Cybersecurity assessment for road vehicles

Ensure your intelligent vehicles comply with cybersecurity regulations and standards.

Pictogram in .SVG for Automotive Cybersecurity 2

What is involved in cybersecurity assessment for vehicles, components, and systems?

Technologies within modern, connected and autonomous vehicles have become so complex that automotive cybersecurity is now a necessity. From the development process to decommissioning, manufacturers and suppliers must approach cybersecurity holistically. They must assess security levels of vehicles, components and systems throughout the entire organisation and product lifecycle.

From products at the early design phase to final checks and assessments, TÜV SÜD ensures robust cybersecurity management.

Why vehicle cybersecurity is important

Manufacturers and suppliers must develop, produce and operate safe road vehicles and components and ensure that appropriate development processes are followed throughout the product life cycle. By addressing cybersecurity threats according to the latest standards and best practices, and developing resilient automotive systems and components, you can protect both road users and your business. Additionally, by accurately assessing and effectively mitigating cybersecurity risks, you will increase customer trust. Moreover, you can gain a competitive edge by partnering with an independent third-party service provider like TÜV SÜD, whose international network of experts have extensive experience in automotive cybersecurity.

Manufacturers and suppliers must develop and operate safe road vehicles and components by adhering to robust cybersecurity standards throughout the product lifecycle. By addressing cybersecurity threats and developing resilient automotive systems, they can protect both road users and their business while increasing customer trust.

With evolving industry standards and advancing cyber threats, companies must manage cybersecurity systems, conduct risk assessments, and ensure secure data transfer. Compliance with UNECE Regulations R155 (Cybersecurity Management Systems) and R156 (Software Update Management Systems) is essential to detect and respond to security incidents and ensure driver safety. By staying ahead of existing cybersecurity challenges, companies can gain a competitive edge, avoid costly breaches, and build a reputation for delivering safe, secure and reliable products.

You can also gain a competitive advantage by partnering with an independent third party such as TÜV SÜD, whose international network of experts has extensive experience in automotive cybersecurity.

How TÜV SÜD helps you with cybersecurity assessment for road vehicles

With over a century of experience in automotive safety and performance, TÜV SÜD supports manufacturers and suppliers in designing and producing robust vehicles, components, and systems that can withstand cyber threats. Our expertise ensures that appropriate development processes are followed throughout the product lifecycle, with cybersecurity measures aligned with cybersecurity regulations such as ISO/SAE 21434 and UNECE WP.29 R155 and R156. We offer comprehensive cybersecurity assessments that help you design, verify, and implement secure automotive systems and components for connected and automated vehicles.

We have developed a cybersecurity assessment method that is specifically tailored for the automated vehicle approval process and is based on international cybersecurity standards. Our expertise in homologation, combined with in-depth knowledge of cybersecurity regulations and standards, enables us to deliver tailored solutions for your innovative road vehicles. Designed to provide an efficient transition to the upcoming automotive cybersecurity regulations, our cybersecurity assessment is regularly aligned with technology developments and industry best practices. This means we constantly adapt it to keep pace with the latest cybersecurity threats.

Our experts actively participate in developing automotive cybersecurity standards (ISO/SAE 21434). We also participate in UNECE committees to develop cybersecurity and software updates regulations (UNECE WP.29 GRVA). With this, you gain access to the latest industry knowledge and best practices.

Get started with TÜV SÜD

Start your automotive cybersecurity assessment journey with us today.

What our cybersecurity assessment and certification services for intelligent road vehicles and systems include

TÜV SÜD ensures that robust cybersecurity management is present across the entire organisation, from products at the early design phase to final checks and assessment. This includes the product lifecycle, and compliance with relevant automotive cybersecurity standards, regulations and best practices.

We provide cybersecurity assessment and certification services according to Regulation UNECE R155:

Conformity assessment
Auditing and certification of the Cybersecurity Management System (CSMS)
Assessment of UNECE R155 compliance regarding type approval for road vehicles

We provide cybersecurity assessment and certification services according to standard ISO/SAE 21434:

Confirmation review
Process audit and certification
Product assessment and certification

We support your compliance preparations, so you can gain global market access. Our enablement services include:

Training (basic / advanced)
Pre-audit
Pre-assessment
Clarification workshops
Coaching
Gap analyses

As a result, you receive the following deliverables:

A full technical assessment report, which highlights the product lifecycle’s strengths and weaknesses at different phases.
List of critical elements.
Recommendations for improvements towards conformity.

Frequently asked questions (FAQs)

What are the cybersecurity challenges for connected vehicles?

Faster development cycles
Product development can be expensive. You may be under pressure to prepare for future developments and speed up timetables without compromising quality or return on investment.

Building a secure backend
You must take a broad defence against cyber-attacks and sweat the finer details, such as securing intellectual property like board documents.

Strengthening your position as a technology enabler
Savvy operators must consolidate their role with customers, starting with planning and mitigating risks along the value chain.

Monitoring security incidents
Suppliers and manufacturers must prioritise cybersecurity, establishing processes and strategies to secure the fleet in a dynamic environment.

Providing reliable products and secure connected solutions
To protect today's complex vehicles, go beyond security measures—rigorously test products to ensure compliance, detect defects early, and guarantee safety.

Supporting a reliable production process
You must avoid interrupting or compromising reliable production processes. This means proactively handling challenges to the process chain, including downtime and asset failures.

What issues does a cybersecurity assessment for automated and connected vehicles address?

AVs have a complex architecture, as they integrate multiple automated driving functions and a wide variety of communication interfaces. An external attacker successfully compromising such functions endangers the safety of road users. It can also cause serious privacy, financial and operational harm to businesses and passengers. As vehicle connectivity increases, so the potential risk of cyberattacks escalates. TÜV SÜD has therefore extended its approach to include cybersecurity in the evaluation of vehicle prototypes.

Which standards should be considered for cybersecurity assessment and certification of intelligent road vehicles?

Currently there is the regulation UNECE R155 and the international standard ISO/SAE 21434. Compliance according to UNECE R155 is required to achieve road vehicle type approval. ISO /SAE 21434 is a complimentary standard which proves your product development process fulfils cybersecurity requirements.

As the cybersecurity landscape is developing fast, there are many new standards and regulations under development. At TÜV SÜD we are aware of those market and regulatory developments. We always take them into account to ensure the best solution.

Do we need to consider any additional requirements for connected vehicles?

It is mandatory to ensure additional compliance according to the Radio Equipment Directive RED 2014/53/EU.

The standard mandates cybersecurity, personal data and privacy protection for devices that can:
• 3.3d – Communicate over the internet, either directly or via any other equipment.
• 3.3e – Process personal data, traffic data or location data.
• 3.3f – Enable users to transfer money, monetary value or virtual currency.

Do I need to consider cybersecurity as a second stage manufacturer, known in the industry also as "bodybuilder"?

Second stage manufacturer must develop as Cybersecurity Management System (CSMS) which is compliant according to UNECE R155. Maintaining a connection with the original manufacturer is essential in case there is ever a cybersecurity issue.

What does the process look like for a cybersecurity certification?

Stage 1 assesses the manufacturer’s documents. This ensures that general cybersecurity requirements, according to UNECE R155 and ISO/SAE 21434, are fulfilled. We check if the provided documents are sufficient for certification.

A stage 2 audit is a more in-depth assessment. This ensures that requirements are not just fulfilled but that they also comply with UNECE R155 and ISO/SAE 21434. To ensure the documented processes are being implemented, we conduct this audit on-site.