New regulations for vehicle type approvals placing an obligation on cyber security certification and security of vehicle software updates

Starting in 2022, evidence will be required within the European Union to demonstrate compliance in two new areas: the Cyber Security Management System (CSMS) and the Software Update Management System (SUMS).
One option to meet these principles is to have certification conducted by our company. ŠKODA AUTO a.s. was the first to express interest in this particular certification. The CSMS pre-audit is scheduled for the turn of 2020/2021, and the initial certification will take place in the middle of 2021. The date of SUMS certification will be specified after the standard has been officially issued.

Current status of documentation of new systems:

The main compliance criteria are the documents currently being completed by the UN Task Force on Cyber Security and Over-the-Air Issues, the UN Economic Commission for Europe (UN ECE) and the UNECE World Forum on Cyber Security and Over-the-Air Issues for the harmonization of vehicle-related regulations (WP.29).
The current Draft Recommendation on Cyber Security defines principles to address identified threats and vulnerabilities in order to assure vehicle safety in case of cyber-attacks. Cyber security is required to be implemented over the lifecycle of the vehicle.
Vehicles process a range of different types of data. The document defines principles to be achieved to protect this data from unauthorized access, amendment or deletion both when it is stored and when it is transmitted. It further defines detailed guidance or measures for how to meet these principles. This includes examples of processes and technical approaches. Finally, it considers what assessments or evidence may be required to demonstrate compliance or certification with any requirements identified.
The Draft Recommendation on Software Updates defines principles according to which vehicle software updates should be adopted for the purpose of the certification in order to ensure they are conducted safely in compliance with legal requirements. Further, it describes how software updates should be managed to ensure they are conducted safely, whether wirelessly or by alternative means.
Given that the management of software updates, type approval processes and the first registration of the vehicle are carried out according to national legal requirements, some principles may need further revision to comply with national legislation. ISO/SAE 21434 – Road Vehicles – Cyber Safety and ISO 24089 – Road Vehicles – Software Updates, the two standards issued by the International Organization for Standardization, will ensure the systems conform to the above principles. The standards will explicitly define the audit and certification criteria.

With regard to the certifications according to ISO/SAE 21434 and ISO 24089, ŠKODA AUTO a.s. and TÜV NORD Czech will be facing a challenge of crucial importance over the next two years.


Further information: PhDr. Mgr. Viktor Šaroch, +420 602 664 895