What is WP.29, the standard that all cars will have to comply with from 2024

A few days ago this news caused a lot of noise, which Porsche will stop Makan with an internal combustion engine in Europe from 2024. The reason for this decision goes beyond the work that the brand is doing to release an electrified version of this model. In reality this corresponds to the impossibility of compliance cybersecurity rules WP.29 which will come into full force next year.

But what is the WP.29 regulation and how does it affect manufacturers? It’s worth noting that WP.29 is actually what the United Nations Economic Commission for Europe (UNECE) Global Forum for the Harmonization of Vehicle Regulations is known for. Regulation UNECE/TRANS/WP.29/2020/79, approved in 2020, is now coming into force. In particular, the rules UN P155 And UN P156.

They require manufacturers to include a cybersecurity management system, or CSMS, in their vehicles. In addition, all vehicles covered by WP.29 are equipped with a software update system.

As you can imagine, the point that really makes noise is integration cybersecurity management system. In this sense, all vehicles must receive certification to ensure they are protected from the possibility of attackers attempting to exploit vulnerabilities in their software, sensors or connected services.

WP.29 requires that vehicles be protected against numerous cybersecurity threats.

Although in the European Union the WP.29 regulation already applies to vehicles whose homologation has been carried out since July 1, 2022, will finally take effect on July 1, 2024.. This means that from this date, vehicles that do not comply with cybersecurity regulations will no longer be able to be offered on the market.

This is why Porsche has decided to withdraw the Macan from European markets. Since the car has been on the market for almost 10 years, the automaker has no plans to update it to comply with the regulations. Of course, it will continue to be produced until the end of 2025 and will continue to be offered in the United Kingdom and other international markets where WP.29 rules do not apply, they confirmed. Trainer.

The new WP.29 rules state that cybersecurity management systems built by manufacturers will be required to protect their vehicles from at least 70 threats. Otherwise, the vehicles will not receive the necessary certification for sale in the European Union.

Among the vulnerabilities that need to be covered are those that can affect the cars themselves, as well as the service and server infrastructure used by car companies.

The quest for more (cyber)safe cars

This Some examples of cybersecurity threats that should be preventedas stated in WP.29:

• Unintentional theft or leakage of data from manufacturer servers or internal networks.
• Injection of malware through the channels that the car uses to communicate with the outside world.
• Unintentional installation of viruses by the owner of the vehicle or people with access to it (for example, mechanics), through the mediation of a hacker.
• In case of sale of a car, transfer of personal data from the first owner to the second.
• Downloading vehicle software updates is not at risk from any computer threats.
• Remote manipulation of sensors and functions such as door locking systems and others.
• Tampering with systems to display altered information, such as vehicle speed, incorrect navigation readings, or mileage that is greater or less than actual.

How WP.29 rules are certified

In order for vehicles to be certified as cyber-safe as set out in WP.29, manufacturers must request an assessment from a notified body. Vehicles must comply with 70 established cybersecurity requirements and, in turn, provide all documentation required by those responsible for checking them. If any of these points are not met, a certificate of conformity will not be issued.

If manufacturers obtain approval for the models being evaluated, It will be valid for three years.. After this period, they will have to recertify or request an extension of their current eligibility. If changes are made to the vehicle’s cybersecurity management system before the end of three years, recertification will be mandatory.

Vehicles that must undergo cyber insurance certification according to WP.29 regulation in the European Union:

• Category M: buses, motorhomes and cars.
• Category H: trucks and vans.
• Category O: cottages and trailers with an electronic control unit.

It is worth noting that the new rules also include categories L6 and L7. That is, quadricycles or quadruples with and without cabin. The big caveat here is that WP.29 regulations will only apply to those models that have Level 3 or higher automated driving systems.

Penalties for non-compliance in the European Union

As you can imagine, failure to comply with WP.29 cybersecurity regulations will result in severe penalties for automobile companies. In the European Union, manufacturers who do not strictly comply with the provisions of the regulations will be subject to fine up to 30,000 euros for each unit of the offending model.

However, the story does not end there. European authorities will also have the right revoke approval cars that do not meet computer security requirements. This way you can stop their marketing and remove them from the market.

The Porsche Macan is the first confirmed case where a car will no longer be sold in Europe due to WP.29. Although he probably won’t be the only one. Any current model that is not updated to adapt to the rules will no longer be able to register in the EU from 1 July.

This is certainly already causing controversy among car companies, as it does every time a new regulation comes into force. But it will also force them accelerate your catalog modernization plans.