Next week I’ll be in Busan/KOREA with my much-appreciated colleague Felix Roth for the 2025 KSNC/ASCON conference on “All about Advanced Vehicles.” We’ll be talking about the challenges and practical ways to run a global CSMS that covers different automotive cybersecurity regulations across the various markets.
The automotive industry has reached the point where cybersecurity can no longer be handled country by country or project by project. Vehicle platforms live for more than a decade. Software updates will follow them for even longer. At the same time, regulators in Europe, China, the United States and a growing list of importing countries are raising the bar on how OEMs must demonstrate cyber resilience over the entire vehicle lifecycle.
This is the backdrop for the talk “One CSMS to Rule Them All. A Unified Approach to Global Automotive Cybersecurity Compliance.”
The problem we are actually solving
Most manufacturers now operate in more than 150 markets. Each market brings its own interpretation of UNECE R155, its own audit practice, and in some cases its own national cybersecurity framework. On top of this you have horizontal European legislation such as the Cyber Resilience Act, NIS2 and data-protection requirements that touch automotive systems in some way. Trying to build a separate cybersecurity management setup for every single market would create bureaucracy, delays and inconsistent evidence. It would also make type approvals unnecessarily risky.
The smarter option is to design one CSMS that is strong enough to:
- demonstrate conformity with UNECE R155 and ISO/SAE 21434,
- incorporate Chinese requirements such as GB 44495-2024 and its operation guidance,
- map to US regulatory and policy initiatives on connected vehicles,
- and still be usable by engineering departments and supplier management in day-to-day development.
This is precisely what the talk will walk through.
What a unified CSMS looks like in practice
The talk uses the BMW Group model to show how cybersecurity is embedded across the three major phases of the vehicle lifecycle: development, production and post-production/operations. Instead of treating backend security, supplier security, vehicle E/E security and incident response as separate silos, the CSMS links them in a single process chain. That is what allows the organisation to produce one coherent set of evidence for multiple authorities.
Key elements you will see:
- risk-based security architecture in development,
- mandatory cybersecurity testing and validation, including penetration testing,
- supplier security management aligned with automotive standards,
- fleet monitoring and intrusion detection as operational safeguards,
- and documentation/readiness checks that are actually audit-proof.
The benefit is simple. One set of controls. One process language. One place to demonstrate that cybersecurity is planned, implemented, monitored and improved throughout the lifecycle.
Why this matters now
Several markets have already moved from “recommendations” to “show me your certificate.” That includes UNECE contracting parties requiring R155 CSMS approval for type approval, and it increasingly includes China for connected and intelligent vehicles. Running a single CSMS across all regions makes audit preparation faster and reduces the cost of explaining your organisation fifteen times.
Just as important, it raises maturity. When regional audits come back with slightly different interpretations, the feedback can be fed into the global CSMS. Over time this creates a harmonised, continuously improving system instead of a patchwork of local exceptions.
What the session will cover
The talk will not be an academic tour of standards. It will focus on operational questions for OEMs and large suppliers:
- How do you translate regulatory and legal requirements into something that development teams can actually implement?
- How do you keep pace with new rules such as the EU CRA or updates in China without rewriting your CSMS every quarter?
- How do you structure your evidence so that “one CSMS fits many” is not just a slogan but something you can hand to KBA, Chinese authorities and other market surveillance bodies?
- How do you run cooperation models (CSMS as a service) for affiliated brands or partners without diluting compliance?
Participants will see how an automotive organisation scaled cybersecurity from an initial, reactive setup to a forward-looking, regulation-aware model that is fully integrated into the E/E development lifecycle.
Who should read this and attend
- Automotive cybersecurity managers who are currently maintaining multiple CSMS documents for different regions.
- Legal and compliance teams who must prove that the company has a structured response to UNECE R155, GB 44495 and upcoming EU horizontal rules.
- E/E and software leads who want to align security with already-tight release schedules instead of adding it as a late-stage hurdle.
- Supplier managers who need to pull the supply chain into a uniform security posture.
Takeaway
Cybersecurity in automotive is becoming a licence-to-operate topic. The question is not whether to have a CSMS, but whether to have a single, scalable CSMS that works everywhere. This talk will show a concrete, battle-tested way to do exactly that, including the uncomfortable bits such as diverging audit practices, continuous recertification and the need to keep regulators in the loop.
