June 24, 2021

What is WP29 in the Automotive industry and more importantly what is UN 155?

Having looked (albeit briefly) at the WP29 directive:

“WP.29 is the UN World Forum dedicated to technical regulations applied to the broad automotive sector, addressing the safety and environmental performance of wheeled vehicles, their subsystems and parts.”

It became clear to me that the source of the market noise was actually around UN Regulation No. 155, which is a component of WP29.

No need for the rest of the blog I hear you say! Absolute clarity delivered.

Like all initiatives in every sector, the high level is underpinned by various frameworks of what good should look like, and a set of processes to adhere to. The challenge here is always:

  • How do you integrate multiple systems, contact points and services?
  • Who is ultimately responsible within an organisation?
  • What are the timelines?
  • What is the impact of failure?


So, let’s look specifically at the UN 155 element of WP29 (Uniform provisions concerning the approval of vehicles with regards to cyber security and cyber security management system, CSMS). The principal elements are around:

  • Obtaining a Certificate of Compliance for the CSMS.
  • Demonstrating how the CSMS will operate in the Development, Production and Postproduction phases.
  • Proactive and frequent reporting of how the system is working and complying.
  • Outlining how you can deal with a range of threat vectors (this list is not small).
  • Articulating the process for reporting new threats, and importantly how they will deal with them, or not!


The latter two points are not new and fall under the purview of CISO/CSO vulnerability disclosure. The upshot of failing to meet the requirements in any of these areas is that approval can be refused for that car model/type. This will effectively make it impossible to sell that car within the European Union marketplace after June 2022. Consequently, Tier 1 and Tier 2 manufacturers, and hardware and software suppliers, must give evidence about their capabilities, including their organisational and engineering cybersecurity processes.

There are many considerations as you get further into the minutiae of what the CSMS should cover and how to manage/mitigate threats. At the heart of it must be Identity and Access control. As we rush towards the next generation of connected cars, connected geographies, autonomous driving, always-on services and pervasive interactions, it’s very clear that strong Identity control will be the difference between, at best, compromised data and, at worst, life and death.

The connected car was originally implemented to allow real-time feedback on car performance for iterative improvement. The new paradigm will allow for transient ownership, adaptable experience through service zones, C2C communications and car-to-roadside communications, all of which require strong trust models. For the ill-prepared, UN 155 will be a Pandora’s box as they try to navigate through the reality of how their connected car of tomorrow will operate.

For more information about how Device Authority can play a role in simplifying identity management for the Automotive industry please read more here, or reach out to our team of experts at: automotive@deviceauthority.com





Paul Lockley