Proposal to amend para. 5.1.3. of UN R155 to add a refusal ground where the Certificate of Compliance for the Cyber Security Management System has not been issued by the same approval authority granting type approval, and insert new para. 5.4. into UN R156 to provide that approval authorities shall not grant any type approval if the Certificate of Compliance for the Software Update Management System has not been issued by the same approval authority granting type approval. The proposal, based on TFCS-37-02, ensures that Certificates of Compliance and type-approvals for UN R155 and UN R156 are issued by the same approval authority to enable holistic assessment and clarify reporting obligations.

Proposal to insert provisions on software identification and software updates into UN R13, UN R13-H, UN R79, UN R89, UN R130, UN R131, UN R152, UN R155, UN R156, UN R157, UN R171, UN R175, and UN R178 by adding definitions referencing Consolidated Resolution R.E.3 Annex 7, requiring manufacturers to provide Technical Services with information on hardware and software influencing performance, permitting vehicle manufacturers to apply for new approvals differentiating software versions for registered versus new vehicles, clarifying that production discontinuation does not apply when manufacturers seek approval extensions for software updates of registered vehicles, and amending communication forms to include software identification numbers and related information.

Proposal to amend para. 5.3.2. to require approval authorities to notify other approval authorities of methods and criteria used to assess measures taken in accordance with the Regulation, insert new para. 8.2. to exclude equipment with negligible intrinsic cyber security risk from further assessment where installation does not impinge on the cyber security management system and is connected exclusively via an approved interface, insert new para. 8.3. to exclude standard domestic, business or industrial equipment connected only for power from further assessment where the equipment is unmodified and complies with applicable regional and national cyber security requirements, and amend Annex 1 to include any equipment excluded from assessment pursuant to paras. 8.2. and 8.3.

Proposal to insert new Part C providing guidance on application of UN R155 to transformed vehicles. Part C defines when transformations require new approval, establishes terminology for original vehicle types, transformed vehicle types, transformations, and installations, identifies cyber-relevant transformations by evaluating impact on architecture and connection risks, addresses intrinsic cyber security risks, clarifies non-automotive equipment requirements, and specifies documentary evidence manufacturers must provide to approval authorities or technical services, including functional descriptions, connection details, software modifications, and component lists.

The Informal Working Group on Cyber Security and Software Updates discussed amendments to UN R155 and UN R156 for multi-stage approval, including simplified handling for low-risk devices and clarification of intrinsic cyber risk assessment. The group reviewed proposals from GRVA-25-31 and GRVA-25-32 concerning continued validity of approvals and Certificate of Compliance issuance. A Sub-Working Group was established to develop component and separate technical unit approval concepts. Pending discussion include RXSWIN application to components, STUs, and the extent of application to UN R155 and UN R156, and type-approval numbering for software updates.

The document requests guidance on the legal basis for provisions within UN Regulations extending beyond the End-of-Production date and which authority such provisions address. Examples include UN R171 requirements for manufacturers to demonstrate safety management systems to the Type Approval Authority every three years and report annually on Driven Coded Auxiliary System operation until production is discontinued, and UN R155 requirements for Cyber Security Management Systems to apply to the post-production phase when vehicles remain operational but are no longer produced. The document poses an additional question regarding vehicle safety when manufacturers cease operations and cannot fulfill post-deployment safety provisions.