Proposal to amend para. 5.1.3. of UN R155 to add a refusal ground where the Certificate of Compliance for the Cyber Security Management System has not been issued by the same approval authority granting type approval, and insert new para. 5.4. into UN R156 to provide that approval authorities shall not grant any type approval if the Certificate of Compliance for the Software Update Management System has not been issued by the same approval authority granting type approval. The proposal, based on TFCS-37-02, ensures that Certificates of Compliance and type-approvals for UN R155 and UN R156 are issued by the same approval authority to enable holistic assessment and clarify reporting obligations.

Proposal to insert provisions on software identification and software updates into UN R13, UN R13-H, UN R79, UN R89, UN R130, UN R131, UN R152, UN R155, UN R156, UN R157, UN R171, UN R175, and UN R178 by adding definitions referencing Consolidated Resolution R.E.3 Annex 7, requiring manufacturers to provide Technical Services with information on hardware and software influencing performance, permitting vehicle manufacturers to apply for new approvals differentiating software versions for registered versus new vehicles, clarifying that production discontinuation does not apply when manufacturers seek approval extensions for software updates of registered vehicles, and amending communication forms to include software identification numbers and related information.

Proposal to amend para. 5.3.2. to require approval authorities to notify other approval authorities of methods and criteria used to assess measures taken in accordance with the Regulation, insert new para. 8.2. to exclude equipment with negligible intrinsic cyber security risk from further assessment where installation does not impinge on the cyber security management system and is connected exclusively via an approved interface, insert new para. 8.3. to exclude standard domestic, business or industrial equipment connected only for power from further assessment where the equipment is unmodified and complies with applicable regional and national cyber security requirements, and amend Annex 1 to include any equipment excluded from assessment pursuant to paras. 8.2. and 8.3.

Proposal to insert new Part C providing guidance on application of UN R155 to transformed vehicles. Part C defines when transformations require new approval, establishes terminology for original vehicle types, transformed vehicle types, transformations, and installations, identifies cyber-relevant transformations by evaluating impact on architecture and connection risks, addresses intrinsic cyber security risks, clarifies non-automotive equipment requirements, and specifies documentary evidence manufacturers must provide to approval authorities or technical services, including functional descriptions, connection details, software modifications, and component lists.

The Informal Working Group on Cyber Security and Software Updates discussed amendments to UN R155 and UN R156 for multi-stage approval, including simplified handling for low-risk devices and clarification of intrinsic cyber risk assessment. The group reviewed proposals from GRVA-25-31 and GRVA-25-32 concerning continued validity of approvals and Certificate of Compliance issuance. A Sub-Working Group was established to develop component and separate technical unit approval concepts. Pending discussion include RXSWIN application to components, STUs, and the extent of application to UN R155 and UN R156, and type-approval numbering for software updates.

OICA-CLEPA-EME comments on German proposal GRVA-25-07 to require the approval authority granting UN R155 or UN R156 type approvals to use CSMS or SUMS certificates signed by the same approval authority. OICA-CLEPA-EME identify that CSMS and SUMS are Management Systems covering entire manufacturer organizations, and mandating the same approval authority for Management Systems certificates and approvals will have significant consequences for original equipment manufacturers typically using multiple approval authorities in homologation. The submission proposes keeping text unchanged to allow different approval authorities for Management Systems certificates and type approval based on voluntary acceptance, implementing wording on information exchange if different approval authorities are involved, and establishing a horizontal approach for Management Systems with mutual recognition aspects considered.

Proposal to amend para. 5.1.3. of UN R155 to add a refusal ground where the Certificate of Compliance for the Cyber Security Management System has not been issued by the same approval authority granting type approval, and insert new para. 5.4. into UN R156 to provide that approval authorities shall not grant any type approval if the Certificate of Compliance for the Software Update Management System has not been issued by the same approval authority granting type approval. The proposal, based on TFCS-37-02, ensures that Certificates of Compliance and type-approvals for UN R155 and UN R156 are issued by the same approval authority to enable holistic assessment and clarify reporting obligations.

Proposal to insert provisions on software identification and software updates into UN R13, UN R13-H, UN R79, UN R89, UN R130, UN R131, UN R152, UN R155, UN R156, UN R157, UN R171, UN R175, and UN R178 by adding definitions referencing Consolidated Resolution R.E.3 Annex 7, requiring manufacturers to provide Technical Services with information on hardware and software influencing performance, permitting vehicle manufacturers to apply for new approvals differentiating software versions for registered versus new vehicles, clarifying that production discontinuation does not apply when manufacturers seek approval extensions for software updates of registered vehicles, and amending communication forms to include software identification numbers and related information.

Proposal to amend para. 5.3.2. to require approval authorities to notify other approval authorities of methods and criteria used to assess measures taken in accordance with the Regulation, insert new para. 8.2. to exclude equipment with negligible intrinsic cyber security risk from further assessment where installation does not impinge on the cyber security management system and is connected exclusively via an approved interface, insert new para. 8.3. to exclude standard domestic, business or industrial equipment connected only for power from further assessment where the equipment is unmodified and complies with applicable regional and national cyber security requirements, and amend Annex 1 to include any equipment excluded from assessment pursuant to paras. 8.2. and 8.3.

Proposal to insert new Part C providing guidance on application of UN R155 to transformed vehicles. Part C defines when transformations require new approval, establishes terminology for original vehicle types, transformed vehicle types, transformations, and installations, identifies cyber-relevant transformations by evaluating impact on architecture and connection risks, addresses intrinsic cyber security risks, clarifies non-automotive equipment requirements, and specifies documentary evidence manufacturers must provide to approval authorities or technical services, including functional descriptions, connection details, software modifications, and component lists.

The Informal Working Group on Cyber Security and Software Updates discussed amendments to UN R155 and UN R156 for multi-stage approval, including simplified handling for low-risk devices and clarification of intrinsic cyber risk assessment. The group reviewed proposals from GRVA-25-31 and GRVA-25-32 concerning continued validity of approvals and Certificate of Compliance issuance. A Sub-Working Group was established to develop component and separate technical unit approval concepts. Pending discussion include RXSWIN application to components, STUs, and the extent of application to UN R155 and UN R156, and type-approval numbering for software updates.

OICA-CLEPA-EME comments on German proposal GRVA-25-07 to require the approval authority granting UN R155 or UN R156 type approvals to use CSMS or SUMS certificates signed by the same approval authority. OICA-CLEPA-EME identify that CSMS and SUMS are Management Systems covering entire manufacturer organizations, and mandating the same approval authority for Management Systems certificates and approvals will have significant consequences for original equipment manufacturers typically using multiple approval authorities in homologation. The submission proposes keeping text unchanged to allow different approval authorities for Management Systems certificates and type approval based on voluntary acceptance, implementing wording on information exchange if different approval authorities are involved, and establishing a horizontal approach for Management Systems with mutual recognition aspects considered.

Proposal to amend para. 5.1.3. of UN R155 to add a refusal ground where the Certificate of Compliance for the Cyber Security Management System has not been issued by the same approval authority granting type approval, and insert new para. 5.4. into UN R156 to provide that approval authorities shall not grant any type approval if the Certificate of Compliance for the Software Update Management System has not been issued by the same approval authority granting type approval. The proposal, based on TFCS-37-02, ensures that Certificates of Compliance and type-approvals for UN R155 and UN R156 are issued by the same approval authority to enable holistic assessment and clarify reporting obligations.

Proposal to insert provisions on software identification and software updates into UN R13, UN R13-H, UN R79, UN R89, UN R130, UN R131, UN R152, UN R155, UN R156, UN R157, UN R171, UN R175, and UN R178 by adding definitions referencing Consolidated Resolution R.E.3 Annex 7, requiring manufacturers to provide Technical Services with information on hardware and software influencing performance, permitting vehicle manufacturers to apply for new approvals differentiating software versions for registered versus new vehicles, clarifying that production discontinuation does not apply when manufacturers seek approval extensions for software updates of registered vehicles, and amending communication forms to include software identification numbers and related information.

Proposal to amend para. 5.3.2. to require approval authorities to notify other approval authorities of methods and criteria used to assess measures taken in accordance with the Regulation, insert new para. 8.2. to exclude equipment with negligible intrinsic cyber security risk from further assessment where installation does not impinge on the cyber security management system and is connected exclusively via an approved interface, insert new para. 8.3. to exclude standard domestic, business or industrial equipment connected only for power from further assessment where the equipment is unmodified and complies with applicable regional and national cyber security requirements, and amend Annex 1 to include any equipment excluded from assessment pursuant to paras. 8.2. and 8.3.

Proposal to insert new Part C providing guidance on application of UN R155 to transformed vehicles. Part C defines when transformations require new approval, establishes terminology for original vehicle types, transformed vehicle types, transformations, and installations, identifies cyber-relevant transformations by evaluating impact on architecture and connection risks, addresses intrinsic cyber security risks, clarifies non-automotive equipment requirements, and specifies documentary evidence manufacturers must provide to approval authorities or technical services, including functional descriptions, connection details, software modifications, and component lists.

The Informal Working Group on Cyber Security and Software Updates discussed amendments to UN R155 and UN R156 for multi-stage approval, including simplified handling for low-risk devices and clarification of intrinsic cyber risk assessment. The group reviewed proposals from GRVA-25-31 and GRVA-25-32 concerning continued validity of approvals and Certificate of Compliance issuance. A Sub-Working Group was established to develop component and separate technical unit approval concepts. Pending discussion include RXSWIN application to components, STUs, and the extent of application to UN R155 and UN R156, and type-approval numbering for software updates.

OICA-CLEPA-EME comments on German proposal GRVA-25-07 to require the approval authority granting UN R155 or UN R156 type approvals to use CSMS or SUMS certificates signed by the same approval authority. OICA-CLEPA-EME identify that CSMS and SUMS are Management Systems covering entire manufacturer organizations, and mandating the same approval authority for Management Systems certificates and approvals will have significant consequences for original equipment manufacturers typically using multiple approval authorities in homologation. The submission proposes keeping text unchanged to allow different approval authorities for Management Systems certificates and type approval based on voluntary acceptance, implementing wording on information exchange if different approval authorities are involved, and establishing a horizontal approach for Management Systems with mutual recognition aspects considered.

Proposal to amend para. 5.1.3. of UN R155 to add a refusal ground where the Certificate of Compliance for the Cyber Security Management System has not been issued by the same approval authority granting type approval, and insert new para. 5.4. into UN R156 to provide that approval authorities shall not grant any type approval if the Certificate of Compliance for the Software Update Management System has not been issued by the same approval authority granting type approval. The proposal, based on TFCS-37-02, ensures that Certificates of Compliance and type-approvals for UN R155 and UN R156 are issued by the same approval authority to enable holistic assessment and clarify reporting obligations.

Proposal to insert provisions on software identification and software updates into UN R13, UN R13-H, UN R79, UN R89, UN R130, UN R131, UN R152, UN R155, UN R156, UN R157, UN R171, UN R175, and UN R178 by adding definitions referencing Consolidated Resolution R.E.3 Annex 7, requiring manufacturers to provide Technical Services with information on hardware and software influencing performance, permitting vehicle manufacturers to apply for new approvals differentiating software versions for registered versus new vehicles, clarifying that production discontinuation does not apply when manufacturers seek approval extensions for software updates of registered vehicles, and amending communication forms to include software identification numbers and related information.

Proposal to amend para. 5.3.2. to require approval authorities to notify other approval authorities of methods and criteria used to assess measures taken in accordance with the Regulation, insert new para. 8.2. to exclude equipment with negligible intrinsic cyber security risk from further assessment where installation does not impinge on the cyber security management system and is connected exclusively via an approved interface, insert new para. 8.3. to exclude standard domestic, business or industrial equipment connected only for power from further assessment where the equipment is unmodified and complies with applicable regional and national cyber security requirements, and amend Annex 1 to include any equipment excluded from assessment pursuant to paras. 8.2. and 8.3.

Proposal to insert new Part C providing guidance on application of UN R155 to transformed vehicles. Part C defines when transformations require new approval, establishes terminology for original vehicle types, transformed vehicle types, transformations, and installations, identifies cyber-relevant transformations by evaluating impact on architecture and connection risks, addresses intrinsic cyber security risks, clarifies non-automotive equipment requirements, and specifies documentary evidence manufacturers must provide to approval authorities or technical services, including functional descriptions, connection details, software modifications, and component lists.

The Informal Working Group on Cyber Security and Software Updates discussed amendments to UN R155 and UN R156 for multi-stage approval, including simplified handling for low-risk devices and clarification of intrinsic cyber risk assessment. The group reviewed proposals from GRVA-25-31 and GRVA-25-32 concerning continued validity of approvals and Certificate of Compliance issuance. A Sub-Working Group was established to develop component and separate technical unit approval concepts. Pending discussion include RXSWIN application to components, STUs, and the extent of application to UN R155 and UN R156, and type-approval numbering for software updates.

OICA-CLEPA-EME comments on German proposal GRVA-25-07 to require the approval authority granting UN R155 or UN R156 type approvals to use CSMS or SUMS certificates signed by the same approval authority. OICA-CLEPA-EME identify that CSMS and SUMS are Management Systems covering entire manufacturer organizations, and mandating the same approval authority for Management Systems certificates and approvals will have significant consequences for original equipment manufacturers typically using multiple approval authorities in homologation. The submission proposes keeping text unchanged to allow different approval authorities for Management Systems certificates and type approval based on voluntary acceptance, implementing wording on information exchange if different approval authorities are involved, and establishing a horizontal approach for Management Systems with mutual recognition aspects considered.

Proposal to amend para. 5.1.3. of UN R155 to add a refusal ground where the Certificate of Compliance for the Cyber Security Management System has not been issued by the same approval authority granting type approval, and insert new para. 5.4. into UN R156 to provide that approval authorities shall not grant any type approval if the Certificate of Compliance for the Software Update Management System has not been issued by the same approval authority granting type approval. The proposal, based on TFCS-37-02, ensures that Certificates of Compliance and type-approvals for UN R155 and UN R156 are issued by the same approval authority to enable holistic assessment and clarify reporting obligations.

Proposal to insert provisions on software identification and software updates into UN R13, UN R13-H, UN R79, UN R89, UN R130, UN R131, UN R152, UN R155, UN R156, UN R157, UN R171, UN R175, and UN R178 by adding definitions referencing Consolidated Resolution R.E.3 Annex 7, requiring manufacturers to provide Technical Services with information on hardware and software influencing performance, permitting vehicle manufacturers to apply for new approvals differentiating software versions for registered versus new vehicles, clarifying that production discontinuation does not apply when manufacturers seek approval extensions for software updates of registered vehicles, and amending communication forms to include software identification numbers and related information.

Proposal to amend para. 5.3.2. to require approval authorities to notify other approval authorities of methods and criteria used to assess measures taken in accordance with the Regulation, insert new para. 8.2. to exclude equipment with negligible intrinsic cyber security risk from further assessment where installation does not impinge on the cyber security management system and is connected exclusively via an approved interface, insert new para. 8.3. to exclude standard domestic, business or industrial equipment connected only for power from further assessment where the equipment is unmodified and complies with applicable regional and national cyber security requirements, and amend Annex 1 to include any equipment excluded from assessment pursuant to paras. 8.2. and 8.3.

Proposal to insert new Part C providing guidance on application of UN R155 to transformed vehicles. Part C defines when transformations require new approval, establishes terminology for original vehicle types, transformed vehicle types, transformations, and installations, identifies cyber-relevant transformations by evaluating impact on architecture and connection risks, addresses intrinsic cyber security risks, clarifies non-automotive equipment requirements, and specifies documentary evidence manufacturers must provide to approval authorities or technical services, including functional descriptions, connection details, software modifications, and component lists.

The Informal Working Group on Cyber Security and Software Updates discussed amendments to UN R155 and UN R156 for multi-stage approval, including simplified handling for low-risk devices and clarification of intrinsic cyber risk assessment. The group reviewed proposals from GRVA-25-31 and GRVA-25-32 concerning continued validity of approvals and Certificate of Compliance issuance. A Sub-Working Group was established to develop component and separate technical unit approval concepts. Pending discussion include RXSWIN application to components, STUs, and the extent of application to UN R155 and UN R156, and type-approval numbering for software updates.

OICA-CLEPA-EME comments on German proposal GRVA-25-07 to require the approval authority granting UN R155 or UN R156 type approvals to use CSMS or SUMS certificates signed by the same approval authority. OICA-CLEPA-EME identify that CSMS and SUMS are Management Systems covering entire manufacturer organizations, and mandating the same approval authority for Management Systems certificates and approvals will have significant consequences for original equipment manufacturers typically using multiple approval authorities in homologation. The submission proposes keeping text unchanged to allow different approval authorities for Management Systems certificates and type approval based on voluntary acceptance, implementing wording on information exchange if different approval authorities are involved, and establishing a horizontal approach for Management Systems with mutual recognition aspects considered.

Proposal to amend para. 5.1.3. of UN R155 to add a refusal ground where the Certificate of Compliance for the Cyber Security Management System has not been issued by the same approval authority granting type approval, and insert new para. 5.4. into UN R156 to provide that approval authorities shall not grant any type approval if the Certificate of Compliance for the Software Update Management System has not been issued by the same approval authority granting type approval. The proposal, based on TFCS-37-02, ensures that Certificates of Compliance and type-approvals for UN R155 and UN R156 are issued by the same approval authority to enable holistic assessment and clarify reporting obligations.

Proposal to insert provisions on software identification and software updates into UN R13, UN R13-H, UN R79, UN R89, UN R130, UN R131, UN R152, UN R155, UN R156, UN R157, UN R171, UN R175, and UN R178 by adding definitions referencing Consolidated Resolution R.E.3 Annex 7, requiring manufacturers to provide Technical Services with information on hardware and software influencing performance, permitting vehicle manufacturers to apply for new approvals differentiating software versions for registered versus new vehicles, clarifying that production discontinuation does not apply when manufacturers seek approval extensions for software updates of registered vehicles, and amending communication forms to include software identification numbers and related information.

Proposal to amend para. 5.3.2. to require approval authorities to notify other approval authorities of methods and criteria used to assess measures taken in accordance with the Regulation, insert new para. 8.2. to exclude equipment with negligible intrinsic cyber security risk from further assessment where installation does not impinge on the cyber security management system and is connected exclusively via an approved interface, insert new para. 8.3. to exclude standard domestic, business or industrial equipment connected only for power from further assessment where the equipment is unmodified and complies with applicable regional and national cyber security requirements, and amend Annex 1 to include any equipment excluded from assessment pursuant to paras. 8.2. and 8.3.

Proposal to insert new Part C providing guidance on application of UN R155 to transformed vehicles. Part C defines when transformations require new approval, establishes terminology for original vehicle types, transformed vehicle types, transformations, and installations, identifies cyber-relevant transformations by evaluating impact on architecture and connection risks, addresses intrinsic cyber security risks, clarifies non-automotive equipment requirements, and specifies documentary evidence manufacturers must provide to approval authorities or technical services, including functional descriptions, connection details, software modifications, and component lists.

The Informal Working Group on Cyber Security and Software Updates discussed amendments to UN R155 and UN R156 for multi-stage approval, including simplified handling for low-risk devices and clarification of intrinsic cyber risk assessment. The group reviewed proposals from GRVA-25-31 and GRVA-25-32 concerning continued validity of approvals and Certificate of Compliance issuance. A Sub-Working Group was established to develop component and separate technical unit approval concepts. Pending discussion include RXSWIN application to components, STUs, and the extent of application to UN R155 and UN R156, and type-approval numbering for software updates.

OICA-CLEPA-EME comments on German proposal GRVA-25-07 to require the approval authority granting UN R155 or UN R156 type approvals to use CSMS or SUMS certificates signed by the same approval authority. OICA-CLEPA-EME identify that CSMS and SUMS are Management Systems covering entire manufacturer organizations, and mandating the same approval authority for Management Systems certificates and approvals will have significant consequences for original equipment manufacturers typically using multiple approval authorities in homologation. The submission proposes keeping text unchanged to allow different approval authorities for Management Systems certificates and type approval based on voluntary acceptance, implementing wording on information exchange if different approval authorities are involved, and establishing a horizontal approach for Management Systems with mutual recognition aspects considered.