The Department for Transport has made the Road Vehicles (Type-Approval) (Amendment) (No. 3) Regulations 2025 (S.I. 2025/1110). The instrument was made on 20 October 2025, laid before Parliament on 22 October 2025, and comes into force on 13 November 2025. It makes UNECE Regulation No. 155 on vehicle cyber security and UNECE Regulation No. 156 on software updates compulsory requirements within Great Britain’s type-approval framework under Regulation (EU) 2018/858.
Legally, the instrument amends Article 57 of Regulation (EU) 2018/858 to confirm that compulsory UN Regulations and their start dates are specified in Annex XII. Annex XII-created in June 2025 to list UN rules that apply on a mandatory basis-previously referenced UN R157 on Automated Lane Keeping Systems; this amendment adds R155 and R156 to that compulsory list and sets the applicable dates.
Annex II to Regulation (EU) 2018/858 is updated so that cyber security and software update requirements apply across the GB scheme’s approval routes. New entries are added to the unlimited series table, the medium series tables for M1 passenger cars and N1 light goods vehicles, and to the special purpose vehicle appendices covering motor‑caravans, ambulances, hearses, armoured vehicles, wheelchair accessible vehicles, other special purpose vehicles, mobile cranes and exceptional load transport vehicles.
Conformity of production is tightened. Annex IV now states that a manufacturer’s software update management system-alongside the whole vehicle type-must comply with UN R156. This embeds software update governance into routine production conformity checks rather than treating it as a one‑off approval gate.
Annex XII itself is expanded. Table 1 lists R155 and R156 as compulsory UN Regulations for GB type‑approval. Table 2 is clarified to show where the requirements apply by vehicle category, with a new “X” marker indicating categories that must meet the regulation rather than only when systems are fitted. This codifies application across M and N categories where relevant.
Commission Implementing Regulation (EU) 2020/683-used in GB as assimilated law for approval templates-is amended. The GB information document gains dedicated sections: 12.14 (Cyber security) and 12.15 (Software update). Applicants must now set out cyber‑relevant systems and interfaces, CSMS certificate details, risk assessment outputs, mitigations, testing evidence, supply‑chain treatment, and protections for aftermarket software and data. For software updates, applicants must describe the SUMS certificate, secure update processes, over‑the‑air update safety, and how users are informed before and after updates, alongside a manufacturer’s declaration of SUMS compliance.
Certificates of conformity are also updated. The paper CoC templates for complete, incomplete and completed vehicles gain new tick‑boxes stating whether a vehicle is certified to UN R155 and to UN R156. A transitional provision allows CoCs issued on the pre‑amendment template to be treated as GB CoCs if the vehicle was manufactured before 1 June 2027 and a valid GB type‑approval applies-giving manufacturers time to adjust CoC production while the new cyber and software requirements phase in.
Implementation is staged. In its published government response on cyber security and software update requirements for the GB type‑approval scheme, the Department for Transport confirmed the timetable: new vehicle types must comply by 1 June 2026; all complete and incomplete vehicles by 1 June 2027; completed vehicles by 1 June 2028 (R155) and by 7 July 2029 (R156). Annex XII is used to give these dates binding effect in GB law.
For manufacturers, this means CSMS and SUMS certification sit alongside existing safety and environmental approvals. Organisations will need documented threat analysis, vulnerability and incident management, test evidence for cyber controls, clear governance of software versioning, and robust over‑the‑air update processes that preserve functional safety and security throughout the vehicle life cycle.
For special purpose and multi‑stage builds, the changes reach beyond base vehicles. Bodybuilders and converters of ambulances, motor‑caravans, hearses and wheelchair accessible vehicles will need to ensure that added systems and interfaces are included in cyber risk assessments and that software dependencies are controlled, particularly where final completion occurs after the base vehicle’s approval.
Operationally, approval packs must reflect the new information requirements from 13 November 2025. Applicants should check that information documents present CSMS and SUMS certificates, that user‑facing update notices are described, and that supply‑chain arrangements (including software provenance and signing processes) are evidenced. CoC production lines should be updated to populate the new R155/R156 fields, or use the transitional route until 1 June 2027 where eligible.
Contextually, the step brings GB closer to practice already familiar to international manufacturers working under UN rules and EU whole‑vehicle approvals. The Vehicle Certification Agency has signalled the maturing GB scheme and the expectation that M and N category vehicles hold full GB or UKNI type‑approval on defined timelines, which aligns with making R155 and R156 integral to approvals.
The Explanatory Note to S.I. 2025/1110 states that the net cost to business, the voluntary sector and the public sector is assessed at under £10 million in any year, so no full impact assessment has been prepared. An Explanatory Memorandum and de minimis assessment are available alongside the instrument on legislation.gov.uk. The instrument was signed by the Parliamentary Under Secretary of State for Transport, Simon Lightwood, on 20 October 2025.