smartnuts … the world on the cabaret-style dissecting table

Cybersecurity Type Approval in Germany: A Layered Guide (As of 2025)

A Preliminary Note …

This post was prompted by follow-up questions to several earlier, more technically focused or legally specific articles: readers asked for a general discussion of the normative foundations of automotive cybersecurity as a type-approval-relevant element. Here it is.


Executive Summary

Cybersecurity is now a non-negotiable entry ticket for vehicles in the EU, and Germany enforces it with typical German precision. At the top sits UN Regulation No. 155 (UN R155), which demands a functioning Cybersecurity Management System (CSMS) and vehicle-level protections across the lifecycle. The EU’s framework regulation 2018/858 supplies the type-approval machinery, roles, and market-surveillance teeth. The EU’s General Safety Regulation 2019/2144 then plugs cybersecurity into that machinery by pointing to UN R155, and to UN R156 for software-update governance (SUMS/OTA). Germany operationalises the package: the Federal Ministry for Digital and Transport (BMDV) links approval to registration via the StVG and FZV, and the Kraftfahrt-Bundesamt (KBA) handles in-service oversight, recalls, and sanctions.

Key dates are simple enough to remember: cybersecurity per UN R155 has applied to new types since 6 July 2022 and to all new registrations since 7 July 2024. Nearby frameworks matter too: the Radio Equipment Delegated Regulation 2022/30 applies from 1 August 2025 to certain internet-connected radio equipment, and the Cyber Resilience Act ramps in phases (reporting duties from 11 September 2026) to full application on 11 December 2027 for digital products outside the dedicated vehicle regime.

What to do now: close gaps in CSMS/SUMS, harden supply-chain governance with ISO/SAE 21434-based evidence, industrialise PSIRT and telemetry, align OTA processes with UN R156 end to end, and maintain a permanent state of type-approval and KBA readiness. Day-2 operations are where most programs struggle. Don’t.


Why This Matters Now

  • Approval gate: No CSMS/SUMS, no type approval. No vehicle on the road.
  • Lifecycle duty: Obligations don’t end at SoP. Monitoring, vulnerability handling, incident response, and safe updates are ongoing.
  • Enforcement: Under 2018/858, authorities can refuse or withdraw approval, impose recalls, and cooperate EU-wide. In Germany, the KBA is an active market-surveillance authority.
  • Ecosystem pressure: Software, backends, and radio equipment drag in adjacent EU regimes (RED 2022/30; CRA) that may not target vehicles directly but still touch parts of your stack.

The Three Layers

1) International Baseline: UN R155

Purpose and scope:

  • UN R155 sets uniform requirements for protecting vehicles against cyberattacks and for the manufacturer’s CSMS. It covers the full cybersecurity lifecycle, from concept through decommissioning, for vehicle categories M and N, for category O trailers fitted with at least one electronic control unit, and for L6/L7 vehicles equipped with automated driving functions of level 3 or higher.

Core obligations:

  • CSMS approval: A documented, audited management system that governs risk assessment (TARA), design and validation of controls, monitoring, vulnerability and incident handling, and continuous improvement.
  • Vehicle-level requirements: Demonstrate that each approved type implements appropriate technical and organisational measures aligned to the risks.
  • Lifecycle coverage: From design to in-use operation to end-of-life, with explicit duties to respond to emerging threats.

Evidence types:

  • Policies and procedures
  • TARA outputs
  • Security goals and concepts
  • V&V results
  • Update governance artefacts
  • PSIRT records
  • Field telemetry and anomaly analysis
  • Supplier controls and work-products.

Oversight:

  • Approval of the CSMS and of the vehicle type. Continuous surveillance via market monitoring, incident follow-up, and update audits. Authorities can ask for evidence at any time.

Software updates:

  • UN R155 is inseparable from UN R156, which defines the Software Update Management System (SUMS) and the technical/organisational controls for safe OTA updates, including integrity, authenticity, rollback, customer information, and campaign governance.

2) EU Layer: How Cybersecurity Enters Type Approval

Regulation (EU) 2018/858 — The Machinery of Approval

This is the backbone of EU type approval. It defines the roles of approval authorities and technical services, Conformity of Production (CoP), the EU safeguard clause, and the market-surveillance toolbox. It also sets sanctions, including the option for the Commission to impose administrative fines of up to EUR 30 000 per non-compliant vehicle, system, component or separate technical unit (Article 85). In cybersecurity, 2018/858 matters because it is the procedural chassis into which the substantive requirements of UN R155 and R156 are mounted.

Regulation (EU) 2019/2144 (General Safety Regulation) — Plugging in UN R155/R156

Annex II of the GSR adds “protection of vehicle against cyberattacks” as a safety requirement, explicitly referencing UN R155. Timing flags in the annex make cybersecurity mandatory for new types from 6 July 2022 and for all new registrations from 7 July 2024. For software updates and OTA governance, the EU relies on UN R156, published in the Official Journal alongside R155.

What it means in practice.

  • Your type-approval dossier now includes CSMS evidence and vehicle-level cybersecurity artefacts.
  • Your SUMS/OTA processes are assessed in line with UN R156 when they are part of vehicle conformity and in-service safety.
  • Market surveillance under 2018/858 can trigger corrective actions, mandatory recalls, or approval withdrawal if cybersecurity is found lacking in the field.

Other EU Instruments That Touch the Perimeter

  • Delegated Regulation (EU) 2022/30 under the Radio Equipment Directive activates the security-related essential requirements of Article 3(3)(d), (e) and (f) RED for internet-connected radio equipment from 1 August 2025. Radio equipment covered by the GSR 2019/2144 is carved out, but connected devices in your ecosystem that are not part of the type-approved vehicle can fall within it, depending on your architecture and radio classes.
  • Cyber Resilience Act (EU) 2024/2847 is horizontal. Products to which Regulation (EU) 2019/2144 applies are expressly excluded, so type-approved vehicles and their type-approved systems and components fall outside its scope, but many non-vehicle digital products and back-end components around your vehicle ecosystem may fall in. Key milestones are 11 June 2026 (provisions on notified bodies apply), 11 September 2026 (manufacturers must report actively exploited vulnerabilities and severe incidents), and full application on 11 December 2027.

3) Germany’s National Layer: Who Does What and How

Authorities:

  • Bundesministerium für Digitales und Verkehr (BMDV): political lead and high-level coordination for road transport market surveillance.
  • Kraftfahrt-Bundesamt (KBA): Germany’s type-approval and market-surveillance authority. It grants approvals, monitors in-service performance, orders and publishes recalls, and can impose administrative measures up to approval withdrawal. Furthermore the KBA maintains the central CoC database.

Legal instruments:

  • KBAG (Gesetz über die Errichtung eines Kraftfahrt-Bundesamtes): establishes the KBA and its tasks.
  • Marktüberwachungsgesetz (MüG): implements the EU’s horizontal market-surveillance regime domestically and supports the measures defined by 2018/858.
  • Straßenverkehrsgesetz (StVG) authorises the ministry to issue the implementing ordinances that carry the registration interface.
  • Fahrzeug-Zulassungsverordnung (FZV) links approval to registration.
  • Verwaltungsvorschrift Benennung von Technischen Diensten (A, B, D) im KBA-Typgenehmigungsverfahren: the administrative provision in which the KBA publishes the designation procedure for Technical Services, grouped into the categories of Article 68 of 2018/858:
    • Category A: own-lab testing and reviews for R155 aspects or R156 update mechanisms.
    • Category B: supervision and witnessing of tests at manufacturer or third-party labs.
    • Category D: CoP surveillance via inspections and production-sample testing, including verification of update-campaign evidence.

Processes you will feel:

  • Type approval: Submission of your CSMS certificate/evidence, vehicle-level cybersecurity dossier, and SUMS/OTA artefacts where applicable.
  • In-service conformity: Ongoing evidence requests, product sampling, incident follow-up, verification of update campaigns, and cooperation duties.
  • Recalls and sanctions: If cybersecurity defects impact safety or compliance, the KBA can order corrective actions and recalls, publish them, and escalate to approval suspension/withdrawal for persistent or serious issues.

How it all connects in KBA approvals under R155:

  • What to meet: UN R155 (with UN R156 for updates) sets the technical and organisational bar.
  • Why it is mandatory: GSR 2019/2144 pulls both into binding EU type approval.
  • How it is assessed: 2018/858 provides the procedures, CoP, market surveillance and Technical Services.
  • Who tests: KBA-designated Technical Services in A/B/D perform testing, supervision and CoP surveillance for R155/R156.
  • When it reaches the road: FZV requires the CoC for registration, linking EU conformity to German road access.
  • Multi-stage specifics: KBA material clarifies evidence paths and Technical Service involvement for multi-stage approvals under R155.

Mapping UN R155 to ISO/SAE 21434: Same Music, Different Stage

ISO/SAE 21434 is the engineering standard your teams already know. UN R155 turns a substantial part of those practices into legal obligations with authority oversight.

  • Organisation and governance: UN R155’s CSMS aligns with 21434 clauses on organisation, distributed activities, and supplier management. The difference is the approval step and the auditability of your management system.
  • Risk and concept: R155’s TARA and security goals track to 21434 risk assessment and concept development deliverables.
  • Development and validation: Traceability from cybersecurity requirements to design and V&V is expected under both.
  • Operations and EoL: R155 explicitly binds you to monitoring, vulnerability handling, and secure decommissioning. 21434 supports that with operational clauses and work-products.
  • Work-products: Use the work-product summary in ISO/SAE 21434 Annex A as your artefact checklist. R155 does not prescribe that exact set, but it expects the corresponding evidence to exist, to be mature, and to be current at audit time.

Where R155 goes beyond 21434: approval of the management system itself, vehicle-type approval dependent on cybersecurity, and regulatory enforcement if you fail in the field.


Obligations by Actor: What Each Player Owes

  • OEMs: Operate an approved CSMS, meet vehicle-level cybersecurity requirements, run continuous monitoring, vulnerability intake, and incident response, and manage safe OTA updates under UN R156. Provide full evidentiary packages in the type-approval dossier and on request.
  • Tier-1 suppliers: Deliver 21434-conformant processes and artefacts that cleanly integrate into the OEM’s CSMS, disclose vulnerabilities and relevant changes, and support update campaigns. Contractual obligations should match regulatory expectations.
  • Software providers: Prove secure development, provide SBOM excerpts where appropriate, ship patches with proper signing and metadata, and support SUMS/OTA governance and disclosure.
  • Backend service operators: Maintain monitoring, forensics, and incident response that tie into the OEM’s PSIRT and regulatory reporting pathways.
  • Importers and distributors: Place only compliant vehicles on the market, keep documentation, and support corrective actions and recalls.

Timeline at a Glance

  • 9 March 2021: UN R155 and UN R156 published in the EU’s Official Journal.
  • 6 July 2022: Cybersecurity applies to new vehicle types under the GSR.
  • 7 July 2024: Cybersecurity applies to all new registrations.
  • 1 August 2025: Radio Equipment Delegated Regulation (EU) 2022/30 applies for relevant categories.
  • 11 June 2026: CRA provisions on notified bodies apply; 11 September 2026: CRA reporting duties for actively exploited vulnerabilities and severe incidents begin for in-scope products.
  • 11 December 2027: CRA full application.

A Practical Compliance Roadmap

Phase 1: Foundation

  • CSMS hardening: Close gaps against the CSMS requirements in UN R155 paragraph 7.2 and check threat coverage against the Annex 5 threat and mitigation lists. Set crisp RACI, KPIs, and escalation paths.
  • SUMS/OTA alignment: Implement UN R156 end to end. That means signing, staged rollout, rollback, customer information, and campaign evidence captured by design.
  • Supplier governance: Embed ISO/SAE 21434 clauses into contracts. Require named work-products and audit rights. Stand up a supplier cybersecurity scorecard.
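The controls listed under UN R156 (integrity, authenticity, rollback protection, campaign evidence) are easier to get right when they are written down as a check sequence. The following is an added example, not code from the original post or from any OEM or regulator; the manifest layout, field names, the monotonic version counter and the campaign record are illustrative assumptions. It uses HMAC-SHA256 with a shared key only so that it runs on the Python standard library; a real fleet signs manifests with an asymmetric key (for example Ed25519) held in an HSM, and the ECU holds only the public key.

```python
"""Added example (not from the original post): SUMS-style verification of an
OTA update -- manifest authenticity, correct target ECU, payload integrity,
anti-rollback on a monotonic version counter -- plus per-vehicle campaign
evidence. Field names, the version scheme and the evidence record are
assumptions made for this example.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass

# Constructed demo key. HMAC is a stand-in for an asymmetric signature so the
# example runs offline; never place a symmetric signing key in an ECU.
SIGNING_KEY = b"constructed-demo-key-not-for-production"


class UpdateRejected(Exception):
    """Raised when any check fails; the ECU keeps its current image."""


def _canonical(body: dict) -> bytes:
    # Deterministic encoding so signer and verifier hash identical bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(ecu: str, version: int, payload: bytes, campaign: str) -> dict:
    """Unsigned manifest binding the payload hash to target, version and campaign."""
    return {
        "ecu": ecu,
        "version": version,  # monotonic integer counter, never a free-form string
        "sha256": hashlib.sha256(payload).hexdigest(),
        "campaign": campaign,
    }


def sign_manifest(manifest: dict, key: bytes) -> dict:
    """Sign every field of the manifest (back-end side)."""
    body = {k: v for k, v in manifest.items() if k != "signature"}
    sig = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return {**body, "signature": sig}


@dataclass(frozen=True)
class EcuState:
    vin: str
    ecu: str
    installed_version: int


def verify_and_install(state: EcuState, manifest: dict, payload: bytes, key: bytes) -> EcuState:
    """Run the checks in order (ECU side); return the new state or raise."""
    # 1. Authenticity: the signature covers every field checked below, so a
    #    tampered version or hash field fails here, before anything else.
    body = {k: v for k, v in manifest.items() if k != "signature"}
    expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest.get("signature", "")):
        raise UpdateRejected("manifest signature mismatch")
    # 2. Target: a genuine manifest for a different ECU must not be accepted.
    if body["ecu"] != state.ecu:
        raise UpdateRejected(f"manifest targets {body['ecu']}, not {state.ecu}")
    # 3. Integrity: the delivered payload must match the signed hash.
    if not hmac.compare_digest(hashlib.sha256(payload).hexdigest(), body["sha256"]):
        raise UpdateRejected("payload hash mismatch")
    # 4. Anti-rollback: a genuine but older signed image is still a downgrade.
    if body["version"] <= state.installed_version:
        raise UpdateRejected(
            f"version {body['version']} is not newer than {state.installed_version}")
    return EcuState(state.vin, state.ecu, body["version"])


def run_campaign(fleet: list, manifest: dict, payload: bytes, key: bytes) -> list:
    """Apply one update to a staged batch and return per-vehicle evidence."""
    evidence = []
    for state in fleet:
        record = {"vin": state.vin, "ecu": state.ecu, "campaign": manifest["campaign"],
                  "from": state.installed_version, "to": state.installed_version}
        try:
            record["to"] = verify_and_install(state, manifest, payload, key).installed_version
            record["result"] = "installed"
        except UpdateRejected as err:
            record["result"] = f"rejected: {err}"
        evidence.append(record)
    return evidence


# Constructed sample payload and a two-vehicle staged batch (one already on v3).
PAYLOAD = b"\x7fELF constructed firmware image v3"
FLEET = [EcuState("VIN-TEST-001", "BCM", 2), EcuState("VIN-TEST-002", "BCM", 3)]
MANIFEST = sign_manifest(build_manifest("BCM", 3, PAYLOAD, "C-2025-017"), SIGNING_KEY)

if __name__ == "__main__":
    for record in run_campaign(FLEET, MANIFEST, PAYLOAD, SIGNING_KEY):
        print(record)
```

The order of the checks matters: authenticity first, so that every later decision (target, hash, version) rests on signed data; a version comparison on an unsigned field would let an attacker replay a genuine old image with a rewritten version number. The evidence records are what a Category D Technical Service will ask to see for a campaign, so they are produced by the same function that performs the install rather than reconstructed afterwards.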

Phase 2: Engineering and Evidence

  • TARA and security goals: One per type and per feature set that materially changes risk.
  • Traceability and V&V: Make the chain from risk to requirement to test result audit-ready. Automate where you can; auditors will sample.
  • PSIRT build-out: 24/7 intake, triage, threat intel, and coordinated disclosure. Define SLAs that survive weekends and holidays.

Phase 3: Approval and Readiness

  • Dossier orchestration: Prepare a stable, reusable type-approval evidence pack. Keep a live register of referenced artefacts and owners.
  • Internal audits and witness tests: Run pre-mortems. If you wouldn’t defend it in front of the KBA, fix it now.
  • CoP integration: Production controls must preserve the cybersecurity configuration you got approved.

Phase 4: Day-2 Operations

  • Telemetry and anomaly detection: Use purpose-built, privacy-respecting telemetry for detection and post-incident forensics.
  • Campaign discipline: Updates are product safety. Treat them with the same seriousness as hardware recalls.
  • Regulator communications: Maintain current contact trees and standard templates for KBA dialogue, incident notifications, and follow-ups.
  • Lessons learned loop: Every incident, field fix, or near-miss should round-trip into your CSMS and SUMS.

Enforcement Snapshot: What Happens If You Miss

  • Refusal or withdrawal of type approval for non-compliant vehicles.
  • EU market-surveillance actions with coordinated corrective measures or recalls.
  • Germany/KBA measures, from administrative instructions to mandatory recalls and publication of the case.
  • Financial exposure via EU-level administrative fines under 2018/858 plus the usual business costs of downtime, remediation, and reputational damage.

Final Take

Approval is the starting line, not the finish. The combination of UN R155, EU 2018/858, and EU 2019/2144 has turned cybersecurity into a regulated lifecycle discipline with real-world oversight. Germany enforces this through a well-defined authority setup and pragmatic processes. If your CSMS/SUMS, supplier governance, OTA discipline, and day-2 operations are all genuinely audit-ready, you will sail through approvals and sleep better when the next zero-day hits. If not, the KBA will help you find your gaps the hard way.


Glossary

  • CSMS (Cybersecurity Management System): The organisational system that governs risk, design, validation, monitoring, and incident response.
  • SUMS (Software Update Management System): Processes and controls for safe software updates, including OTA campaigns.
  • Type approval: The mandatory regulatory approval for a vehicle type before it can be placed on the EU market.
  • CoP (Conformity of Production): Ensures the vehicle built matches the approved specification.
  • Market surveillance: Authority oversight of products already on the market, with powers to order corrective measures.
  • OTA (Over-the-Air): Wireless update delivery; in scope of UN R156 when part of vehicle conformity and safety.
  • PSIRT: Product Security Incident Response Team; the operational nucleus for handling vulnerabilities and incidents.
  • ISO/SAE 21434: The reference engineering standard for road-vehicle cybersecurity.
  • SoP (Start of Production): In automotive programs it’s the day series production begins (“Job 1”). In cybersecurity terms, SoP is the immovable gate by which type approval and security readiness must be complete.

About the author

Michael Bunzel

Michael Bunzel (aka maschasan) is a lawyer and engineer currently living in Germany. He has been working in the field of Cybersecurity and related laws and regulations for over 25 years now.

Mike took on various roles and functions in the context of Information Security, Cybersecurity, and SCADA/Shopfloor Security at a German car manufacturer in southern Germany for more than fifteen years - currently in the R&D department, with a focus on E/E systems in the context of automotive cybersecurity and related regulations in different markets (e.g. UN, EU, China, Korea, India, US, and others).

Mike has worked with global organizations across dozens of countries, cultures and languages, well-travelled in EMEIA, APAC and the Americas.

All articles in this blog do NOT reflect the opinion of his employer, but are all an expression of his personal view of things.
