These Regulations may be cited as the Road Vehicles (Type-Approval) (Amendment) (No. 3) Regulations 2025.
The Road Vehicles (Type-Approval) (Amendment) (No. 3) Regulations 2025
Published: Wed 22nd Oct 25
These Regulations, made by the Secretary of State for Transport under powers derived from Regulation (EU) 2018/858, introduce mandatory compliance with UNECE Regulations No. 155 (concerning cyber security and cyber security management systems) and No. 156 (concerning software updates and software update management systems) for vehicles seeking Great Britain (GB) type-approval.
The amendments update Annexes II, IV, and XII of Regulation (EU) 2018/858 to incorporate these UN requirements and specify implementation deadlines, and also amend Implementing Regulation (EU) 2020/683 to update the associated information documentation and certificates of conformity templates.
The Regulations come into force on 13th November 2025 and extend across England, Wales, Scotland, and Northern Ireland.
Arguments For
Ensures UK vehicle standards align with modern international best practices for vehicle safety regarding cyber threats.
Mandates the inclusion of robust Cyber Security Management Systems (CSMS) and Software Update Management Systems (SUMS) before vehicles are approved for Great Britain type-approval.
Establishes clear, legally binding implementation dates for manufacturers across different vehicle categories (M, N, O) to transition to compliance.
Strengthens the regulatory framework governing vehicle type-approval procedures by incorporating specific requirements into existing schedules related to information documentation and certificates of conformity.
Arguments Against
Imposes immediate compliance obligations and changes on vehicle manufacturers before the specified dates, particularly concerning the necessary revisions to documentation and processes.
Introduces complexity by amending multiple existing legislative instruments [(EU) 2018/858 and (EU) 2020/683] simultaneously, potentially creating administrative burden.
The introduction of new mandatory UN regulations might necessitate significant research, development, and capital investment by manufacturers to meet cybersecurity and software update standards.
While beneficial, mandating software update capabilities for certain low-volume or special purpose vehicles (like some O category trailers or exceptional load vehicles) might present disproportionate challenges relative to the marginal safety benefit.
The Secretary of State makes these Regulations in exercise of the powers conferred by Articles 5(3), 31(8), 36(4), 38(3) and 57(2) of Regulation (EU) 2018/858 of the European Parliament and of the Council of 30 May 2018 on the approval and market surveillance of motor vehicles and their trailers, and of systems, components and separate technical units intended for such vehicles, amending Regulations (EC) No 715/2007 and (EC) No 595/2009 and repealing Directive 2007/46/EC (“Regulation (EU) 2018/858”)1.
The Secretary of State has consulted with representative organisations in accordance with Article 82(3) of Regulation (EU) 2018/858.
The Secretary of State is establishing these Regulations using powers granted under specific articles of Regulation (EU) 2018/858, which governs the type-approval and market surveillance of vehicles and their components.
This EU regulation itself modified earlier regulations concerning vehicles and repealed Directive 2007/46/EC.
Before issuing these rules, the Secretary of State consulted with relevant representative organizations as required by Article 82(3) of Regulation (EU) 2018/858.
Citation, commencement and extent1.
(1)
(2)
These Regulations come into force on 13th November 2025.
(3)
These Regulations extend to England and Wales, Scotland and Northern Ireland.
These regulations are formally titled the Road Vehicles (Type-Approval) (Amendment) (No. 3) Regulations 2025.
They take legal effect starting on 13th November 2025.
The regulations apply across the entirety of the United Kingdom, covering England, Wales, Scotland, and Northern Ireland.
Amendment of Regulation (EU) 2018/8582.
(1)
Regulation (EU) 2018/858 is amended as follows.
(2)
In Article 57 (UN Regulations required for GB type-approval), after paragraph (2), insert—
(3)
UN Regulations and amendments made thereto which are compulsory and the dates from which they are compulsory are specified in Annex XII.”.
(3)
In Annex II (requirements for the purpose of GB type-approval of vehicles, systems, components or separate technical units)—
(a)
in Part I (regulatory acts for GB type-approval of vehicles produced in unlimited series)—
(i)
in the first table, after the row for item 74, insert—
“75
Cyber security and cyber security management system
UN Regulation No 155
X
X
X
X
X
X
76
Software update and software update management system
UN Regulation No 156
X
X
X
X
X
X
X
X
X
X”;
(ii)
in Appendix 1 (regulatory acts for GB type-approval of vehicles produced in medium series pursuant to Article 41)—
(aa)
in Table 1 (M1 vehicles), after the row for item 73, insert—
“75
Cyber security and cyber security management system
UN Regulation No 155
X
76
Software update and software update management system
UN Regulation No 156
X”;
(bb)
in Table 2 (N1 Vehicles), after the row for item 73, insert—
“75
Cyber security and cyber security management system
UN Regulation No 155
X
76
Software update and software update management system
UN Regulation No 156
X”;
(b)
in Part III (list of regulatory acts setting out the requirements for the purposes of GB type approval of special purpose vehicles)—
(i)
in Appendix 1 (motor-caravans, ambulances and hearses), in the table, after the row for item 73, insert—
“75
Cyber security and cyber security management system
UN Regulation No 155
X
X
X
X
76
Software update and software update management system
UN Regulation No 156
X
X
X
X”;
(ii)
in Appendix 2 (armoured vehicles), in the table, after the row for item 73, insert—
“75
Cyber security and cyber security management system
UN Regulation No 155
X
X
X
X
X
X
76
Software update and software update management system
UN Regulation No 156
X
X
X
X
X
X
X
X
X
X”;
(iii)
in Appendix 3 (wheelchair accessible vehicles), in the table, after the row for item 73, insert—
“75
Cyber security and cyber security management system
UN Regulation No 155
X
76
Software update and software update management system
UN Regulation No 156
X”;
(iv)
in Appendix 4 (other special purpose vehicles), in the table, after the row for item 73, insert—
“75
Cyber security and cyber security management system
UN Regulation No 155
X
X
X
X
X
76
Software update and software update management system
UN Regulation No 156
X
X
X
X
X
X
X
X
X”;
(v)
in Appendix 5 (mobile cranes), in the table, after the row for item 73, insert—
“75
Cyber security and cyber security management system
UN Regulation No 155
X N/A in case of complete vehicle
76
Software update and software update management system
UN Regulation No 156
X”;
(vi)
in Appendix 6 (exceptional load transport vehicles), after the row for item 73, insert—
“75
Cyber security and cyber security management system
UN Regulation No 155
X
76
Software update and software update management system
UN Regulation No 156
X
X”.
(4)
In Annex IV (conformity of production procedures), after point 4.6, insert—
“5.
Arrangements concerning software update
The software update management system of the manufacturer as well as the whole vehicle type must comply with the requirements of UN Regulation No 156.”.
(5)
In Annex XII (UN regulations required for GB type-approval)—
(a)
in Table 1 (list of UN regulations referred to in Article 57 which apply on a compulsory basis), before the row for Regulation Number 157, insert—
“155
Cyber security and cyber security management system
Original version of UN Regulation No 155
M, N
156
Software update and software update management system
Original version of UN Regulation No 156
M, N, O”;
(b)
in Table 2 (Scope of application of the requirements referred to in Article 57 - applicable categories per subject)—
(i)
before the row for systems replacing the driver’s input to controls, insert—
“Cyber security
X
X
X
X
X
X
Software update
X
X
X
X
X
X
X
X
X
X”;
(ii)
in the explanatory notes, before note IF, insert—
“X: Vehicles must meet the requirements.”;
(c)
after the explanatory notes to Table 2, insert—
“Table 3 - Implementation dates for the requirements for cyber security and cyber security management system for vehicles of categories M1, M2, M3, N1, N2 and N3
Vehicle Category
Date of refusal to grant GB type-approval to new types of complete and base vehicles
Date for the prohibition of registration of new complete vehicles and completed vehicles incorporating a noncompliant base vehicle
Date for the prohibition of registration of new completed vehicles
Date for the prohibition of registration of new special purpose vehicles
M1, M2, M3, N1, N2, N3
1 June 2026
1 June 2027
1 June 2028
7 July 2029
Table 4 - Implementation dates for the requirements for software update and software update management system for vehicles of categories M1, M2, M3, N1, N2, N3, O1, O2, O3 and O4
Vehicle Category
Date of refusal to grant GB type-approval to new types of complete and base vehicles
Date for the prohibition of registration of new complete vehicles and completed vehicles incorporating a noncompliant base vehicle
Date for the prohibition of registration of new completed vehicles
Date for the prohibition of registration of new special purpose vehicles
M1, M2, M3, N1, N2, N3, O1, O2, O3, O4
1 June 2026
1 June 2027
7 July 2029
7 July 2029”;
This regulation amends Regulation (EU) 2018/858, which establishes GB type-approval requirements for vehicles.
Specifically, it introduces provisions related to UN Regulations 155 (Cyber Security) and 156 (Software Updates).
Article 57 is updated to state that compulsory UN Regulations and their effective dates are listed in a new paragraph (3) within Annex XII. Annexes are heavily modified:
Annex II is updated to list UN R155 and UN R156 as mandatory requirements for unlimited series vehicles, medium series vehicles (M1 and N1), and specified special purpose vehicles (including motor-caravans, ambulances, armoured vehicles, etc.).
Annex IV is updated to require that a vehicle's software update management system must comply with UN R156 requirements.
Annex XII is updated by adding UN R155 and UN R156 to Table 1 (compulsory regulations for M and N categories), updating Table 2 to apply cyber security and software update requirements across M, N, and O categories, and introducing Tables 3 and 4 which detail the specific phase-in dates for these new cybersecurity and software update requirements, generally starting from mid-2026 for granting type-approval for new types.
Amendment of Regulation (EU) 2020/6833.
(1)
Commission Implementing Regulation (EU) 2020/6832 is amended as follows.
(2)
In Article 8—
(a)
the existing text becomes sub-paragraph
;“1.”
(b)
after that sub-paragraph, insert—
“2.
A certificate of conformity which is issued using the template provided for in Annex VIII as it has effect immediately before the coming into force of these Regulations, is to be treated as a GB certificate of conformity issued in accordance with Article 36(1) of Regulation (EU) 2018/858, if—
(a)
the vehicle to which it applies was manufactured before 1 June 2027; and
(b)
a valid GB type-approval granted in accordance with Regulation (EU) 2018/858 applies to the vehicle.”.
(3)
In Annex I, in the template for an information document for the GB type-approval of vehicles, systems, components or separate technical units, after point 12.10.3.2, insert——
“12.11. [Intentionally blank]
12.12. [Intentionally blank]
12.13. [Intentionally blank]
12.14. Cyber security
12.14.1. General construction characteristics of the vehicle type, including:
(a) the vehicle systems which are relevant to the cyber security of the vehicle type;
(b) the components of those systems that are relevant to cyber security;
(c) the interactions of those systems with other systems within the vehicle type and external interfaces ...
12.14.2. Schematic representation of the vehicle type: ...
12.14.3. The number of the Certificate of Compliance for cyber security management system: ...
12.14.4. Documents for the vehicle type to be approved describing the outcome of its risk assessment and the identified risks: ...
12.14.5. Documents for the vehicle type to be approved describing the mitigations that have been implemented on the systems listed, or to the vehicle type, and how they address the stated risks: ...
12.14.6. Documents for the vehicle type to be approved describing the protection of dedicated environments for aftermarket software, services, applications or data: ...
12.14.7. Documents for the vehicle type to be approved describing what tests have been used to verify the cyber security of the vehicle type and its systems and the outcome of those tests: ...
12.14.8. Description of the consideration of the supply chain with respect to cyber security: ...
12.15. Software update
12.15.1. General construction characteristics of the vehicle type: ...
12.15.2. The number of the Certificate of Compliance for software update management: ...
12.15.3. Security measures
12.15.3.1. Documents for the vehicle type to be approved describing that the update process will be performed securely: ...
12.15.3.2. Documents for the vehicle type to be approved describing that the update process will be performed securely: ...
12.15.4. Software updates over the air
12.15.4.1. Documents for the vehicle type to be approved describing that the update process will be performed safely: ...
12.15.4.2. Description of the means of informing vehicle users about an update before and after its execution: ...
12.15.5. Manufacturer’s declaration of compliance with the requirements for Software Update Management Systems”.
(4)
In Annex VIII (certificate of conformity in paper format), in the Appendix (templates for the certificate of conformity in paper format)—
(a)
in Part I (complete and completed vehicles)—
(i)
in vehicle categories M1, M2, M3, N1, N2, and N3, in each case, after point 52, insert—
“55. Vehicle certified in accordance with UN Regulation No 155: yes/no (4)
56. Vehicle certified in accordance with UN Regulation No 156: yes/no (4)”;
(ii)
in vehicle categories O1 and O2, and O3 and O4, in each case, after point 52, insert—
“55. In the case of a vehicle approved to UN Regulation No 155, vehicle certified in accordance with UN Regulation No 155: yes/no (4)
56. In the case of a vehicle approved to UN Regulation No 156, vehicle certified in accordance with UN Regulation No 156: yes/no (4)”;
(b)
in Part 2 (incomplete vehicles)—
(i)
in vehicle categories M1, M2, M3, N1, N2, N3, in each case, after point 52, insert—
“55. Vehicle certified in accordance with UN Regulation No 155: yes/no (4)
56. Vehicle certified in accordance with UN Regulation No 156: yes/no (4)”;
(ii)
in vehicle categories O1 and O2, and O3 and O4, in each case, after point 52, insert—
“55. In the case of a vehicle approved to UN Regulation No 155, vehicle certified in accordance with UN Regulation No 155: yes/no (4)
56. In the case of a vehicle approved to UN Regulation No 156, vehicle certified in accordance with UN Regulation No 156: yes/no (4)”.
This regulation amends Commission Implementing Regulation (EU) 2020/683, which deals with the administrative procedures for GB type-approval.
Article 8 is updated to create a transitional provision (new paragraph 2): Certificates of conformity issued using the pre-amendment template in Annex VIII are automatically treated as valid GB certificates under Regulation (EU) 2018/858, provided the vehicle was manufactured before 1 June 2027 and already has a valid GB type-approval.
Annex I (the information document template for type-approval) is significantly updated to insert detailed new sections (12.14 and 12.15) requiring manufacturers to provide extensive documentation on Cyber Security (risk assessment, mitigations, testing) and Software Updates (management systems, security measures, over-the-air updates).
Annex VIII (certificate of conformity templates) is updated across all vehicle categories (M, N, and O) for both complete/completed vehicles and incomplete vehicles, adding specific fields asking explicitly if the vehicle is certified in accordance with UN Regulation No. 155 and UN Regulation No. 156.
Signed by authority of the Secretary of State for Transport
Simon Lightwood
Parliamentary Under Secretary of State
Department for Transport
These regulations were officially signed by Simon Lightwood, acting under the authority of the Secretary of State for Transport on 20th October 2025.
The signatory held the position of Parliamentary Under Secretary of State for the Department for Transport.
Explanatory Note
(This note is not part of the Regulations)
These Regulations amend Regulation (EU) 2018/858 and Commission Implementing Regulation (EU) 2020/683 to make compliance with two UNECE Regulations (UNECE Regulation No 155 on cyber security and cyber security management systems and UNECE Regulation No 156 on software updates and software update management systems) compulsory for vehicles applying for GB type approval.
Regulation 2 updates the list of technical requirements in Annex II of Regulation (EU) 2018/858 that must be met at type approval in the GB scheme to include UNECE Regulations No 155 and No 156, and procedures relating to conformity of production in Annex IV of that Regulation to reference arrangements concerning software updates. It also updates Annex XII of that Regulation to outline the dates on which the requirements apply.
Regulation 3 updates the information document used to make an application for type approval set out in Annex I of Commission Implementing Regulation (EU) 2020/683 to include provision on cyber security and software updates. It also updates Annex VIII of that Regulation to ensure that certificates of conformity contain references to UNECE Regulations No 155 and No 156 where appropriate.
The net costs imposed on business, the voluntary sector and the public sector by these Regulations have been assessed as being less than £10m in any year and therefore a full impact assessment has not been prepared.
The UN Regulations are issued by the United Nations Economic Commission for Europe. Copies of the UN Regulations referred to in these Regulations can be obtained from the UNECE website: http://www.unece.org/trans/main/wp29/wp29regs.html.
An Explanatory Memorandum and a de minimis assessment have been prepared and are available alongside this instrument at www.legislation.gov.uk. Hard copies may be obtained from the Department for Transport, Great Minster House, 33 Horseferry Road, London, SW1P 4DR.
The Explanatory Note confirms the purpose: to make compliance with UNECE Regulations No. 155 (Cyber Security) and No. 156 (Software Updates) compulsory for GB type-approval, by amending Regulation (EU) 2018/858 and Implementing Regulation (EU) 2020/683.
Regulation 2 integrates these UN standards into the GB type-approval technical requirements and sets out the application dates in Annex XII. Regulation 3 updates documentation requirements in the information document (Annex I) and clarifies the certificate of conformity format (Annex VIII) to reflect the new cyber/software requirements.
A full impact assessment was not needed as costs were below the £10m threshold.
Information is provided on where to access the UN Regulations and supporting documentation.
Latest Legislation
The Organic Production (Amendment) Regulations 2025
22nd Oct 25
The Road Vehicles (Type-Approval) (Amendment) (No. 3) Regulations 2025
22nd Oct 25
The Immigration (Electronic Travel Authorisations) (Jersey) Order 2025
22nd Oct 25
The Unmanned Aircraft (Amendment) Regulations 2025
21st Oct 25
The Immigration and Nationality (Fees) (Amendment) (No. 2) Regulations 2025
21st Oct 25