Cybersecurity is becoming increasingly important, especially in the automotive industry, which is reinventing itself. Connected cars, autonomous systems, electric cars and personal mobility systems all rely heavily on software. Today’s car has about 300 million lines of software code (compared to an average PC operating system’s 40 million), which makes it vulnerable to various cyberattacks. No unified regulatory framework or even technical standards currently exist.
1. Where can the new requirements be found?
The United Nations Economic Commission for Europe issued:
- a proposal on uniform provisions concerning the approval of vehicles with regards to cyber security and cyber security management systems on 23 June 2020;
- a proposal on uniform provisions concerning the approval of vehicles with regards to software updates and software update management systems on 31 March 2020 (and its proposal for amendments on 10 July 2020).
They have not yet been adopted as UN Vehicle Regulations. If accepted as UN Vehicle Regulations, they might come into effect directly in the EU, because EU Regulation no. 2019/2144 might well refer to them when defining the requirements for protection from cyberattacks for the automotive industry. Therefore, the exact content of the new cybersecurity regulatory framework cannot be defined yet; however, the main characteristics can be anticipated.
2. Which vehicles and manufacturers are affected?
The new rules apply to passenger vehicles, transportation vehicles and trailers and to systems, components and separate technical units designed and constructed for them. Based on the EU Regulation’s wording, the rules apply to the above vehicles’ Original Equipment Manufacturers (OEMs).
However, suppliers seem to be affected as well, since according to the UN proposals, OEMs are explicitly obliged to collect and verify the required information throughout their supply chains. Suppliers are obliged to provide information to the competent authority so that it can check compliance.
3. What is required by the new regulations?
The UN proposals contain very few specific technical requirements. They require OEMs to ensure that cybersecurity and software updates are reviewed during design, production and postproduction phases using specific management systems: a cybersecurity management system (CSMS) and a software update management system (SUMS).
4. What happens in case of non-compliance?
After 6 July 2022, no type approval will be issued without a CSMS and a SUMS.
After 7 July 2024, no vehicles will be registered and no components will be permitted on the market if they do not comply with the new cybersecurity rules.
5. To Dos
Both OEMs and their suppliers (Tier 1, Tier 2, etc.) in the automotive sector must be up to date on the status of the new regulations and changes to their content. This is a good opportunity to check/implement processes and to communicate with each other in order to ensure compliance throughout the supply chain.
By Zoltan Nadasdy, Partner, and Eszter Sieber-Fazakas, Senior Associate, Noerr