13. The expert from France shared the concerns of his delegation regarding transparency, the basis for building trust in AI technologies. He stressed the importance of being able to check the good functioning of such systems. He volunteered to elaborate on this statement at the next GRVA session.

14. The expert from OICA raised questions for clarification and asked why FIA preferred narrow AI and supervised learning (FIA answered that it was a conservative position). He agreed with FIA regarding online learning: he supported the view of GRVA that a new version of a type-approval relevant software based on AI was subject to approval, according to the provisions of UN Regulation No. 156, before deployment.

15. The expert from the Russian Federation supported that this matter was addressed by the IWG on Functional Requirements for Automated and Autonomous Vehicles (FRAV). The expert from OICA/CLEPA argued that this was also relevant for the IWG on VMAD.

16. The expert from Germany mentioned the importance of this work: sound definitions were the prerequisite before starting regulatory initiatives. He offered to comment the definitions proposed.

17. The expert from the United States of America questioned the need to regulate AI.

18. The expert from ITU stated the importance of understanding how AI works. He also stressed that software using AI would need to be frozen and tested before being deployed.

19. The expert from United Kingdom of Great Britain and Northern Ireland offered views on what could be subject to regulations. He mentioned as an example the risks related to discrimination. He suggested that future steps would be needed in the near future.

20. GRVA agreed to keep this item on its agenda. GRVA invited the expert from OICA to organize a workshop to finalize the work on definitions, with the assistance of the secretariat.

21. The expert from SAE International volunteered his members to assist in that process. GRVA invited SAE International to join the workshop.

Comments on the ADAS task force Master Document ADAS-07-02/Rev.1.

18. The expert from TF SR introduced an updated set of proposals for amendments to the Consolidated Resolution on the common specification of light source categories (R.E.5) and to UN Regulations Nos. 37 and 128 which introduce Light Emitting Diode (LED) replacement light sources (ECE/TRANS/WP.29/GRE/2020/15/Rev.1 as amended by GRE-84-32, ECE/TRANS/WP.29/GRE/2020/16/Rev.1 as amended by GRE-84-32, ECE/TRANS/WP.29/GRE/2020/17 and ECE/TRANS/WP.29/GRE/2021/3). GRE also noted equivalence criteria (GRE-83-15), a study on introducing LED replacement light sources into UN Regulation No. 37 (GRE-84-02) and an equivalence report for the C5W light source category (GRE-84-03).

19. Several experts supported the proposed package and posed clarifying questions. The expert from France pointed out that, in case the package was adopted, the Type Approval Authorities and Technical Services would not be in a position to verify compliance of LED replacement light sources without vehicle compatibility listings. The expert of FIA urged the Contracting Parties to adopt the proposals and pointed out their benefits for the consumers, environment, economy, and traffic safety (GRE-84-35).

20. Subject to abstention of France, GRE adopted the above proposals and requested the secretariat to submit it for consideration and vote at the November 2021 sessions of WP.29 and AC.1 as draft Supplement 48 to the 03 series of amendments to UN Regulation No. 37, draft Supplement 11 to UN Regulation No. 128 and draft amendment 7 to the Consolidated Resolution on the common specification of light source categories (R.E.5). GRE also requested the secretariat to publish GRE-83-15 on the UNECE website as a reference document.

30. The expert from FIA presented GRVA-07-41, referring to WP.29-181-10 and proposing to insert in UN Regulation No. 155 the Protection Profiles that they developed in cooperation with TüVIT. The expert from OICA responded to the proposal (GRVA-07-36). The expert from FIA agreed to respond to the challenges raised by the expert from OICA. The expert from the Russian Federation asked for more details about the Protection Profiles in practice. The expert from CEN recalled his submission of WP.29-179-27 provided for information to WP.29. The expert from China inquired about the nature of the Protection Profile, if it was a guidance or regulatory requirements. The expert from FIA responded that Protection Profiles are a methodology. GRVA invited the stakeholders to continue discussion at the IWG level. The expert from the Netherlands agreed to support this discussion.

23. The representative of FIA presented WP.29-181-10 introducing their report on the Protection Profile and Common Criteria methodology that could potentially address FIA’s concern regarding the performance and the maintenance of vehicles regarding cyber security over their lifetime.

24. The representative of United Kingdom of Great Britain and Northern Ireland recalled that such an approach was already discussed by the Informal Working Group on Cyber Security and Over-The-Air issues. He advised that the report would also be reviewed by the IWG on Periodic Technical Inspection.

25. WP.29 agreed that this report would be referred to the Working Party on Automated/autonomous and Connected Vehicles (GRVA) as well as other relevant groups.

30. The expert from FIA presented GRVA-07-41, referring to WP.29-181-10 and proposing to insert in UN Regulation No. 155 the Protection Profiles that they developed in cooperation with TüVIT. The expert from OICA responded to the proposal (GRVA-07-36). The expert from FIA agreed to respond to the challenges raised by the expert from OICA. The expert from the Russian Federation asked for more details about the Protection Profiles in practice. The expert from CEN recalled his submission of WP.29-179-27 provided for information to WP.29. The expert from China inquired about the nature of the Protection Profile, if it was a guidance or regulatory requirements. The expert from FIA responded that Protection Profiles are a methodology. GRVA invited the stakeholders to continue discussion at the IWG level. The expert from the Netherlands agreed to support this discussion.

Text submitted by the experts from EGEA, FIA, FIGIEFA and ETRMA for amendments and modifications to ECE/TRANS/WP29/GRVA/2020/2 & ECE/TRANS/WP29/GRVA/2020/3

25. The expert from the United Kingdom and Northern Ireland, Co-Chair of the Task Force (TF) on Cyber Security and Over-The-Air issues (CS/OTA), presented the outcome of the TF. He introduced the proposed draft UN Regulation on Cyber Security and Cyber Security Management System (ECE/TRANS/WP.29/GRVA/2020/2 (withdrawn), ECE/TRANS/WP.29/GRVA/2020/3 amended by GRVA-05-05). He mentioned that the revised proposal entailed a recent proposal from Germany and the European Commission (paragraphs 5.3.1.-5.3.3.) in square brackets. He recalled that the TF was planning to deliver further documents accompanying the UN Regulation: a resolution and an interpretation document. He stated that these documents would be further elaborated during the next session of the TF and would distillate the learnings of the test phase in 2019. He informed GRVA that the work on a UN Global Technical Regulation (GTR) had to start.

26. The expert from Japan introduced GRVA-05-20 proposing amendments to paragraph 7.3.8. on the use of cryptographic modules.

27. The expert from the European Commission introduced GRVA-05-22, aimed at clarifying the consequences of the Cyber Security Management System certificate expiration.

28. The expert from Japan introduced GRVA-05-13, expressing strong objections to the proposed paragraphs 5.3.1.-5.3.3. establishing prerequisites to the granting of type approvals not in line with the 1958 Agreement and posing a sovereignty risk. The expert from the Russian Federation expressed a similar position and proposed to draft an alternative proposal.

29. The expert from France introduced, GRVA-05-29 proposing an alternative to the proposed paragraphs 5.3.1.-5.3.3. as well as amendments proposal for paragraph 7.4 and Annex 5.

30. The expert from the European Commission introduced a compromise proposal (GRVA-05-42) for paragraphs 5.3.1.-5.3.3. aimed at addressing the proposals from Japan and France.

31. The expert from OICA introduced GRVA-05-33. He stated that the test phase’s general outcome was the confirmation of the applicability of the former draft. He explained their major concerns with the current text. He mentioned their concerns from the industry point of view regarding the major type approval procedure modifications introduced by paragraphs 5.3.1.-5.3.3. and the major delay associated risks.

32. He stated that insufficient considerations were given to existing vehicle architectures and requested the introduction of transitional provisions. He also stated that the reporting provisions were excessive. He called on GRVA to consider these concerns and to resolve them on a consensus basis.

33. The expert from FIGIEFA introduced GRVA-05-15, proposing a process flow for national/regional authorities to define objective minimum compliance criteria for the UNECE cybersecurity regulation and a way forward for aftermarket issues.

34. GRVA reviewed in detail GRVA-05-05, having in mind the presentations received (paragraphs 26-32 above).

1. GRVA discussed the scope of the draft Regulation (keeping vehicles of Categories S, R, T, O in square brackets).
2. GRVA discussed GRVA-05-17 and agreed to keep the proposed paragraph 1.4.
3. GRVA agreed that the Regulation and the 1958 Agreement would not be prescribing the mutual recognition, among Contracting Parties, of CSMS (and Software Update Management System) certificates.
4. The expert from Singapore requested clarifications concerning the reporting obligations according to the draft Regulation and wondered whether any reporting would only be shared among the Contracting Parties of the 1958 Agreement. The Co-Chair of the TF explained that the current draft did not impose reporting on existing cyber security threats. He explained that there were already information sharing platforms such as Automotive Information Sharing and Analysis Center (AutoISAC) in the United States of America. GRVA invited the TF to address the question raised.
5. GRVA resumed discussion on the paragraphs 5.3.1.-5.3.3. The expert from the Russian Federation explained that provisions regarding the competencies of Technical Services should be introduced in Schedule 2 to the 1958 Agreement. He added that GRVA-05-42 was not enough and that not trusting Approval Authorities was not a good idea, as it would be time consuming and expensive. He stated that the Database for Exchange of Type Approval documentation (DETA) could have a useful role to play, that the TF could be entitled to learn from type approvals and propose relevant Regulation amendments to GRVA, as necessary, and he proposed the corresponding regulatory wording (GRVA-05-51). The expert from the Republic of Korea stated that these paragraphs could be misused. The expert from CEN proposed an alternative procedure based on the so-called common criteria approach and referred to WP.29-179-28 and WP.29-179-29. The TF Co-Chair noted that the common criteria approach was not complete. The expert from FIA introduced GRVA-05-16. GRVA requested the TF to provide comments on this document. GRVA noted to availability of GRVA-05-02 reproducing ISO/SAE DIS 21434 addressing aspects of the draft Regulation but not the mutual recognition aspect.

35. The Secretary produced a consolidation of the draft Regulation based on the input received during the session (GRVA-05-05/Rev.1). GRVA agreed to use this consolidation as a basis for further work until the next GRVA session.

19. The representative of FIA presented WP.29-179-18 on consumer views on automated/autonomous vehicles emphasising the challenges associated with the cyber security performance of vehicles over their life time. He presented a possible solution to address the challenges. He admitted that the solution proposed was not design neutral. He explained that his purpose was to demonstrate that the challenge could be solved and that at least one solution would exist. He stated that the World Forum was the right place to address this issue. He proposed that WP.29 mandate GRVA to regulate Information Technology (IT) security in automotive products over their life time at the ECE level within the framework of the 1958 Agreement.

20. The representative of the United Kingdom, on behalf of the Co-Chair of the Task Force on Cyber Security and OTA issues, explained that the task force was facing difficulties of legal nature concerning what could be done within the frameworks of the 1958 and 1998 Agreements. He questioned whether, under the 1958 Agreement, manufacturers can be required to undertake to protect vehicles from cyber-attack throughout their lifetime. The representative of OICA supported this statement.

21. The representative of the Russian Federation, Co-Chair of IWG on PTI, supported the views expressed in the presentation. He invited delegates to participate in the work of IWG on PTI to work in the spirit proposed in the presentation.

22. The representative of CITA supported the idea proposed in the presentation. He clarified that the comparison of replacement parts (e.g. brake pads) with IT products did not reflect the complexity related to cyber security. He mentioned that it was certainly possible to draft technical provisions under the 1958 Agreement to address this challenge.

23. The representative of ITU supported the view of CITA. He recalled his previous compromise proposal that regulatory provisions require that manufacturers were responsible and able to address cyber security as long as the communication capability in the vehicle existed. He explained, that in practice, this would mean that manufacturers would have to apply security patches (as it is done in other industries) as long as the vehicle is equipped with a functioning communication capability.

24. The representative of Germany stated that there was no disagreement among WP.29, that cyber security would need to be archived over the life time of a vehicle. He stated that the main point was to find out how to reasonably achieve that goal from the regulatory perspective. He mentioned that his country would certainly be able to regulate this, but that given the international nature of road traffic, internationally harmonized provisions would be needed.

25. The representative of the United Kingdom noted that this issue had already been discussed at GRVA and that the key issue in the discussion was whether there was a legal basis to provide provisions. He invited the secretariat, possibly with the support of the Office of Legal Affairs, to provide guidance on this point for the next session of WP.29.

26. The representative of the United States of America suggested that the Task Force could continue its work and consider developing voluntary guidelines, while legal matters were clarified.

27. The representative of the Republic of Korea informed WP.29 about their plan to issue a national guideline for cyber security in the Republic of Korea. He stated that Korea would release a guideline for cyber security before the end of 2019, based on the activities of the Task Force on Cyber Security and Software Update and the research conducted in the Republic of Korea. He added that they would introduce their guideline in the upcoming Cyber Security and Software Update meeting in Washington, D.C.