UN Regulation No. 155, which continues to be regarded as a milestone for cybersecurity in the automotive industry, is now expanding its scope. In particular, manufacturers and suppliers who are not directly involved in the traditional production of ordinary cars are still confronted with the question of the extent to which UN R155 and the requirements for the CSMS affects them at all. Now we seem to have a decision: Vehicle Category L, Motorcycles, will be subject to the regulatory requirements of UN R155. All information related to this here.
Original equipment manufacturers (OEMs) of motorcycles and their suppliers are already prepared, in best case. Recently, it had already become apparent what has now (end of November 2023) been submitted as an official proposal by the associated working group for the enhancement of UN Regulation No. 155: Vehicle Category L (motorcycles) is falling under the scope of UN R155.
This means that the requirements relating to the implementation and verification of a Cybersecurity Management System (CSMS) now also apply to manufacturers of such vehicles.
The working group’s decision to implement Category L to the scope of UN R155, was expected by industry professionals and most importantly by consumers. For example, the well-known Austrian motorcycle manufacturer KTM joined AUTO-ISAC in March 2023 according to a publicly available news website. The proposal release came quicker than anticipated. For example, the adaptation of motorcycles in ISO 26262 Road vehicles- Functional safety was released seven years after its first publication in 2011. Whereas the first version of UN R155 was published recently in 2021.
However, this should come as no surprise as more EV and connectivity is demanded from motorcycle riders. The same new technologies implemented in our cars are expected to meet the same level of user experience and comfort in other modes of transportation. Modern motorcycles are quickly being developed with more software in sensors, electronic and smart dashboards, and digital infotainment systems—all with internet-facing [PR1] connectivity.
Cybersecurity on two wheels: The motorcycle in the sights of hackers?
Motorcycles, which have traditionally been less connected, are facing digital challenges just like the rest of the vehicle industry.
From infotainment systems to networked services – the integration of modern technologies into motorcycles has already taken off in the background, making motorcycles vulnerable to cyberattacks.
The peculiarities of two-wheelers in particular give rise to a variety of new challenges when it comes to implementing cybersecurity in motorcycles. Due to their size and design, motorcycles offer significantly less space for hardware security solutions. Physical access to ECU pins will require engineering creativity because “locking the door,” is no longer considered a minimum preventive security control[PR2] . Software must also be robust enough to function reliably under variable environmental conditions.
Overview of the UN R155 timeline for motorcycles
While the already adopted timeline for the scope of cars for July 2022 (new vehicle types) and July 2024 (all new vehicles) was already binding, a different cut-off date applies for motorcycles.
When does UN R155 apply to motorcycles?
Manufacturers of motorcycles (Vehicle category L) must present a Certificate of Compliance as evidence of a successfully audited CSMS by July 1, 2029 in order to obtain approval for the sale of their products within the UNECE member countries.
Cybersecurity in motorcycles: what does that mean in concrete terms?
An era of increased responsibility is dawning for motorcycle manufacturers. They must ensure that their CSMS is effective along the entire value chain, from suppliers to the end product. After all, one of the special requirements of UN R155 is that the manufacturer is responsible for the risks of its suppliers.
This requires a new level of cooperation with suppliers and service providers to ensure an adequate level of safety.
It is important to understand this from the outset: Compliance with UN R155 is not only a regulatory necessity, but also an opportunity to build trust with customers within the value chain and ultimately with the consumer.
At a time when data protection and security are increasingly coming into focus, manufacturers who act proactively and introduce robust cyber security measures can sustainably strengthen their market position around the motorcycle of the future.
In conclusion, the extension of UN R155 to motorcycles is an important step towards ensuring not only the safety of all road users but also the collaboration and underlying cybersecurity of technical ecosystems in an increasingly connected world.
Talk to our colleagues in consulting to take on this challenge and raise the cyber security of your products to the next level.
Paul Rusch is a Lead Senior Consultant at CYRES Consulting. His expertise includes cybersecurity engineering in Cloud and Automotive/Motorcycle technologies as well as Governance and Risk Management. At CYRES Consulting, he is involved in implementing Cybersecurity Management System’s around ISO/SAE 21434 and manages complex project landscapes. He is a TÜV certified automotive cybersecurity professional and a SAE member.