Ensuring automotive cybersecurity throughout the entire supply chain: ISO/SAE 21434


    Backed up by vehicle electrification, car connectivity, and autonomous driving, cybersecurity is taking a newfound importance for automotive software and hardware development.  In fact, today’s premium cars have between 70 to 100 electric code units (EUCs), which amount to 100 million lines of code and this trend will only keep growing. By 2030, the average car model is expected to have 300 million lines of software code.   

    The ISO/SAE 21434 regulatory framework under the UN R155 ensures cybersecurity management throughout the entire automotive supply chain. Here’s how it involves Tier 1-3 automotive suppliers. 

    What is the ISO/SAE 21434 standard and who does it apply to?  

    The ISO/SAE 21434 standard is closely linked to the UNECE Regulation No 155, a set of regulatory requirements for cybersecurity and software updates in vehicles. Developed as a response to the increasing threat of cyber-attacks on vehicles and their systems, this regulation ensures that all new vehicles sold in the EU meet minimum cybersecurity standards. 

    Specifically, the ISO/SAE 21434 standard guides the implementation of Cyber Security Management Systems (CSMS) throughout the entire automotive supply chain. Relevant for vehicle manufacturers, suppliers and service providers; its implementation can aid organizations in improving operational efficiency, reducing costs and boosting their reputation in the industry.  

    Compliance with ISO/SAE 21434 can also help organizations comply with other relevant standards and regulations such as:   

    • ISO 26262: functional safety for automotive systems   
    • GDPR General Data Protection Regulation.   

    New cybersecurity implications for Tier 1, 2 and 3 manufacturers

    The ISO/SAE 21434 standard involves all automotive suppliers throughout the automotive supply chain, from Tier 1 to 3 levels. Here’s how each tier is involved in the automotive supply chain:  

    • Tier 1 Suppliers: take care of parts and components directly in contact with OEMs. They manufacture complex automotive systems that can go from steering wheel modules, driver-assistance systems (ADAS), airbag control modules and information entertainment for overall control systems.   
    • Tier 2 Suppliers: produce parts and subcomponents used by Tier 1 providers, such as smaller metal stampings and weldments. As contract manufacturers, they work on a build-to-print basis with little or no design responsibility.   
    • Tier 3 Suppliers: provide raw materials or close-to-raw material stock, such as chips, that are then used by Tier 2 and Tier 1 manufacturers.   

    Each component in the automotive supply chain has its architecture, hardware and software and therefore, different risks that their manufacturers and clients must be aware of.  

    Why OEMs should ensure cybersecurity risk management throughout the entire supply chain 

    The Threat Analysis and Risk Assessment (TARA) works as a consolidated method to ensure that all OEMs implement appropriate and efficient cyberattack risk mitigations. One of the main TARA requirements is ensuring that these manufacturers have a CSMS to assess risk management throughout the entire vehicle model.   

    That’s why even if the recent UNECE Regulation No 155 updates only mandate that vehicle manufacturers have their own CSMS, the pressure to manage and mitigate cybersecurity will also fall onto their suppliers. This means that Tier 1-3 vendors will also have to implement their own CSMS, thankfully this can be ensured through ISO/SAE 21434 certification.   

    Ensuring Cybersecurity: ISO/SAE 21434 Certification for Tier 1-3 suppliers   

    The Certificate for ISO/SAE 21434 Conformity guarantees that suppliers can manage their product cyber risks during the entire life cycle of the product, from concept until decommissioning stages. This includes detecting and answering security incidents in a reasonable period.  
    To successfully implement a CSMS under ISO/SAE 21434 requirements specifications, it’s vital to understand the specifications vocabulary, the purpose of each requirement and how to implement them throughout the organizational structure.   

    Organizations must ensure that employees take an active role. We recommend training, assigning roles and responsibilities, and instilling essential cybersecurity know-how.   

    Defining the scope of their CSMS before executing is also key. This includes conducting a gap analysis of its current implementation state and focusing on critical points that need to be improved. Once this is done, each objective should be backed up by a specific activity to execute them.  

    The last step is checking if the requirements are met and making the needed adjustments if any deviations arise. This process can be iterated as many times as needed until final objectives are met.   

    Applus+ Laboratories, a one-stop shop for smooth ISO/SAE 21434 compliance   

    In the automotive industry, independent laboratories can help suppliers reassure trust with vehicle manufacturers by issuing conformity certificates that prove specific requirements, such as ISO 21434, have been met.   

    At Applus+ Laboratories, we offer a complete one-stop-shop service to ensure vital cybersecurity requisites are met throughout the entire automotive supply chain, including ISO/SAE 21434:2021 standard implementations. This includes:  

    • Gap analysis  
    • Threat analysis & risk assessment (TARA) 
    • Vulnerability analysis  
    • Product pen-testing  
    • Technical advice & documentation review  
    • CSMS audit  
    • Certification of conformity  
    • Training 

    Additionally, our cybersecurity experts can perform penetration testing campaigns for automotive components and whole vehicles and deliver accurate reports to measure ISO 21434 compliance.   

    We are backed up by objectivity, expertise, transparency and regulatory compliance expertise. Our capabilities make us a trusted partner for businesses, consumers and regulatory agencies looking to meet specific product, service and organizational requirements. 


    Applus+ uses first-party and third-party cookies for analytical purposes and to show you personalized advertising based on a profile drawn up based on your browsing habits (eg. visited websites). Click HERE for more information. You can accept all cookies by pressing the "Accept" button or configure or reject their use by clicking here.

    Cookie settings panel