The Informal Working Group on Cyber Security and Software Updates will continue to consider how cyber security and software updates have a bearing on automotive safety and security, and whether any changes are necessary to the Regulations and guidance it has produced under WP.29. In particular, the IWG shall maintain official documents regarding UN R155, UN R156, and Recommendations on uniform provisions concerning cyber security and software updates; develop amendments to relevant documents; develop a proposal to amend UN Regulations under the responsibility of GRVA to record details of an RXSWIN where applicable which have been mandated by the 01 series of UN Regulation No. 156; develop proposals to amend UN Regulation No. 155 and its interpretation document to support application in national/regional frameworks for aspects such as multi-stage manufacturing; consider and develop deliverables regarding software updates after registration potentially creating a proposal for modification to the type approval numbering or a classification of update categories; support and review the application of cyber security and software update provisions across GRs notably for the Global Technical Regulation on Automated Driving Systems; and provide opportunities to participants to share knowledge, experience and ideas from implementation of national regulation/standards regarding CS/OTA as well as UN R155 and R156. The IWG will continue its activities until November 2029.

Vehicles of categories M₁, N, O, R, S and T may fall out of scope of UN R155 or UN R156 if they lack ECUs or do not permit software updates. Approval authorities currently make individual determinations regarding whether vehicles are in or out of scope, and justification for out-of-scope decisions must be recorded to ensure vehicles remain out of scope during the lifetime of whole vehicle approval. UN Regulation No. 10 provides precedent by allowing approvals for vehicles where certain equipment is not relevant. A similar provision could be incorporated into UN R155 and UN R156 by amending the scope and adding provisions to section 5 allowing manufacturers to obtain approvals for vehicles that do not permit software updates, with requirements of paragraph 7 not applying.

The agenda includes review of proposals for amendments to R155 concerning multistage vehicles, separate technical units and component approval, approval-authority requirements for CSMS CoC and vehicle type approval, and remote operation for ADS; review of cyber and software requirements in the ADS Regulation based on WP.29/2022/60 as amended by WP.29/2023/87; discussion of RXWIN application amendments; and consideration of terms of reference renewal ahead of mandate expiration in November 2026.

Proposal to amend Appendix 1 to Annex 1 to revise the model of declaration of compliance for Software Update Management System Manufacturers and amend Annex 4 to revise the model of Certificate of Compliance for Software Update Management System.

The CS/OTA Task Force held its thirty-seventh session on 21-22 April 2026 by video conference. The group adopted the provisional agenda and minutes from the thirty-sixth session. Discussions addressed proposals for amendments to UN R155 concerning multi-stage vehicle approvals and separate technical units, for which a subworking group was established. Proposals were also considered on type approval authority responsibility for cyber security management systems and remote operation of automated driving systems. The group reviewed cyber and software requirements in the ADS GTR and WP.29/2022/60 as amended by WP.29/2023/87, and discussed application of RXSWIN to UN Regulations, selecting option 2 for presentation to GRVA with R155, R156, and R89 square bracketed. The IWG mandate renewal was discussed, with potential new items including component and STU approval and software numbering proposals.

China supports establishing a new task force or informal working group on vehicle data security and sees the need for a dedicated UN Regulation or Global Technical Regulation. Work can begin with applicability analysis of existing regulations, gradually establishing the main framework of the standard, the scope of data management, and handling of special cases. China is ready to act as a key contributor, offering typical use cases, design questionnaires based on GB 44497 and GB 44464, delivering terms of reference with other Contracting Parties, and proposing basic framework and specific requirements by February 2028.

The Informal Working Group on Cyber Security and Software Updates discussed amendments to UN R155 and UN R156 for multi-stage approval, including simplified handling for low-risk devices and clarification of intrinsic cyber risk assessment. The group reviewed proposals from GRVA-25-31 and GRVA-25-32 concerning continued validity of approvals and Certificate of Compliance issuance. A Sub-Working Group was established to develop component and separate technical unit approval concepts. Pending discussion include RXSWIN application to components, STUs, and the extent of application to UN R155 and UN R156, and type-approval numbering for software updates.

Proposal to insert provisions on software identification and software updates into UN R13, UN R13-H, UN R79, UN R89, UN R130, UN R131, UN R152, UN R155, UN R156, UN R157, UN R171, UN R175, and UN R178 by adding definitions referencing Consolidated Resolution R.E.3 Annex 7, requiring manufacturers to provide Technical Services with information on hardware and software influencing performance, permitting vehicle manufacturers to apply for new approvals differentiating software versions for registered versus new vehicles, clarifying that production discontinuation does not apply when manufacturers seek approval extensions for software updates of registered vehicles, and amending communication forms to include software identification numbers and related information.

Proposal to amend UN R155 and UN R156 regarding approval authority requirements:

• Add a refusal ground to para. 5.1.3. of UN R155 where the Certificate of Compliance for the Cyber Security Management System has not been issued by the same approval authority granting type approval
• Insert new para. 5.4. into UN R156 to provide that approval authorities shall not grant any type approval if the Certificate of Compliance for the Software Update Management System has not been issued by the same approval authority granting type approval.

The UN IWG on Cyber Security and OTA will meet April 21-22, 2026 via video conference. The agenda includes adoption of the provisional agenda and minutes from the previous session, proposals for amendments to UN R155 and its interpretation document regarding multistage vehicles and type approval authorities, review of cyber and software requirements in the ADS Regulation, discussion of RXSWIN application, renewal of the IWG mandate expiring November 2026, and confirmation of next steps.

Germany proposes that the TAA granting UN R155 or UN R156 type approvals shall be obliged to only use CSMS or SUMS certificates signed by the same TAA. Issues identified include that CSMS and SUMS are Management Systems covering entire manufacturers’ organizations, mandating the same TAA will have huge consequences for OEMs using multiple TAAs, and no such obligation exists for ISO 9001 and ISO 14001. A possible way forward in the short term is to keep text unchanged to allow different TAAs for Management Systems CoC and type approval based on voluntary acceptance and implement wording on information exchange and procedure if different TAAs involved.

Proposal to amend UN R13, 13-H, 79, 89, 130, 131, 139, 140, 152, 155, 156, 157, 171, 175, and 178 by introducing provisions on software identification and software updates. Amendments add new paragraphs referring to Software Identification Number definitions in Consolidated Resolution R.E.3, require manufacturers to provide Technical Services with information on hardware and software influencing performance, permit vehicle manufacturers to apply for new approvals differentiating software versions for registered versus new vehicles while avoiding test duplication, and modify production discontinuation provisions to exclude cases where manufacturers seek approval extensions for software updates of registered vehicles.

Proposal to amend the Interpretation Document for UN R156. The document clarifies requirements in paragraph 7 and Annex 1 concerning software update and software update management systems to promote uniform assessments and align with the 01 series of amendments. The document provides non-mandatory guidance for demonstrating compliance with UN R156 requirements through documentation, presentation, and audit, with supporting reference to ISO 24089:2023. The proposal addresses processes for software updates after vehicle registration, including assessment of compliance impacts, documentation procedures, security measures, over-the-air update safeguards, and vehicle user notification requirements.

Proposal to amend UN R155 and UN R156 to require that Certificates of Compliance for Cyber Security Management Systems and Software Update Management Systems be issued by the same approval authority that grants type approval. Germany reported a case where different authorities issued the certificate and type approval, creating assessment and enforcement issues. The proposal aims to ensure holistic cyber security evaluation and align both regulations.

UN R156 requires administrative provisions under the 1958 Agreement to demonstrate that vehicles comply with its requirements at specific points in time, not solely at market placement. The action plan involves developing a numbering system for amending approval extensions to account for software updates, considering how updates impact existing type approvals, and reviewing related 1958 Agreement aspects.