WP.29 and Beyond: Global Trends in Automotive IoT Cybersecurity 2025

The automotive industry is undergoing a historic transformation. As connected cars, autonomous vehicles, and advanced driver assistance systems make vehicles increasingly software-defined, cybersecurity has shifted from a technical afterthought to a regulatory requirement.

At the heart of this transformation lies UN Regulation No. 155 (WP.29) — the global framework that mandates cybersecurity management across the entire vehicle lifecycle. Introduced by the United Nations Economic Commission for Europe (UNECE), WP.29 is now shaping automotive standards from Detroit to Delhi, Tokyo to Stuttgart, ensuring cybersecurity is integrated throughout the vehicle’s lifecycle.

But as we move through 2025, the regulation is only part of a larger trend. Nations are building on its foundation to address emerging risks — from over-the-air (OTA) updates and supply-chain software integrity to AI-driven vehicle systems. Addressing cyber risks is now essential to protect connected and autonomous vehicles from evolving threats.

For OEMs, Tier-1 suppliers, and mobility technology providers, the challenge is clear: security must now be designed, demonstrated, and automated at scale. Auto manufacturers, in particular, are responsible for implementing cybersecurity standards like WP.29 across global markets and throughout the vehicle’s lifecycle.

Introduction to the Automotive Industry

The automotive industry is experiencing a profound transformation as connected vehicles, autonomous features, and software-driven technologies become the new standard. Automotive manufacturers are leading this evolution, integrating advanced systems that deliver greater safety, convenience, and efficiency for drivers and passengers alike. The shift toward digital, interconnected vehicles is redefining how manufacturers design, build, and support their products, creating a dynamic ecosystem where vehicles are no longer isolated machines but part of a broader network.

However, this surge in connectivity brings new challenges. As vehicles become more reliant on digital systems and external communications, they are increasingly exposed to cyber threats that can compromise safety, privacy, and operational integrity. Automotive cybersecurity has therefore emerged as a critical priority for manufacturers, suppliers, and technology partners. To protect vehicles and their users, the industry must adopt comprehensive cybersecurity solutions that address vulnerabilities across all systems and technologies. By prioritizing security at every stage, automotive manufacturers can ensure that innovation goes hand-in-hand with resilience, safeguarding the future of connected mobility.

A New Era of Automotive Regulation

WP.29 marked a turning point for global vehicle cybersecurity. It requires manufacturers to establish two core frameworks:

  1. Cybersecurity Management System (CSMS) — ensuring security risks are managed throughout design, production, and post-production. Production and manufacturing are both stages where cybersecurity must be integrated to protect connected vehicles.
  2. Software Update Management System (SUMS) — guaranteeing secure software updates and version control across a vehicle’s lifecycle.

Initially applied to new vehicle types from 2021, WP.29 now extends to all newly produced vehicles. Compliance is mandatory in markets across Europe, Japan, South Korea, and increasingly, India and China. Securing systems throughout these production and manufacturing processes is essential to mitigate vulnerabilities and ensure regulatory compliance.

While the regulation sets a baseline, regional adaptations are expanding its reach — each adding layers of complexity that demand automation and advanced identity management.

Beyond Europe: Global Expansion of Automotive Cybersecurity Rules

Asia: India and China Lead Regional Adoption

India has committed to adopting WP.29 as part of its Bharat NCAP safety framework, with a strong emphasis on supply-chain accountability. Vehicle manufacturers play a crucial role in implementing these cybersecurity standards, ensuring that connected and autonomous vehicles meet regulatory requirements throughout their lifecycle.

China’s MIIT (Ministry of Industry and Information Technology) has gone even further, introducing requirements for vehicle-to-cloud identity verification, continuous risk reporting, and data residency compliance. Automotive IoT security is essential for meeting these requirements, as it protects connected vehicles from cyber threats and addresses vulnerabilities in IoT components to ensure regulatory compliance.

United States: From Voluntary to Mandated

In the US, NHTSA and CISA are aligning with WP.29 principles through executive orders and voluntary best-practice frameworks — but mandatory legislation is on the horizon. Automotive IoT devices connected to federal fleets must now comply with Executive Order 14028, which mandates Zero Trust and machine identity management. Organizations require a comprehensive solution to manage compliance and security for automotive IoT devices in this evolving regulatory environment.

Europe: Deepening Integration

Within the EU, WP.29’s implementation is converging with the Cyber Resilience Act (CRA), extending regulatory oversight to include components, ECUs, and digital services. Manufacturers must now demonstrate both product-level and system-level security governance. Managing each connected component within the vehicle’s electronic system is essential for compliance, ensuring that every part can be individually secured, tracked, and trusted.

Why WP.29 Compliance Requires Automation

Achieving compliance manually across an entire vehicle fleet is infeasible. Each car can contain over 100 million lines of code and hundreds of connected components.
Managing identities, certificates, and update authorisations manually is both error-prone and unscalable. Manual processes can also result in overlooked software vulnerabilities, increasing the risk of security breaches and compromising vehicle safety and data integrity.

Automation — specifically automated machine identity management — is the only viable path to achieving consistent, verifiable compliance.

The Role of Device Identity in Vehicle Trust

Every electronic control unit (ECU), sensor, and gateway within a connected vehicle must possess a unique cryptographic identity.
This identity enables secure communication, OTA updates, and data integrity validation.
Without it, attackers can inject malicious firmware, spoof data, or compromise telematics systems. Protecting these critical systems—such as ECUs, autonomous driving subsystems, and other essential control components—is vital to ensure vehicle safety and integrity.

Device Authority’s KeyScaler 2025 provides the automation layer that OEMs and suppliers need to secure and manage those identities seamlessly across the supply chain.


KeyScaler 2025: Automotive-Grade Security Automation

KeyScaler 2025 automates trust for every device and component within the automotive ecosystem through:

  • AI-Driven Discovery – Identifies every connected device within manufacturing, production, and post-sale environments.
  • Automated Certificate Lifecycle Management – Issues, rotates, and revokes certificates automatically, ensuring continuous compliance.
  • Secure OTA Validation – Authenticates and verifies all software updates against trusted signatures.
  • Compliance Mapping – Aligns policies with WP.29, CRA, NIST, and ISO 21434 frameworks.
  • Audit-Ready Reporting – Generates evidence of compliance for OEMs and regulators instantly.

Having the right expertise is essential to implement and manage these advanced solutions effectively, ensuring robust protection for production lines, vehicles, and supply chains.

These capabilities eliminate manual bottlenecks, delivering verifiable security at the scale demanded by global automotive manufacturing.

WP.29 and ISO 21434: A Unified Framework

WP.29 is underpinned by ISO/SAE 21434, the global standard for road-vehicle cybersecurity engineering. ISO 21434 provides the technical depth — defining how risk assessment, security design, and incident response must be integrated into vehicle development.

KeyScaler 2025 bridges the gap between regulation and execution by embedding ISO 21434 processes into automated policy engines. This ensures every ECU and subsystem maintains compliance throughout the software development and update lifecycle. Maintaining robust security is especially critical for automotive systems and IoT devices that must remain secure and operational over long lifecycles.

From Factory Floor to Connected Fleet: Lifecycle Security

Automotive cybersecurity doesn’t end at production; it extends across the entire vehicle lifespan.

KeyScaler 2025 enables continuous lifecycle security:

  1. Manufacturing Phase: Secure provisioning of device identities during production. It is essential to monitor for new vulnerabilities that may arise even at this early stage.
  2. Distribution Phase: Authentication of devices as they connect to OEM cloud services. As vehicles are distributed, organizations must address new vulnerabilities that could be introduced during transit or integration.
  3. Operational Phase: Continuous monitoring and certificate renewal through OTA updates. Ongoing vigilance is required to detect and mitigate new vulnerabilities as vehicles operate in dynamic environments.
  4. End-of-Life Phase: Revocation of credentials to prevent post-use exploitation. Even at end-of-life, new vulnerabilities can emerge, making secure decommissioning critical.

This end-to-end approach ensures that every vehicle remains compliant, trusted, and tamper-proof throughout its lifetime.
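
The four phases above reduce to rules that can be checked against a credential inventory. The following is an added example, not Device Authority or KeyScaler code; the inventory rows, field names, finding labels and the 30-day renewal window are assumptions constructed for illustration.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)  # fixed clock for a reproducible run
RENEW_WINDOW = timedelta(days=30)                # assumed renewal lead time

# Constructed inventory, one row per ECU credential (all values hypothetical).
FIELDS = ("vin", "ecu", "serial", "phase", "not_after", "revoked")
ROWS = [
    ("VIN-A", "gateway",    "1001", "operational",   "2026-03-01", False),
    ("VIN-A", "telematics", "1002", "operational",   "2025-06-20", False),
    ("VIN-B", "gateway",    "1003", "operational",   "2025-05-01", False),
    ("VIN-C", "brake-ecu",  "",     "manufacturing", "",           False),
    ("VIN-D", "gateway",    "1004", "end_of_life",   "2027-01-01", False),
    ("VIN-E", "sensor",     "1005", "distribution",  "2026-09-01", False),
    ("VIN-F", "sensor",     "1005", "distribution",  "2026-09-01", False),
]
INVENTORY = [dict(zip(FIELDS, row)) for row in ROWS]

def audit(inventory, now=NOW):
    """Return sorted (vin, ecu, finding) tuples for credentials that break a lifecycle rule."""
    findings = []
    serials = Counter(r["serial"] for r in inventory if r["serial"])
    for r in inventory:
        key = (r["vin"], r["ecu"])
        if not r["serial"]:                      # manufacturing: identity never provisioned
            findings.append(key + ("no-identity-provisioned",))
            continue
        if serials[r["serial"]] > 1:             # identities must be unique per component
            findings.append(key + ("duplicate-identity",))
        if r["phase"] == "end_of_life":          # end of life: credential must be revoked
            if not r["revoked"]:
                findings.append(key + ("eol-credential-not-revoked",))
            continue
        if r["revoked"]:                         # revoked credential on an in-service part
            findings.append(key + ("revoked-but-in-service",))
            continue
        expiry = datetime.fromisoformat(r["not_after"]).replace(tzinfo=timezone.utc)
        if expiry <= now:                        # renewal was missed
            findings.append(key + ("expired",))
        elif expiry - now <= RENEW_WINDOW:       # renew before the credential lapses
            findings.append(key + ("renewal-due",))
    return sorted(findings)

if __name__ == "__main__":
    for vin, ecu, finding in audit(INVENTORY):
        print(f"{vin:6} {ecu:11} {finding}")
```

The two `duplicate-identity` findings are the ones to investigate first: a serial shared by two vehicles means at least one component does not hold a unique identity.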

IoT Security Risks and Solutions

The rapid integration of IoT technologies into modern vehicles has expanded the attack surface for cyber threats, making robust cybersecurity measures essential for the automotive industry. Connected vehicles rely on a vast array of sensors, ECUs, and communication modules, all of which can be targeted by cyber attacks if not properly secured. Data breaches, unauthorized access, and vulnerabilities in connected devices pose significant risks—not only to vehicle systems but also to sensitive data and user safety.

Automotive manufacturers and suppliers must address these challenges by implementing secure coding practices, strong identity management, and secure storage solutions throughout the automotive supply chain. The complexity of this supply chain, with its reliance on third-party software and hardware, introduces additional cybersecurity risks that require vigilant oversight and continuous monitoring. By adopting advanced IoT security solutions, such as automated credential management and policy-based access control, the industry can mitigate emerging threats and protect connected vehicles from evolving cyber attacks.

Prioritizing IoT security not only helps safeguard vehicles and their occupants but also supports operational efficiency and ensures regulatory compliance. As the automotive sector continues to innovate, a proactive approach to cybersecurity will be vital for maintaining consumer trust, protecting sensitive data, and enabling the safe deployment of next-generation connected vehicles.

The Rise of AI-Driven Vehicle Security

As vehicles integrate more AI-based decision systems — from autonomous driving to predictive maintenance — their attack surface expands. Ironically, AI is also the key to defending them.

KeyScaler 2025 leverages AI to analyse behavioural data across connected fleets, automatically detecting anomalies such as unauthorised firmware changes or unusual communication patterns. Protecting sensitive information, including location data, is critical in this analysis to ensure vehicle safety, data privacy, and compliance with cybersecurity frameworks. This real-time intelligence strengthens the manufacturer’s ability to enforce Zero Trust principles at scale.


Zero Trust for Automotive Networks

In the automotive context, Zero Trust means that no ECU, app, or cloud service is inherently trusted. Each must continuously prove its identity and integrity.

KeyScaler 2025 operationalises Zero Trust through:

  • Identity-based Access: Every system component is authenticated before communication.
  • Policy Enforcement: Contextual rules determine what data and commands each component can access.
  • Continuous Verification: AI monitors trust scores and revokes access dynamically.

These measures enable seamless connectivity across automotive networks, ensuring secure, real-time data exchange and integration without compromising security.

This model replaces perimeter-based security with adaptive, identity-centric defence — a perfect alignment with WP.29’s continuous risk-management requirements.

Supply Chain Security: The Next Regulatory Frontier

Automotive security extends far beyond the OEM. Each supplier, software vendor, and connectivity provider represents a potential vulnerability. Under WP.29, OEMs must demonstrate not only their own security posture but also that of their supply chain partners.

KeyScaler 2025’s API-driven integration allows suppliers to manage device credentials within a unified trust framework — providing transparent assurance without revealing proprietary data. This federated approach simplifies compliance while maintaining accountability across complex global ecosystems. The key benefits of this approach include enhanced threat detection, streamlined regulatory compliance, secure connectivity, and improved safety for automotive supply chains.

Proving Compliance: Auditability and ROI

Regulators now require continuous proof of compliance, not annual audits. KeyScaler 2025 automates evidence generation, providing a tamper-proof record of every certificate, policy update, and identity change.

For OEMs, this means:

  • Reduced audit preparation time from months to hours.
  • Clear traceability for every device identity and update.
  • Demonstrable alignment with NIST, CRA, and ISO standards.

Protecting sensitive information—such as location, biometric, and control data collected by connected vehicles—is essential for compliance, auditability, and maintaining trust.

Device Authority’s ROI Calculator quantifies the operational and financial value of this automation — helping CISOs and compliance leaders justify security investment.


What’s Next: AI Regulation and Vehicle Autonomy

As vehicles become increasingly autonomous, regulators are already looking beyond WP.29. Upcoming standards are expected to include:

  • AI System Assurance: Verifiable model integrity for autonomous decision-making. Securing the infotainment system in autonomous vehicles will be critical, as these systems are common entry points for cyberattacks.
  • Data Sovereignty Requirements: Stricter localisation of connected-vehicle telemetry. Infotainment systems are particularly vulnerable components and must be included in future cybersecurity standards to protect sensitive data and ensure comprehensive vehicle security.
  • Quantum-Safe Cryptography: Preparation for post-quantum threats.

Device Authority is actively developing solutions to address these emerging challenges, ensuring that KeyScaler 2025 remains future-proof for the next generation of mobility security.

Conclusion: From Compliance to Competitive Advantage

In the era of software-defined vehicles, cybersecurity is not just about compliance — it is about confidence.
Manufacturers that can demonstrate continuous, automated compliance will enjoy faster market access, stronger brand reputation, and greater customer trust.

Device Authority’s KeyScaler 2025 turns WP.29 obligations into operational strength. By automating machine identity management, enforcing Zero Trust, and integrating AI-driven compliance, it enables the automotive industry to innovate securely and at scale.

The road ahead is connected, autonomous, and intelligent. With automated trust at its foundation, it can also be secure by design.
