| Proposal for amendments to UN Regulations Nos. 13, 13-H, 79, 89, 130, 131, 152, 155, 156, 157, 171, 175, and 178 |
| Reference Number: GRVA/2026/27 |
|
Proposal to insert provisions on Software Identification Numbers and software updates across UN R13, R13-H, R79, R89, R130, R131, R152, R155, R156, R157, R171, R175, and R178 by adding definitions referencing Consolidated Resolution R.E.3 Annex 7 paragraph 2, requiring manufacturers to provide Technical Services with information on hardware and software influencing performance with test reports, permitting vehicle manufacturers to apply for new approvals differentiating software versions for registered vehicles from new vehicles where type approval regulations are updated or hardware changes occur in series production with test duplication avoided where possible, clarifying that production is not considered definitively discontinued if manufacturers obtain subsequent extensions for software updates of registered vehicles, renumbering and inserting new items in approval communication annexes for R13SWIN, R13-HSWIN, R79SWIN, R89SWIN, R130SWIN, R131SWIN, R152SWIN, R155SWIN, R157SWIN, R171SWIN, R175SWIN, and R178SWIN information including whether held on vehicle and relevant parameter identification lists, and amending R157 and R171 to align software update requirements with R156 technical specifications and transitional provisions. |
| Submitted by: TFCS |
| Meeting Sessions: 26th GRVA session (14-18 Sep) |
| Document date: 06 Jul 26 |
| Document status: Formal GR review |
| Relevant to: UN Regulation No. 13 | Heavy-Duty Vehicle Braking, UN Regulation No. 13-H | Light-Duty Vehicle Braking, UN Regulation No. 79 | Steering Equipment, UN Regulation No. 89 | Speed Limitation Devices, UN Regulation No. 131 | Advanced Emergency Braking Systems, UN Regulation No. 130 | Lane Departure Warning Systems, UN Regulation No. 178 | Emergency Lane-Keeping Systems, UN Regulation No. 155 | Cyber Security and Cyber Security Management, UN Regulation No. 156 | Software Update Processes and Management Systems, UN Regulation No. 152 | Automatic Emergency Braking for M1/N1 vehicles, UN Regulation No. 157 | Automated Lane-Keeping Systems (ALKS), UN Regulation No. 171 | Driver-Control Assistance Systems (DCAS), and UN Regulation No. 175 | Acceleration Control for Pedal Error |
| Click here to view the full document file |
| UN R155: Proposal for a Supplement |
| Reference Number: GRVA/2026/29 |
|
Proposal to insert new Part C providing guidance for the application of UN R155 to transformed vehicles. Part C addresses identification of cyber-relevant transformations, impact on original vehicle architecture, connection risks, and impact on cyber security management systems. It specifies that transformations require new approval unless the manufacturer provides clear evidence that the original approval remains valid, and outlines critical factors and examples of cyber-relevant actions. It details documentary evidence expected from manufacturers regarding functional descriptions, connections with original vehicle types, added components and functions, and arguments demonstrating negligible intrinsic risk. |
| Submitted by: TFCS |
| Meeting Sessions: 26th GRVA session (14-18 Sep) |
| Document date: 06 Jul 26 |
| Document status: Formal GR review |
| Relevant to: UN Regulation No. 155 | Cyber Security and Cyber Security Management |
| Click here to view the full document file |
| UN R155: Proposal for a Supplement |
| Reference Number: GRVA/2026/28 |
|
Proposal to amend para. 5.3.2. to require notification of assessment methods and criteria including paras. 8.2. and 8.3., insert new paras. 8.2. and 8.3. establishing criteria for equipment installation without further assessment, and amend Annex 1 to require disclosure of equipment excluded from assessment pursuant to paras. 8.2. and 8.3. The amendments clarify that equipment with negligible intrinsic cyber security risk installed according to manufacturer specifications and not introducing cyber security risk, and standard non-automotive equipment connected solely for power supply with no increased cyber security risk, shall not invalidate approval of the original vehicle type under UN Regulation No. 155. |
| Submitted by: TFCS |
| Meeting Sessions: 26th GRVA session (14-18 Sep) |
| Document date: 03 Jul 26 |
| Document status: Formal GR review |
| Relevant to: UN Regulation No. 155 | Cyber Security and Cyber Security Management |
| Click here to view the full document file |
| Proposal to amend UN R155 and UN R156 |
| Reference Number: GRVA/2026/30 |
|
Proposal to amend UN R155 by inserting new para. 5.1.3.(e) establishing that the Certificate of Compliance for the Cyber Security Management System shall not be issued by a different Approval Authority than the one granting type approval, and amend UN R156 by inserting new para. 5.4. establishing that Approval Authorities shall not grant type approval if the Certificate of Compliance for the Software Update Management System has not been issued by the same Approval Authority granting type approval. Justification includes ensuring holistic cybersecurity assessment, clarifying reporting obligations under para. 7.2.2.2.(g), addressing unharmonized mutual recognition of management system certificates, maintaining consistency between regulations, and upholding the fundamental principle that approval authorities retain responsibility for all aspects of type approval. |
| Submitted by: France, Germany, Luxembourg, Netherlands, and UK |
| Meeting Sessions: 26th GRVA session (14-18 Sep) |
| Document date: 03 Jul 26 |
| Document status: Formal GR review |
| Relevant to: UN Regulation No. 155 | Cyber Security and Cyber Security Management and UN Regulation No. 156 | Software Update Processes and Management Systems |
| Click here to view the full document file |
| CS/OTA Task Force: Minutes of the 38th (June 2026) session |
| Reference Number: TFCS-38-13 |
|
The UN IWG on Cyber Security and OTA held its 38th session 29 June–1 July 2026 in London with remote participation. The group adopted the provisional agenda and minutes from the 37th session. Three items from the IWG were presented at the May GRVA meeting: multistage vehicle documents to become working documents for September; RXWIN documents with elements in square brackets to be resolved; and SUMs document returned for further discussion. For R155, the group agreed to forward multistage amendment proposals as working documents to September GRVA. The UK proposal on STU and component approval for R155 was discussed extensively; the UK will draft a proposal for components only. The UK proposal on remote operation for ADS requires further development. The group will review ADS GTR cyber and software provisions. RXWIN proposal documents were adapted; R155 was removed and R89 and R156 sections amended; reviewers may address concerns by 31 July 2026. Germany’s proposal requiring the same Type-Approval Authority for CSMS and vehicle type approval was discussed; a dedicated meeting will be scheduled. The UK proposal on approvals for out-of-scope vehicle types was introduced. Draft Terms of Reference were revised and will be forwarded to GRVA for September approval. The next meeting is scheduled for 3 September 2026, 12:00–15:00 CET. |
| Meeting Sessions: 38th TFCS session (30 Jun-1 Jul) |
| Document date: 03 Jul 26 |
| Relevant to: United Nations Agreement | RE3 Construction of Vehicles, UN Regulation No. 155 | Cyber Security and Cyber Security Management, UN Regulation No. 156 | Software Update Processes and Management Systems, GTR No. 26 | Automated Driving Systems, and UN Regulation No. 185 | Approval of vehicles with regard to their Automated Driving Systems |
| Click here to view the full document file |
| Cyber security: Vehicle modification use cases |
| Reference Number: TFCS-38-11 |
|
The document presents vehicle modification use cases categorized into four cases and additional scenarios. Case 1 covers components with negligible risk or cyber-relevant non-automotive devices. Case 2 addresses cyber-relevant automotive devices approved to specific regulatory requirements, requiring installation approval and vehicle type re-approval. Case 3a addresses cyber-relevant devices not approved to specific requirements, requiring component or STU approval. Case 3b covers devices controlling vehicle functions, also requiring component or STU approval. Case 4 encompasses invasive modifications or complex interactions not covered by other cases. |
| Submitted by: UK |
| Meeting Sessions: 38th TFCS session (30 Jun-1 Jul) |
| Document date: 01 Jul 26 |
| Relevant to: UN Regulation No. 155 | Cyber Security and Cyber Security Management |
| Click here to view the full document file |
| CS/OTA: Draft updated terms of reference |
| Reference Number: TFCS-38-02/Rev.1 |
|
The Informal Working Group on Cyber Security and Software Updates will continue to consider how cyber security and software updates have a bearing on automotive safety and security, and whether any changes are necessary to the Regulations and guidance it has produced under WP.29. In particular, the IWG shall maintain official documents regarding UN R155, UN R156, and Recommendations on uniform provisions concerning cyber security and software updates; develop amendments to relevant documents; develop a proposal to amend UN Regulations under the responsibility of GRVA to record details of an RXSWIN where applicable which have been mandated by the 01 series of UN Regulation No. 156; develop proposals to amend UN Regulation No. 155 and its interpretation document to support application in national/regional frameworks for aspects such as multi-stage manufacturing; consider and develop deliverables regarding software updates after registration potentially creating a proposal for modification to the type approval numbering or a classification of update categories; support and review the application of cyber security and software update provisions across GRs notably for the Global Technical Regulation on Automated Driving Systems; and provide opportunities to participants to share knowledge, experience and ideas from implementation of national regulation/standards regarding CS/OTA as well as UN R155 and R156. The IWG will continue its activities until November 2029. |
| Meeting Sessions: 38th TFCS session (30 Jun-1 Jul) |
| Document date: 30 Jun 26 |
| Relevant to: UN Regulation No. 155 | Cyber Security and Cyber Security Management and UN Regulation No. 156 | Software Update Processes and Management Systems |
| Click here to view the full document file |
| Cyber security: Modifications to GRVA-25-30 |
| Reference Number: TFCS-38-12 |
|
Proposal to insert provisions on software identification and software updates into UN R13, UN R13-H, UN R79, UN R89, UN R130, UN R131, UN R152, UN R156, UN R157, UN R171, UN R175, and UN R178 by adding definitions referencing Consolidated Resolution R.E.3 Annex 7, requiring manufacturers to provide Technical Services with information on hardware and software influencing performance, permitting vehicle manufacturers to apply for new approvals differentiating software versions for registered versus new vehicles, clarifying that production discontinuation does not apply when manufacturers seek approval extensions for software updates of registered vehicles, and amending communication forms to include software identification numbers and related information. |
| Meeting Sessions: 38th TFCS session (30 Jun-1 Jul) |
| Document date: 30 Jun 26 |
| Relevant to: UN Regulation No. 13 | Heavy-Duty Vehicle Braking, UN Regulation No. 13-H | Light-Duty Vehicle Braking, UN Regulation No. 79 | Steering Equipment, UN Regulation No. 89 | Speed Limitation Devices, UN Regulation No. 131 | Advanced Emergency Braking Systems, UN Regulation No. 130 | Lane Departure Warning Systems, UN Regulation No. 178 | Emergency Lane-Keeping Systems, UN Regulation No. 155 | Cyber Security and Cyber Security Management, UN Regulation No. 156 | Software Update Processes and Management Systems, UN Regulation No. 152 | Automatic Emergency Braking for M1/N1 vehicles, UN Regulation No. 157 | Automated Lane-Keeping Systems (ALKS), UN Regulation No. 171 | Driver-Control Assistance Systems (DCAS), and UN Regulation No. 175 | Acceleration Control for Pedal Error |
| Click here to view the full document file |
| UN R155: Proposal to address approvals by one or more authorities |
| Reference Number: TFCS-38-08 |
|
Proposal to add para. 3.2.3.1. requiring manufacturers to provide additional information on the Cyber Security Management System at request of the Approval Authority when the Certificate of Compliance for CSMS is issued by a different Approval Authority, add para. 5.1.5. allowing the Approval Authority to refuse type approval if insufficient information on the CSMS and its implementation was provided, and add para. 7.4.1.1. requiring all granting Approval Authorities to be included in reporting when different Approval Authorities are used for the Certificate of Compliance for CSMS and type approval of the vehicle type. |
| Submitted by: OICA and CLEPA |
| Meeting Sessions: 38th TFCS session (30 Jun-1 Jul) |
| Document date: 29 Jun 26 |
| Relevant to: UN Regulation No. 155 | Cyber Security and Cyber Security Management |
| Click here to view the full document file |
| CS/OTA Task Force: Agenda for the 38th (June 2026) session |
| Reference Number: TFCS-38-01/Rev.3 |
|
The agenda includes review of proposals for amendments to R155 concerning multistage vehicles, separate technical units and component approval, approval-authority requirements for CSMS CoC and vehicle type approval, and remote operation for ADS; review of cyber and software requirements in the ADS Regulation based on WP.29/2022/60 as amended by WP.29/2023/87; discussion of RXWIN application amendments; and consideration of terms of reference renewal ahead of mandate expiration in November 2026. |
| Meeting Sessions: 38th TFCS session (30 Jun-1 Jul) |
| Document date: 29 Jun 26 |
| Relevant to: UN Regulation No. 155 | Cyber Security and Cyber Security Management and UN Regulation No. 156 | Software Update Processes and Management Systems |
| Click here to view the full document file |
| UN R155: Proposal to amend GRVA-25-32 |
| Reference Number: TFCS-38-10 |
|
Amend para. AI to replace the heading “Examples of documents/evidence that could be provided” with “Explanation of the requirement” and insert text stating that Part C of this document provides further guidance on the application of the Regulation to vehicles which have been modified by carrying out a transformation of the vehicle. |
| Submitted by: UK |
| Meeting Sessions: 38th TFCS session (30 Jun-1 Jul) |
| Document date: 29 Jun 26 |
| Relevant to: UN Regulation No. 155 | Cyber Security and Cyber Security Management |
| Click here to view the full document file |
| Component/STU type approval under UN R155 |
| Reference Number: TFCS-38-09 |
|
CLEPA welcomes questions raised by Japanese experts under doc TFCS-37-06 and identifies points requiring further clarification regarding component and STU type approval scope, technical integration, STU definition, implementation, risk assessment, impact and benefit, and post-market monitoring. CLEPA proposes that components or STUs required for initial vehicle type approval under Part I should not be subject to separate approval under Part II, noting that vehicle cybersecurity depends on vehicle-level system interactions and E/E architecture, the OEM has full visibility of system architecture, and Part I approval ensures integrated assessment. |
| Submitted by: CLEPA |
| Meeting Sessions: 38th TFCS session (30 Jun-1 Jul) |
| Document date: 29 Jun 26 |
| Relevant to: UN Regulation No. 155 | Cyber Security and Cyber Security Management |
| Click here to view the full document file |
| UN R155: Review of points for approval of separate technical units |
| Reference Number: TFCS-38-06 |
|
A comprehensive cyber security risk assessment without gaps between Parts I, II, and III is required for component or separate technical unit approval. Risk assessment is difficult for manufacturers alone; contracts are required to share vulnerability information. Identification of realistic installation use cases, information sharing between approval authorities, and clarification of responsibilities are necessary. Components with no communication to the vehicle or only mechanical and power connection do not require new approval. Components sending data to the vehicle or controlling it require Part II approval and joint risk analysis by the original equipment manufacturer and installer. |
| Submitted by: NTSEL |
| Meeting Sessions: 38th TFCS session (30 Jun-1 Jul) |
| Document date: 26 Jun 26 |
| Relevant to: UN Regulation No. 155 | Cyber Security and Cyber Security Management |
| Click here to view the full document file |
| UN R155: Response to questions concerning separate technical unit approvals |
| Reference Number: TFCS-38-05 |
|
Answers to questions on separate technical unit approvals under UN R155 clarify that a base vehicle must already hold an R155 type approval before an ESA can be added at Part III; approval authorities for different parts may differ with mutual recognition applying; the end of support period for an ESA manufacturer must be communicated to the vehicle manufacturer, with implications to be discussed by the IWG; installation of ESAs must follow vehicle manufacturer instructions without necessarily requiring separate agreement; STU data sharing agreements are required; and after ESA installation, a whole vehicle cyber security risk assessment is not necessary, though Part III must consider risks where ESA and base vehicle interactions occur. A working document is planned for submission to GRVA in January 2027. The IWG will explore whether Part II components may include equipment from certificated base vehicles under UN R155 multi-stage categorization and discuss incorporating STU into original approvals. |
| Submitted by: UK |
| Meeting Sessions: 38th TFCS session (30 Jun-1 Jul) |
| Document date: 23 Jun 26 |
| Relevant to: UN Regulation No. 155 | Cyber Security and Cyber Security Management |
| Click here to view the full document file |
| UN R155: Questions concerning separate technical units |
| Reference Number: TFCS-38-04 |
|
Questions address whether minimum vehicle architecture approval should be required before Part III can be used for additional devices; whether approved ESAs can be incorporated in original vehicle approval or as an extension to Part I approval; whether different terminology should replace CSMS for Part III approvals; whether second Part III approvals are permissible for vehicles already approved to Parts I and III; and what implications arise from end-of-support by ESA manufacturers. |
| Submitted by: UK |
| Meeting Sessions: 38th TFCS session (30 Jun-1 Jul) |
| Document date: 23 Jun 26 |
| Relevant to: UN Regulation No. 155 | Cyber Security and Cyber Security Management |
| Click here to view the full document file |
| UN R155 and R156: Approvals for ‘out-of-scope’ vehicles |
| Reference Number: TFCS-38-03 |
|
Vehicles of categories M1, N, O, R, S and T may fall out of scope of UN R155 or UN R156 if they lack ECUs or do not permit software updates. Approval authorities currently make individual determinations regarding whether vehicles are in or out of scope, and justification for out-of-scope decisions must be recorded to ensure vehicles remain out of scope during the lifetime of whole vehicle approval. UN Regulation No. 10 provides precedent by allowing approvals for vehicles where certain equipment is not relevant. A similar provision could be incorporated into UN R155 and UN R156 by amending the scope and adding provisions to section 5 allowing manufacturers to obtain approvals for vehicles that do not permit software updates, with requirements of paragraph 7 not applying. |
| Submitted by: VCA |
| Meeting Sessions: 38th TFCS session (30 Jun-1 Jul) |
| Document date: 23 Jun 26 |
| Relevant to: UN Regulation No. 155 | Cyber Security and Cyber Security Management and UN Regulation No. 156 | Software Update Processes and Management Systems |
| Click here to view the full document file |
| Request for guidance on vehicle compliance after the end of production |
| Reference Number: GRVA-25-48 |
|
The document requests guidance on the legal basis for provisions within UN Regulations extending beyond the End-of-Production date and which authority such provisions address. Examples include UN R171 requirements for manufacturers to demonstrate safety management systems to the Type Approval Authority every three years and report annually on Driven Coded Auxiliary System operation until production is discontinued, and UN R155 requirements for Cyber Security Management Systems to apply to the post-production phase when vehicles remain operational but are no longer produced. The document poses an additional question regarding vehicle safety when manufacturers cease operations and cannot fulfill post-deployment safety provisions. |
| Submitted by: Germany |
| Meeting Sessions: 25th GRVA session (18-22 May) |
| Document date: 21 May 26 |
| Relevant to: United Nations Agreement | 1958 Agreement, WP.29 Regulatory Project | Automated Driving Systems, UN Regulation No. 155 | Cyber Security and Cyber Security Management, and UN Regulation No. 171 | Driver-Control Assistance Systems (DCAS) |
| Click here to view the full document file |
| CS/OTA Task Force: Minutes of the 37th (April 2026) session |
| Reference Number: TFCS-37-12 |
|
The CS/OTA Task Force held its thirty-seventh session on 21-22 April 2026 by video conference. The group adopted the provisional agenda and minutes from the thirty-sixth session. Discussions addressed proposals for amendments to UN R155 concerning multi-stage vehicle approvals and separate technical units, for which a subworking group was established. Proposals were also considered on type approval authority responsibility for cyber security management systems and remote operation of automated driving systems. The group reviewed cyber and software requirements in the ADS GTR and WP.29/2022/60 as amended by WP.29/2023/87, and discussed application of RXSWIN to UN Regulations, selecting option 2 for presentation to GRVA with R155, R156, and R89 square bracketed. The IWG mandate renewal was discussed, with potential new items including component and STU approval and software numbering proposals. |
| Meeting Sessions: 37th TFCS session (21-22 Apr) |
| Document date: 21 May 26 |
| Relevant to: UN Regulation No. 89 | Speed Limitation Devices, WP.29 Regulatory Project | Automated Driving Systems, UN Regulation No. 155 | Cyber Security and Cyber Security Management, and UN Regulation No. 156 | Software Update Processes and Management Systems |
| Click here to view the full document file |
| Status of China's vehicle data security standard and proposals for GRVA consideration |
| Reference Number: GRVA-25-39 |
|
China supports establishing a new task force or informal working group on vehicle data security and sees the need for a dedicated UN Regulation or Global Technical Regulation. Work can begin with applicability analysis of existing regulations, gradually establishing the main framework of the standard, the scope of data management, and handling of special cases. China is ready to act as a key contributor, offering typical use cases, design questionnaires based on GB 44497 and GB 44464, delivering terms of reference with other Contracting Parties, and proposing basic framework and specific requirements by February 2028. |
| Submitted by: NTCAS and CATARC |
| Meeting Sessions: 25th GRVA session (18-22 May) |
| Document date: 20 May 26 |
| Relevant to: UN Regulation No. 155 | Cyber Security and Cyber Security Management, UN Regulation No. 156 | Software Update Processes and Management Systems, WP.29 Regulatory Project | Data Storage Systems for Automated Driving, and WP.29 Discussion Topic | Vehicle data access and protection |
| Click here to view the full document file |
| Cyber Security task force (aka CS/OTA) status report to GRVA |
| Reference Number: GRVA-25-35 |
|
The Informal Working Group on Cyber Security and Software Updates discussed amendments to UN R155 and UN R156 for multi-stage approval, including simplified handling for low-risk devices and clarification of intrinsic cyber risk assessment. The group reviewed proposals from GRVA-25-31 and GRVA-25-32 concerning continued validity of approvals and Certificate of Compliance issuance. A Sub-Working Group was established to develop component and separate technical unit approval concepts. Pending discussion include RXSWIN application to components, STUs, and the extent of application to UN R155 and UN R156, and type-approval numbering for software updates. |
| Submitted by: TFCS |
| Meeting Sessions: 25th GRVA session (18-22 May) |
| Document date: 20 May 26 |
| Relevant to: UN Regulation No. 155 | Cyber Security and Cyber Security Management and UN Regulation No. 156 | Software Update Processes and Management Systems |
| Click here to view the full document file |
No matching documents.