Software updates

Vehicles are rapidly becoming more digital. There are now around 110 million connected cars on the road, a number that will run into 200 million in 2025. These technical innovations bring about new risks: cybercrime is on the rise.

Attacks on car systems, especially in smart and connected vehicles, pose a risk to the driver, passengers and other road users. This makes adequate software updates a matter of national and European interest.

The UNECE regulation for software updates, the R156, has been in force since January 2021. At UNECE level, the Netherlands played a key role in drafting these regulations. It is an important step in improving the digital safety of vehicles. The R156 is closely connected to the R155: the UNECE regulation for cybersecurity.

The R156 sets new requirements for manufacturers, starting with the design of the Software Updates Management System (SUMS). Manufacturers record and demonstrate how they safeguard, monitor and maintain the quality of the associated digital service. The quality is to be maintained by the SUMS at organisational level and by complying with specific requirements at vehicle-type level. The SUMS applies to the development and (post) production phase of the vehicle.

Once the SUMS has been developed, RDW or a technical service designated by the RDW tests it on the basis of an audit.
If the system complies with the regulations, RDW issues a Certificate of Compliance (COC). RDW issues this COC for a maximum of 3 years, provided that the requirements continue to be met. The RDW verifies this on an on-going basis with the aid of information and cooperation provided by the manufacturer. The COC can be changed or withdrawn before the end of its validity.

Once the COC has been issued, the RDW experts validate the tests or carry out tests themselves. In the Netherlands, a number of technical services have now been (pre-conditionally) designated to do this as well. If the quality management systems have passed the assessments, the manufacturer can apply for a type-approval for the vehicle with the certification department of RDW.
This application is carefully assessed: all safety aspects must have been met. Also, information is exchanged at European level. If all requirements are met, the vehicle is approved and may be produced as specified.

Manufacturers remain responsible for the proper functioning of the digital service and the interaction with the mechanics of the vehicle throughout its entire life cycle. The aim is to ensure that the protection of the vehicle against cyberattacks is always up-to-date, through continuous monitoring and if necessary by implementing improvements via software updates in the event of a cyber threat, danger or vulnerability.

The regulation does not only lay down requirements that the manufacturer of a SUMS must meet. It also holds the requirement that the type-approval authority and the designated technical services have skilled personnel in place, with the appropriate software update knowledge, and specific knowledge about vehicle cybersecurity risk assessments. It also looks at the implementation of procedures ensuring uniform assessments carried out in accordance with this regulation. The R156 regulation is an important step towards vehicle cybersecurity.

At the national level, RDW noticed at an early stage that the far-reaching increase in digitisation and cybercrime brings about a new dimension for the safety of the vehicle and therefore the citizen. This awareness has already led to the development of the Vehicle Safety & Security Framework (VSSF), a framework for assessing digital technologies used in vehicles.

Together with external partners such as other admission authorities, manufacturers and (foreign) technical services, RDW is working towards achieving safe traffic in the future. The manufacturer is responsible for cybersecurity and all associated systems. RDW checks whether the manufacturer takes up this responsibility.

RDW is among the European entities taking the lead in addressing these developments. As a Type Approval Authority and as a Technical Services organisation, RDW needs to be innovative and creative. After all, the playing field of cybersecurity is constantly changing.

From 6 July 2022, all new type-approvals that fall under the scope of the UNECE 156 regulation must comply with this regulation. From 7 July 2024, this obligation also applies to all relevant vehicles that are manufactured from then on, even if the manufacturing is based on existing type-approvals.