A comprehensive cyber security risk assessment without gaps between Parts I, II, and III is required for component or separate technical unit approval. Risk assessment is difficult for manufacturers alone; contracts are required to share vulnerability information. Identification of realistic installation use cases, information sharing between approval authorities, and clarification of responsibilities are necessary. Components with no communication to the vehicle or only mechanical and power connection do not require new approval. Components sending data to the vehicle or controlling it require Part II approval and joint risk analysis by the original equipment manufacturer and installer.