMS and the vehice is listed beow:

Requirements of the manufacturer’s cyber security management system (CSMS):– Identification and management of vehicle cyber-risk– Ongoing review and improvement processes must be implemented and demonstratable in order to obtain a CSMS certificate of compliance– Incident response within “a reasonable timeframe”

Requirements for approval of the vehicle with regards to cyber security:– Detection and prevention of cyber-attacks on the vehicle– Protection of the vehicle against identified risks– Support for the monitoring and forensic analysis capabilities of the manufacturer

 Does the cybersecurity regulation require me to implement mitigations on my vehicles?

“ECE-TRANS-WP29-2020-079-Revised” is technology agnostic and provides flexibility for the manufacturers to determine how they will accomplish the requirements of the regulation. For example, section 7.2.2.3. of the regulation requires the manufacturer to respond to threats and vulnerabilities within, “a reasonable timeframe,” but does not mandate the inclusion of certain technologies that may facilitate a fast response; it is up to the vehicle manufacturer to make its own determination about how it will accomplish that, and other, objectives required by the regulation (eg, with technology, processes, both or neither). Additionally, Annex 5 of “ECE-TRANS-WP29-2020-079-Revised” provides a list of generic threats and mitigations that must be demonstrably considered and applied to the vehicle type throughout its development processes and lifecycle.

 How and when do the regulations affect new vehicle models launched from new architectures?

After July 2022, new vehicle type approvals will need to obtain cyber security system approval in order to achieve whole vehicle type approval. For new type approvals granted between July 2022 and July 2024, “appropriate” alternatives to the functions described in the regulation’s Annex 5 and “adequate consideration” of cyber security during development and risk management will be acceptable by approval authorities. Beyond July 2024, new cybersecurity type approvals and all new vehicle registrations (existing type-approved vehicles that remain on the market for sale) will require full compliance with the regulation (regardless of architecture, launch date, etc.).