
B2B Software for the Automotive Value Chain

Software-Defined Vehicle, connected workshop, cybersecurity per UN-R155 and ISO/SAE 21434 — automotive today combines several parallel transformations. Anyone building apps, backends, or diagnostics tools for OEMs or Tier-1 suppliers must consider these standards from the first line of code.


Industry context

Stuttgart and Baden-Württemberg are home to the German automotive industry — Mercedes-Benz, Porsche, Bosch, ZF, Mahle. The region is going through its largest software transformation since electronic engine management: Software-Defined Vehicle, over-the-air updates, connected services, deep integration with cloud and mobile.

Regulatory pressure has risen in parallel: UN-R155 (Cybersecurity Management System) and UN-R156 (Software Update Management System) have applied in the EU to all newly registered vehicles of categories M and N (and category O vehicles fitted with at least one ECU) since July 2024; other UNECE contracting parties apply them on their own timelines. ISO/SAE 21434:2021 is the international standard for cybersecurity engineering across the lifecycle of road-vehicle electrical/electronic systems and is the usual evidence base for a CSMS. These requirements propagate into the Tier-1 and Tier-2 supply chain, and so to every software supplier: an OEM cannot keep its CSMS certificate without showing that supplier-related risks are managed.

Typical challenges

Cybersecurity evidence through the supply chain

Tier-1 and Tier-2 suppliers must show their OEM customer that their development process fits the OEM's CSMS, because UN-R155 requires the OEM to demonstrate that supplier-related risks are managed. A software supplier without a documented ISO/SAE 21434 process (threat analysis and risk assessment, derived cybersecurity requirements, verification evidence) gets filtered out at sourcing.

Companion apps with real-time constraints

Apps that display live vehicle data must handle BLE/WiFi disconnects, backend latency, and offline scenarios cleanly. A pure online-only architecture doesn't survive real-world operation.

Workshop apps with legacy diagnostics

Diagnostics tools for independent workshops must support legacy OBD-II (SAE J1979) services, manufacturer-specific protocols, and UDS (ISO 14229) over CAN (ISO 15765-2) and Ethernet (DoIP, ISO 13400) in parallel, and abstract the transition cleanly so that the application layer does not depend on the transport.
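As an added example (not the page's own code), the following TypeScript decoder handles OBD-II and UDS responses through one code path, which is the abstraction the paragraph above asks for. The sample frames, the VIN string `TESTVIN0123456789` and the service choices are constructed for the example. It also surfaces the SecurityAccess negative response codes (0x33, 0x35, 0x36, 0x37) that a workshop tool must honour rather than retry blindly, because blind retries trip the ECU's attempt counter and delay timer.

```typescript
// One decoder for OBD-II (SAE J1979) and UDS (ISO 14229) responses. Both use the
// same framing: positive response = request SID + 0x40 followed by data;
// negative response = 0x7F, <request SID>, <negative response code (NRC)>.
// `frame` is the reassembled payload; ISO-TP / DoIP transport headers are
// already stripped by the gateway layer.

const NRC_NAMES: Record<number, string> = {
  0x10: "generalReject",
  0x11: "serviceNotSupported",
  0x12: "subFunctionNotSupported",
  0x13: "incorrectMessageLengthOrInvalidFormat",
  0x22: "conditionsNotCorrect",
  0x31: "requestOutOfRange",
  0x33: "securityAccessDenied",        // SecurityAccess (0x27) not unlocked yet
  0x35: "invalidKey",                  // wrong key for the seed; counts as a failed attempt
  0x36: "exceedNumberOfAttempts",      // ECU has locked out; only a delay or power cycle helps
  0x37: "requiredTimeDelayNotExpired", // back off before the next SecurityAccess attempt
  0x78: "requestCorrectlyReceivedResponsePending",
  0x7e: "subFunctionNotSupportedInActiveSession",
  0x7f: "serviceNotSupportedInActiveSession",
};

type DiagResponse =
  | { kind: "positive"; sid: number; data: Buffer }
  | { kind: "negative"; sid: number; nrc: number; name: string; pending: boolean }
  | { kind: "malformed"; reason: string };

function decodeResponse(requestSid: number, frame: Buffer): DiagResponse {
  if (frame.length === 0) return { kind: "malformed", reason: "empty frame" };
  const first = frame.readUInt8(0);
  if (first === 0x7f) {
    if (frame.length < 3) return { kind: "malformed", reason: "truncated negative response" };
    if (frame.readUInt8(1) !== requestSid) {
      return { kind: "malformed", reason: "negative response belongs to a different SID" };
    }
    const nrc = frame.readUInt8(2);
    // 0x78 is not a failure: the ECU asks the tester to keep waiting (P2* timing)
    return { kind: "negative", sid: requestSid, nrc, name: NRC_NAMES[nrc] ?? "unknown", pending: nrc === 0x78 };
  }
  if (first !== requestSid + 0x40) return { kind: "malformed", reason: "SID does not match the request" };
  return { kind: "positive", sid: requestSid, data: frame.subarray(1) };
}

// OBD-II mode 01, PID 0x0C (engine speed): rpm = (A * 256 + B) / 4
function parseObd2Rpm(frame: Buffer): number | null {
  const r = decodeResponse(0x01, frame);
  if (r.kind !== "positive" || r.data.length < 3 || r.data.readUInt8(0) !== 0x0c) return null;
  return (r.data.readUInt8(1) * 256 + r.data.readUInt8(2)) / 4;
}

// UDS ReadDataByIdentifier (0x22): positive response = 0x62, DID (2 bytes), record
function parseUdsDid(frame: Buffer, expectedDid: number): Buffer | null {
  const r = decodeResponse(0x22, frame);
  if (r.kind !== "positive" || r.data.length < 2 || r.data.readUInt16BE(0) !== expectedDid) return null;
  return r.data.subarray(2);
}

// Constructed sample frames (not captured from a real vehicle).
function runDiagDemo() {
  const rpm = parseObd2Rpm(Buffer.from([0x41, 0x0c, 0x1a, 0xf8]));
  const vinRecord = parseUdsDid(
    Buffer.concat([Buffer.from([0x62, 0xf1, 0x90]), Buffer.from("TESTVIN0123456789", "ascii")]),
    0xf190,
  );
  const vin = vinRecord ? vinRecord.toString("ascii") : null;
  // SecurityAccess requestSeed rejected because the delay timer is still running
  const secAccess = decodeResponse(0x27, Buffer.from([0x7f, 0x27, 0x37]));
  // DiagnosticSessionControl answered with "response pending": keep waiting, do not retry
  const pending = decodeResponse(0x10, Buffer.from([0x7f, 0x10, 0x78]));
  // Positive response whose SID does not belong to the request: reject it
  const mismatch = decodeResponse(0x22, Buffer.from([0x50, 0x03]));
  return { rpm, vin, secAccess, pending, mismatch };
}

console.log(runDiagDemo());
```

The protocol-specific parsers (`parseObd2Rpm`, `parseUdsDid`) sit on top of a single `decodeResponse`, so a new manufacturer-specific service only needs its own small parser. A tool that drives SecurityAccess should treat `invalidKey` and `requiredTimeDelayNotExpired` as a signal to wait, not as a transient error to retry.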

Regulatory framework

UN-R155 (Cybersecurity)

UN Regulation No. 155 requires a Cybersecurity Management System (CSMS) certificate as a precondition for type approval, plus vehicle-type-specific evidence that the threats listed in Annex 5 have been assessed and mitigated. Scope: vehicles in categories M and N, category O vehicles fitted with at least one electronic control unit, and categories L6 and L7 with automated driving functions from level 3 onwards. Supplement 3 of 10 January 2025 extended the scope.

Applicability: In force since 22 Jan 2021 · Mandatory for new vehicle types since 07/2022 · For all new production since 07/2024

UN-R156 (Software Update Management)

Requires a documented Software Update Management System (SUMS) certificate and secure update processes. Accompanies UN-R155 and is the prerequisite for over-the-air updates on approved vehicle types.

Applicability: Same timeline as UN-R155 · Cut-off for special-purpose types 7 July 2026

ISO/SAE 21434:2021

International standard for cybersecurity engineering of electrical/electronic systems in road vehicles — from concept through development, production, operation, to decommissioning. Complementary to ISO 26262 (functional safety). The de facto way to demonstrate UN-R155 conformity.

Applicability: Published 31 Aug 2021 · Edition 1 in force

ISO 26262

International standard for functional safety of electrical/electronic vehicle systems. Classifies hazards by Automotive Safety Integrity Level, from ASIL A (lowest) to ASIL D (highest), with QM for functions that carry no safety requirement. Software that controls safety-relevant functions falls within scope, and safety and security analyses must be reconciled: a security mitigation must not break a safety goal, and a safety mechanism must not open an attack path.

Architecture pattern for B2B apps

Vehicle interface
BLE · WiFi Direct · UDS (ISO 14229) over DoIP (ISO 13400) · CAN-FD gateway · OBD-II

Multiple parallel connectivity paths — from the app to the vehicle or diagnostics gateway. Robustness against disconnection is non-negotiable.

Mobile app layer
Flutter · Native iOS/Android (safety-critical paths) · offline-first data model

Cross-platform with Flutter for 80–90% of functionality, native bridges for safety-critical or hardware-near operations.

Backend & telematics
NestJS · MQTT/Kafka · TimescaleDB · SUMS-compliant update workflow (UN-R156)

Telemetry ingestion with an append-only, auditable event log. Software updates structured per UN-R156: each package carries a signed manifest that the update client verifies before installing (authenticity, target ECU, version monotonicity against downgrade), and distribution can fall back to a known-good version if an update fails.

Identity & security
OIDC (Authentik) · mutual TLS · HSM for keys · code-signing pipeline

Workshop staff authenticate through OIDC (Authentik); end customers through a separate identity provider, so a compromise of one population's credentials does not reach the other. Signing and TLS private keys live in a Hardware Security Module: the application requests signatures and never holds key material in code or configuration.

Recommended stack

Technology and rationale
Flutter

Single codebase for iOS and Android, robust Bluetooth LE integration, fast iteration in OEM and workshop contexts.

NestJS + Fastify

Structured TypeScript architecture with clear module separation for compliance audits. Performant WebSocket layer for live telematics.

TimescaleDB / PostgreSQL

Time-series telemetry and lifecycle data in a single database — no multi-DB complexity.

Authentik (OIDC)

Self-hosted identity provider under own control, with GDPR-compliant user management.

Sentry + Grafana Cloud

Platform-wide error tracking and metrics — prerequisite for traceable incident analysis under UN-R155.

Concrete project in this industry?

We build software that fits the regulatory, technical, and organisational realities of your industry — without excess complexity.
