On June 24, 2020, the United Nations Economic Commission for Europe (“UNECE”)* adopted two regulations that will have a significant impact on manufacturers of connected and autonomous vehicles (“CAVs”). These regulations impose obligations relating to cybersecurity and software updates for passenger cars, vans, trucks, and buses, while the cybersecurity regulations also reach light four-wheeler vehicles if equipped with automated driving functionalities from level 3 (conditional automation) onward. The regulations will enter into force in January 2021.

The European Union, South Korea, and Japan are expected to take steps to adopt these UNECE regulations in their respective national laws in the next couple of years. Given the widespread use of UN Regulations in the automotive sector globally, we anticipate that other countries will also adopt these regulations. Once implemented, any manufacturer that sells vehicles in the implementing countries must comply with the regulatory requirements, including by ensuring that its supply chain would not prevent compliance. As a result, the effects of the regulations are likely to flow down to vehicle manufacturers even in countries that do not adopt them, such as the United States.

These new regulations come at a time when the CAV market is poised for rapid changes and growth. By 2030, industry observers expect connected vehicles to contain 300 million lines of code, and the software and electrical/electronic vehicle component market is expected to grow to $469 billion. While some countries have issued best practices for CAV engineering, such as Automated Driving Systems 2.0 in the United States and the National Guidelines for Developing the Standards System of the Telematics Industry in China, the UNECE regulations are the first binding requirements on cybersecurity and software. As such, their creation and implementation may significantly influence how growth in the CAV market occurs.

The Regulations

Under these regulations, vehicle manufacturers must demonstrate, before placing their vehicles in the market, that the vehicles meet requirements relating to cybersecurity and software updates for the life of the vehicle. Manufacturers must certify regulatory compliance with each regulation and successfully complete a government audit of compliance in order to sell the vehicles in implementing countries.  Both UNECE regulations provide requirements and a framework for manufacturers to reference when creating their compliant processes, some of which we set out below.

Cybersecurity Regulation

Vehicle manufacturers are required to:

  • Create a cybersecurity management system that applies to the development, production, and post-production phases of a vehicle’s lifecycle;
  • Identify both critical risks and mitigation measures;
  • Verify the effectiveness of mitigation measures;
  • Monitor and respond to cyber threats, including through use of vehicle data and logs and data forensics; and
  • Provide yearly reports on any cybersecurity risks found through the required monitoring and the ongoing effectiveness of the risk mitigation measures in place.

Software Updates Regulation

Vehicle manufacturers are required to:

  • Create a software update management system;
  • Assess the interdependence of systems in need of an update and whether the update affects safety or safe driving;
  • Identify which vehicles need a system update and inform users of the updates;
  • Document the need for changes, the vehicle systems affected by the changes, whether the changes require additional government approvals, and the verification and validation procedures performed on the software update;
  • Secure the software update and the delivery system during its development and deployment; and
  • Ensure over-the-air updates can be completed safely, are performed when the vehicle has adequate power, and do not prevent functionality if the update fails.

Several countries have already announced their domestic timetables to implement these regulations.  In the EU, all new vehicle types must comply with these regulations by July 2022; by July 2024 these requirements will apply to all new vehicles.  Japan will apply the regulations once they enter into force in January 2021.  South Korea will implement the regulations as guidelines to be released later in 2020, and will formally implement the regulations at a later date.

* The UNECE is one of the five regional commissions of the United Nations, and its aim is to promote pan-European economic integration.  UNECE includes 56 member states in Europe, North America and Asia.  Its regulations do not have direct effect to all members, but members of the UNECE may adopt UNECE regulations into their national laws.

This post is a part of Covington’s CAV blog series, which covers CAV developments across the world. To access prior CAV blog posts and webinars and to learn more about our team and our work, please visit Covington’s CAV website.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Claire O'Rourke Claire O'Rourke

Working with emerging, national, and multinational companies and non-profits, Claire O’Rourke handles matters involving a range of data privacy and cybersecurity issues.

Claire works with clients in the technology, financial services, life sciences, and healthcare industries, among others. She provides strategic advice on…

Working with emerging, national, and multinational companies and non-profits, Claire O’Rourke handles matters involving a range of data privacy and cybersecurity issues.

Claire works with clients in the technology, financial services, life sciences, and healthcare industries, among others. She provides strategic advice on preparation for, response to, and legal obligations and risk mitigation after a cybersecurity incident. Claire also counsels clients on compliance with generally applicable and sector-specific federal and state privacy laws. She has assisted clients in drafting and reviewing privacy policies and terms of service, designing new products and services to comply with applicable privacy laws, and reviewing contract or other agreements for potential privacy issues.

Prior to practicing law, Claire was a congressional staffer and worked for a trade association that assists small businesses.

Photo of Sam Jungyun Choi Sam Jungyun Choi

Recognized by Law.com International as a Rising Star (2023), Sam Jungyun Choi is an associate in the technology regulatory group in Brussels. She advises leading multinationals on European and UK data protection law and new regulations and policy relating to innovative technologies, such…

Recognized by Law.com International as a Rising Star (2023), Sam Jungyun Choi is an associate in the technology regulatory group in Brussels. She advises leading multinationals on European and UK data protection law and new regulations and policy relating to innovative technologies, such as AI, digital health, and autonomous vehicles.

Sam is an expert on the EU General Data Protection Regulation (GDPR) and the UK Data Protection Act, having advised on these laws since they started to apply. In recent years, her work has evolved to include advising companies on new data and digital laws in the EU, including the AI Act, Data Act and the Digital Services Act.

Sam’s practice includes advising on regulatory, compliance and policy issues that affect leading companies in the technology, life sciences and gaming companies on laws relating to privacy and data protection, digital services and AI. She advises clients on designing of new products and services, preparing privacy documentation, and developing data and AI governance programs. She also advises clients on matters relating to children’s privacy and policy initiatives relating to online safety.