The Informal Working Group on Cyber Security and Software Updates will continue to consider how cyber security and software updates have a bearing on automotive safety and security, and whether any changes are necessary to the Regulations and guidance it has produced under WP.29. In particular, the IWG shall maintain official documents regarding UN R155, UN R156, and Recommendations on uniform provisions concerning cyber security and software updates; develop amendments to relevant documents; develop a proposal to amend UN Regulations under the responsibility of GRVA to record details of an RXSWIN where applicable which have been mandated by the 01 series of UN Regulation No. 156; develop proposals to amend UN Regulation No. 155 and its interpretation document to support application in national/regional frameworks for aspects such as multi-stage manufacturing; consider and develop deliverables regarding software updates after registration potentially creating a proposal for modification to the type approval numbering or a classification of update categories; support and review the application of cyber security and software update provisions across GRs notably for the Global Technical Regulation on Automated Driving Systems; and provide opportunities to participants to share knowledge, experience and ideas from implementation of national regulation/standards regarding CS/OTA as well as UN R155 and R156. The IWG will continue its activities until November 2029.

Answers to questions on separate technical unit approvals under UN R155 clarify that a base vehicle must already hold an R155 type approval before an ESA can be added at Part III; approval authorities for different parts may differ with mutual recognition applying; the end of support period for an ESA manufacturer must be communicated to the vehicle manufacturer, with implications to be discussed by the IWG; installation of ESAs must follow vehicle manufacturer instructions without necessarily requiring separate agreement; STU data sharing agreements are required; and after ESA installation, a whole vehicle cyber security risk assessment is not necessary, though Part III must consider risks where ESA and base vehicle interactions occur. A working document is planned for submission to GRVA in January 2027. The IWG will explore whether Part II components may include equipment from certificated base vehicles under UN R155 multi-stage categorization and discuss incorporating STU into original approvals.

Questions address whether minimum vehicle architecture approval should be required before Part III can be used for additional devices; whether approved ESAs can be incorporated in original vehicle approval or as an extension to Part I approval; whether different terminology should replace CSMS for Part III approvals; whether second Part III approvals are permissible for vehicles already approved to Parts I and III; and what implications arise from end-of-support by ESA manufacturers.

The agenda includes review of proposals for amendments to R155 concerning multistage vehicles, separate technical units and component approval, approval-authority requirements for CSMS CoC and vehicle type approval, and remote operation for ADS; review of cyber and software requirements in the ADS Regulation based on WP.29/2022/60 as amended by WP.29/2023/87; discussion of RXWIN application amendments; and consideration of terms of reference renewal ahead of mandate expiration in November 2026.

Vehicles of categories M₁, N, O, R, S and T may fall out of scope of UN R155 or UN R156 if they lack ECUs or do not permit software updates. Approval authorities currently make individual determinations regarding whether vehicles are in or out of scope, and justification for out-of-scope decisions must be recorded to ensure vehicles remain out of scope during the lifetime of whole vehicle approval. UN Regulation No. 10 provides precedent by allowing approvals for vehicles where certain equipment is not relevant. A similar provision could be incorporated into UN R155 and UN R156 by amending the scope and adding provisions to section 5 allowing manufacturers to obtain approvals for vehicles that do not permit software updates, with requirements of paragraph 7 not applying.

The CS/OTA Task Force held its thirty-seventh session on 21-22 April 2026 by video conference. The group adopted the provisional agenda and minutes from the thirty-sixth session. Discussions addressed proposals for amendments to UN R155 concerning multi-stage vehicle approvals and separate technical units, for which a subworking group was established. Proposals were also considered on type approval authority responsibility for cyber security management systems and remote operation of automated driving systems. The group reviewed cyber and software requirements in the ADS GTR and WP.29/2022/60 as amended by WP.29/2023/87, and discussed application of RXSWIN to UN Regulations, selecting option 2 for presentation to GRVA with R155, R156, and R89 square bracketed. The IWG mandate renewal was discussed, with potential new items including component and STU approval and software numbering proposals.

The UN IWG on Cyber Security and OTA will meet April 21-22, 2026 via video conference. The agenda includes adoption of the provisional agenda and minutes from the previous session, proposals for amendments to UN R155 and its interpretation document regarding multistage vehicles and type approval authorities, review of cyber and software requirements in the ADS Regulation, discussion of RXSWIN application, renewal of the IWG mandate expiring November 2026, and confirmation of next steps.

Proposal to amend UN R155 by clarifying its scope to exclude certain equipment. The proposal amends paragraph 5.3.2. to require approval authorities to notify others of assessment methods and criteria. New paragraphs 8.2. and 8.3. establish that vehicle manufacturer installation of equipment with negligible intrinsic cyber security risk, or standard domestic, business or industrial equipment connected only for power, shall not require further assessment under paragraph 7, provided specified criteria are justified. Annex I is amended to include any equipment excluded from assessment pursuant to paragraphs 8.2. and 8.3.

Germany proposes that the TAA granting UN R155 or UN R156 type approvals shall be obliged to only use CSMS or SUMS certificates signed by the same TAA. Issues identified include that CSMS and SUMS are Management Systems covering entire manufacturers’ organizations, mandating the same TAA will have huge consequences for OEMs using multiple TAAs, and no such obligation exists for ISO 9001 and ISO 14001. A possible way forward in the short term is to keep text unchanged to allow different TAAs for Management Systems CoC and type approval based on voluntary acceptance and implement wording on information exchange and procedure if different TAAs involved.

Proposal to amend UN R13, 13-H, 79, 89, 130, 131, 139, 140, 152, 155, 156, 157, 171, 175, and 178 by introducing provisions on software identification and software updates. Amendments add new paragraphs referring to Software Identification Number definitions in Consolidated Resolution R.E.3, require manufacturers to provide Technical Services with information on hardware and software influencing performance, permit vehicle manufacturers to apply for new approvals differentiating software versions for registered versus new vehicles while avoiding test duplication, and modify production discontinuation provisions to exclude cases where manufacturers seek approval extensions for software updates of registered vehicles.

Proposal to amend Table A1 of Annex 5 to include high level and sub-level descriptions of vulnerability and threat including spoofing of messages, Sybil attacks, communication channels permitting code injection, manipulation, overwrite and erasure of vehicle held data and code, denial of service attacks, unauthorized access to vehicle systems, viruses in communication media, and malicious messages, and amend Table B1 of Annex 5 to provide corresponding mitigation measures. This proposal is a further elaboration of TFCS-35-07.

UN R155 addresses operator risks in automated driving systems. The ADS Regulation enables operators to offer services using automation and permits remote termination of the ADS. UN R155 mandates that supplier-related risks are managed, but operators are customers, not suppliers, creating downstream risks. An automated vehicle could be susceptible to unauthorised requests from an operator experiencing cyber attack. UN R155 does not define how downstream organisational risks are managed. Manufacturers should identify risks posed by operators and inform Third Party Operators of risks involved and expected minimum-security controls for workstations interfacing with an ADS. This could be achieved via Annex 5.

TFCS-37-08 presents proposals to amend UN R155 to establish approval routes for electrical/electronic sub-assemblies and separate technical units. The regulation introduces three parts: Part I covers vehicle cyber security approval; Part II covers component and separate technical unit approval; Part III covers installation approval of approved components and separate technical units in vehicles. Updates include new definitions, application procedures by manufacturers or their representatives, approval conditions specifying connection limitations, and cyber security management system requirements. The proposal requests colleague review and feedback.

This document presents an initial concept for approvals of devices as components or separate technical units according to UN R155, and the installation of such devices on vehicles already holding UN R155 approval, based on Supplement 3 to the original series. The regulation applies to vehicles of categories L₁–L₇, M₁–M₃, N₁–N₃, and O₁–O₄ with electronic control units, and to approval of components and separate technical units with regard to their cyber security. Approval authorities shall grant type approval only to vehicle or electrical/electronic sub-assembly types that satisfy the regulation’s requirements through document checks and testing. Manufacturers must demonstrate cyber security management systems covering development, production, and post-production phases, including risk assessment, mitigation implementation, monitoring, and response to cyber-attacks. Certificates of Compliance for Cyber Security Management Systems remain valid for three years.

Questions concerning cyber security amendments for approvals of STU submitted by the expert from Japan that address timing of working document submission to GRVA, whether Part II components may include certificated base vehicle equipment under UN R155 multi-stage categorization, whether STU definition includes ECUs within base vehicle E/E architecture, examination of use cases and implementation challenges, consistency of applicant terminology between Section 3.3.1 and Section 7.6, whether approval authorities for Parts I, II, and III must be identical, clarification of end of support period requirements in para. 2.7(b), installation agreement requirements in para. 5.1.2.1(d), and whether total Cyber Security Risk Assessment Process for whole vehicle with other equipment than ESAs is necessary after ESA installation under para. 7.4.10.

Proposal to provide guidance on application of UN R155 to transformed vehicles. Transformations require new approval unless clear evidence shows original approval remains valid. Cyber-relevant modifications include addition of electrical/electronic systems, inappropriate interface connections, and wiring protection modifications. The approval authority determines whether transformation is cyber-relevant by assessing impact on original vehicle architecture, connection risks, cybersecurity management systems, and whether non-automotive equipment complies with relevant regulations. Manufacturers must provide documentary evidence including functional descriptions, connection details, software modifications, and compliance with original manufacturer instructions.

Proposal to amend UN R155 and UN R156 to require that Certificates of Compliance for Cyber Security Management Systems and Software Update Management Systems be issued by the same approval authority that grants type approval. Germany reported a case where different authorities issued the certificate and type approval, creating assessment and enforcement issues. The proposal aims to ensure holistic cyber security evaluation and align both regulations.