On June 24, 2020, the United Nations Economic Commission for Europe (“UNECE”)* adopted two regulations that will have a significant impact on manufacturers of connected and autonomous vehicles (“CAVs”). These regulations impose obligations relating to cybersecurity and software updates for passenger cars, vans, trucks, and buses, while the cybersecurity regulations also reach light four-wheeler vehicles if equipped with automated driving functionalities from level 3 (conditional automation) onward. The regulations will enter into force in January 2021.

The European Union, South Korea, and Japan are expected to take steps to adopt these UNECE regulations in their respective national laws in the next couple of years. Given the widespread use of UN Regulations in the automotive sector globally, we anticipate that other countries will also adopt these regulations. Once implemented, any manufacturer that sells vehicles in the implementing countries must comply with the regulatory requirements, including by ensuring that its supply chain would not prevent compliance. As a result, the effects of the regulations are likely to flow down to vehicle manufacturers even in countries that do not adopt them, such as the United States.

These new regulations come at a time when the CAV market is poised for rapid changes and growth. By 2030, industry observers expect connected vehicles to contain 300 million lines of code, and the software and electrical/electronic vehicle component market is expected to grow to $469 billion. While some countries have issued best practices for CAV engineering, such as Automated Driving Systems 2.0 in the United States and the National Guidelines for Developing the Standards System of the Telematics Industry in China, the UNECE regulations are the first binding requirements on cybersecurity and software. As such, their creation and implementation may significantly influence how growth in the CAV market occurs.

The Regulations

Under these regulations, vehicle manufacturers must demonstrate, before placing their vehicles in the market, that the vehicles meet requirements relating to cybersecurity and software updates for the life of the vehicle. Manufacturers must certify regulatory compliance with each regulation and successfully complete a government audit of compliance in order to sell the vehicles in implementing countries.  Both UNECE regulations provide requirements and a framework for manufacturers to reference when creating their compliant processes, some of which we set out below.

Cybersecurity Regulation

Vehicle manufacturers are required to:

  • Create a cybersecurity management system that applies to the development, production, and post-production phases of a vehicle’s lifecycle;
  • Identify both critical risks and mitigation measures;
  • Verify the effectiveness of mitigation measures;
  • Monitor and respond to cyber threats, including through use of vehicle data and logs and data forensics; and
  • Provide yearly reports on any cybersecurity risks found through the required monitoring and the ongoing effectiveness of the risk mitigation measures in place.

Software Updates Regulation

Vehicle manufacturers are required to:

  • Create a software update management system;
  • Assess the interdependence of systems in need of an update and whether the update affects safety or safe driving;
  • Identify which vehicles need a system update and inform users of the updates;
  • Document the need for changes, the vehicle systems affected by the changes, whether the changes require additional government approvals, and the verification and validation procedures performed on the software update;
  • Secure the software update and the delivery system during its development and deployment; and
  • Ensure over-the-air updates can be completed safely, are performed when the vehicle has adequate power, and do not prevent functionality if the update fails.

Several countries have already announced their domestic timetables to implement these regulations.  In the EU, all new vehicle types must comply with these regulations by July 2022; by July 2024 these requirements will apply to all new vehicles.  Japan will apply the regulations once they enter into force in January 2021.  South Korea will implement the regulations as guidelines to be released later in 2020, and will formally implement the regulations at a later date.

* The UNECE is one of the five regional commissions of the United Nations, and its aim is to promote pan-European economic integration.  UNECE includes 56 member states in Europe, North America and Asia.  Its regulations do not have direct effect to all members, but members of the UNECE may adopt UNECE regulations into their national laws.

This post is a part of Covington’s CAV blog series, which covers CAV developments across the world. To access prior CAV blog posts and webinars and to learn more about our team and our work, please visit Covington’s CAV website.