Cybersecurity
Type approvals, testing, the APK/MOT, the registration obligation for (agricultural) construction vehicles: RDW is always focused on improving safety. As vehicles become smarter and autonomous driving is approaching reality, 'safety' takes on a new dimension. Cybersecurity is a game changer.
Vehicles are rapidly becoming more digital. There are now around 110 million connected cars on the road, a number that will run into 200 million in 2025. These technical innovations bring about new risks: cybercrime is on the rise.
Attacks on car systems, especially in smart and connected vehicles, pose a risk to the driver, passengers and other road users. This makes cybersecurity a matter of national and European interest.
The R155 sets new requirements for manufacturers, starting with the design of the Cyber Security Management System (CSMS). Manufacturers record and demonstrate how they safeguard, monitor and maintain the quality of the associated digital service.
Once the CSMS has been developed, RDW or a technical service that is designated by the RDW tests it on the basis of an assessment. If the CSMS complies with the regulations, RDW issues a Certificate of Compliance. The manufacturer can then request a vehicle type assessment and certification, to check whether a vehicle is cybersecure.
The RDW experts assess compliancy of the vehicle type to R155. Of course, this can also be done by another designated technical service. If the vehicle type has passed, the manufacturer can apply for a type-approval for the vehicle with the certification department.
This application is carefully assessed: all safety aspects must have been met. Also, information is exchanged at European level. If all requirements are met, the vehicle is approved and may be produced as specified.
Manufacturers remain responsible for the cybersecurity of the vehicle throughout its entire life cycle. This responsibility comes in addition to the manufacturer's obligation to meet the requirements laid down in existing laws and regulations. The aim is to ensure that the vehicle is always protected against cyberattacks with an up-to-date system, through continuous monitoring and if necessary by implementing improvements via software updates in the event of a cyber threat, danger or vulnerability.
The regulation does not only lay down requirements that the manufacturer of a cybersecure vehicle type must meet. It also holds the requirement that the type-approval authority and the designated technical services have skilled personnel in place, with the appropriate cybersecurity knowledge, in particular about vehicle cybersecurity risk assessments. It also looks at the implementation of procedures ensuring uniform assessments carried out in accordance with this regulation. The R155 regulation is an important step towards vehicle cybersecurity.
The R155 Cybersecurity regulation is part of a series of regulations addressing vehicle cybersecurity. This series also includes the R156, Software Updates and the R157, Automated Lane Keeping System (ALKS).
At the national level, RDW noticed at an early stage that the far-reaching increase in digitisation and cybercrime brings about a new dimension for the safety of the vehicle and therefore the citizen. This awareness had already led to the development of the Vehicle Safety & Security Framework (VSSF), a framework for assessing digital technologies used in vehicles.
Together with external partners such as other admission authorities, manufacturers and (foreign) technical services, RDW is working towards achieving safe traffic in the future. The manufacturer is responsible for cybersecurity and all associated systems. RDW checks whether the manufacturer takes up this responsibility.
RDW is among the European entities taking the lead in addressing these developments. As a testing body, RDW needs to be innovative and creative. After all, the playing field of cybersecurity is constantly changing.