Correlens

Use case · Compliance achievement

Run the work, and the audit evidence writes itself.

UNECE R155 type approval, its paired R156 software-update regulation and an ISO/SAE 21434 assessment all ask for the same thing underneath: proof that you monitor, analyse, decide and record, continuously. Correlens is where that work already happens, so the records assessors ask for are a byproduct of doing it, not a separate compliance chore.

UNECE R155 · CSMSA CSMS certificate is audited against ISO/PAS 5112 and stays valid for at most three years, with monitoring, vulnerability handling and incident response evidence expected throughout. Continuous triage records are exactly that evidence.
UNECE R156 · SUMSR155’s paired regulation covers software updates and is equally required for type approval. Release-to-release SBOM diffs give an update review its component-level record: what changed, what it added, what it fixed.
ISO/SAE 21434The engineering framework behind both regulations. Supplier interface work (clause 7), continual monitoring and vulnerability analysis (clause 8) and TARA inputs (clause 15) map onto the supply-chain, intelligence and vulnerability modules.
One audit trailEvery score, re-score, VEX statement and analyst decision is recorded with its reasoning. When the assessment comes, the trail is already there.

Regulatory horizon

The deadlines are not the story. The evidence is.

The regulations are in force and their dates are public. What decides an assessment is whether your day-to-day work leaves the records behind.

Jan 2021 R155 and R156 enter into force Cybersecurity management and software-update management become type-approval requirements.
Jul 2022 Mandatory for new vehicle types New M, N and O vehicle types need both approvals in participating markets.
Jul 2024 Mandatory for all new vehicles Every newly registered vehicle in scope, not just new types.
Sep 2026 EU CRA reporting obligations Actively exploited vulnerabilities and severe incidents become reportable for products with digital elements.
Dec 2027 EU CRA main obligations Essential requirements, conformity assessment and support-period duties apply in full.
Jul 2029 R155 reaches Category L Two- and three-wheelers with an ECU come into scope.

Beyond the EU

The same discipline, on every homologation desk.

Cybersecurity management has gone global: the frameworks differ by market, but they all ask for a managed inventory, vulnerability handling and records. Evidence produced once serves all of them.

China GB 44495 and GB 44496, mandatory national standards for vehicle cybersecurity and software updates, apply to new vehicle types from January 2026 and to existing approved types from January 2028.
Japan The first market to apply UN R155 and R156, phased in from 2021 under the Road Transport Vehicle Act; the final phase reaches OTA-less production vehicles in 2026.
South Korea A national regime modeled on UN R155: cybersecurity management certification applies to new vehicle types from August 2025 and to all vehicles from August 2027.
India Draft CMVR rules referencing AIS-189 and AIS-190, aligned with UN R155 and R156, are in public consultation; timelines are not final yet.
Gulf states GCC type approval through GSO draws on UNECE-derived technical regulations; a dedicated vehicle-cybersecurity requirement has not been adopted yet, and regional regulators are watching UN R155.

What maps to what

From clause to module, without a spreadsheet.

What each framework asks for, and where in the platform that work already happens.

R155 · CSMS Monitoring, vulnerability handling, incident response, post-production surveillance Threat IntelligenceVulnerability Management
R155 · Annex 5 Awareness of the catalogued threats and mitigations for the vehicle type Threat IntelligenceWatchlists
R156 · SUMS A reliable record of what each software update changes SBOM · release diff
21434 · Clause 7 Distributed activities: supplier capability and interface agreements Supply Chain Risk
21434 · Clause 8 Continual monitoring, event evaluation, vulnerability analysis Vulnerability ManagementThreat Intelligence
EU CRA SBOM quality, coordinated disclosure readiness, support-period records SBOM · quality gateSupply Chain Risk

The mapping is a navigation aid, not a certification claim: assessments are performed by authorities and audit bodies, and expert consultancy can support you through them.

This is not machine-only compliance. Analysts stay in the loop on every decision, and expert consultancy is available for CSMS build-up, TARA work and assessment preparation.

Talk to us about your assessment.

Book a demo