FAQ

What's the difference between UN-R 155 and ISO/SAE 21434 — do I need both?

Short answer

No. UN-R 155 is a regulation; ISO/SAE 21434 is a standard. UN-R 155 mandates the *outcome* (a Cybersecurity Management System must exist and operate); ISO/SAE 21434 specifies *how* to implement it. In practice manufacturers comply with UN-R 155 by implementing ISO/SAE 21434, but the two are distinct artifacts and you can fail at one while passing the other.

Long answer

UN-R 155 is United Nations Regulation No. 155 on Cyber Security and Cyber Security Management System. Adopted by UNECE WP.29 in 2020 and mandatory in the European Union and many other UNECE-aligned markets since 2024, it makes type approval of new vehicles conditional on the manufacturer operating a CSMS that covers: cybersecurity governance, risk identification, risk treatment, supplier management, incident response, and post-production monitoring.

UN-R 155 specifies *what* must exist but is deliberately silent on *how*. Manufacturers can implement it using whatever framework satisfies their type-approval authority. In practice, ISO/SAE 21434 is the universally accepted implementation framework — the standard's process model, work products, and TARA methodology are recognized by approval authorities as sufficient evidence of a working CSMS.

The most common confusion in scoping cybersecurity engagement work is treating UN-R 155 compliance as the goal. The actual goal of the OEM or Tier-1 cybersecurity team is type approval. Type approval requires CSMS evidence. CSMS evidence is most efficiently produced through ISO/SAE 21434 work products. UN-R 155 compliance is then a side effect of ISO/SAE 21434 implementation done correctly, not a separate program.

A vehicle program can fail at UN-R 155 while complying with ISO/SAE 21434 (process is correct but the manufacturer cannot demonstrate it to the approval authority). Conversely, an OEM can claim ISO/SAE 21434 alignment without satisfying UN-R 155 (because UN-R 155 also covers supplier management evidence, post-production monitoring infrastructure, and incident-response capability that some ISO/SAE 21434 implementations underweight).

Related

- ISO/SAE 21434
- UN-R 155
- TARA
- Automotive cybersecurity service
