What Is ISO 21434? Automotive Cybersecurity Explained

ISO/SAE 21434 is an international standard that specifies engineering requirements for cybersecurity risk management of road vehicles throughout their lifecycle, from concept through decommissioning. Published jointly by the International Organization for Standardization (ISO) and SAE International in 2021, it gives automakers and their suppliers a structured framework for identifying, assessing, and managing cyber risk in connected cars, trucks, and other road vehicles. As vehicles have become rolling networks of software and sensors, the standard has become the baseline reference for keeping their electrical and electronic systems secure.

What the Standard Covers

ISO/SAE 21434 is not a checklist of specific technical controls like “use this encryption algorithm.” Instead, it lays out processes and organizational requirements that ensure cybersecurity is built into every phase of a vehicle’s life. That scope includes concept development, product design, engineering, production, operation, maintenance, and eventual decommissioning. The goal is to help manufacturers prevent cyberattacks, detect them when they happen, and respond appropriately.

The standard applies not just to automakers but to the entire supply chain. Tier-1 and tier-2 suppliers providing electronic control units, software platforms, or communication modules are expected to follow the same cybersecurity engineering processes. This matters because a vulnerability in a single supplier’s component can compromise the whole vehicle.

How Threat Analysis Works Under ISO 21434

At the heart of the standard is a process called TARA, which stands for Threat Analysis and Risk Assessment. TARA is a systematic way to figure out what could go wrong, how bad it would be, how feasible it is for an attacker, and what to do about it. It takes the item definition as its input and then works through a series of steps, each producing a work product that feeds the next:

  • Item definition: Before TARA starts, the team defines the item being analyzed: the vehicle function and the components that implement it, its boundary, its interfaces to the rest of the vehicle and to the outside world, and its operating environment. Setting a clear boundary and engaging the right stakeholders early is what makes the later attack-path analysis tractable.
  • Asset identification: Everything within that boundary that is worth protecting is cataloged: ECUs, software, keys and credentials, data flows, and the signals and commands they carry. For each asset the team records which cybersecurity properties matter (confidentiality, integrity, availability and, where relevant, authenticity, authorization, or non-repudiation) and writes a damage scenario describing what happens to the vehicle or its occupants if that property is compromised.
  • Threat scenario identification: For each damage scenario, the team describes how an attacker could bring it about, for example by spoofing a brake-request message on the chassis bus. Threat scenarios are deliberate attacks; random hardware faults and ordinary software defects are handled by the functional-safety process, not by TARA.
  • Impact rating: Each damage scenario is rated, typically on a four-level scale from negligible to severe, across four impact categories: safety, financial, operational, and privacy. These ratings decide where engineering effort is focused.
  • Attack path analysis and attack feasibility rating: The team works out the concrete paths an attacker could take to realize each threat scenario and rates how feasible each path is, either from attack potential (elapsed time, specialist expertise, knowledge of the item, window of opportunity, and equipment required), from a CVSS-style vector, or from the attack vector alone.
  • Risk value determination and treatment decision: Impact and feasibility are combined, usually through a matrix, into a risk value from 1 to 5 for each threat scenario. The team then decides to avoid the risk, reduce it with countermeasures, share it (for example contractually with a supplier), or retain it, and records the justification.

The output of TARA is a set of threat scenarios, each with its impact rating, attack paths, feasibility rating, risk value, and treatment decision. For risks that are to be reduced, engineers derive cybersecurity goals and then a cybersecurity concept that allocates countermeasures to specific components, all before a single line of production code is written. The analysis is revisited whenever the item changes or new threat information arrives, including after production.
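The scoring steps above are easier to see with numbers attached. The following is an added worked example, not code from the standard or from any vehicle program: it rates two constructed attack paths for one threat scenario by attack potential, maps the sums to feasibility levels, combines feasibility with the damage scenario's impact through a risk matrix, and applies a treatment rule. The factor scores, feasibility thresholds, and risk matrix follow the attack-potential approach in the standard's informative annex as an assumed starting point, and the treatment thresholds are an assumed organizational policy; the standard leaves all of these for the organization to define and document.

```python
"""Worked TARA scoring for one threat scenario (constructed example, not code
from ISO/SAE 21434 itself): attack feasibility from attack potential, risk
value from impact x feasibility, then a treatment decision."""
from dataclasses import dataclass
from typing import Dict, List

# Attack-potential factor scores.  Assumed values modelled on the standard's
# informative attack-potential tables; an organisation defines its own.
ELAPSED_TIME = {"<=1 day": 0, "<=1 week": 1, "<=1 month": 4, "<=6 months": 17, ">6 months": 19}
EXPERTISE    = {"layman": 0, "proficient": 3, "expert": 6, "multiple experts": 8}
KNOWLEDGE    = {"public": 0, "restricted": 3, "confidential": 7, "strictly confidential": 11}
WINDOW       = {"unlimited": 0, "easy": 1, "moderate": 4, "difficult": 10}
EQUIPMENT    = {"standard": 0, "specialised": 4, "bespoke": 7, "multiple bespoke": 9}

IMPACT_ORDER      = ["negligible", "moderate", "major", "severe"]
FEASIBILITY_ORDER = ["very low", "low", "medium", "high"]

# Risk-determination matrix (assumed example, not normative):
# row = impact, column index = feasibility from "very low" to "high", value 1..5.
RISK_MATRIX = {
    "negligible": [1, 1, 1, 1],
    "moderate":   [1, 2, 2, 3],
    "major":      [1, 2, 3, 4],
    "severe":     [1, 3, 4, 5],
}


@dataclass
class AttackPath:
    name: str
    elapsed_time: str
    expertise: str
    knowledge: str
    window: str
    equipment: str

    def attack_potential(self) -> int:
        """Sum of the five factor scores; a higher sum means a harder attack."""
        return (ELAPSED_TIME[self.elapsed_time] + EXPERTISE[self.expertise]
                + KNOWLEDGE[self.knowledge] + WINDOW[self.window]
                + EQUIPMENT[self.equipment])


@dataclass
class ThreatScenario:
    description: str
    impact_by_category: Dict[str, str]  # safety, financial, operational, privacy
    attack_paths: List[AttackPath]


def feasibility_rating(attack_potential: int) -> str:
    """Map the summed attack potential to the four-level feasibility rating."""
    if attack_potential <= 13:
        return "high"
    if attack_potential <= 19:
        return "medium"
    if attack_potential <= 24:
        return "low"
    return "very low"


def impact_rating(impact_by_category: Dict[str, str]) -> str:
    """Overall impact is the highest rating across the four impact categories."""
    return max(impact_by_category.values(), key=IMPACT_ORDER.index)


def risk_value(impact: str, feasibility: str) -> int:
    return RISK_MATRIX[impact][FEASIBILITY_ORDER.index(feasibility)]


def treatment_decision(risk: int) -> str:
    """Assumed organisational policy; the standard names the four options
    (avoid, reduce, share, retain) but leaves the thresholds to the organisation."""
    if risk >= 4:
        return "reduce"            # derive a cybersecurity goal and countermeasures
    if risk >= 2:
        return "reduce or share"   # e.g. contractual allocation to a supplier
    return "retain"


def assess(scenario: ThreatScenario) -> dict:
    """Rate every attack path, take the most feasible one as the scenario's
    feasibility, combine it with impact, and decide treatment."""
    paths = {p.name: feasibility_rating(p.attack_potential()) for p in scenario.attack_paths}
    feas = max(paths.values(), key=FEASIBILITY_ORDER.index)  # easiest path wins
    impact = impact_rating(scenario.impact_by_category)
    risk = risk_value(impact, feas)
    return {"impact": impact, "paths": paths, "feasibility": feas,
            "risk": risk, "treatment": treatment_decision(risk)}


# Constructed scenario: spoofed brake-request frames on the chassis CAN bus.
BRAKE_SPOOF = ThreatScenario(
    description="Spoofed brake-request frame injected on chassis CAN",
    impact_by_category={"safety": "severe", "financial": "major",
                        "operational": "major", "privacy": "negligible"},
    attack_paths=[
        AttackPath("OBD-II port, physical access", "<=1 week", "proficient",
                   "public", "moderate", "standard"),                      # potential 8
        AttackPath("Remote via telematics cellular interface", "<=6 months",
                   "expert", "confidential", "unlimited", "specialised"),  # potential 34
    ],
)

if __name__ == "__main__":
    for key, value in assess(BRAKE_SPOOF).items():
        print(f"{key}: {value}")
```

The point the numbers make is that a severe damage scenario with even one easy attack path lands at the top of the risk scale regardless of how hard the remote path is, so the countermeasure has to address the physical-access path (for example authenticated CAN messages or a gateway that filters diagnostic traffic) rather than only hardening the telematics unit.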

Post-Production Requirements

One of the most significant aspects of ISO/SAE 21434 is that cybersecurity obligations do not end when a vehicle rolls off the assembly line. The standard requires ongoing post-production activities: continual cybersecurity monitoring, evaluation of the events that monitoring surfaces, vulnerability analysis and management, and incident response.

Vulnerability management starts with continual monitoring. Manufacturers must watch vulnerability databases, supplier notifications, researcher reports, and field data, then analyze whether a newly disclosed weakness affects vehicles already on the road and, if it does, re-examine the original TARA and decide on a treatment, which may be an over-the-air update, a workshop campaign, or a documented decision to retain the risk. This product-level assurance continues until the manufacturer's declared end of cybersecurity support, which the standard expects to track how long the vehicle is actually in operation rather than the warranty period. If a new exploit surfaces that affects a five-year-old model still in active use, the manufacturer is expected to assess it and act.
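The "does this affect vehicles already on the road" step is concrete enough to show as code. The following is an added example, not code from the standard or from any manufacturer: it matches a newly published advisory against a per-variant software inventory (one constructed record per ECU, listing the interfaces the ECU exposes and the third-party components it contains) and triages each hit by whether the advisory's attack vector is directly reachable on that ECU. The fleet, the component names, the versions, and the advisory identifier are all invented for the example, and the grouping of interfaces into remote, adjacent, and physical classes is an assumption.

```python
"""Post-production vulnerability analysis (constructed example, not code from
ISO/SAE 21434 or any OEM): match a newly published advisory against the
software inventory of vehicle variants in the field and triage the hits."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """'2.10.1' -> (2, 10, 1), so comparison is numeric rather than lexical."""
    return tuple(int(part) for part in v.split("."))


@dataclass(frozen=True)
class Component:
    vendor: str
    product: str
    version: str


@dataclass
class Ecu:
    name: str
    interfaces: List[str]         # external interfaces this ECU exposes
    components: List[Component]   # its software bill of materials


@dataclass
class VehicleVariant:
    model: str
    model_years: str
    ecus: List[Ecu]


@dataclass
class Advisory:
    ident: str
    vendor: str
    product: str
    introduced: str     # first affected version, inclusive
    fixed: str          # first fixed version, exclusive
    attack_vector: str  # "network", "adjacent" or "physical"


# Assumed grouping of interface names into reachability classes.
REMOTE, ADJACENT, PHYSICAL = {"cellular", "wifi"}, {"bluetooth"}, {"obd", "usb"}


def component_affected(c: Component, adv: Advisory) -> bool:
    """True when the component is the advisory's product and its version falls
    in the affected range [introduced, fixed)."""
    if (c.vendor, c.product) != (adv.vendor, adv.product):
        return False
    return parse_version(adv.introduced) <= parse_version(c.version) < parse_version(adv.fixed)


def directly_reachable(vector: str, interfaces: List[str]) -> bool:
    """Can the advisory's attack vector be exercised on this ECU's own interfaces?"""
    ifs = set(interfaces)
    if vector == "network":
        return bool(ifs & REMOTE)
    if vector == "adjacent":
        return bool(ifs & (REMOTE | ADJACENT))
    return bool(ifs & (REMOTE | ADJACENT | PHYSICAL))


def analyse(fleet: List[VehicleVariant], adv: Advisory) -> List[Dict[str, str]]:
    """One finding per affected ECU instance.  'urgent' means the attack vector is
    exposed on the ECU itself; 'review' means the component is present but only
    reachable through another ECU, so the original TARA attack paths must be
    re-examined rather than the finding dismissed."""
    findings = []
    for variant in fleet:
        for ecu in variant.ecus:
            for c in ecu.components:
                if component_affected(c, adv):
                    exposed = directly_reachable(adv.attack_vector, ecu.interfaces)
                    findings.append({
                        "advisory": adv.ident, "model": variant.model,
                        "model_years": variant.model_years, "ecu": ecu.name,
                        "component": f"{c.vendor}/{c.product} {c.version}",
                        "priority": "urgent" if exposed else "review",
                    })
    return findings


# Constructed fleet inventory and advisory (all names and versions invented).
FLEET = [
    VehicleVariant("Model A", "2019-2021", [
        Ecu("telematics", ["cellular"], [Component("acme", "tls-lib", "2.3.4")]),
        Ecu("infotainment", ["bluetooth", "usb"], [Component("acme", "tls-lib", "2.3.9")]),
        Ecu("gateway", ["obd"], [Component("acme", "can-stack", "1.0.2")]),
    ]),
    VehicleVariant("Model B", "2022-2024", [
        Ecu("telematics", ["cellular", "wifi"], [Component("acme", "tls-lib", "2.10.0")]),
    ]),
]
ADVISORY = Advisory("ADV-EXAMPLE-0001", "acme", "tls-lib", "2.0.0", "2.4.0", "network")

if __name__ == "__main__":
    for finding in analyse(FLEET, ADVISORY):
        print(finding)
```

Two details are worth noting. Versions are compared numerically, so 2.10.0 is correctly treated as newer than the 2.4.0 fix even though a string comparison would rank it as older and flag a patched variant. And a component that is present but not directly exposed is still reported, because the earlier TARA may already contain an attack path from a compromised infotainment unit into that ECU; the monitoring process has to hand the finding back to the analysis rather than close it on reachability alone.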

Incident response kicks in when an event is judged to be a cybersecurity incident, for example when an internal team or an external researcher reports a vulnerability in a production vehicle, or when monitoring shows exploitation in the field. The standard requires a secure reporting mechanism so that details about the vulnerability do not leak to malicious actors before a fix is available. Information about reported vulnerabilities must be restricted to necessary personnel on a need-to-know basis. The incident response team then triages, contains, and remediates the issue, and feeds what it learned back into the TARA and the development process.

How ISO 21434 Relates to UN Regulation 155

ISO/SAE 21434 is a voluntary standard, but it sits directly alongside a binding legal requirement: UN Regulation No. 155 (UN R155). UN R155 requires vehicle manufacturers to operate a Cybersecurity Management System (CSMS) that has been audited and granted a certificate of compliance, and to demonstrate vehicle-type-specific risk management, before they can obtain type approval for new vehicles in markets that apply the regulation, which include the European Union, Japan, and South Korea. In the EU it has applied to new vehicle types since July 2022 and to all newly produced vehicles since July 2024.

The two documents work in tandem. UN R155 defines what regulators require at a high level: demonstrate that your organization manages cyber risks and that your vehicles are protected against the threats and mitigations listed in its Annex 5. ISO/SAE 21434 provides the detailed engineering processes and technical methodology that manufacturers use to meet those requirements and generate the evidence auditors and approval authorities want to see. Following ISO 21434 does not automatically guarantee UN R155 compliance, but it is widely regarded as the most direct path to satisfying the regulation's technical expectations.

ISO 21434 vs. ISO 26262

If you work in or around the automotive industry, you may already know ISO 26262, the standard for functional safety. The two standards are complementary but address fundamentally different risks. ISO 26262 focuses on preventing and mitigating malfunctions in safety-related electrical and electronic systems, such as a braking system that fails due to a hardware fault or a software defect. It uses a hazard analysis and risk assessment process to assign Automotive Safety Integrity Levels (ASILs) and prescribe engineering rigor accordingly.

ISO 21434 focuses on deliberate or emergent cybersecurity threats rather than random failures. A braking system that malfunctions because of a faulty sensor is a safety problem under ISO 26262. A braking system that gets remotely disabled by an attacker exploiting a wireless vulnerability is a cybersecurity problem under ISO 21434. In practice, many vehicle systems require analysis under both standards because a successful cyberattack can create a functional safety hazard. Engineering teams increasingly coordinate their safety and security analyses to catch risks that sit at the intersection.

Who Needs to Follow It

The standard is relevant to anyone involved in developing, manufacturing, or maintaining electronic systems for road vehicles. That includes OEMs (the automakers themselves), tier-1 suppliers that build major subsystems like infotainment units or advanced driver-assistance systems, tier-2 suppliers providing chips or embedded software, and aftermarket companies that develop connected accessories or software updates.

Organizations that adopt ISO 21434 typically need to establish a cybersecurity governance structure, assign clear roles and responsibilities, and ensure cybersecurity considerations are embedded in project planning from the start. The standard also requires that organizations manage cybersecurity-related information sharing with suppliers and partners, since a vehicle’s attack surface spans many companies’ contributions.

For engineers and product managers new to the standard, the practical starting point is usually understanding the TARA process, building it into existing development workflows, and establishing the monitoring and response capabilities needed for post-production obligations. The scope is broad, but the standard is designed to scale: a small supplier developing a single sensor module applies the same framework as a global automaker, just at a level of depth appropriate to the component’s role in the vehicle.