White Paper

Cybersecurity Management Systems for the Automotive Market

New vehicle technology brings with it rising security threats, which must be addressed by integrating cybersecurity best practices into the vehicle lifecycle from design, to production and maintenance, through to decommissioning

The Regulatory Context

In order to protect road vehicles and their passengers from security threats, the United Nations Economic Commission for Europe (UNECE) has introduced baseline requirements for vehicle cybersecurity practices.

UN-R155 Regulation

By July 2024, this regulation will become fully applicable and will require all carmakers to implement and apply a CSMS to their product lifecycle, including the components supplied from third parties, and to provide proof of such implementation during the homologation phase. This will have a significant effect on the entire automotive ecosystem and its stakeholders, since failure to meet the regulatory requirements could affect the ability to market the vehicles.

ISO/SAE 21434

This is the standard referred to in the UN-R155 Regulations, which  represents an approved "guideline" to ensure R155 compliance and thus to obtain approval for vehicle homologation, and elaborates on the concept of a Cybersecurity Management System.

ISO/PAS 5112

This standard was released in 2022, in order to provide guidelines for managing an automotive cybersecurity audit program, providing specific criteria for auditing ISO/IEC 21434-based CSMS.

CSMS Key Elements

The Cybersecurity Management System (CSMS) is “a systematic risk-based approach defining organizational processes, responsibilities, and governance to treat risk associated with cyber threats to vehicles and protect them from cyber-attacks.” To guarantee proper cybersecurity risk management through the entire product lifecycle, the CSMS follows the Automotive V-Model, ensuring appropriate consideration of cybersecurity from the concept phase all the way through to the decommissioning phase of electrical and electronic systems in road vehicles, including their components and interfaces.

How We Can Help

Reply’s approach to CSMS implementation uses our extensive experience in the automotive cybersecurity sector to execute strategies which are custom-made and tailored to the needs of our unique customers. Due to our skills related to security advisory topics, system integration, and security operations, our automotive security offering provides both consultancy services and integrated solutions implementation.

Reply’s services

Assessment & Strategy definition

  • Assess and evaluate the current cybersecurity posture to meet UN-R155 and UN-R156 compliance

  • Evaluate the compliance against other applicable regulations (e.s. IATF, TISAX)

  • Provide a detailed Gap Analysis

  • Define the strategies and remediation activities to meet regulatory requirements

Support activities


Cybersecurity Engineering
& Security by Design

Vehicle cybersecurity engineering according to ISO/SAE 21434 and Regulation UNECE/WP R155.


Third Party Risk Management

Management of the suppliers related risks through the contract lifecycle (suppliers evaluation, monitoring,..)


Connected Vehicle ICT Security

Security services related to backend application used by Connected Vehicles (e.g. Service Delivery Platform, Authenticated Diagnostic, ...)


Secure develpment & tests

Secure development and execution of penetration testing for vehicle components or networks


Manufacturing Security

Implementation, integration and management of V-PKI (SW Sign, ECU Identify, ADA)


CSMS operation & Threat Intelligence

  • V-SOC and PSIRT implementation and management

  • Vulnerabilities management