The CS/OTA Task Force held its thirty-seventh session on 21-22 April 2026 by video conference. The group adopted the provisional agenda and minutes from the thirty-sixth session. Discussions addressed proposals for amendments to UN R155 concerning multi-stage vehicle approvals and separate technical units, for which a subworking group was established. Proposals were also considered on type approval authority responsibility for cyber security management systems and remote operation of automated driving systems. The group reviewed cyber and software requirements in the ADS GTR and WP.29/2022/60 as amended by WP.29/2023/87, and discussed application of RXSWIN to UN Regulations, selecting option 2 for presentation to GRVA with R155, R156, and R89 square bracketed. The IWG mandate renewal was discussed, with potential new items including component and STU approval and software numbering proposals.

The document requests guidance on the legal basis for provisions within UN Regulations extending beyond the End-of-Production date and which authority such provisions address. Examples include UN R171 requirements for manufacturers to demonstrate safety management systems to the Type Approval Authority every three years and report annually on Driven Coded Auxiliary System operation until production is discontinued, and UN R155 requirements for Cyber Security Management Systems to apply to the post-production phase when vehicles remain operational but are no longer produced. The document poses an additional question regarding vehicle safety when manufacturers cease operations and cannot fulfill post-deployment safety provisions.

The Informal Working Group on Cyber Security and Software Updates discussed amendments to UN R155 and UN R156 for multi-stage approval, including simplified handling for low-risk devices and clarification of intrinsic cyber risk assessment. The group reviewed proposals from GRVA-25-31 and GRVA-25-32 concerning continued validity of approvals and Certificate of Compliance issuance. A Sub-Working Group was established to develop component and separate technical unit approval concepts. Pending discussion include RXSWIN application to components, STUs, and the extent of application to UN R155 and UN R156, and type-approval numbering for software updates.

Proposal to insert provisions on software identification and software updates into UN R13, UN R13-H, UN R79, UN R89, UN R130, UN R131, UN R152, UN R155, UN R156, UN R157, UN R171, UN R175, and UN R178 by adding definitions referencing Consolidated Resolution R.E.3 Annex 7, requiring manufacturers to provide Technical Services with information on hardware and software influencing performance, permitting vehicle manufacturers to apply for new approvals differentiating software versions for registered versus new vehicles, clarifying that production discontinuation does not apply when manufacturers seek approval extensions for software updates of registered vehicles, and amending communication forms to include software identification numbers and related information.

Proposal to amend para. 5.3.2. to require approval authorities to notify other approval authorities of methods and criteria used to assess measures taken in accordance with the Regulation, insert new para. 8.2. to exclude equipment with negligible intrinsic cyber security risk from further assessment where installation does not impinge on the cyber security management system and is connected exclusively via an approved interface, insert new para. 8.3. to exclude standard domestic, business or industrial equipment connected only for power from further assessment where the equipment is unmodified and complies with applicable regional and national cyber security requirements, and amend Annex 1 to include any equipment excluded from assessment pursuant to paras. 8.2. and 8.3.

Proposal to insert new Part C providing guidance on application of UN R155 to transformed vehicles. Part C defines when transformations require new approval, establishes terminology for original vehicle types, transformed vehicle types, transformations, and installations, identifies cyber-relevant transformations by evaluating impact on architecture and connection risks, addresses intrinsic cyber security risks, clarifies non-automotive equipment requirements, and specifies documentary evidence manufacturers must provide to approval authorities or technical services, including functional descriptions, connection details, software modifications, and component lists.

Proposal to amend para. 5.1.3. of UN R155 to add a refusal ground where the Certificate of Compliance for the Cyber Security Management System has not been issued by the same approval authority granting type approval, and insert new para. 5.4. into UN R156 to provide that approval authorities shall not grant any type approval if the Certificate of Compliance for the Software Update Management System has not been issued by the same approval authority granting type approval. The proposal, based on TFCS-37-02, ensures that Certificates of Compliance and type-approvals for UN R155 and UN R156 are issued by the same approval authority to enable holistic assessment and clarify reporting obligations.

The UN IWG on Cyber Security and OTA will meet April 21-22, 2026 via video conference. The agenda includes adoption of the provisional agenda and minutes from the previous session, proposals for amendments to UN R155 and its interpretation document regarding multistage vehicles and type approval authorities, review of cyber and software requirements in the ADS Regulation, discussion of RXSWIN application, renewal of the IWG mandate expiring November 2026, and confirmation of next steps.

Proposal to amend UN R155 by clarifying its scope to exclude certain equipment. The proposal amends paragraph 5.3.2. to require approval authorities to notify others of assessment methods and criteria. New paragraphs 8.2. and 8.3. establish that vehicle manufacturer installation of equipment with negligible intrinsic cyber security risk, or standard domestic, business or industrial equipment connected only for power, shall not require further assessment under paragraph 7, provided specified criteria are justified. Annex I is amended to include any equipment excluded from assessment pursuant to paragraphs 8.2. and 8.3.

Germany proposes that the TAA granting UN R155 or UN R156 type approvals shall be obliged to only use CSMS or SUMS certificates signed by the same TAA. Issues identified include that CSMS and SUMS are Management Systems covering entire manufacturers’ organizations, mandating the same TAA will have huge consequences for OEMs using multiple TAAs, and no such obligation exists for ISO 9001 and ISO 14001. A possible way forward in the short term is to keep text unchanged to allow different TAAs for Management Systems CoC and type approval based on voluntary acceptance and implement wording on information exchange and procedure if different TAAs involved.

Proposal to amend UN R13, 13-H, 79, 89, 130, 131, 139, 140, 152, 155, 156, 157, 171, 175, and 178 by introducing provisions on software identification and software updates. Amendments add new paragraphs referring to Software Identification Number definitions in Consolidated Resolution R.E.3, require manufacturers to provide Technical Services with information on hardware and software influencing performance, permit vehicle manufacturers to apply for new approvals differentiating software versions for registered versus new vehicles while avoiding test duplication, and modify production discontinuation provisions to exclude cases where manufacturers seek approval extensions for software updates of registered vehicles.

The Informal Working Group on EV/HFCV Retrofit Systems held its seventh meeting on 5th March 2026. The group adopted the provisional agenda, approved minutes of the previous meeting, and acknowledged ongoing activities under GRPE, GRSP and GRVA. Electrical safety review will continue once clarification regarding UN R100 is available. Cybersecurity discussions covered very old vehicles, older vehicles without cybersecurity provisions, and modern vehicles compliant with UN R155. Braking aspects and the structure of the draft UN Regulation were discussed, including vehicle versus system approval approaches and minimum and maximum vehicle age within the regulation’s scope.

Questions concerning cyber security amendments for approvals of STU submitted by the expert from Japan that address timing of working document submission to GRVA, whether Part II components may include certificated base vehicle equipment under UN R155 multi-stage categorization, whether STU definition includes ECUs within base vehicle E/E architecture, examination of use cases and implementation challenges, consistency of applicant terminology between Section 3.3.1 and Section 7.6, whether approval authorities for Parts I, II, and III must be identical, clarification of end of support period requirements in para. 2.7(b), installation agreement requirements in para. 5.1.2.1(d), and whether total Cyber Security Risk Assessment Process for whole vehicle with other equipment than ESAs is necessary after ESA installation under para. 7.4.10.

This document presents an initial concept for approvals of devices as components or separate technical units according to UN R155, and the installation of such devices on vehicles already holding UN R155 approval, based on Supplement 3 to the original series. The regulation applies to vehicles of categories L₁–L₇, M₁–M₃, N₁–N₃, and O₁–O₄ with electronic control units, and to approval of components and separate technical units with regard to their cyber security. Approval authorities shall grant type approval only to vehicle or electrical/electronic sub-assembly types that satisfy the regulation’s requirements through document checks and testing. Manufacturers must demonstrate cyber security management systems covering development, production, and post-production phases, including risk assessment, mitigation implementation, monitoring, and response to cyber-attacks. Certificates of Compliance for Cyber Security Management Systems remain valid for three years.

TFCS-37-08 presents proposals to amend UN R155 to establish approval routes for electrical/electronic sub-assemblies and separate technical units. The regulation introduces three parts: Part I covers vehicle cyber security approval; Part II covers component and separate technical unit approval; Part III covers installation approval of approved components and separate technical units in vehicles. Updates include new definitions, application procedures by manufacturers or their representatives, approval conditions specifying connection limitations, and cyber security management system requirements. The proposal requests colleague review and feedback.

Proposal to amend Table A1 of Annex 5 to include high level and sub-level descriptions of vulnerability and threat including spoofing of messages, Sybil attacks, communication channels permitting code injection, manipulation, overwrite and erasure of vehicle held data and code, denial of service attacks, unauthorized access to vehicle systems, viruses in communication media, and malicious messages, and amend Table B1 of Annex 5 to provide corresponding mitigation measures. This proposal is a further elaboration of TFCS-35-07.

UN R155 addresses operator risks in automated driving systems. The ADS Regulation enables operators to offer services using automation and permits remote termination of the ADS. UN R155 mandates that supplier-related risks are managed, but operators are customers, not suppliers, creating downstream risks. An automated vehicle could be susceptible to unauthorised requests from an operator experiencing cyber attack. UN R155 does not define how downstream organisational risks are managed. Manufacturers should identify risks posed by operators and inform Third Party Operators of risks involved and expected minimum-security controls for workstations interfacing with an ADS. This could be achieved via Annex 5.

Proposal to provide guidance on application of UN R155 to transformed vehicles. Transformations require new approval unless clear evidence shows original approval remains valid. Cyber-relevant modifications include addition of electrical/electronic systems, inappropriate interface connections, and wiring protection modifications. The approval authority determines whether transformation is cyber-relevant by assessing impact on original vehicle architecture, connection risks, cybersecurity management systems, and whether non-automotive equipment complies with relevant regulations. Manufacturers must provide documentary evidence including functional descriptions, connection details, software modifications, and compliance with original manufacturer instructions.

Document includes in-session edits by the workshop.

Includes changes made during the Workshop.

Proposal to amend UN R155 and UN R156 to require that Certificates of Compliance for Cyber Security Management Systems and Software Update Management Systems be issued by the same approval authority that grants type approval. Germany reported a case where different authorities issued the certificate and type approval, creating assessment and enforcement issues. The proposal aims to ensure holistic cyber security evaluation and align both regulations.

Draft specific guidance for vehicle types that are based on another vehicle type. This specific guidance is without prejudice to national procedures (e.g. as defined in the R155 methods and criteria) and applies to various use cases, such as vehicles developed, produced and/or sold in collaboration with another manufacturer, completed and transformed vehicles, “multi-stage” vehicles, etc.

Proposal to set clear criteria for manufacturers of transformed vehicles to determine when a given transformed vehicle needs or needs not undergo a more detailed cyber security review according to the processes for transformed vehicles currently being discussed by the GRVA workshop on cybers ecurity and software updates.

Proposal to address two gaps identified in the requirements of UNR 155 regarding:

1. Software development and
2. Vehicle with an ADS Feature of Type 2 where vehicle operation is overseen by an organisation responsible for operating the vehicle or fleet of vehicles.

Proposal to prohibit the issuance of certificates by any entity other than the authority that granted the approval under UN R155.

Dynamic vehicle characteristics are (data) elements of a vehicle that keep changing during its lifecycle.

Proposal from the ADAS task force chair to introduce guidance on the use of the UN secure internet database “DETA” for the exchange of information on incidents related to DCAS operation between Type Approval Authorities. A new annex is proposed to accommodate such guidance, which is based on that provided for implementation of UN Regulation No. 155 on cybersecurity (document ECE/TRANS/WP.29/2022/61 adopted by WP.29).

Proposal to align the UN R155 Interpretation Document with the proposal to extend the scope of UN R155 to Category L vehicles.

Proposal to extend the scope of UN R155 to include all vehicles of Category L.

Proposals harmonising vehicle onboard authorisation concept and data privacy.

Proposal to extend the scope of UN R155 to include all vehicles of Category L.

Proposal to align the UN R155 Interpretation Document with the proposal to extend the scope of UN R155 to Category L vehicles.

Proposal to expand the scope of the Regulation to include all Category L and O vehicles if fitted with an electronic control unit.

Proposal in response to GRVA-17-13 with regard to T, R, S category machinery.

Inclusion of vehicles of Categories L, R, S and T into the scope if fitted with at least one electronic control unit.

The European Union, the recently proposed EU Cyber Resilience Act (CRA) will introduce a set of horizontal requirements aimed at strengthening cyber resilience for products across a large number of sectors. While the CRA is a significant legislative initiative, its generic nature might not fully address the specific needs of the automotive industry, in particular for L-category vehicles. UN Regulation No. 155 is already available, proven for the automotive industry, and fully compatible with the EU CRA requirements, making it a more suitable and focused solution for these vehicles.

Proposal to introduce an explanation clarifying the possibility for Approval Authorities to recognise Certificates of Compliance for Cyber Security Management Systems (CSMS) issued by the Approval Authority of another Contracting Party.

Proposal to improve explanations and examples for spoofing threats.

Proposal from the GRVA secretariat to amend the original proposal based on the input of a workshop on the implementation of UN R155 held during 12-13 Jan. 2023.

Proposal to improve the applicability of examples given in Tables A1 and B1 in Annex 5 in UN R155 regarding risks due to spoofing of messages or data received by the vehicle.

Proposal from the informal working group on Cyber Security and OTA issues (CS/OTA) to update the text:

1. Use of “802.11p” to refer to V2X communications is out of date: 802.11p is properly referred to as 802.11-OCB and other direct communication methods are in use. “V2X” is the preferred term.
2. Platooning is a niche V2X operation and not widely used: The proposal suggests to use more mainstream examples such as cooperative awareness or manoeuvre coordination.

Proposal from the informal group on on Cyber Security and OTA issues for amendments:

1. To reflect updates and the most current version of relevant standards, notably ISO/SAE 21434:2021 and ISO/PAS 5112, and
2. To update the text in line with Supplement 1 to UN R155 (WP.29/2022/54).

Amendments as agreed within the CS/OTA expert group through the 24th session.

Proposal to introduce an explanation of paragraph 5.1.1 in UN R155 which includes a reference to ISO PAS 5112.

Proposal to amend references to ISO/SAE 21434:2021.

Proposal to introduce an explanation clarifying the possibility for Approval Authorities to recognise Certificates of Compliance for Cyber Security Management Systems (CSMS) issued by the Approval Authority of another Contracting Party.

Amended version of document GRVA/2022/17 responding to comments received.

Amended document GRVA/2022/18 responding to comments received.

Comments on the proposal for amendments to the UN Regulation on Cyber Security Management.

Proposal to introduce amendments to references to ISO/SAE 21434:2021 and ISO PAS 5112 and clarify the interpretation of the requirement in the first line of Table B1 in Annex 5 in UN R155 regarding the authentication of Global Navigation Satellite System (GNSS) messages.

Proposal to clarify the mitigation provision to address threats of spoofing of messages (e.g. 802.11p V2X during platooning, GNSS messages, etc.) by impersonation.

Proposal for amendments to the UN R155 Interpretation Document.

Proposal to clarify the transition clauses specified in paragraph 7.3.1. and 7.3.4. with regard to the extension of type approvals first issue before 1 July 2024 and applied for such extension after that date.

Proposal to amend the guidance on interpretation of the type approval regulation on cybersecurity management systems (UN R155).

Proposal to confirm that the aspects of the CSMS related to the cyber security monitoring activities, as defined in paragraph 7.2.2.2.(g), continue to be applied properly after Development Phase and that the relevant cyber security mitigations implemented continue to be effective.

Provides clarification on the transition clauses specified in paragraph 7.3.1. and 7.3.4. with regards to the extension of type approvals first issue before 1 July 2024 and applied for such extension after that date

Input concerning extensions of type approvals as revised during the session.