Essential Guide to Automotive Cyber Compliance for Tiers 1-3
At Koniag Cyber, we're seeing a seismic shift in the automotive industry where cybersecurity is no longer just a best practice; it's a gatekeeper for market access. For many global markets, Original Equipment Manufacturers (OEMs) can't ship new vehicle types without demonstrating robust cybersecurity management and secure software update practices aligned with United Nations Economic Commission for Europe (UNECE) regulations and local type-approval authorities' interpretations. While the U.S. market for domestic suppliers has its own cyber guidelines, many U.S. automakers sell into Europe and are impacted by this evolving global landscape. The translation for suppliers? OEMs are demanding concrete evidence from you because your components and software directly contribute to the vehicle's overall compliance story. This flow-down of requirements is catching many off guard, especially smaller suppliers further down the chain, leading to delayed contracts, increased costs, and potential exclusion from lucrative deals. The purpose of this article is to break down the key drivers, what flow-down really entails across tiers, and the real-world implications if your organization isn't prepared. Ignoring these could mean missing out on billions in automotive revenue as regulations tighten in 2026 and beyond.
Three major drivers are pulling automotive suppliers into the cybersecurity orbit
First, the UNECE regulations focus squarely on vehicle compliance. UN R155 mandates cybersecurity measures alongside a Cybersecurity Management System (CSMS), which has been integrated into the EU type-approval framework and referenced by national authorities worldwide. Its companion, UN R156, emphasizes Software Updates and a Software Update Management System (SUMS) to ensure secure governance over updates. These rules aren't optional; they require OEMs to prove end-to-end protection against cyber threats, from design to post-production, pushing suppliers to align their practices accordingly.
Second, engineering standards provide the blueprint for operationalizing this "proof." ISO/SAE 21434 stands as the de facto standard for vehicle cybersecurity across the entire lifecycle, offering guidance on risk assessment, mitigation, and validation. Complementing it is ISO 24089, which zeroes in on software update engineering, helping organizations meet R156 expectations by detailing secure update processes, integrity checks, and deployment controls.
Third, broader EU-wide obligations extend beyond vehicles to encompass product cybersecurity. The EU Cyber Resilience Act (CRA) imposes lifecycle security requirements for "products with digital elements," including vulnerability handling, secure-by-design principles, and ongoing support. This can ripple into automotive components and software sold in the EU, forcing suppliers to embed security from the ground up or face market barriers.
Understanding Flow-Down and How it Matters for Each Tier
Flow-down is not just a buzzword; it is a cascade of obligations from OEMs to suppliers that ensures the entire supply chain upholds cybersecurity standards. OEMs aren't simply saying "be compliant"; they're requiring evidence such as documents, attestations, and test results, backed by contract language that includes audit rights, incident reporting, and minimum controls. Importantly, this keeps rolling down: you must impose similar requirements on your own suppliers to avoid weak links. The tier you occupy dictates the intensity, creating a layered model of accountability.
For Tier 1 suppliers, those directly interfacing with OEMs, this is the "prove it" tier. Expectations are rigorous, demanding product cyber engineering deliverables aligned with ISO/SAE 21434, such as Threat Analysis and Risk Assessment (TARA)-style outputs and validation evidence. OEMs rely on these auditable artifacts to bolster their R155 compliance. Secure software update controls, including SUMS alignment, update logging, integrity validation, and controlled deployment, tie directly to R156. Increasingly, Software Bill of Materials (SBOM)-like traceability is expected so that affected components can be identified quickly when a vulnerability is disclosed.
What does good look like? Suppliers should provide a cybersecurity plan with lifecycle processes, threat/risk analysis outputs and mitigations, security test reports (including penetration testing summaries), and incident response playbooks with coordinated disclosure processes.
Tier 2 suppliers, often providing Electronic Control Units (ECUs), chips, firmware, sensors, or connectivity components, fall into the "demonstrate controlled risk" tier. These elements carry outsized cyber risk, so the focus is on supplying security requirements and assurance evidence to Tier 1s: secure boot, code signing, hardening, vulnerability disclosure, and patch Service Level Agreements (SLAs). Component traceability and ongoing vulnerability monitoring for software and third-party libraries are key to enabling rapid response. Good practices include secure development processes, a vulnerability management program, clear update/patch pathways (even if routed through higher tiers), and documented security properties outlining protections and failure modes.
Tier 3 encompasses raw materials, indirect services, tooling, and IT/OT providers, and here the emphasis is on "protecting the ecosystem." OEMs at this level worry about IP leakage, credential compromise, and disruptions such as ransomware that could halt production. This tier leans more on information-security assessments than on product-specific engineering, with demands for controls that safeguard broader operations.
Real-world examples illustrate how manufacturers are enforcing these flow-downs. Take Daimler Truck North America (DTNA): its supplier cybersecurity requirements mandate incident reporting to its Cybersecurity Operations Center (CSOC), evidence of information security via a TISAX label (Assessment Level 3 for production material suppliers), and rights to audit premises and systems. This exemplifies classic flow-down: prove controls, report fast, and accept oversight.
Stellantis takes a similar tack with its supplier information security requirements, requiring annual compliance attestations and baseline controls like data encryption, access management, network isolation, and vulnerability assessments. Contracts enforce these as non-negotiable.
Volkswagen Group, through its collaboration portal, references TISAX label expectations, determining minimum requirements for apps and tools based on verified labels, ensuring that even indirect suppliers meet info-sec standards.
To spotlight the regulations and frameworks hitting suppliers hardest: UNECE R155 and R156 drive OEM pressure for CSMS/SUMS-aligned evidence, with authorities demanding dedicated systems for type approval. ISO/SAE 21434 maps directly to these, providing the engineering deliverables suppliers must furnish. ISO 24089 supports update governance, while the CRA enforces secure-by-design and vulnerability handling for digital products, potentially affecting any EU-bound automotive software or components. TISAX, though not a regulation, acts as a de facto gatekeeper in EU auto chains, building on ISO/IEC 27001 with industry-specific tweaks for standardized assessments.
What’s Next Specifically for U.S. Auto Suppliers?
The U.S. Department of Commerce’s Bureau of Industry and Security (BIS) has been progressing a rulemaking focused on connected vehicle cybersecurity and supply chain security. Here’s what we understand so far:
- BIS issued an Advance Notice of Proposed Rulemaking (ANPRM) to solicit comments on risks posed by Information and Communications Technology & Services (ICTS) integral to connected vehicles, especially from foreign adversary sources.
- This ANPRM aims to identify how certain on-board software, telematics, ADAS/ADS systems, and supply chain dependencies might be regulated, a potential first step toward future cybersecurity requirements.
- A final rule was published that prohibits imports and sales of connected-vehicle components sourced from entities in certain foreign adversary jurisdictions (e.g., China, Russia), reflecting national security-driven cybersecurity controls for vehicle technology.
An NPRM (Notice of Proposed Rulemaking) is the likely next stage where we’ll learn a lot more about the forthcoming regulations on both cybersecurity and supply chain risk in the U.S. auto industry.
Whether change is already here, as in Europe, or still on the horizon, as in the U.S. market, ignoring current flow-down risk and failing to prepare for future regulations can quickly lead to lost business, avoidable fines, and reputational damage. At Koniag Cyber, we urge a proactive stance: conduct gap analyses, build CSMS/SUMS frameworks, and assemble your evidence now, because your automotive ecosystem demands it, or soon will.