The agenda includes review of proposals for amendments to R155 concerning multistage vehicles, separate technical units and component approval, approval-authority requirements for CSMS CoC and vehicle type approval, and remote operation for ADS; review of cyber and software requirements in the ADS Regulation based on WP.29/2022/60 as amended by WP.29/2023/87; discussion of RXWIN application amendments; and consideration of terms of reference renewal ahead of mandate expiration in November 2026.

The Informal Working Group on Cyber Security and Software Updates will continue to consider how cyber security and software updates have a bearing on automotive safety and security, and whether any changes are necessary to the Regulations and guidance it has produced under WP.29. In particular, the IWG shall maintain official documents regarding UN R155, UN R156, and Recommendations on uniform provisions concerning cyber security and software updates; develop amendments to relevant documents; develop a proposal to amend UN Regulations under the responsibility of GRVA to record details of an RXSWIN where applicable which have been mandated by the 01 series of UN Regulation No. 156; develop proposals to amend UN Regulation No. 155 and its interpretation document to support application in national/regional frameworks for aspects such as multi-stage manufacturing; consider and develop deliverables regarding software updates after registration potentially creating a proposal for modification to the type approval numbering or a classification of update categories; support and review the application of cyber security and software update provisions across GRs notably for the Global Technical Regulation on Automated Driving Systems; and provide opportunities to participants to share knowledge, experience and ideas from implementation of national regulation/standards regarding CS/OTA as well as UN R155 and R156. The IWG will continue its activities until November 2029.

Vehicles of categories M₁, N, O, R, S and T may fall out of scope of UN R155 or UN R156 if they lack ECUs or do not permit software updates. Approval authorities currently make individual determinations regarding whether vehicles are in or out of scope, and justification for out-of-scope decisions must be recorded to ensure vehicles remain out of scope during the lifetime of whole vehicle approval. UN Regulation No. 10 provides precedent by allowing approvals for vehicles where certain equipment is not relevant. A similar provision could be incorporated into UN R155 and UN R156 by amending the scope and adding provisions to section 5 allowing manufacturers to obtain approvals for vehicles that do not permit software updates, with requirements of paragraph 7 not applying.

Questions address whether minimum vehicle architecture approval should be required before Part III can be used for additional devices; whether approved ESAs can be incorporated in original vehicle approval or as an extension to Part I approval; whether different terminology should replace CSMS for Part III approvals; whether second Part III approvals are permissible for vehicles already approved to Parts I and III; and what implications arise from end-of-support by ESA manufacturers.

Answers to questions on separate technical unit approvals under UN R155 clarify that a base vehicle must already hold an R155 type approval before an ESA can be added at Part III; approval authorities for different parts may differ with mutual recognition applying; the end of support period for an ESA manufacturer must be communicated to the vehicle manufacturer, with implications to be discussed by the IWG; installation of ESAs must follow vehicle manufacturer instructions without necessarily requiring separate agreement; STU data sharing agreements are required; and after ESA installation, a whole vehicle cyber security risk assessment is not necessary, though Part III must consider risks where ESA and base vehicle interactions occur. A working document is planned for submission to GRVA in January 2027. The IWG will explore whether Part II components may include equipment from certificated base vehicles under UN R155 multi-stage categorization and discuss incorporating STU into original approvals.