When UNECE WP.29 came into force, it transformed the global automotive industry. For the first time, cybersecurity became a mandatory requirement for modern vehicles — not a marketing feature, not a technical add-on, but a regulated obligation. WP.29 forced manufacturers to rethink how vehicles were designed, updated and secured, requiring formal Cybersecurity Management Systems (CSMS) and Software Update Management Systems (SUMS) across the entire vehicle lifecycle. This marked a significant global regulatory shift, as vehicle regulations now establish mandatory cybersecurity management systems, compliance protocols, and safety standards to ensure the security and reliability of connected vehicles worldwide.

However, three years on, the global landscape has shifted. While Europe initiated the change, India and China are now shaping the next evolution of automotive cybersecurity, moving faster, imposing broader requirements and influencing how multinational OEMs structure their entire security architecture. Device Authority highlighted this shift in its July blog update, noting the increasing pressure on manufacturers to support emerging markets and meet their rapidly developing regulatory frameworks. As technological advancements such as autonomous driving and increased connectivity emerge, these regulatory changes are introducing new cybersecurity challenges that require updated frameworks and proactive approaches.

This article explores how WP.29 set the foundation, how India and China are accelerating the pace, and what this means for OEMs, Tier 1 suppliers and the wider connected vehicle ecosystem.

How WP.29 Changed the Rules for Everyone

Before WP.29, cybersecurity expectations varied widely. Some manufacturers built robust secure-by-design practices; others outsourced vehicle security or relied on fragmented supplier controls. WP.29 changed this by establishing a universal baseline across markets that adopted UNECE standards.

WP.29 requires OEMs to:

• Implement a Cybersecurity Management System (CSMS)
• Monitor threats and vulnerabilities across the vehicle lifecycle
• Manage software updates through SUMS
• Protect vehicle ECUs, communication channels and cloud services
• Demonstrate compliance for regulatory approval and ongoing audits

System security is now recognized as essential for comprehensive protection of vehicle networks, safety-critical functions, and overall vehicle integrity to mitigate cyber threats and ensure regulatory compliance.

Rather than treating security as isolated engineering work, WP.29 forced the entire industry to adopt a lifecycle approach, where security is designed, verified, monitored and maintained continuously. This lifecycle approach is fundamental to advancing cyber security in the automotive sector, ensuring unified and regulated practices for protecting connected and autonomous vehicles.

These requirements reshaped automotive architectures — but they also revealed gaps, especially in rapidly expanding markets where vehicle connectivity is accelerating faster than regulation.

Why India and China Are Now Leading the Next Phase

While Europe laid the groundwork, India and China are the markets forcing OEMs to evolve fastest. Their regulatory changes, vast manufacturing ecosystems, and enormous fleets of connected vehicles have prompted new, stricter cybersecurity expectations that go beyond WP.29’s original scope. As a result, organizations must implement robust cybersecurity measures to ensure strong protections for connected vehicles and automotive systems.

These evolving requirements are designed to address emerging threats and mitigate risks across the entire vehicle lifecycle.

India: Scaling Regulation Across a Huge, Emerging Market

India’s automotive market is one of the world’s largest — and fastest digitising. With the rise of connected scooters, electric vehicles, telematics units and government-supported smart mobility initiatives, the Indian regulator has placed cybersecurity at the centre of national automotive strategy.

India’s evolving regulations increasingly mirror — and in some areas intensify — WP.29 principles. Manufacturers are expected to demonstrate:

• Secure identity provisioning for every vehicle component
• Tamper-resistant telematics and ECU communication
• Real-time update integrity
• Strong cryptographic controls for over-the-air (OTA) systems
• End-to-end visibility across the supply chain
• Comprehensive risk assessment processes to identify, categorize, prioritize, and manage security risks as part of regulatory compliance

Unlike smaller markets, India’s regulatory direction is shaped by scale. The number of vehicles entering roads each year makes manual processes, siloed PKI systems or non-automated update mechanisms unworkable. As a result, India’s cybersecurity expectations emphasise automation, lifecycle identity management and scalable PKI, making it a key driver of global best practice. A software update management system is also a critical requirement in India’s regulatory framework, ensuring secure and compliant management of OTA updates.

China: Security Requirements Driven by Data and Sovereignty

China’s influence on vehicle cybersecurity comes from two angles: its enormous domestic market and its strong regulatory stance on data protection, supply chain integrity and software localisation.

China has introduced sweeping requirements for:

• Local validation of cybersecurity frameworks
• Strict control over vehicle data leaving national borders
• Transparent, auditable software supply chains
• Verified identities for every connected component
• Secure OTA update flows with traceable provenance
• Rapid reporting and response to vulnerabilities, including deployment of critical security patches to address emerging threats

Managing supply chain and third-party suppliers also means identifying and controlling external dependencies, such as hardware components and data sources, to ensure the overall security and integrity of automotive systems.

These requirements go beyond WP.29 in both scope and depth. They push manufacturers towards continuous monitoring, fully auditable firmware pipelines and resilient machine identity frameworks that work across diverse supply chains — including the large number of Chinese Tier 1 and Tier 2 suppliers involved in global vehicle manufacturing.

A Common Global Pressure: Proving Identity Across the Entire Vehicle Lifecycle

Across Europe, India and China, one theme now dominates: vehicle components must have secure, verifiable machine identities throughout their entire lifecycle.

And not just ECUs. Today’s vehicles include:

• Telematics units
• Sensors
• Cameras
• Infotainment systems
• ADAS modules
• Battery management systems
• Connectivity gateways
• Third-party service integrations

These are all examples of connected devices, highlighting the diversity and interconnected nature of modern vehicle components.

Every component is a potential attack surface. Every component requires trust. Every component must be onboarded, authenticated, updated and monitored. Effective access control is essential to manage user and device permissions, ensuring only authorized entities can interact with critical vehicle systems.

This is where regulators increasingly expect modern, automated PKI and machine identity management platforms such as KeyScaler — not fragmented certificate systems or manual provisioning.

The New Regulatory Expectations: Continuous, Not Static

One of the biggest misconceptions about WP.29 is the idea that compliance is achieved through a one-time audit. In reality, regulators — particularly in India and China — now expect continuous assurance, not static documentation.

Manufacturers must demonstrate:

• Ongoing threat monitoring across the fleet
• Cryptographic control of OTA updates
• Supply chain transparency
• Continuous vulnerability management
• Identity lifecycle control (issuance, rotation, revocation)
• Ability to isolate compromised components
• Secure decommissioning for end-of-life vehicles
• Incident response protocols for detecting, mitigating, and recovering from cyber incidents

Automotive cybersecurity has become a 24/7 operational function, not a certification exercise. Implementing robust cybersecurity measures is now essential to meet regulatory requirements and ensure the safety and trust of connected vehicles.

The Supply Chain Challenge — and Why OEM-Owned Key Management Is Becoming Essential

The automotive supply chain spans thousands of components and dozens of suppliers. Historically, suppliers managed their own PKI or shared certificates with OEMs in loosely coordinated workflows.

That model is no longer viable.

Regulators increasingly expect OEMs to own the trust, not delegate it. This explains the rapid rise of interest in OEM-owned key management systems, a topic Device Authority has explored extensively in its connected vehicle white paper. A key management system (KMS) is essential for managing cryptographic keys throughout the vehicle lifecycle, ensuring secure key provisioning, storage, and rotation for automotive applications.

OEMs are increasingly responsible for:

• Issuing identities to components
• Validating supplier firmware
• Enforcing trust policies
• Managing OTA update certificates
• Managing vehicle key lifecycles for immobilizers, ECUs, and other automotive components
• Revoking compromised keys
• Maintaining full audit trails

Identity ownership is becoming a competitive advantage — and in some markets, a regulatory requirement.

FIDO Alliance and Industry Collaboration: Building a United Front for Automotive Security

As the automotive industry faces increasingly complex cybersecurity challenges, collaboration across the ecosystem has never been more critical. Industry alliances like the FIDO Alliance are playing a pivotal role in uniting automotive manufacturers, technology providers, and standards bodies to establish robust security frameworks for connected vehicles.

The FIDO Alliance, renowned for its work in developing secure, passwordless authentication standards, is now extending its expertise to the automotive sector. By promoting interoperable identity verification and secure communication protocols, FIDO and similar organizations are helping to ensure that only authorized users and devices can access safety critical functions and sensitive data within modern vehicles. This is especially vital as vehicles become more connected, integrating advanced driver assistance systems, infotainment platforms, and over-the-air software update capabilities.

Industry collaboration goes beyond standard-setting. It enables the sharing of threat intelligence, best practices, and technical innovations that help automotive companies stay ahead of emerging cyber threats. Joint initiatives are driving the adoption of secure boot mechanisms, cryptographic keys, and hardware security modules, all of which are essential for maintaining system integrity and protecting against data theft or unauthorized access.

By working together, stakeholders across the automotive ecosystem can develop and implement security measures that are scalable, interoperable, and aligned with global regulatory requirements such as WP.29, ISO/SAE 21434, and the evolving mandates in India and China. This united front is crucial for mitigating security risks, ensuring compliance, and safeguarding the entire vehicle lifecycle—from manufacturing and supply chain integration to software updates and end-of-life decommissioning.

Ultimately, industry-wide collaboration, supported by organizations like the FIDO Alliance, is key to building a resilient, future-proof foundation for automotive cybersecurity. As connected cars and electric vehicles continue to proliferate, a coordinated approach will be essential to protect against cyber threats, maintain security, and uphold trust in the next generation of automotive systems.

How KeyScaler Helps Manufacturers Meet WP.29, India and China Requirements

KeyScaler aligns closely with the demands emerging from India and China’s cybersecurity frameworks, complementing the foundations set by WP.29. It supports OEMs and Tier 1 suppliers by delivering robust security for automotive applications across a wide range of use cases, including in-vehicle authentication, device onboarding, and secure communications. As modern vehicles increasingly rely on connected systems, KeyScaler ensures comprehensive protection for these interconnected environments.

Automated lifecycle identity management

Certificates and keys issued, rotated and revoked automatically, eliminating manual processes.

Secure onboarding for every vehicle component

From ECUs to sensors and telematics modules.

End-to-end OTA trust

Ensuring updates are cryptographically verified before installation.

Audit-ready compliance

Tamper-resistant logs aligned with WP.29, India and China’s regulatory expectations.

Supply chain trust orchestration

Allowing OEMs to enforce unified identity policies on all suppliers.

Scalability across millions of devices

Essential for large automotive markets such as India and China.

As global requirements converge on lifecycle identity, KeyScaler acts as the trust backbone for modern connected vehicles.

What Automotive Cybersecurity Teams Must Prioritise in 2025

Manufacturers and suppliers looking to stay ahead of regulation should focus on systematic cybersecurity engineering processes to manage cyber risks throughout the vehicle lifecycle. Key priorities include:

1. Implementing automated machine identity for all ECUs and components
2. Centralising PKI ownership at the OEM level
3. Ensuring OTA pipelines are fully cryptographically verified
4. Embedding continuous monitoring and anomaly detection
5. Validating supply chain components with strong identity requirements
6. Shifting from periodic audits to continuous assurance models

These measures are essential not only for compliance but also for protecting against data breaches, which can result from unauthorized access to interconnected vehicle systems and lead to data theft or compromise of driver privacy.

Those who act early will be able to deploy globally consistent architectures that satisfy all regions — EU, India, China, and beyond.

Conclusion: WP.29 Was the Start — India and China Are Setting the Pace

WP.29 forced the industry to take cybersecurity seriously.
India and China are now forcing the industry to take it further.

Their regulatory acceleration reflects the sheer scale, connectivity and national importance of their automotive markets. As these jurisdictions push for stronger identity assurance, tighter lifecycle control and deeper supply chain validation, global OEMs must evolve their security posture to match. Security must be maintained throughout the entire automotive lifecycle, from design and manufacturing to operation and end-of-life.

The future of automotive cybersecurity is:

• continuous,
• identity-first,
• automated,
• and globally harmonised.

Manufacturers that adopt automated machine identity and secure update frameworks — such as those delivered by KeyScaler — will be positioned to comply not only with WP.29, but with the next generation of global regulations led by India and China. By following key principles established by regulatory bodies, organizations can ensure robust compliance and resilience. These key principles serve as the foundational standards guiding the industry’s approach to cybersecurity.