One year of WP.29 and GSR2: Has automotive cybersecurity caught up?

It’s now been a year since General Safety Regulation 2 (GSR2) became law across the EU on July 1st 2024, bringing with it a new era of digital safety standards for vehicles. UN R155 and R156 – the cybersecurity and software update standards created through the UNECE WP.29 framework – were central to this landmark regulation, and today they are compulsory on all new vehicles sold in Europe and mirrored by many other global markets.

GSR2 wasn’t introduced in isolation. It was part of a broader push to modernize road safety by recognising that digital vulnerabilities are, in fact, safety risks. In the same way we expect physical crash protection, we now expect vehicles to be protected from hacking, remote hijacking and software failures.

The question is: one year on, how well is the automotive industry adapting to this new reality?

From vulnerability to visibility

Until recently, vehicle cybersecurity was an issue many consumers [and even some manufacturers] struggled to take seriously, but that soon changed as real-world examples began hitting the headlines. For example, we saw white-hat hackers remotely disabling Jeep Cherokees, security researchers unlocking Teslas via Bluetooth exploits and even entire fleets being left vulnerable to attack through unsecured APIs.

Although these stories were alarming to consumers, they accelerated regulatory urgency. Under GSR2, all manufacturers must now show how they manage cybersecurity risks throughout the entire vehicle lifecycle, from concept and design to post-sale updates. This means having a certified Cybersecurity Management System [CSMS] in place, as per UN R155, and a compliant Software Update Management System [SUMS] as required by UN R156.

Instead of treating cybersecurity as a patch-it-later technical issue, manufacturers have had to begin embedding it as a fundamental pillar of product safety and organisational governance.

How have OEMs responded?

Over the past 12 months, most OEMs have been quick to adapt. Many big players, including Volkswagen, Ford, and GM, have hired Chief Product Security Officers, and more are putting formal cybersecurity functions in place, building internal teams dedicated to threat modeling, incident response and software assurance.

This has come with its own challenges. Some manufacturers underestimated the complexity of documenting and auditing their cyber risk management processes to the level demanded by regulators. Others faced issues retrofitting legacy platforms or restructuring supplier agreements to ensure compliance throughout the software and hardware chain.

The supply chain remains one of the biggest pain points. Under WP.29, OEMs are responsible for ensuring their suppliers meet cybersecurity standards, and this has led to stricter procurement practices, new contract clauses and increased demand for transparency. Some Tier 1s have risen to the challenge, while others are still catching up.

What’s actually changed on the road?

From a driver’s perspective, many of these changes are invisible – and that’s the point. Cars now undergo security testing as part of type approval, software updates are subject to structured review, and remote access vulnerabilities are more likely to be caught before reaching production.

There are also other signs of progress beyond compliance. Some manufacturers are going further than the minimum requirements by investing in secure over-the-air [OTA] platforms, real-time intrusion detection systems and vehicle-level monitoring that can detect and respond to threats while the car is on the road.

However, the pace at which cyber threats are evolving remains a concern. Hackers are becoming more sophisticated and, while regulation sets a baseline, it doesn’t future-proof systems against emerging techniques such as AI-driven exploits or large-scale supply chain attacks.

A global standard with expanding scope

Although GSR2 applied initially in the EU, WP.29-based cybersecurity rules are now influencing markets around the world, with over 60 countries adopting the UNECE framework. The UK remains aligned post-Brexit, and countries like Japan and South Korea have implemented their own versions.

In late 2024, UNECE confirmed that powered two-wheelers [e.g., motorbikes and scooters exceeding 25 km/h] would also fall under R155 – an early signal that the scope of cybersecurity compliance is growing. Similar requirements for trucks, buses and potentially even micromobility solutions are expected to follow.

This broadening horizon means the conversation around automotive cybersecurity is shifting from “if” to “how far and how fast” the industry can keep up.

What comes next?

A year on from GSR2 and WP.29 implementation, the automotive industry has made significant progress. Most manufacturers have developed compliant systems, and awareness of digital risks is growing – not just among engineers, but also executives, insurers and even drivers.

But there are still obstacles to overcome. Talent shortages persist, supply chains need more support, and the regulatory bar will only continue to rise from here.

Looking ahead, the most successful OEMs will be those that see cybersecurity not just as a compliance checkbox, but as a competitive advantage – a way to unlock safer, smarter and more trusted vehicles.

In the age of the software-defined car, the ability to detect, respond to and recover from cyber threats will be just as important as horsepower or handling. WP.29 laid the groundwork, and now the real test begins.

How Trustonic can help

As OEMs and Tier 1s continue to adapt to the demands of WP.29 and GSR2, Trustonic provides the trusted foundations needed to protect critical systems and support compliance, both now and in the future.

At the core of our offering is our Trusted Execution Environment [TEE] – an industry-leading solution that delivers hardware-isolated protection for the most sensitive automotive operations.

By creating a secure area within the processor, our TEE technology ensures vital functions such as cryptographic key management, secure boot processes and data integrity checks are protected from external interference and cyberattacks.

This additional layer of security not only strengthens the overall system architecture but also enhances vehicle resilience against real-world threats – from remote hacking attempts to supply chain vulnerabilities. It offers OEMs and suppliers a robust foundation to build additional security mechanisms higher up the software stack.

Trustonic also supports manufacturers in meeting cybersecurity requirements beyond just hardware. We help organisations design and implement a secure software development lifecycle [SDLC] and offer support across:

  • Key management
  • Secure OTA updates
  • User and device data storage
  • Device attestation and in-field threat monitoring

Whether you’re building out your Cybersecurity Management System [CSMS] or deploying a secure Software Update Management System [SUMS], Trustonic offers technical solutions, consultancy and operational support tailored to your security architecture and regulatory obligations.

In a landscape where vehicle software is constantly evolving, Trustonic enables OEMs to build cybersecurity frameworks that are future-ready, resilient and regulator-approved.

Get in touch to find out more about how we can assist you.
