
MARKET PULSE UK



UK makes UNECE R155 and R156 compulsory 13 Nov

The UK has confirmed that UNECE Regulations R155 (cyber security) and R156 (software updates) will become compulsory for GB type-approval from 13 November 2025. The Road Vehicles (Type-Approval) (Amendment) (No. 3) Regulations 2025 (SI 2025/1110) were made on 20 October and laid before Parliament on 22 October, signed by Parliamentary Under Secretary of State for Transport Simon Lightwood. For UK manufacturers and importers, the approval gate now formally includes cyber governance and over‑the‑air update controls, as set out on legislation.gov.uk.

R155 sets the baseline for vehicle cyber security and requires a manufacturer-wide Cyber Security Management System (CSMS). R156 governs how software is updated, including over‑the‑air (OTA), and requires a Software Update Management System (SUMS). In practice, this moves what many global platforms already do into the GB rulebook: demonstrate that the company has the processes, evidence and accountability to prevent, detect and respond to cyber threats, and to run safe, secure update campaigns across the fleet.

Regulation (EU) 2018/858, as it has effect in Great Britain, is amended so Annex XII lists R155 and R156 as UN Regulations that apply on a compulsory basis for GB approvals. The message is straightforward for product and homologation teams: vehicles must meet these UN rules to obtain or maintain GB type-approval, with the compulsory list and dates now embedded in the annex.

Conformity of production is tightened to reflect software realities. Annex IV gains a clear requirement that both the manufacturer’s software update management system and the whole vehicle type comply with UN R156. That makes update governance part of ongoing production assurance, not a one‑off exercise at type-approval, and brings factory release, field fixes and audit trails under the same compliance umbrella.

Paperwork expands to match the engineering. The GB information document now includes dedicated cyber and software update sections. Authorities will expect a description of systems relevant to cyber risk, their interfaces inside and outside the vehicle, the CSMS certificate number, the risk assessment and identified risks, evidence of mitigations, protection of aftermarket software environments, test methods and outcomes, and an explanation of how the supply chain has been considered. For software updates, manufacturers must show that update processes are both secure and safe, how users are informed before and after an OTA event, and provide a declaration that their SUMS meets the rule.

Certificates of conformity are refreshed so status is visible at registration. For M and N category vehicles, new fields indicate whether a vehicle is certified in accordance with UN R155 and UN R156. For O category trailers, similar declarations apply where relevant. This creates a simple yes/no signal that dealers, fleets and enforcement can reference without digging into technical files.

There is a narrow transition on paperwork, not on standards. A certificate of conformity issued using the old template will still be treated as a GB CoC if the vehicle was manufactured before 1 June 2027 and a valid GB type‑approval applies. From 13 November 2025, however, approvals themselves hinge on compliance with R155 and R156, so relying on the template grace period will not bypass the technical requirements.

Operationally, OEMs should treat CSMS and SUMS certification as gating items alongside emissions and safety tests. For most multi‑market platforms, the incremental work is likely to be process alignment, audit readiness and record‑keeping: mapping cyber responsibilities across teams, evidencing threat analyses and test artefacts, and ensuring update orchestration is controlled and repeatable from development through aftersales.

For Tier‑1s and software suppliers, expect tighter pass‑down on vulnerability handling, evidence of testing and update readiness. Manufacturers must show that they have considered their supply chain in the cyber security case, which in practice means clearer ownership of software configurations per variant, faster turnround on security patches, and traceability of who changed what, when and why.

OTA execution moves under closer scrutiny. Authorities will look at how code is authenticated and deployed, how functional safety is preserved during updates, and how drivers are informed before and after an event. A poorly run campaign is no longer just a customer‑experience issue; it risks approval consequences for the vehicle type if processes fall short of R156.

The Department for Transport classes the impact as de minimis (less than £10m a year across business, the voluntary sector and the public sector), so no full impact assessment accompanies the instrument. At firm level, finance directors should still plan for audit cycles, training, test toolchains and stronger customer communications around update timing, content and any driveability constraints.

The runway is short. With the law in force on 13 November 2025 and the CoC template flexibility ending on 1 June 2027, model‑year 2026 programmes should lock CSMS and SUMS evidence well ahead of build. For niche and low‑volume producers, engaging technical services early and mapping supplier responsibilities now will reduce the risk of late approval surprises and help contain costs. We see this as alignment rather than divergence: it reduces friction for UK platforms selling into global markets while formalising expectations on cyber maturity.
