Draft UN Regulation on Cyber Security Implementation issues for existing vehicle architectures

Background The draft cyber security regulation will have a strong impact on vehicle’s E/E architectures Since E/E architectures are shared across various vehicle models, they usually have a long application time (~10-15 years) For already developed E/E architectures it is not feasible to comply with requirements for the development phase retrospectively, since they simply were not known at that time This has been acknowledged during the 2nd coordination meeting in Leiden

Issue For already developed E/E architectures it is not feasible to comply with the vehicle type (E/E architecture) requirements, since they simply were not known at the time of development. This is also the case, since the requirements will not only impact the software but also the hardware on a vehicle. Additionally, it will not be possible to have the entire supply chain covered for existing vehicles.

Need for a solution Some Contracting Parties have already made clear that they intend to implement the new draft UN Regulations in their national/regional whole vehicle type approval framework, e.g. EU and Japan Since new UN Regulations cannot have any Transitional Provisions, Industry has strong concerns that the immediate implementation of the new UN Regulations could lead to severe issues for existing vehicles.

Potential way forward Industry is in favor of addressing the issue in a harmonized approach on UN level A potential way forward could be the stepwise introduction of the requirements: Introduction of an original (00) Series with a reduced set of requirements and an 01 Series with the full set of requirements Transitional Provisions for new types for the 01 Series of amendments

Content of the 00 Series The original series of the Cyber Security Regulation is proposed to cover solely the Cyber Security Management System (CSMS), since existing vehicle architectures cannot be brought into compliance without complete redesigns of the E/E aqrchitectures [The Monitoring and incidence response will be applied to all vehicles, including vehicles in use!] Proposal to add new wording to 7.2: 7.2.3. The vehicle manufacturer shall demonstrate that processes are implemented for [monitoring of and] incident response to vehicles in use.

Content of the 01 Series The 01 Series will cover the whole set of requirements (CSMS + type requirements) Transitional provisions proposed will ensure: Adequate lead time for new vehicle architectures to comply with the requirements Exclude existing vehicles from the application of the vehicle type (E/E architecture) requirements

Transitional Provisions Proposed wording (based on UN guideline): 12. Transitional Provisions 12.1. As from the official date of entry into force of the 01 series of amendments, no Contracting Party applying this Regulation shall refuse to grant or refuse to accept type approvals under this Regulation as amended by the 01 series of amendments. 12.2. As from 1 September [2022], Contracting Parties applying this Regulation shall not be obliged to accept type approvals to the 00 series of amendments, first issued after 1 September [2022]. 12.3. Contracting Parties applying this Regulation shall continue to accept type approvals issued according to the 00 series of amendments to this Regulation first issued before 1 September [2022]. 12.4. Contracting Parties applying this Regulation shall not refuse to grant type approvals according to any preceding series of amendments to this Regulation or extensions thereof.

Implementation timeline Entry into force Only 01 Series approvals obliged to be accepted for new types Example: Approval for a new type according to 01 Series E/E architecture requirements CSMS Example : Approval for an existing vehicle according to 00 Series CSMS Vehicles in use Monitoring and incidence response ~ End 2020 ? 1 Sep 2022