How to reach CSMS certification and cybersecurity vehicle type approval

Successfully implementing UNECE WP.29 cybersecurity & ISO/SAE 21434

Streamed on 29 Apr 2020
Dr. Moritz Minzlaff, Senior Manager ESCRYPT & Jan Stölting, Senior Manager KPMG

The number and reach of potential attack scenarios for modern vehicles have drastically increased. Consequently, activities are underway worldwide to regulate and standardize automotive cybersecurity. They all share three main trends: a stronger focus on the specifics of the automotive industry; the challenge and requirement to maintain security over the entire lifecycle; and the increasingly compulsory nature of regulations such as the inclusion of cybersecurity at type approval. These trends are particularly visible in the upcoming UN Regulation from the UNECE WP.29 and the ISO/SAE 21434. They define and mandate explicit Cybersecurity Management Systems (CSMS) for the protection of vehicles.

Major automotive markets such as the EU and Japan plan to mandate a certified CSMS for approval of new vehicle types from 2022. Further plans are to extend the application of this UN Regulation to first registrations of existing vehicle types in 2024. Considering typical development times, manufacturers and suppliers need to consider the new requirements today. At the same time, both the UN Regulation and the ISO/SAE 21434 are still in draft status. Managing this uncertainty – ensuring successful type approval while avoiding overspending – has become a critical business success factor.

Industry trends & developments

In the absence of finalized certification schemes, OEMs and suppliers need a clear roadmap that focuses on the key “big picture” issues now while allowing for adaptations to the final, detailed requirements later. Using insights from our engagements in all regions worldwide, we address relevant activities and major questions that arise in the buildup of a CSMS. We discuss in this webinar:

  • The UNECE WP.29 test phase
  • Relevant working groups (e.g. at the ISO or VDA)
  • The relationship of information security and cybersecurity
  • Security for the entire lifecycle
  • Impact on the manufacturer/supplier relationship
  • Cybermaturity in the ecosystem, in particular in the supply chain

Optimizing your cybersecurity approach with PROOF

The “Product Security Organization Framework” (PROOF) enables organizations to optimize their CSMS development. It builds on global insights & benchmarks from decades of experience in auditing and automotive security engineering. Its auditing approach provides transparency into an organization’s maturity relative to the ISO/SAE 21434, the UNECE WP.29, and further standards. This leads to clear and goal-oriented CSMS roadmaps, so manufacturers and suppliers can focus their resources (time, money, expertise) where they have the greatest impact, track progress, and perform validation checks before the final certification.

In this webinar, ESCRYPT and KPMG introduce a proven methodology to roll out a CSMS and prepare for vehicle type approval using PROOF. The methodology combines lessons learned from successfully applying regulations in many different industries with the automotive-security-specific expertise that is necessary to take into account the dependencies of cybersecurity with functional safety, environment protection, and theft protection.

Your hosts

This live webinar will be presented by Dr. Moritz Minzlaff, Senior Manager at ESCRYPT, and Jan Stölting, Senior Manager Cyber Security at KPMG AG Wirtschaftsprüfungsgesellschaft.

Dr. Moritz Minzlaff has over ten years of experience in the field of cyber security and advises automotive companies worldwide, from specialized suppliers and manufacturers to the top 5 OEMs. At ESCRYPT, he has overall responsibility for consulting services on CSMS.

Jan Stölting has over ten years of experience in consulting in the field of cyber security, in particular in managing large security transformation projects, and advises, among others, OEMs and suppliers to the automotive industry.

Data protection:

The cooperation partners KPMG AG and ESCRYPT GmbH / ETAS GmbH use forms to collect personal data in the course of surveys, webinars, and the like as jointly responsible parties within the meaning of Art. 26 GDPR. This means in particular that all data collected by ESCRYPT in the context of the above-mentioned forms will also be passed on to KPMG and ETAS. All rights of data subjects under Art. 15 et seq. GDPR may be asserted at any time against all cooperation partners and shall be exercised vis-à-vis the data subjects by the cooperation partner to whom the request is addressed.


CSMS & vehicle type approval: New requirements for automotive cybersecurity
Impact on manufacturers, suppliers, and their relationship
Industry trends & lessons learned for establishing an automotive CSMS
Leveraging existing strengths to optimize resources for vehicle type approval
A look beyond UNECE WP.29 and ISO/SAE 21434