On June 19, 2025, at the 4th China Internet of Vehicles Security Conference, Qin Zhen, Director of the Digital Technology and Safety Department of Zhiji Automotive Technology Co., Ltd., explained in detail the background, core content and pair of UN R155 certificationIntelligent networkingRequirements for automotive network security management. He pointed out that UN R155 is the world’s first mandatory regulation on automotive cybersecurity, requiring automakers to establish a cybersecurity management system covering the entire life cycle of vehicles, and ensure vehicle cybersecurity through two major certification links: CSMS and VTA.
Qin Zhen also discussed the current situation, challenges and key points of intelligent networked vehicle network security management. Qin Zhen emphasized that with the continuous advancement of technology, intelligent connected vehicles face multiple challenges such as technical complexity, supply chain security, data privacy protection and regulatory compliance. To address these challenges, he proposed key points such as building a sound demand management balance mechanism, strengthening supply chain security management, continuous monitoring, and user privacy protection. Finally, Qin Zhen looked forward to the future development trend of intelligent connected vehicle network security management, including the optimization of laws and regulations, the unification of industry standards, and network security technology innovation.
Qin Zhen | Director of Digital Technology and Safety Department of Zhiji Automotive Technology Co., Ltd
The following is a summary of the speech:
UN R155 certification and core interpretation
In recent years, competition in the automobile market has become more and more fierce. At the same time, with the continuous advancement of technology, intelligent connected vehicles are rapidly integrating into people’s daily lives. While intelligent connected vehicles bring convenience and comfort to driving, they have also raised public concerns about their network security. In recent years, the country’s regulatory requirements and laws and regulations for intelligent networked vehicles have become increasingly stringent. I will combine Zhiji Automobile’s practical experience in the process of UN R155 certification to expound my views on the network security management of intelligent connected vehicles.
UN R155 certification was released by the United Nations World Forum for Harmonization of Vehicle Regulations in June 2020 and is the world’s first mandatory regulation for automotive cybersecurity, mainly applicable to vehicles exported to EU countries and regions. The regulation aims to require automakers to establish a cybersecurity management system covering the entire life cycle of the vehicle to ensure that the cybersecurity risks of the vehicle are controllable in all aspects.
UN R155 certification mainly covers two aspects, one is network security management system certification, and the other is vehicle type certification. Among them, CSMS mainly reviews the network security management process established by manufacturers throughout the vehicle life cycle, that is, from design and development, manufacturing, operation to scrapping. These processes include but are not limited to organizational processes, risk management and control processes, incident handling processes, and supply chain security management processes, aiming to ensure that corresponding risk control measures are in place throughout the entire life cycle of vehicles. CSMS acts as a safety compass, guiding vehicles in the direction of safety at all stages.
VTA mainly reviews the specific work in the process of vehicle information security development to ensure that the safety protection technology of the vehicle submitted for inspection is sufficiently complete during the review process. Its main assessment content covers all 32 security benchmark requirements in Appendix 5, including software security, access encryption control and other related content. VTA is a verification of the implementation of CSMS, like a comprehensive safety physical examination of the vehicle, to ensure that the vehicle’s protective measures are complete and effective.
Source: Speaker material
Both the UN R155 regulation and the ISO 21434 standard require the establishment of a cybersecurity risk management system covering the entire vehicle life cycle. As a technical support, the ISO 21434 standard plays an auxiliary role in the specific implementation and engineering implementation of UN R155 regulations. If the company can meet the requirements of the ISO 21434 standard, it can usually also comply with the relevant provisions of the UN R155 regulation.
At present, in the traditional global vehicle development process of many car companies, cybersecurity-related content is becoming more and more deeply embedded. In the entire development process, from the perspective of the upper part of the process, it mainly involves the work that the network security team of the car company needs to carry out; The second half of the process is to distribute cybersecurity requirements to component manufacturers. After obtaining these safety requirements, component manufacturers will carry out corresponding work based on them, including formulating technical specifications, architectural design, and carrying out security development, integration and testing.
Source: Speaker material
For the network security team of the OEM, in the early stage of the project, it is mainly responsible for project management. This includes asset management, threat analysis, and risk assessment. At the same time, according to the requirements of current laws and regulations, network security-related requirements are transformed into specific security requirements, and these requirements are conveyed to relevant departments through effective methods such as training and publicity, and then these departments convey them to suppliers.
After the vehicle development process is completed, the network security team needs to verify all completed network security development functions and implementations, and confirm the relevant functions through penetration testing and other means. After the verification work, the team also needs to participate in the review and evaluation of the entire network security.
Currently, many automakers are actively integrating cybersecurity-related content into their existing global vehicle development processes. At present, we have built an integrated vehicle development process that fully integrates safety-related content into the entire vehicle development process.
UN R155Certification requirements for network security management
UN R155 regulations put forward specific requirements for automotive cybersecurity management. Based on CSMS, enterprises need to build a complete network security management system. First of all, in terms of organizational structure and responsibilities, enterprises should establish a clear organizational structure for network security management and reasonably allocate responsibilities to ensure that each employee is clearly aware of their responsibilities and tasks. Secondly, enterprises need to formulate company-level network security policies and related processes to provide institutional guarantee for network security management. Furthermore, in view of the complexity of the vehicle supply chain, enterprises should jointly evaluate safety management capabilities with all links in the supply chain, achieve information sharing, and form a strong network security management synergy with suppliers. From a technical point of view, regulations require comprehensive coverage of software communication security, software security and hardware security to ensure the overall network security of the vehicle. Finally, in the operation stage, enterprises should use the platform to conduct real-time monitoring, respond to risks and deal with relevant incidents in a timely manner to ensure the effectiveness of vehicle safety protection.
From the practical application of UN R155 regulations, I think it is of great significance to enterprises in many ways. First of all, UN R155 regulations cover the entire link security of automobiles from management system to vehicle technology, providing crucial safety basis and standards for enterprises. Secondly, the regulation establishes unified compliance requirements for car companies in many overseas countries, which helps reduce the compliance costs of car companies. Finally, UN R155 regulations help car companies prevent security risks or privacy leaks caused by network security attacks through mandatory measures and technical requirements.
In terms of the current situation of safety management of intelligent networked vehicles, from the level of regulations, our country is targetingNew energy vehiclesLaws and regulations are gradually improving. The relevant laws and regulations that have been introduced before and the relevant laws and regulations that will be officially implemented in 2026 have put forward safety compliance requirements for car companies, and car companies can refer to these regulations to carry out compliance work.
Source: Speaker material
At present, major car companies are actively engaged in the practice of network security-related matters, including building corresponding network security management systems to meet regulatory requirements. This is not only a mandatory requirement of laws and regulations for car companies, but also a measure taken by car companies out of their own development needs. On the one hand, this will help improve the overall safety of the vehicle; On the other hand, it can enhance the market competitiveness of vehicles.
From a technical point of view, intelligent connected vehicle technology has developed rapidly in recent years. The level of assisted driving technology continues to improve, V2X and other technologies continue to evolve, and the application of large models in the automotive field has become more and more widely in the past two years. In this context, car companies need to introduce more layers of security protection measures, not limited to traditional threat attack detection and response systems and other protection methods, and take deeper protective measures for emerging technologies such as large models.
Data security should not be overlooked. Intelligent networked vehicles collect a large amount of vehicle data and user data, and how to ensure user privacy and ensure the safe use of data is an urgent problem to be solved.
Challenges in the management of network security of intelligent connected vehicles
Based on the above problems, we are currently facing many challenges. The first is the challenge posed by technical complexity. With the introduction of many cutting-edge technologies into the automotive field, a variety of cutting-edge technologies are integrated with each other, which brings greater difficulty and challenges to safety protection work.
The second is supply chain security issues. Automobile production involves a large number of suppliers, and when car companies issue safety requirements and requirements to suppliers, it can be found that the capabilities of each supplier are uneven. Supply chain security has become an important risk point for vehicle safety.
The third is data privacy protection. On the one hand, it is necessary to use technical means to encrypt and store data; On the other hand, privacy terms and agreements should be established to prevent information leakage.
Fourth, the challenge of regulatory compliance. In the process of continuous technological development, national laws and regulations are also constantly adjusted. In the future, relevant standards and mandatory requirements will be issued for hidden door handles, assisted driving and other issues. Car companies need to keep up with changes in laws and regulations and adjust their safety strategies in a timely manner.
Key points of network security management of intelligent connected vehicles
Based on the current situation and challenges of intelligent connected vehicles, this paper reviews the UN R155 certification work carried out by Zhiji Automobile for overseas projects. At that time, the certification was a stepping stone for car companies to open the European market, but it was essentially a test of the safety capabilities of car companies. Combined with the implementation of future mandatory standards in China, we believe that there are several key points in network security management.
The first is to build a sound demand management balance mechanism. Combined with the GVDP system process, from the issuance of safety requirements, to the safety intervention and design review in the process of parts development and design, to the testing and certification of parts, and finally to the review of vehicle test results, this series of processes constitutes a closed-loop management of safety requirements. In this way, complemented by an evaluation mechanism, it is ensured that all issued safety requirements are ultimately met on the vehicle as required.
The second is to strengthen supply chain security management. Throughout the process, it is necessary to ensure that suppliers in the supply chain meet safety requirements to ensure the safety and reliability of products.
We believe that the second key is continuous monitoring and user privacy protection. In terms of continuous monitoring, the existing safety operation center platform and the response mechanism of the safety emergency response center can be used to monitor safety incidents on the vehicle and respond in a timely manner. In the future, VTA and other methods can be used to ensure the safety and stability of the entire system state.
In terms of user privacy protection, the attention paid to data security in the field of vehicle security in the past was relatively insufficient. With the promulgation and implementation of the Data Security Law of the People’s Republic of China, as well as the annual data security reporting carried out by the Ministry of Industry and Information Technology, the automotive industry attaches more importance to data security year by year. The data collected by vehicles is diverse and large, covering users’ personal usage habits, personal data, car driving data, and highly sensitive data such as important geographical locations of countries. In this process, in order to ensure that data is not leaked and avoid data leakage, on the one hand, it is necessary to encrypt the data, and new technologies such as privacy computing can be introduced in the future. On the other hand, it is necessary to formulate reasonable privacy terms and agreements to clarify the rights and interests between users and car companies and protect their privacy rights.
Future trends and prospects
From the perspective of laws and regulations, laws, regulations and standards will continue to be optimized to meet the development needs of the industry and promote the safety management of intelligent networked vehicles to move towards a more standardized and refined direction. From an industry perspective, the industry will promote information sharing, promote the gradual unification of industry standards, and build a healthy competitive environment. From the perspective of corporate compliance costs, enterprises need to balance security investment and economic benefits to achieve efficient compliance and avoid market losses or legal risks due to security incidents.
Source: Speaker material
From a technical point of view, more continuous innovation of network security technologies will emerge in the future, significantly improving the protection capabilities of intelligent networked vehicles. From a consumer perspective, consumers are paying more and more attention to network security, which has prompted car companies to continuously improve their security capabilities to meet market demand. In terms of future development, the high requirements for network security will promote car companies to continuously optimize protective measures and improve the overall security level of intelligent connected vehicles to meet market expectations.
(The above content comes from the keynote speech “Network Security Management of Intelligent Connected Vehicles from the Perspective of UN R155 Certification” delivered by Qin Zhen, Director of the Digital Technology and Safety Department of Zhiji Automotive Technology Co., Ltd., at the 4th China Internet of Vehicles Security Conference on June 19, 2025.) )
