Cybersecurity in the automotive sector: how to avoid fines of up to 30,000 euros

2024 / 03 / 20
ZIUR has published a report on the UNECE/R155 regulation that must be complied with by this industrial sector, which is made up of 300 companies that have a turnover of more than 20,000 million euros in the Basque Country and employ more than 120,000 people globally.


ZIUR has published a report on the UNECE/R155 regulation, which the automotive sector must comply with to avoid fines of up to 30,000 euros. The center's aim with this document is for this industry, which is of great importance in the Basque Country and brings together 50% of the State's automotive component companies, with 300 companies that have a turnover of more than 20,000 million euros, to know this regulation first-hand and know how to apply it. The regulation will affect all new vehicles sold from July 1, 2024 and must be applied by both manufacturers and third parties, which is why ZIUR asks the sector to work together to ensure compliance.

The technological revolution in vehicles in recent years has been extraordinary. It is increasingly common for cars to include functionalities such as proximity sensors and systems that create networks interconnecting different vehicles or that share information about the state of the road to identify the optimal route, among other examples.

But, as usual, this increase in technology has significantly increased cybersecurity risks. Specifically, cyber attackers now have a larger attack surface, since they can take advantage of vulnerabilities to access vehicle systems, steal information and even disable driving systems, which would seriously endanger the safety of people. In addition, there is a great financial and reputational risk for both manufacturers and third parties involved in the life cycle of a vehicle that does not meet the minimum requirements and is, therefore, attacked.

This issue is of such importance that the UNECE Global Forum for the Harmonization of Vehicle Regulations (WP.29), a working group within the Sustainable Transport Division of the United Nations Economic Commission for Europe, developed and published the UNECE/R155 regulation. Vehicles, therefore, are required to have this cybersecurity certificate and, if they fail to comply with the regulation, the sector faces fines of up to 30,000 euros for each unit sold. UNECE/R155 currently affects all models approved by European Union manufacturers from July 1, 2022 and will affect all new vehicles sold from July 1, 2024.

Cybersecurity Management System

However, for approvals carried out before July 1, 2024, if the vehicle could not be developed in accordance with the Cybersecurity Management System (CSMS), the manufacturer must demonstrate that cybersecurity has been one of the aspects considered throughout the life cycle of the affected model. The regulation also includes a list of 70 cybersecurity threats that vehicles must be prepared against, a fact that must be accredited by an entity external to the manufacturer.

With the aim of clearing up any doubts that the Basque automotive sector may have about complying with cybersecurity regulations, ZIUR has prepared this report, which details the entire approval process, the checks that must be carried out and the actions to be taken by the different companies involved. It also covers another cybersecurity regulation, UNECE/R156, which focuses on remote software update management systems and which will also affect all new vehicles marketed from July 1, 2024.