| CS/OTA Task Force: Agenda for the 38th (June 2026) session |
| Reference Number: TFCS-38-01/Rev.3 |
|
The agenda includes review of proposals for amendments to R155 concerning multistage vehicles, separate technical units and component approval, approval-authority requirements for CSMS CoC and vehicle type approval, and remote operation for ADS; review of cyber and software requirements in the ADS Regulation based on WP.29/2022/60 as amended by WP.29/2023/87; discussion of RXWIN application amendments; and consideration of terms of reference renewal ahead of mandate expiration in November 2026. |
| Meeting Sessions: 38th TFCS session (30 Jun-1 Jul) |
| Document date: 29 Jun 26 |
| Relevant to: UN Regulation No. 155 | Cyber Security and Cyber Security Management and UN Regulation No. 156 | Software Update Processes and Management Systems |
| Click here to view the full document file |
| CS/OTA: Draft updated terms of reference |
| Reference Number: TFCS-38-02/Rev.1 |
|
The Informal Working Group on Cyber Security and Software Updates will continue to consider how cyber security and software updates have a bearing on automotive safety and security, and whether any changes are necessary to the Regulations and guidance it has produced under WP.29. In particular, the IWG shall maintain official documents regarding UN R155, UN R156, and Recommendations on uniform provisions concerning cyber security and software updates; develop amendments to relevant documents; develop a proposal to amend UN Regulations under the responsibility of GRVA to record details of an RXSWIN where applicable which have been mandated by the 01 series of UN Regulation No. 156; develop proposals to amend UN Regulation No. 155 and its interpretation document to support application in national/regional frameworks for aspects such as multi-stage manufacturing; consider and develop deliverables regarding software updates after registration potentially creating a proposal for modification to the type approval numbering or a classification of update categories; support and review the application of cyber security and software update provisions across GRs notably for the Global Technical Regulation on Automated Driving Systems; and provide opportunities to participants to share knowledge, experience and ideas from implementation of national regulation/standards regarding CS/OTA as well as UN R155 and R156. The IWG will continue its activities until November 2029. |
| Meeting Sessions: 38th TFCS session (30 Jun-1 Jul) |
| Document date: 30 Jun 26 |
| Relevant to: UN Regulation No. 155 | Cyber Security and Cyber Security Management and UN Regulation No. 156 | Software Update Processes and Management Systems |
| Click here to view the full document file |
| UN R155 and R156: Approvals for ‘out-of-scope’ vehicles |
| Reference Number: TFCS-38-03 |
|
Vehicles of categories M1, N, O, R, S and T may fall out of scope of UN R155 or UN R156 if they lack ECUs or do not permit software updates. Approval authorities currently make individual determinations regarding whether vehicles are in or out of scope, and justification for out-of-scope decisions must be recorded to ensure vehicles remain out of scope during the lifetime of whole vehicle approval. UN Regulation No. 10 provides precedent by allowing approvals for vehicles where certain equipment is not relevant. A similar provision could be incorporated into UN R155 and UN R156 by amending the scope and adding provisions to section 5 allowing manufacturers to obtain approvals for vehicles that do not permit software updates, with requirements of paragraph 7 not applying. |
| Submitted by: VCA |
| Meeting Sessions: 38th TFCS session (30 Jun-1 Jul) |
| Document date: 23 Jun 26 |
| Relevant to: UN Regulation No. 155 | Cyber Security and Cyber Security Management and UN Regulation No. 156 | Software Update Processes and Management Systems |
| Click here to view the full document file |
| UN R155: Questions concerning separate technical units |
| Reference Number: TFCS-38-04 |
|
Questions address whether minimum vehicle architecture approval should be required before Part III can be used for additional devices; whether approved ESAs can be incorporated in original vehicle approval or as an extension to Part I approval; whether different terminology should replace CSMS for Part III approvals; whether second Part III approvals are permissible for vehicles already approved to Parts I and III; and what implications arise from end-of-support by ESA manufacturers. |
| Submitted by: UK |
| Meeting Sessions: 38th TFCS session (30 Jun-1 Jul) |
| Document date: 23 Jun 26 |
| Relevant to: UN Regulation No. 155 | Cyber Security and Cyber Security Management |
| Click here to view the full document file |
| UN R155: Response to questions concerning separate technical unit approvals |
| Reference Number: TFCS-38-05 |
|
Answers to questions on separate technical unit approvals under UN R155 clarify that a base vehicle must already hold an R155 type approval before an ESA can be added at Part III; approval authorities for different parts may differ with mutual recognition applying; the end of support period for an ESA manufacturer must be communicated to the vehicle manufacturer, with implications to be discussed by the IWG; installation of ESAs must follow vehicle manufacturer instructions without necessarily requiring separate agreement; STU data sharing agreements are required; and after ESA installation, a whole vehicle cyber security risk assessment is not necessary, though Part III must consider risks where ESA and base vehicle interactions occur. A working document is planned for submission to GRVA in January 2027. The IWG will explore whether Part II components may include equipment from certificated base vehicles under UN R155 multi-stage categorization and discuss incorporating STU into original approvals. |
| Submitted by: UK |
| Meeting Sessions: 38th TFCS session (30 Jun-1 Jul) |
| Document date: 23 Jun 26 |
| Relevant to: UN Regulation No. 155 | Cyber Security and Cyber Security Management |
| Click here to view the full document file |
| UN R155: Review of points for approval of separate technical units |
| Reference Number: TFCS-38-06 |
|
A comprehensive cyber security risk assessment without gaps between Parts I, II, and III is required for component or separate technical unit approval. Risk assessment is difficult for manufacturers alone; contracts are required to share vulnerability information. Identification of realistic installation use cases, information sharing between approval authorities, and clarification of responsibilities are necessary. Components with no communication to the vehicle or only mechanical and power connection do not require new approval. Components sending data to the vehicle or controlling it require Part II approval and joint risk analysis by the original equipment manufacturer and installer. |
| Submitted by: NTSEL |
| Meeting Sessions: 38th TFCS session (30 Jun-1 Jul) |
| Document date: 26 Jun 26 |
| Relevant to: UN Regulation No. 155 | Cyber Security and Cyber Security Management |
| Click here to view the full document file |
| UN R156: Question on 01 series of amendments interpretation |
| Reference Number: TFCS-38-07 |
|
The document clarifies two interpretation points regarding UN R156-01. First, software updates to registered vehicles require that an RXSWIN be assigned to every Regulation No. X type approval assessed during the update process, unless the manufacturer does not plan software updates for that particular system Regulation. Second, regarding para. 7.2.1.2.2., it is proposed to delete the requirement that software version changes be declared each time they are updated, since software versions are declared for each regulation subject to software updates following amendments to RE.3 Annex 7. |
| Submitted by: NTSEL |
| Meeting Sessions: 38th TFCS session (30 Jun-1 Jul) |
| Document date: 26 Jun 26 |
| Relevant to: UN Regulation No. 156 | Software Update Processes and Management Systems |
| Click here to view the full document file |
| UN R155: Proposal to address approvals by one or more authorities |
| Reference Number: TFCS-38-08 |
|
Proposal to add para. 3.2.3.1. requiring manufacturers to provide additional information on the Cyber Security Management System at request of the Approval Authority when the Certificate of Compliance for CSMS is issued by a different Approval Authority, add para. 5.1.5. allowing the Approval Authority to refuse type approval if insufficient information on the CSMS and its implementation was provided, and add para. 7.4.1.1. requiring all granting Approval Authorities to be included in reporting when different Approval Authorities are used for the Certificate of Compliance for CSMS and type approval of the vehicle type. |
| Submitted by: OICA and CLEPA |
| Meeting Sessions: 38th TFCS session (30 Jun-1 Jul) |
| Document date: 29 Jun 26 |
| Relevant to: UN Regulation No. 155 | Cyber Security and Cyber Security Management |
| Click here to view the full document file |
| Component/STU type approval under UN R155 |
| Reference Number: TFCS-38-09 |
|
CLEPA welcomes questions raised by Japanese experts under doc TFCS-37-06 and identifies points requiring further clarification regarding component and STU type approval scope, technical integration, STU definition, implementation, risk assessment, impact and benefit, and post-market monitoring. CLEPA proposes that components or STUs required for initial vehicle type approval under Part I should not be subject to separate approval under Part II, noting that vehicle cybersecurity depends on vehicle-level system interactions and E/E architecture, the OEM has full visibility of system architecture, and Part I approval ensures integrated assessment. |
| Submitted by: CLEPA |
| Meeting Sessions: 38th TFCS session (30 Jun-1 Jul) |
| Document date: 29 Jun 26 |
| Relevant to: UN Regulation No. 155 | Cyber Security and Cyber Security Management |
| Click here to view the full document file |
| UN R155: Proposal to amend GRVA-25-32 |
| Reference Number: TFCS-38-10 |
|
Amend para. AI to replace the heading “Examples of documents/evidence that could be provided” with “Explanation of the requirement” and insert text stating that Part C of this document provides further guidance on the application of the Regulation to vehicles which have been modified by carrying out a transformation of the vehicle. |
| Submitted by: UK |
| Meeting Sessions: 38th TFCS session (30 Jun-1 Jul) |
| Document date: 29 Jun 26 |
| Relevant to: UN Regulation No. 155 | Cyber Security and Cyber Security Management |
| Click here to view the full document file |
| Cyber security: Vehicle modification use cases |
| Reference Number: TFCS-38-11 |
|
The document presents vehicle modification use cases categorized into four cases and additional scenarios. Case 1 covers components with negligible risk or cyber-relevant non-automotive devices. Case 2 addresses cyber-relevant automotive devices approved to specific regulatory requirements, requiring installation approval and vehicle type re-approval. Case 3a addresses cyber-relevant devices not approved to specific requirements, requiring component or STU approval. Case 3b covers devices controlling vehicle functions, also requiring component or STU approval. Case 4 encompasses invasive modifications or complex interactions not covered by other cases. |
| Submitted by: UK |
| Meeting Sessions: 38th TFCS session (30 Jun-1 Jul) |
| Document date: 01 Jul 26 |
| Relevant to: UN Regulation No. 155 | Cyber Security and Cyber Security Management |
| Click here to view the full document file |
| Cyber security: Modifications to GRVA-25-30 |
| Reference Number: TFCS-38-12 |
|
Proposal to insert provisions on software identification and software updates into UN R13, UN R13-H, UN R79, UN R89, UN R130, UN R131, UN R152, UN R156, UN R157, UN R171, UN R175, and UN R178 by adding definitions referencing Consolidated Resolution R.E.3 Annex 7, requiring manufacturers to provide Technical Services with information on hardware and software influencing performance, permitting vehicle manufacturers to apply for new approvals differentiating software versions for registered versus new vehicles, clarifying that production discontinuation does not apply when manufacturers seek approval extensions for software updates of registered vehicles, and amending communication forms to include software identification numbers and related information. |
| Meeting Sessions: 38th TFCS session (30 Jun-1 Jul) |
| Document date: 30 Jun 26 |
| Relevant to: UN Regulation No. 13 | Heavy-Duty Vehicle Braking, UN Regulation No. 13-H | Light-Duty Vehicle Braking, UN Regulation No. 79 | Steering Equipment, UN Regulation No. 89 | Speed Limitation Devices, UN Regulation No. 131 | Advanced Emergency Braking Systems, UN Regulation No. 130 | Lane Departure Warning Systems, UN Regulation No. 178 | Emergency Lane-Keeping Systems, UN Regulation No. 155 | Cyber Security and Cyber Security Management, UN Regulation No. 156 | Software Update Processes and Management Systems, UN Regulation No. 152 | Automatic Emergency Braking for M1/N1 vehicles, UN Regulation No. 157 | Automated Lane-Keeping Systems (ALKS), UN Regulation No. 171 | Driver-Control Assistance Systems (DCAS), and UN Regulation No. 175 | Acceleration Control for Pedal Error |
| Click here to view the full document file |
| CS/OTA Task Force: Minutes of the 38th (June 2026) session |
| Reference Number: TFCS-38-13 |
|
The UN IWG on Cyber Security and OTA held its 38th session 29 June–1 July 2026 in London with remote participation. The group adopted the provisional agenda and minutes from the 37th session. Three items from the IWG were presented at the May GRVA meeting: multistage vehicle documents to become working documents for September; RXWIN documents with elements in square brackets to be resolved; and SUMs document returned for further discussion. For R155, the group agreed to forward multistage amendment proposals as working documents to September GRVA. The UK proposal on STU and component approval for R155 was discussed extensively; the UK will draft a proposal for components only. The UK proposal on remote operation for ADS requires further development. The group will review ADS GTR cyber and software provisions. RXWIN proposal documents were adapted; R155 was removed and R89 and R156 sections amended; reviewers may address concerns by 31 July 2026. Germany’s proposal requiring the same Type-Approval Authority for CSMS and vehicle type approval was discussed; a dedicated meeting will be scheduled. The UK proposal on approvals for out-of-scope vehicle types was introduced. Draft Terms of Reference were revised and will be forwarded to GRVA for September approval. The next meeting is scheduled for 3 September 2026, 12:00–15:00 CET. |
| Meeting Sessions: 38th TFCS session (30 Jun-1 Jul) |
| Document date: 03 Jul 26 |
| Relevant to: United Nations Agreement | RE3 Construction of Vehicles, UN Regulation No. 155 | Cyber Security and Cyber Security Management, UN Regulation No. 156 | Software Update Processes and Management Systems, GTR No. 26 | Automated Driving Systems, and UN Regulation No. 185 | Approval of vehicles with regard to their Automated Driving Systems |
| Click here to view the full document file |
No matching documents.
No matching documents.