Why Korea’s automotive cybersecurity regulation requires an integrated approach

SUWON, South Korea, Jan. 28, 2026 /PRNewswire/ — This is an article published in The Korea Herald:

Korea’s automotive cybersecurity legislation has now come into force. Compliance has been required for newly registered vehicle types since August 2025 and will apply to already-registered vehicle types in mass production (production vehicles) from August 2027 as a prerequisite for vehicle sales. The industry, however, now faces a key question: “How should we understand this Korean legislation, and how should we respond?”

Korea’s automotive cybersecurity regulatory framework

As the vehicle industry shifts from hardware-centric to software-centric architectures and the era of connected vehicles accelerates, mandatory automotive cybersecurity requirements are expanding globally. In June 2020, UNECE WP.29 adopted UN R155. Based on this, Korea established a cybersecurity framework under the Motor Vehicle Management Act in February 2024.

Cybersecurity Management System (CSMS) certification assesses an automaker’s cybersecurity organization and processes, while Vehicle Type Approval (VTA) verifies implementation on actual vehicles. UN R155 requires both to follow a preapproval system. Korea’s Motor Vehicle Management Act adopts a different structure.

Under Korea’s system, CSMS is subject to preapproval, while VTA follows self-certification with postmarket oversight. This reflects the nature of what is being assessed. Existing automotive safety requirements — such as collision or braking tests — are defined by clear quantitative criteria. CSMS, however, includes many qualitative elements related to an automaker’s organization, processes and policies. As a result, applying a single quantitative or uniform standard is challenging due to differences in organizational structures across automakers. Preapproving CSMS is therefore intended to verify in advance whether the required processes are properly established.

Turning regulatory compliance into operating strategy

Many companies already hold UN R155 certification, but Korea’s requirements often demand additional preparation. Under UN R155, CSMS certification is assessed across 12 major categories.

The Motor Vehicle Management Act further refines these categories into multiple subitems and requires automakers to clearly articulate their positions and provide supporting evidence for each subitem. Effective compliance requires more than translation or formal submission — it demands a clear understanding of regulatory intent and well-prepared evidence. Thorough preparation is essential to obtain certification in a single assessment cycle.

For companies without prior certification experience, the starting point should be CSMS.

CSMS is a management framework, not a technical checklist. Companies should begin by clearly defining internal roles and responsibilities and establishing cybersecurity policies and operational procedures across the full lifecycle, from development and production to postproduction phases. They must also formalize the Threat Analysis and Risk Assessment process by systematically identifying threats and vulnerabilities and documenting response strategies, while establishing continuous monitoring, incident response capabilities and supply chain cybersecurity management.

Focusing on CSMS alone, however, is not enough. While CSMS assesses organizational readiness, VTA verifies whether cybersecurity measures are effective on actual vehicles. VTA requires security testing at both ECU and vehicle levels. Documentation alone is insufficient — an effective automotive cybersecurity system is achieved only when policy, processes and real-vehicle implementation are addressed through an integrated approach.

Ultimately, Korea’s automotive cybersecurity regulation sends a clear message: Cybersecurity does not end with certification; it must be embedded across business operations, with continuous improvement throughout the vehicle lifecycle.

Building cyber resilience — the ability to respond to and recover from incidents — further strengthens long-term competitiveness.

Kim Sung-bum

Kim Sung-bum is a technical adviser at Fescaro (https://www.fescaro.com/en/) and a former head of the autonomous driving division at the Korea Automobile Testing & Research Institute (KATRI). He participated in the enactment of Korea’s automotive cybersecurity legislation. The views in this column are his own.