Five frameworks. One evidence system.

Automotive companies don't get to choose which regulations apply to their vehicles, their software, or their supply chains.

UNECE R155 mandates CSMS certification for type approval across 54+ markets. ISO/SAE 21434 provides the engineering framework. R156 governs software updates. EU CRA adds a parallel obligation for vehicle software products. ISO 26262 governs functional safety and must be co-engineered with cybersecurity requirements. X-DLM™ integrates Siemens Polarion and Black Duck to produce the evidence each framework requires — from one governed automotive lifecycle workflow.

Type Approval

A failed CSMS audit doesn't delay the vehicle launch. It stops it — until conformity is re-established.

UN R155 type approval cannot be granted without CSMS certification. A finding during the Technical Service audit means the vehicle cannot be sold in the affected markets until the finding is resolved and the audit re-passes. For OEMs with active production lines, that is a manufacturing halt event.

Supply Chain Cascade

The OEM's type approval obligation cascades to every Tier in the supply chain — including Tier 2s and 3s who've never heard of R155.

49.5% of automotive attacks exploit software system vulnerabilities — most from ECU components supplied by Tier 1s and Tier 2s. OEMs are requiring ISO 21434 process evidence and SBOM data from their entire supplier base. Suppliers who cannot provide it are excluded before the RFP commercial round.

100M+ lines of code. 54+ countries requiring type approval. 49.5% of attacks in the software stack. And the TARA obligation lasts for the lifetime of the vehicle.

100M+

Lines of code in a modern EV across 100+ ECUs from dozens of suppliers. Every line is in scope for the OEM's R155 CSMS obligation.

54+

Countries requiring UN R155/R156 type approval compliance — including all EU member states, Japan, South Korea, and Australia.

49.5%

Of automotive cyberattacks exploit software system vulnerabilities — the majority in ECU open-source components. Source: Upstream 2024.

Lifetime

Duration of ISO 21434 and UN R155 post-development monitoring obligation — new CVEs in production vehicles must be assessed and governed continuously.

100+ days

Black Duck BDSA advisories surface critical vulnerabilities on average 100 days ahead of NVD — for automotive RTOS, AUTOSAR, and embedded cryptographic CVEs that general databases miss.

The automotive industry answers to six frameworks — as an OEM, a software manufacturer, and a supply chain orchestrator simultaneously.

Regulation: UNECE R155 (WP.29)
Who it affects: Vehicle OEMs selling into any of 54+ countries including all EU member states, Japan, South Korea, Australia, and others that have adopted the UNECE 1958 Agreement.
Timing: Mandatory for all new vehicles in the EU since July 2024. Active in Japan, South Korea, Australia. Required for all new vehicle type approvals globally in adopting countries.
What you must answer: Cybersecurity Management System (CSMS) certification by an accredited Technical Service, vehicle-level cybersecurity evidence, Tier 1/2 supplier cybersecurity interface agreements, post-development incident monitoring and reporting.
How X-DLM™ helps: Polarion manages the ISO 21434 lifecycle and CSMS documentation. Black Duck provides ECU SBOM and vulnerability intelligence. X-DLM™ links TARA assets to live vulnerability data and routes incidents through governed response workflows.

Regulation: ISO/SAE 21434
Who it affects: Automotive OEMs, Tier 1 and Tier 2 suppliers, and vehicle software development teams — required by OEMs as a contractual supplier qualification condition.
Timing: Active — the engineering standard that R155 type approval auditors evaluate. OEM supplier qualification increasingly requires demonstration of ISO 21434 process maturity.
What you must answer: TARA (Threat Analysis and Risk Assessment), cybersecurity goals, cybersecurity requirements, design, verification, validation, post-development monitoring, incident response, cybersecurity interface agreements with suppliers.
How X-DLM™ helps: Polarion provides the full ISO 21434 lifecycle workflow — from TARA through cybersecurity requirements, verification, and post-development monitoring. Black Duck links live vulnerability intelligence to TARA assets automatically.

Regulation: UNECE R156 (Software Update)
Who it affects: Vehicle OEMs and OTA update system providers — required alongside R155 for type approval in all adopting markets.
Timing: Mandatory alongside R155 — required for all new vehicle type approvals in adopting countries.
What you must answer: Software Update Management System (SUMS) certification, secure OTA update processes, software version management, update integrity verification, rollback capability, update audit trail.
How X-DLM™ helps: Polarion version-controls software releases and OTA update records. X-DLM™ maintains SBOM version history linked to each update release. Black Duck verifies update component integrity and identifies newly disclosed vulnerabilities in update packages.

Regulation: EU CRA (Vehicle Software)
Who it affects: Automotive OEMs and suppliers placing vehicle software, telematics units, connected navigation systems, and V2X communication software on the EU market as Products with Digital Elements.
Timing: Vulnerability reporting: September 11, 2026. Full enforcement: December 11, 2027. Parallel obligation to R155/R156 for vehicle software products.
What you must answer: Machine-readable SBOM covering all software components, 24h/72h/14-day vulnerability reporting to ENISA/CSIRTs, secure-by-design evidence, CE marking, coordinated vulnerability disclosure, 10-year documentation retention.
How X-DLM™ helps: Black Duck generates SPDX/CycloneDX SBOMs from ECU firmware and vehicle software. X-DLM™ routes vulnerability findings into Polarion with CRA reporting cascade automation alongside the R155 incident workflow.

Regulation: ISO 26262 (Functional Safety)
Who it affects: Automotive OEMs and Tier 1 suppliers developing safety-relevant electrical and electronic systems — ASIL A through D.
Timing: Active — required for type approval of safety-relevant vehicle systems. Safety-security co-engineering is increasingly required.
What you must answer: Item definition, HARA, safety goals, functional safety requirements, design, hardware/software verification, safety validation, production, operation.
How X-DLM™ helps: Polarion maintains both cybersecurity requirements (ISO 21434) and functional safety requirements (ISO 26262 ASIL) in the same traceability matrix — enabling combined safety-security change control evidence.

From ECU firmware binary scan to type-approval-ready TARA and CSMS evidence.

  • 01

    Detect

    Black Duck performs binary analysis of ECU firmware, AUTOSAR components, embedded Linux, and Android Automotive OS — generating SBOM data and vulnerability intelligence for every component across the vehicle software supply chain, including supplier deliveries without source code.

  • 02

    Link

    X-DLM™ synchronizes Black Duck vulnerability findings directly to TARA assets in Polarion — recalculating threat ratings, generating governed response work items with ISO 21434 cybersecurity goal mapping, and routing to responsible engineering owners automatically.

  • 03

    Trace

    Findings are linked through the full ISO 21434 lifecycle in Polarion — TARA → cybersecurity goals → requirements → design → verification → validation → release → post-development monitoring. Every link is traceable and exportable for R155 CSMS audit.

  • 04

    Certify

    LiveDocs and Polarion workflow history produce the UN R155 CSMS evidence package, ISO 21434 lifecycle documentation, EU CRA SBOM and vulnerability records, and supplier SBOM exchange history — on demand, for type approval audit, OEM qualification review, or post-market authority inspection.
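As an added illustration of the Link step above (example code, not X-DLM™, Polarion or Black Duck code), the Python below correlates a constructed CycloneDX SBOM for one ECU with constructed advisories and a TARA excerpt, recomputes a risk value with a simplified Annex H style impact/feasibility matrix, and emits governed work items sorted by risk. The purls, placeholder CVE ids, goal ids, owners and the CVSS-to-feasibility bands are all assumptions; it also flags the coverage gap of an SBOM component that no TARA asset owns.

```python
"""Hypothetical Link step: SBOM findings -> TARA assets -> response work items."""
import json

# Constructed CycloneDX SBOM for one telematics ECU (sample data, not a real scan).
SBOM_JSON = json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
    {"type": "library", "name": "mbedtls", "version": "2.28.0", "purl": "pkg:generic/mbedtls@2.28.0"},
    {"type": "library", "name": "lwip", "version": "2.1.3", "purl": "pkg:generic/lwip@2.1.3"},
    {"type": "library", "name": "zlib", "version": "1.2.13", "purl": "pkg:generic/zlib@1.2.13"},
]})

# Constructed advisories: (purl, placeholder CVE id, CVSS base score). Not real CVEs.
ADVISORIES = [
    ("pkg:generic/mbedtls@2.28.0", "CVE-XXXX-00001", 9.1),
    ("pkg:generic/lwip@2.1.3", "CVE-XXXX-00002", 5.3),
    ("pkg:generic/zlib@1.2.13", "CVE-XXXX-00003", 7.5),    # in the SBOM, but no TARA asset owns it
    ("pkg:generic/openssl@3.0.0", "CVE-XXXX-00004", 9.8),  # not in this ECU's SBOM at all
]

# Constructed TARA excerpt: component -> asset, impact rating (1..4), ISO 21434 goal, owner.
TARA = {
    "pkg:generic/mbedtls@2.28.0": {"asset": "TCU-TLS", "impact": 4,
                                   "goal": "CSG-07 telematics link confidentiality", "owner": "crypto-team"},
    "pkg:generic/lwip@2.1.3": {"asset": "TCU-IP", "impact": 3,
                               "goal": "CSG-03 OTA channel availability", "owner": "net-team"},
}

def feasibility(cvss):
    """Assumed mapping of CVSS base score to attack-feasibility rating 1 (very low) .. 4 (high)."""
    return 1 if cvss < 4.0 else 2 if cvss < 7.0 else 3 if cvss < 9.0 else 4

def risk_value(impact, feas):
    """Simplified matrix in the style of ISO 21434 Annex H: impact + feasibility -> risk value 1..5."""
    return max(1, min(5, impact + feas - 3))

def link_findings(sbom_json, advisories, tara):
    """Return (work_items, untracked): one item per advisory that hits a TARA-governed component,
    plus purls present in the SBOM but absent from the TARA (a coverage gap an auditor will ask about)."""
    in_sbom = {c["purl"] for c in json.loads(sbom_json)["components"]}
    items, untracked = [], []
    for purl, cve, cvss in advisories:
        if purl not in in_sbom:
            continue                    # advisory does not apply to this ECU's components
        if purl not in tara:
            untracked.append(purl)      # component shipped without a TARA asset: fix the TARA, not just the CVE
            continue
        a = tara[purl]
        risk = risk_value(a["impact"], feasibility(cvss))
        items.append({"cve": cve, "asset": a["asset"], "goal": a["goal"],
                      "owner": a["owner"], "risk": risk, "status": "open"})
    items.sort(key=lambda i: i["risk"], reverse=True)   # highest risk first for the response queue
    return items, untracked
```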

One evidence system for every automotive obligation.

Book a walkthrough of how X-DLM™ operationalizes UN R155 CSMS evidence, ISO/SAE 21434 TARA traceability, ECU SBOM generation, EU CRA compliance, ISO 26262 safety-security co-engineering, and supplier cybersecurity interface agreements — on Siemens Polarion and Black Duck.