Cybersecurity Oversight and Policy Authorities
Cybersecurity Oversight and Policy Authorities are responsible for establishing the governance structures that ensure ITS cybersecurity is consistent, enforceable, and aligned with societal risk management objectives. These authorities operate at national, regional, or international levels and provide the regulatory, auditing, and coordination functions that give confidence in the trustworthiness of ITS deployments.
Policy Development and Governance
Authorities develop cybersecurity policies and regulations that set binding requirements for manufacturers, operators, and certificate management providers. These policies may incorporate global standards such as ISO/SAE 21434, ISO/IEC 27001, IEEE 1609.2, or ETSI TS 102 941, and translate them into enforceable obligations within a jurisdiction.
Oversight and Audit Functions
Authorities must verify that policies and regulations are implemented effectively. This includes auditing certificate management authorities for compliance with Certificate Policy (CP) and Certification Practice Statement (CPS) requirements, reviewing OEM Cybersecurity Management Systems (CSMS) for conformance with ISO/SAE 21434 or UNECE requirements, and conducting inspections of Infrastructure Owner-Operators (IOOs) to confirm that device security controls are applied consistently. Audits provide assurance that obligations are properly enforced in practice.
Incident Response Coordination
Policy authorities are also responsible for establishing and coordinating incident response processes. This includes developing national or regional Computer Security Incident Response Teams (CSIRTs) with the capability to handle ITS-specific incidents, defining reporting obligations for manufacturers and operators, and ensuring that incident information is shared across stakeholders.
International and Regional Cooperation
ITS deployments often span national borders, requiring cooperation among oversight bodies. Authorities participate in regional coordinating groups to harmonize trust frameworks, misbehaviour reporting, and certificate policies.