- The new UN / UNECE WP.29 regulation, which has been enforced by the European Commission came into force on January 22nd, 2021 and requires vehicles to get a certification to ensure that they are cybersecure throughout their whole life cycle.
- This affects cars, buses, trucks, vans, caravans, and trailers.
- The European Union has already announced that it will enforce the regulation from July 2022 and will affect all new vehicles from July 2024.
- EUROCYBCAR, based in Vitoria-Gasteiz, Spain, is the only company in the world that, currently, certifies the ‘Cybersecure Vehicle’ according to the UN / UNECE WP.29 regulation.
The European Commission has enforced the UN / UNECE WP.29 regulation, which requires vehicles to have a cybersecurity certificate and which came into force on January 22nd, 2021, in 54 of the 56 countries that make up the UNECE – except for the United States and Canada.
It will be mandatory in all the countries of the European Union and it will affect cars, vans, caravans, trucks and buses. It will affect, as well, quadricycles if equipped with automated driving functions from level 3 onwards, and trailers if they have, at least, one electronic control unit.
From July 2022, manufacters in the EU, obtaining approval for new vehicle types, must comply with this Regulation. The obligation will extend to all the new vehicles sold in this territory from July 1st, 2024.
To obtain the cybersecurity certification, manufacturers must show that their models are cyber protected against 70 vulnerabilities. This list of risks to avoid includes potential cyber-attacks during the whole process: development, production, and post-production of the vehicle, so those models that get the certification will be protected throughout their entire life cycle. In addition, it is specified that an Approval Authority/technical service, independent of the manufacturer, must certify whether the vehicle under evaluation meets these requirements.
In case that some manufacturer sells in the EU a vehicle that does not comply with the UN / UNECE WP.29 regulation or it is proven that they deceived the Approval Authority to obtain the certificate in an irregular way, they would face penalties of up to 30,000€ per vehicle and the homologation of the affected models could be withdrawn or suspended -which would prevent them from being sold-.
The regulation does not specify which measures must be taken by manufacturers against these 70 threats. Neither it indicates what types of tests must be done to know if a vehicle can obtain the cybersecurity certificate of compliance.
Nowadays, there is only a company in the world which has a test that evaluates if vehicles comply with the requirements from the regulation: EUROCYBCAR. The tests are carried out in a laboratory located in Vitoria-Gasteiz, Spain, where hackers, IT engineers, car testers and QTesters have been performing the cybersecurity technical evaluation, for many years- the EUROCYBCAR Test- to vehicles of public institutions and OEMs.Nowadays, there is only a company in the world which has a test that evaluates if vehicles comply with the requirements from the regulation: EUROCYBCAR. The tests are carried out in a laboratory located in Vitoria-Gasteiz, Spain, where hackers, IT engineers, car testers and QTesters have been performing the cybersecurity technical evaluation, for many years- the EUROCYBCAR Test- to vehicles of public institutions and OEMs.
Once the vehicle has undergone the EUROCYBCAR test protocol and passes the test -it is eligible- it is awarded with a cybersecurity certificate and it is stamped with a score ranging from three to five. The higher the score is, the better protection; meaning that the analyzed car come with a higher level of protection; i.e., that “it will be a guarantee that it protects the user’s data and privacy as well as the lives of those who travel on board”.
Azucena Hernández, EUROCYBCAR’s CEO, says that this regulation is drastic but very necessary: “the vehicles are big wheeled computers that must be protected, at least, as a smartphone or a computer is protected”. The CEO explains “the consequences of not being properly cyber protected could be tragic, not only by a premeditated cyberattack, but also for a bad use of the user: it could be produced for something as simple as downloading music from internet on a pendrive, connecting it to the USB port of our car and in doing so we are actually introducing, inadvertently, a virus or malware that blocks the vehicle’s operating system, causing the car to stop completely while driving, with the risk that this could entail”.
Link for download the report.
Link to the video EUROCYBCAR / UN regulation / UNECE.