UN R155 CSMS: What Auditors Expect vs What Engineering Teams Actually Do

An analysis of why UN R155 CSMS expectations often diverge from real engineering practices—and how that gap impacts compliance and security outcomes.

Why the Gap Matters More Than the Regulation Itself

In practice, however, a recurring gap emerges—not between the regulation and technology, but between what auditors expect to see and how engineering organizations actually operate under real delivery constraints.

This article examines that gap from a system and organizational perspective, focusing on why it persists and how it quietly undermines both compliance and security outcomes.

At the center of this requirement is CSMS.
Not as a security control or toolchain, but as a management framework that governs how cybersecurity decisions are made, recorded, reviewed, and improved over time. This distinction is subtle but critical, because many of the difficulties surrounding UN R155 originate from misunderstanding what CSMS is meant to demonstrate.

From a market perspective, this shift carries direct consequences.
Today, the European Union has made UN R155/156 compliance a formal part of EU type approval, with phased applicability that moved from new vehicle types to all new vehicles. As a result, CSMS is no longer an internal policy choice—it has become a prerequisite for accessing regulated markets.

What Auditors Expect from a CSMS

From an audit perspective, CSMS is evaluated primarily as a governance system. Auditors are not reviewing source code or cryptographic algorithms; instead, they look for evidence that cybersecurity is institutionalized across the organization.

Typical audit expectations include:

  • Clear ownership and accountability
    Defined responsibility for cybersecurity decision-making, escalation paths, and risk acceptance.
  • Lifecycle-wide risk management
    Evidence that cybersecurity risks are identified early and revisited as systems, suppliers, and architectures evolve.
  • Traceability of decisions
    Clear links between identified risks, mitigation strategies, and the rationale behind acceptance or rejection.
  • Consistency across vehicle programs
    A CSMS that applies at the organizational level, rather than being recreated for each individual project.

In essence, auditors are evaluating whether cybersecurity behaves like a managed system, not an ad-hoc collection of activities.

What Engineering Teams Actually Do

Engineering organizations rarely resist CSMS intentionally. The gap usually emerges from how product development actually works.

Most teams operate in a project-centric model, optimized for delivering vehicles under fixed schedules and cost constraints. Cybersecurity tasks are distributed across architecture, software, IT, and supplier teams, often without a single operational owner responsible for maintaining cross-project coherence.

Security activities also tend to start late.
By the time cybersecurity reviews or assessments begin, key architectural decisions may already be locked, leaving limited room for structural change. Documentation, meanwhile, is frequently treated as a byproduct—assembled retrospectively to satisfy audit requests rather than generated naturally during development.

As a result, organizations may deliver technically robust products while still struggling to demonstrate CSMS integrity during audits.

Where the Gap Becomes Visible

The mismatch between audit expectations and engineering reality becomes most visible during formal assessments. Certain questions surface repeatedly:

  • Who formally accepts cybersecurity risk, and at what organizational level?
  • How are risks re-evaluated after architectural or supplier changes?
  • How do project-level security decisions influence future vehicle programs?
  • Where is the evidence of continuous improvement?

Engineering teams usually have practical answers to these questions.
What they often lack is structural alignment—a way to present those answers within a coherent, organization-wide CSMS narrative.

The issue is not absence of effort, but absence of a shared frame of reference.

Why the Gap Persists

Several structural factors make this gap difficult to close:

  1. CSMS is organizational, not technical
    Engineering cultures excel at solving technical problems, not at modeling governance structures.
  2. Audits reward clarity, not activity
    What matters is not how much work was done, but how clearly decisions are justified and documented.
  3. Cybersecurity maturity evolves unevenly
    Advanced technical controls often coexist with immature process integration.
  4. Delivery pressure reshapes priorities
    Under schedule constraints, cybersecurity activities tend to become reactive and localized.

These conditions are not exceptional. They are common across complex automotive development environments.

Bridging the Gap Without Overengineering

Effective alignment does not require heavier processes or more documents. In practice, it often involves a small number of focused adjustments:

  • Explicit decision points
    Clearly defining where cybersecurity decisions are made and recorded.
  • Minimal, standardized CSMS artifacts
    A limited set of outputs reused consistently across projects.
  • System-level ownership
    Responsibility assigned above individual programs, but close to engineering reality.
  • Audit-aware workflows
    Development processes that naturally generate evidence as part of normal work.

When CSMS supports engineering instead of constraining it, compliance and real security outcomes improve together.

Conclusion

UN R155 does not fail because its requirements are unrealistic.
It fails when organizations assume that strong technical security automatically satisfies regulatory expectations.

Auditors evaluate systems.
Engineering teams build products.

A CSMS succeeds only when it connects those two worlds—without forcing either to abandon how they actually work.