Proposal for Recommendations on uniform provisions concerning cyber security and software updates
Document GRVA/2021/20
14 July 2021

The text was prepared by the experts from the Informal Working Group on Cyber Security and Over-The-Air (OTA) issues (Software updates). It proposes recommendations on uniform provisions concerning cyber security and software updates, suitable for the purpose of the contracting parties to the 1998 Agreement.

Status: Formal GR review
Previous Documents, Discussions, and Outcomes
5. (a) | Cyber security and data protection

35. The expert from the United Kingdom of Great Britain and Northern Ireland, Co-Chair of the IWG on Cyber Security and Over-the-Air issues (CS/OTA), reported on the activities of the group (GRVA-11-05).

36. He introduced ECE/TRANS/WP.29/GRVA/2021/20, with recommendations on uniform provisions concerning cyber security and software updates, suitable for the purpose of the Contracting Parties of the 1998 and 1958 Agreements. He explained that no UN Global Technical Regulation was envisaged because of the difficulty of defining acceptance criteria, which would depend on how a vehicle is equipped. He stated that these recommendations, covering cyber security and software updates and permitting the use of Regulation No. X Software Identification Number (RxSWIN), can be followed and adapted to national circumstances.

37. He reported on the activities of the group concerning the review of the request by the expert from CEMA to remove vehicle categories S, R and T from the scope of UN Regulation No. 156. He explained that, following a technical discussion, the group confirmed that vehicles of these categories were using over-the-air software updates and that the scope of UN Regulation No. 156 was fine. He suggested that the scope of UN Regulation No. 155 could be expanded to vehicles of Categories S, R and T as both regulations went hand in hand.

38. He also reported on the group’s activities on ECE/TRANS/WP.29/GRVA/2021/20 following a request for clarification on the transition clauses specified in paragraphs 7.3.1. and 7.3.4. with regard to the extension of type approvals first issued before 1 July 2024 and applied for such extension after that date. He explained that the group developed amendments to (a) the UN Regulation No. 155 (Cyber Security and Cyber Security Management System), and (b) the respective Interpretation Documents for UN Regulation No. 155 (ECE/TRANS/WP.29/2021/59), in order to clarify under which circumstances extensions were possible and which additional information was expected to be provided by the vehicle manufacturer applying for approval.

39. The expert from Canada stated that the world of cyber security was very active, including on vulnerability assessment tools. He mentioned existing services as suitable mitigation tools. He highlighted that Canada published Transport Canada’s Vehicle Cyber Security Strategy as well as Canada’s vehicle cyber security guidance. He stated that the work of the IWG was not completed.

40. The expert from the United Kingdom of Great Britain and Northern Ireland, Co-Chair of the group, acknowledged that the world of cyber security was evolving, and that regulations and other activities, such as those mentioned above, were going hand in hand.

41. The expert from the United States of America proposed that ECE/TRANS/WP.29/GRVA/2021/20 should be kept at GRVA level for the time being.

42. The expert from the European Commission recalled that the document was mandated by the Framework Document on Automated Vehicles and wondered why it should not be transmitted to WP.29.

43. The Secretary of the IWG explained that some elements were missing in the document and that he would try to provide a corrected version as soon as possible.

44. GRVA agreed that there was no urgency and agreed to consider a revised document at its January 2022 session.

Relates to Cyber Security Guidelines