ITS Security Regulations, Frameworks, Standards and Guidance Documents¶
Cybersecurity for Intelligent Transport Systems (ITS) is governed by a layered set of regulations, frameworks, standards and policy. These instruments regulate or specify different aspects of ITS cybersecurity, from how organizations must govern their ITS implementations, to how product vendors must design cybersecurity into devices from the outset, to how technical standards define the protocols and controls that enable secure communications and trust management.
This page provides stakeholders with a reference to the major regulatory and standards instruments shaping ITS cybersecurity worldwide. It highlights how global frameworks interact with regional obligations, and how technical standards implement those requirements in practice.
Global Interoperability Frameworks¶
Global interoperability frameworks establish binding or cross-border rules that ensure consistent cybersecurity obligations for ITS devices and services. They provide the legal and regulatory foundation for secure ITS operations and are supported by technical standards that enable practical interoperability.
European Union Cyber Resilience Act (CRA)¶
The European Union (EU) Cyber Resilience Act is a binding regulation that takes effect in the European Union from December 2024. It applies to all digital products, including ITS devices such as On-Board Units (OBUs), Roadside Units (RSUs), and Traffic Management Systems. The CRA requires that products be designed, developed, and maintained with cybersecurity as a core property throughout their lifecycle. Key obligations include:
- security-by-design
- secure default configurations
- release without known exploitable vulnerabilities
- continuous vulnerability remediation
- patching for the full operational lifetime of the product
Products must undergo conformity assessment and display a CE marking before being placed on the EU market. The CRA also mandates vulnerability disclosure processes, incident handling procedures, and supply chain security requirements. This regulation establishes a harmonized baseline of cybersecurity expectations for all ITS products used within the EU.
NIS Directive¶
NIS2 requires operators of essential and digital services, which include transport and mobility operators, to implement cybersecurity risk management measures, report significant incidents, and manage supply chain security. Unlike CRA’s product focus, NIS2 addresses organizational resilience, requiring agencies, service providers, and operators to put governance and operational processes in place. NIS2 does not mandate ISO/IEC 27001 or ISO/SAE 21434 specifically, but both can serve as acceptable evidence of “appropriate and proportionate” cybersecurity measures.
UNECE Regulations R155 and R156¶
The United Nations Economic Commission for Europe (UNECE) has issued two vehicle cybersecurity regulations that apply to manufacturers placing vehicles on regulated markets.
- UNECE R155 requires manufacturers to implement a Cybersecurity Management System (CSMS) across the lifecycle of the vehicle, from design through post-production. It obliges manufacturers to identify threats, implement mitigations, and demonstrate compliance during type approval. ISO/SAE 21434 provides the detailed engineering processes to support this.
- UNECE R156 mandates a Software Update Management System (SUMS) to ensure secure and auditable software and firmware updates, including measures for authentication, integrity protection, and traceability.
Together, R155 and R156 define how OEMs and suppliers address lifecycle security in vehicles and connected ITS systems.
ITS Directive (Directive 2010/40/EU)¶
The ITS Directive provides the EU framework for coordinated ITS deployment. It enables binding delegated acts across domains such as real-time traffic information and cooperative ITS. Service providers under the Directive may be required to provide feedback when distributing ITS data and messages. This has implications for how IOOs, map providers, and OEMs structure feedback and discrepancy handling in ITS deployments
Global Standards¶
Global standards provide a structured methodology for managing cybersecurity risk across organizations and supply chains. They define terminology, governance practices, risk management processes, and assurance methods that are not ITS-specific but support ITS stakeholders with understanding how to apply the standards to the ITS domain. These standards may enable stakeholders to demonstrate compliance with regulations such as the EU CRA, UNECE R155/R156, or U.S. federal guidance.
NIST Cybersecurity Framework (CSF)¶
The NIST Cybersecurity Framework is widely adopted in North America as a risk-based approach to organizing cybersecurity activities. It is structured around six functions: Govern, Identify, Protect, Detect, Respond, and Recover. The CSF guides organizations in setting cybersecurity expectations, performing risk assessments, and aligning operational practices such as patching, monitoring, and incident response. For ITS deployments, state departments of transportation, municipalities, and traffic management centers often use the CSF to structure their security programs and demonstrate alignment with national policy guidance. While the CSF provides a strong governance structure, it does not define technical requirements for ITS protocols or devices, which must be derived from sector-specific standards.
The CSF is often paired with NIST SP 800-53, which provides the detailed catalog of security and privacy controls that can be tailored to ITS devices, systems, and applications. FHWA’s ITS Security Control Sets are directly derived from NIST SP 800-53.
ISO/IEC 27001¶
ISO/IEC 27001 is an international standard for establishing an Information Security Management System (ISMS). It requires organizations to identify risks, implement controls, and continuously improve security posture through audits and reviews. For IOOs, compliance with ISO/IEC 27001 provides assurance to regulators and partners that the organization is managing security in line with global best practices. Like the NIST CSF, it does not address ITS-specific requirements but it provides a foundation for mapping of ITS security standards to specific cybersecurity features and functions. Certification to ISO/IEC 27001 demonstrates that an organization has implemented structured governance over information security, including:
- Access control
- Supplier and third-party management
- Asset and configuration management
- Auditing and continuous improvement
ISO/SAE 21434¶
ISO/SAE 21434 establishes detailed engineering practices for automotive and ITS cybersecurity by defining lifecycle processes that begin with threat analysis and risk assessment and extend through secure design, development, and supplier coordination. The standard also emphasizes the importance of validation, post-production monitoring, and incident response, ensuring that security is treated as an ongoing responsibility rather than a one-time exercise. It is recognized globally as the engineering benchmark for demonstrating compliance with UNECE R155, providing manufacturers with a structured method to show that cybersecurity has been embedded into every stage of the vehicle and ITS product lifecycle.
National and Local Policies¶
National and local governments are responsible for translating global frameworks and standards into enforceable requirements within their jurisdictions. These policies define how international obligations are applied in practice, shaping procurement rules, oversight mechanisms, and operational compliance for agencies, manufacturers, and operators.
In the United States, federal and state agencies frequently use the NIST Cybersecurity Framework and the NIST SP 800-53 control catalog as the foundation for transportation cybersecurity programs. For ITS deployments, the Federal Highway Administration (FHWA) has developed ITS Security Control Sets that tailor NIST controls to devices such as traffic signal controllers, roadside units, and transportation management systems. These control sets provide Infrastructure Owner-Operators (IOOs) with prescriptive guidance on configuring devices, enforcing access control, and ensuring compliance with national cybersecurity objectives. They are also being used as templates for training materials and deployment guidance across state and local agencies.
In the European Union, national authorities use conformity assessments to verify compliance with binding regulations such as the Cyber Resilience Act (CRA) and UNECE Regulations R155 and R156. Products must meet these requirements before they can be marketed or deployed. Manufacturers may adopt ISO/IEC 27001 to structure their organizational security programs and demonstrate that governance practices align with NIS2 obligations, while product-level compliance is verified through the CRA and UNECE mechanisms. The C-Roads Initiative has also developed Protection Profiles for ITS devices (for example, the RSU Gateway PP BSI-CC-PP-0122, 2024), which provide reference security targets for evaluation.
Certificate Policy (CP) and Certificate Practices Statements (CPS)¶
While organizational frameworks such as ISO/IEC 27001, the NIST Cybersecurity Framework, or the EU Cyber Resilience Act provide general requirements for governance and risk management, CP and CPS documents translate those high-level obligations into PKI-specific trust rules. They ensure that certificate authorities, enrolment authorities, and authorization services operate within an auditable and enforceable policy structure.
A Certificate Policy (CP) defines the conditions under which certificates are issued, managed, and revoked within an ITS Public Key Infrastructure (PKI). Certificate Practice Statements (CPS) provide the operator-specific implementation details that must align with the CP. Together, these documents establish the governance, approval criteria, and enforcement mechanisms that ensure certificates are only issued to eligible devices and entities, are used for authorized purposes, and can be revoked when necessary. Together, CPs and CPSs form the bridge between regulatory obligations (such as CRA or NIS2) and the technical enforcement of trust through PKI.
The structure of trust management varies by region. In North America, the Security Credential Management System (SCMS) uses a quorum of Electors to manage the Certificate Trust List (CTL) and to approve or revoke Root Certificate Authorities (RCAs). Each SCMS Provider operates under a CP that defines its responsibilities for certificate issuance, rotation, and misbehavior report handling. SCMS Provider CPs must comply with SCMS Provider Requirements, as specified by the SCMS Manager. In Europe, the Cooperative ITS Credential Management System (CCMS) is managed centrally by a Certificate Policy Authority (CPA), which governs the European Certificate Trust List (ECTL). Root CAs seeking to be included in the ECTL must conform to the harmonized CP, and compliance is enforced through audit and assessment.
Both SCMS and CCMS models rely on CP/CPS documents to ensure that only eligible devices are authorized to participate in ITS communications, that certificates are properly managed across their lifecycle, and that misbehavior can be detected and acted upon. This ensures that trust anchors remain valid and that the overall PKI ecosystem is resilient and interoperable across jurisdictions.
Technical Standards¶
Organizational frameworks and policy documents define the governance structure for cybersecurity in ITS. Technical standards implement these requirements at the protocol, device, and system level, ensuring that the policies described in frameworks, regulations, and certificate policies are realized in practice. These standards provide the specific technical controls needed for secure communications, device hardening, certificate management, and misbehaviour detection.
The following categories group ITS security standards according to their primary function:
- Edge Device Security Standards – define requirements for hardware security, secure boot, tamper detection, and cryptographic modules in OBUs, RSUs, and other ITS equipment.
- Network and Transport Security Standards – specify protocols for protecting confidentiality, integrity, and authentication of ITS data in transit.
- Application Security Standards – govern how ITS messages are formatted, signed, and validated to ensure interoperability and trust across jurisdictions.
- Security Management Standards – establish rules for security management and monitoring, certificate issuance, validation, revocation, misbehaviour reporting, and overall PKI operations.
Edge Device Security Standards¶
Use these standards to select, evaluate, or require hardware that supports key storage, secure boot, tamper detection, and cryptographic processing. This supports trusted execution and resilience at the component level.
| Standard | Document Type | Description | Stakeholder Role(s) |
|---|---|---|---|
| IEEE 802.3 | Standard | Ethernet standard supporting wired communications among traffic infrastructure, including support for secure physical connections. | Infrastructure Owners and Operators |
| IEEE 802.1X | Standard | Network access control protocol often used in Ethernet-based ITS backhaul networks to authenticate RSUs and field devices. | Infrastructure Owners and Operators |
| SAE J3101 | Standard | Defines hardware security requirements for ground vehicles, including secure boot, key storage, and hardware protections against tampering. | Vehicle OEMs |
| ISO/IEC 19790:2025 | Standard | Requirements for cryptographic modules used to protect sensitive data, applicable to both software and hardware modules. | Credential Management Authorities |
| NIST FIPS 140-3 | Standard | Federal standard for certifying cryptographic modules, used to evaluate tamper-resistant secure elements. | Credential Management Authorities |
| Trusted Platform Module (TPM) / ISO/IEC 11889 | Standard | Guidance for secure boot and hardware-based trust anchors in automotive ECUs. | Vehicle Manufacturers and OEMs |
| Protection Profile V2X Hardware Security Module | Guidance | Requirements for HSMs in V2X systems with secure key lifecycle and resistance to physical attacks. | Credential Management Authorities |
| Vehicle C-ITS station profile | Guidance | Technical and operational requirements for C-ITS vehicle stations in Europe. | Vehicle OEMs |
| UNECE R155 | Standard | Regulation that mandates cybersecurity management systems for vehicle manufacturers, including hardware risk mitigation. | Vehicle OEMs |
| ISO 24089 | Standard | Post-production update requirements. | Vehicle OEMs |
| UNECE R156 | Regulation | Mandates secure update systems for vehicles. | Vehicle OEMs |
| SAE J3101 | Standard | Hardware trust anchors and secure boot. | Vehicle OEMs |
| Trusted Platform Module (TPM) | Standard | Hardware-based trust and boot integrity. | Vehicle OEMs |
| ISO/IEC 19790:2025 | Standard | Cryptographic module security requirements. | Application and Service Providers, Cybersecurity Oversight and Policy Bodies |
| ISO/TR 23786 | Standard | Security and risk methods for remote access to vehicle systems. | Infrastructure Owners and Operators Application and Service Providers |
| Vehicle C-ITS station profile | Guidance | Outlines technical and operational requirements for European vehicle ITS stations. | Application and Service Providers |
| Protection Profile V2X Hardware Security Module | Guidance | Requirements for HSMs with secure key lifecycle and physical attack resistance. | Credential Management Authorities, Application and Service Providers |
| SAE J2945/1 On-Board System Requirement for V2V Safety Communications | Standard | Security requirements for V2V including key provisioning and secure storage. | Application and Service Providers |
Network and Transport Security Standards¶
Apply these standards to enforce confidentiality, integrity, and authentication of data in transit. They define secure sessions for V2X, center-to-field, and backend communications using IP and non-IP protocols.
| Standard | Document Type | Description | Primary Role(s) |
|---|---|---|---|
| IEEE 1609.3 | Standard | Defines networking services for WAVE including IPv6 and WSM. | Infrastructure Owners and Operators |
| ISO 15118 | Standard | Secure protocols for EV charging with mutual authentication. | Application and Service Providers |
| TLS 1.3 (RFC 8446) | Standard | Modern cryptographic protocol for secure backend communications. | Infrastructure Owners and Operators |
| DTLS | Standard | Datagram version of TLS for UDP-based secure transport. | Application and Service Providers |
| ISO 21217 | Standard | ITS Station architecture defining network stack. | Application and Service Providers |
| ETSI TS 102 940 | Standard | Specifies high-level C-ITS security architecture. | Credential Management Authorities |
| ISO 21186-3 | Standard | Secure data exchange guidelines in C-ITS. | Application and Service Providers |
| IEEE 802.11p / IEEE 802.11-2016 | Standard | Specifies DSRC/WAVE radio communications at 5.9 GHz for vehicular networking. | Infrastructure Owners and Operators |
| 3GPP LTE-V2X / NR-V2X | Standard | Specifies cellular V2X radio interfaces for sidelink communication. | Infrastructure Owners and Operators |
| IEEE 802.1X | Standard | Network access control protocol used in Ethernet-based ITS backhaul networks. | Infrastructure Owners and Operators |
| IEEE 802.3 | Standard | Ethernet standard supporting wired communications among traffic infrastructure. | Infrastructure Owners and Operators |
| IEEE Std. 1609.3 | Standard | Defines IPv6, WAVE short message protocol and service advertisement. | Infrastructure Owners and Operators Application and Service Providers |
Application Security Standards¶
These standards define how ITS messages are structured, signed, and validated. They enable cross-vendor and cross-jurisdiction interoperability and ensure message trustworthiness during exchange.
| Standard | Document Type | Description | Primary Role(s) |
|---|---|---|---|
| SAE J2735 | Standard | Defines message formats like BSM, SPaT, MAP. | Application and Service Providers |
| SAE J2945/x series | Standard | Profiles for message behaviour and signing for V2X. | Application and Service Providers |
| ETSI EN 302 637-2 / -3 | Standard | Defines CAM and DENM message formats. | Application and Service Providers |
| ISO 16460 | Standard | Harmonized framework for V2X messages. | Standards Development Organizations |
| ETSI TS 102 894-2 | Standard | Common ITS data dictionary. | Application and Service Providers |
| ETSI TS 103 097 | Standard | European message authentication and trust validation. | Credential Management Authorities |
| ISO 19091 | Standard | Harmonized SPaT/MAP message format (internationalized SAE). | Application and Service Providers Infrastructure Owners and Operators |
| ISO/TR 21186-1 | Standard | Use cases and profiles for secure data exchange. | Application and Service Providers |
| ISO/TS 21184 / ISO/TS 21185 | Standard | Data and communication profiles for trusted ITS exchange. | Application and Service Providers, Credential Management Authorities |
| SAE J2945/4 Road Safety Applications | Standard | Security requirements for RSZW, LCW messages and digital signature enforcement. | Application and Service Providers |
| SAE J3161/1 | Standard | Security for LTE-V2X in light-duty and public safety vehicles. | Application and Service Providers, Infrastructure Owners and Operators |
| SAE J3161/1B | Standard | Extends J3161/1 to non-light-duty vehicles and motorcycles. | Application and Service Providers |
| SAE J3161/1C | Standard | Covers school bus-specific V2V security and safety requirements. | Application and Service Providers |
| ISO 19091 | Standard | Harmonized SPaT/MAP message format (internationalized SAE) | Application and Service Providers, Infrastructure Owners and Operators |
Security Management Standards¶
Implement these standards to perform secure management of edge devices, and to issue, validate, and revoke certificates and to manage permissions.
| Standard | Document Type | Description | Primary Role(s) |
|---|---|---|---|
| IEEE 1609.2 | Standard | Defines secure message format and certificates. | Credential Management Authorities |
| IEEE 1609.2.1-2022 | Standard | Certificate lifecycle and permissions enforcement. | Credential Management Authorities |
| ETSI TS 102 941 | Standard | Trust and privacy management for C-ITS. | Credential Management Authorities |
| ETSI EN 319 411-1 | Standard | Trust service provider requirements for certs. | Cybersecurity Oversight and Policy Bodies |
| C-ITS Point of Contact Protocol | Guidance | CA cross-certification protocol in Europe. | Credential Management Authorities |
| ETSI TS 102 941 (Trust List Management) | Standard | CTL/CRL processes for European PKI trust frameworks. | Credential Management Authorities |
| ETSI TS 102 942 | Standard | Access control rules and cert-based enforcement. | Credential Management Authorities, Infrastructure Owners and Operators |
| ETSI TS 102 943 | Standard | Encryption and confidentiality services. | Credential Management Authorities |
| ETSI TS 103 248 | Standard | Pseudonym management and privacy protection in C-ITS. | Credential Management Authorities, Application and Service Providers |
| ISO 22320 | Standard | Incident management processes and protocols. | Infrastructure Owners and Operators |
| SAE J3061 / ISO/SAE 21434 | Standard | Cybersecurity lifecycle and incident response. | Vehicle OEMs |
| NTCIP Secure Profiles (TLS, SSH) | Guidance | Secure management for center-to-field devices. | Infrastructure Owners and Operators |
| SAE J3287 | Standard | Standard for V2X misbehaviour reports. | Credential Management Authorities |
| ETSI TS 102 941-2 | Standard | European misbehaviour reporting procedures. | Credential Management Authorities |
| ETSI TS 103 759 | Standard | Standardized misbehaviour message format. | Credential Management Authorities |
| SCMS ASN.1 Misbehaviour Reports | Standard | Misbehaviour report encoding for SCMS. | Credential Management Authorities |
| SCMS Misbehaviour Application Spec | Standard | SCMS adjudication and report format. | Credential Management Authorities |
| SCMS Manager: ASN.1 Specification for Misbehaviour Reports | Standard | Defines interoperable ASN.1 encoding for MBRs. | Credential Management Authorities, Infrastructure Owners and Operators |
| SCMS Manager: Misbehaviour Report and Application Specification | Standard | MBR data format and adjudication rules. | Credential Management Authorities, Infrastructure Owners and Operators |
| ETSI TR 103 460 | Standard | Survey of misbehaviour detection techniques. | Cybersecurity Oversight and Policy Bodies, Credential Management Authorities |
| NTCIP / SNMPv3 (RFC 3410) | Standard | Management protocols with authentication and encryption for ITS field device communications. | Infrastructure Owners and Operators |