Your Car May Outlive Its Encryption: Why Automakers Must Prepare for the Quantum Era

How UNECE R155/R156, secure software updates, and post-quantum cryptography are reshaping automotive cybersecurity.

Type: Technical Briefing
Published: April 2026
Keywords: Automotive cybersecurity, quantum-safe vehicles, UNECE R155, UNECE R156, Post-quantum cryptography, OTA updates, V2X, ECU secure boot, ISO/SAE 21434, Crypto-agility, ML-DSA, ML-KEM

Abstract

Modern vehicles contain over 100 electronic control units (ECUs), run millions of lines of code, and remain on the road for 15 years or more. UNECE Regulations No. 155 (Cyber Security Management System) and No. 156 (Software Update Management System) are now mandatory for new vehicles in the European Union and other markets applying these regulations, requiring manufacturers to manage cybersecurity and software-update risks across the vehicle lifecycle [1][2]. This article examines why long vehicle lifetimes make post-quantum cryptography and crypto-agility an emerging compliance issue under R155/R156, maps the automotive attack surface — OTA updates, V2X communications, ECU secure boot, and diagnostic interfaces — and provides a practical migration roadmap for OEMs and suppliers. See also our publication series.

In Plain English

Modern cars are computers on wheels. They receive software updates, talk to cloud servers, and check that only trusted code can run. Today, many of these protections rely on cryptography that future quantum computers may be able to break. UNECE R155 and R156 do not explicitly require post-quantum cryptography, but they do require car manufacturers to manage cybersecurity risks over the full vehicle lifetime. That is why quantum-safe cryptography is becoming relevant for the automotive industry now.

Key Terms

  • Electronic Control Unit (ECU): a small computer inside a vehicle that controls functions such as braking, steering, battery management, or infotainment.
  • Over-the-Air (OTA) update: a software update delivered remotely to the vehicle, similar to a phone update.
  • Secure boot: a mechanism that checks whether vehicle software is authentic before allowing it to run.
  • Vehicle-to-Everything (V2X): communication between a vehicle and other vehicles, road infrastructure, or cloud systems.
  • Hardware Security Module (HSM): a protected chip or hardware function used to store cryptographic keys and perform security operations.
  • Crypto-agility: the ability to replace old cryptographic algorithms with newer ones without redesigning the whole system.

Key Points at a Glance

  • R155/R156 are now mandatory in key markets: since July 2024, new vehicles in the European Union and other markets applying these UNECE regulations require Cyber Security Management System (CSMS) and Software Update Management System (SUMS) approval evidence — without it, type approval and market access are at risk [1][2].
  • Quantum threats belong in lifecycle risk assessment: R155 does not name post-quantum cryptography, but its lifecycle risk-management model makes quantum-vulnerable cryptography a foreseeable risk for systems with 10–15+ year lifespans [3].
  • "Harvest now, decrypt later" is a credible threat model: encrypted vehicle telemetry intercepted today may retain privacy or operational value long enough to become exposed when large-scale quantum attacks become practical.
  • Four critical attack surfaces need PQC: OTA firmware signing, V2X/C-V2X PKI certificates, ECU secure boot chains, and backend TLS connections each require different PQC strategies.
  • Crypto-agility is the engineering prerequisite: vehicles that cannot swap cryptographic algorithms via software update will face costly recalls or forced model discontinuation.
  • Security hardware may become the bottleneck: many deployed automotive security architectures were designed around classical algorithms, while automotive silicon qualification cycles can span several years.
  • ISO/SAE 21434 + ISO 24089 provide the framework: these engineering standards map directly to R155/R156 compliance and provide the process framework into which quantum-threat analysis should be inserted [3][4].

1. Your Car Is a Rolling Cryptographic System

Consider a vehicle rolling off the production line in 2026. It may remain on the road until 2041 — a period that overlaps with many planning horizons for quantum-risk migration. Unlike a web server that can be patched overnight, this vehicle's cryptographic infrastructure must remain secure for its entire operational life, across environments the manufacturer cannot fully control.

Automotive cryptography is far more pervasive than most engineers realise. It is not limited to the infotainment system's TLS connection. Every modern vehicle relies on cryptographic primitives across a wide range of subsystems. Public-key components based on RSA, Diffie-Hellman, or elliptic-curve cryptography are directly vulnerable to future large-scale quantum attacks, while symmetric primitives such as AES mainly require larger security margins.

A simple analogy is useful: vehicle cryptography is the lock-and-key system for the car's software. If the lock may become breakable in ten years but the car stays on the road for fifteen years, the manufacturer needs a way to replace the lock before it fails.

Subsystem Protocol / Function Typical Algorithm Quantum Risk
ECU Secure Boot Code signing verification ECDSA P-256 High
OTA Updates Firmware signature RSA-2048 / ECDSA High
V2X / C-V2X Certificate-based signing ECDSA P-256 (SCMS) High
TLS to Backend Key exchange + auth ECDHE + RSA/ECDSA High
In-Vehicle Ethernet MACsec link encryption AES-GCM-128/256 Medium
Diagnostics (UDS) SecureAccess / Auth RSA / Certificate-based High

Symmetric Cryptography Is a Different Case

Post-quantum migration does not mean replacing every primitive in the vehicle. Shor's algorithm threatens RSA, finite-field Diffie-Hellman, elliptic-curve key exchange, and elliptic-curve signatures. Symmetric encryption and hash functions are affected differently: Grover's algorithm reduces the effective security margin, so the usual mitigation is to use larger symmetric parameters, such as AES-256 where appropriate.

The scope of exposure is substantial. As we explored in our analysis of PQC on constrained IoT devices, embedded systems face unique challenges when transitioning to post-quantum algorithms — but automotive ECUs are generally better resourced than typical IoT sensors, making the transition technically feasible if planned early.

2. R155 & R156: The Compliance Reason This Matters

UNECE Regulation No. 155 requires every vehicle manufacturer to establish, implement, and maintain a Cyber Security Management System (CSMS) covering the entire vehicle lifecycle — from concept and development through production and post-production [1]. Regulation No. 156 complements this by mandating a Software Update Management System (SUMS) that ensures all updates — especially over-the-air (OTA) — are secure, authentic, and traceable [2].

Critically, R155 is risk-based, not prescriptive. It does not name specific algorithms like "RSA" or "ECDSA." Instead, it requires manufacturers to assess evolving threats and implement proportionate mitigations. The regulation's Annex 5 lists threat categories including "manipulation of server communications," "data extraction from vehicle systems," and "use of compromised code" — all of which are directly relevant to quantum-capable adversaries.

What R155/R156 Do Not Say

R155/R156 are management-system regulations, not cryptographic algorithm standards. They do not explicitly require post-quantum cryptography, nor do they mandate specific algorithms such as ML-KEM or ML-DSA. Their relevance to PQC is indirect: long vehicle lifetimes, secure software updates, and lifecycle cybersecurity risk management make quantum-vulnerable cryptography a foreseeable risk that OEMs should assess and document.

⚠️ The Implicit Quantum Obligation

A type-approval auditor evaluating a 2027 model-year vehicle could reasonably ask: "How will these cryptographic protections hold in 2040?" If the answer is "we use ECDSA and cannot update it," the risk assessment has a gap. R155 does not need to name every future threat explicitly: its lifecycle perspective makes quantum risk a legitimate risk-management consideration.

Since July 2024, the European Union has applied these requirements broadly to new vehicles, not only to newly approved vehicle types [1][2]. The consequence of non-compliance is straightforward: without acceptable cybersecurity and software-update management evidence, type approval and market access are at risk.

While R155/R156 set the legal framework, the engineering implementation is guided by ISO/SAE 21434 (cybersecurity engineering) [3] and ISO 24089 (software update engineering) [4]. These standards provide the process framework into which quantum-threat analysis should be inserted, especially during threat analysis and risk assessment (TARA) and software-update planning.

3. Where Quantum Risk Enters the Vehicle

The quantum threat to automotive systems is not a single, monolithic risk. It manifests differently across subsystems, each with distinct timing requirements, impact profiles, and mitigation strategies. We identify four primary attack scenarios:

🔧

Forged OTA Update

A future quantum-capable attacker could undermine an OEM's elliptic-curve or RSA-based firmware-signing trust chain and push malicious firmware through what appears to be a legitimate OTA channel. R156 requires integrity verification — but verification depends on the long-term strength of the signing scheme.

📡

V2X Certificate Forgery

A future quantum-capable attacker could forge V2X pseudonym certificates or safety-message signatures, enabling false safety messages such as phantom braking alerts or spoofed emergency vehicles. Current V2X public key infrastructure profiles commonly rely on elliptic-curve signatures such as ECDSA P-256.

🗄️

Harvest-Now, Decrypt-Later

Encrypted telemetry — location traces, driving patterns, and diagnostic data — captured today may still have privacy or operational value years later. If the key exchange or public-key protection is quantum-vulnerable, this creates a plausible GDPR and safety-risk concern.

Secure Boot Chain Collapse

If a long-lived ECU code-signing trust anchor becomes forgeable, safety-critical software could be accepted as legitimate by secure-boot logic. The risk is especially severe when the affected trust anchor cannot be rotated in the field.

🚨 Why Automotive Is Uniquely Exposed

Unlike a server that can often be patched quickly, a compromised vehicle ECU may require coordinated field updates or, in the worst case, a physical recall. Unlike an ephemeral TLS session key, a secure-boot signing key may protect every unit produced under that trust chain. The blast radius of a single signing-system failure in automotive can be much larger than in ordinary enterprise IT. As we detailed in our code signing analysis, a forged firmware signature can turn the update channel itself into a fleet-wide attack path.

The harvest-now, decrypt-later scenario is especially relevant for connected vehicles. Modern cars transmit telemetry to cloud backends: GPS traces, driving behaviour, voice commands, and diagnostic data. If this traffic is protected using quantum-vulnerable key establishment and retains long-term sensitivity, an adversary recording it today may be able to exploit it later — creating privacy and lifecycle-security concerns under GDPR and R155.

4. Which Post-Quantum Algorithms Fit Which Automotive Use Case?

NIST finalised its first post-quantum standards in August 2024: ML-KEM (FIPS 203) for key encapsulation, ML-DSA (FIPS 204) for lattice-based digital signatures, and SLH-DSA (FIPS 205) for stateless hash-based signatures [5][6][11]. The question for automotive engineers is where these algorithms fit, which use cases require hybrid transition strategies, and which parts of the vehicle stack must remain algorithm-agile. Different automotive subsystems have different constraints:

Use Case Candidate PQC Approach Key Trade-off Migration Difficulty
OTA Firmware Signing Hybrid ECDSA/RSA + ML-DSA; SLH-DSA for conservative root signatures where size is acceptable Larger signatures and metadata; re-signing and verification-path changes 🟡 Medium
V2X Message Signing Not settled; ML-DSA-style signatures require careful profile and bandwidth analysis Latency, certificate size, and 5.9 GHz channel congestion 🔴 High
Backend TLS Hybrid elliptic-curve Diffie-Hellman + ML-KEM for key establishment Handshake size increase; certificate migration can be staged separately 🟢 Low
ECU Secure Boot Hybrid signatures where boot time, flash size, and secure hardware allow Hardware support, boot-time budget, and trust-anchor rotation 🔴 High
Diagnostic Auth Hybrid public-key authentication or ML-KEM-based key establishment, depending on protocol design Workshop tools, backend identity, and supplier ecosystem updates 🟡 Medium

💡 Why Hybrid Signatures Are the Likely Automotive Transition Path

A hybrid approach — for example, verifying both a classical signature and an ML-DSA signature during a transition period — can help vehicles maintain backward compatibility while adding post-quantum assurance. This is especially relevant for mixed fleets where older vehicles and newer vehicles share the same OTA infrastructure. For a detailed look at hybrid key exchange mechanics, see our X25519 + ML-KEM-768 technical briefing.

V2X is one of the hardest migration targets. Vehicle-to-everything communication has strict latency and bandwidth constraints for safety-critical messages. ML-DSA-44 signatures are 2,420 bytes, compared with 64 bytes for a raw ECDSA P-256 signature, before protocol and certificate overheads are counted [6]. On congested 5.9 GHz channels, this overhead matters. Production-scale PQC V2X profiles are therefore not mature enough to treat as a drop-in replacement today; they require dedicated certificate, message-format, and congestion-control work.

5. Crypto-Agility: The Ability to Replace the Lock

Crypto-agility — the ability to swap cryptographic algorithms without hardware replacement or full reflash — is the single most important architectural prerequisite for quantum readiness. Under R155's lifecycle risk management model, a manufacturer must be able to respond to evolving threats. If the cryptographic layer is hardcoded into silicon, that response capability does not exist.

In practice, crypto-agility requires algorithm-agnostic key stores, modular cryptographic libraries, certificate format flexibility, and OTA infrastructure capable of deploying algorithm updates. AUTOSAR's Crypto Service Manager provides a useful abstraction point for standardized access to cryptographic functions, but abstraction alone is not enough: the underlying crypto drivers, key storage, certificate formats, and hardware accelerators must also support the migration path [12]. Many deployed automotive security architectures were designed around fixed classical algorithms, which can limit PQC migration options.

⚠️ The Hardware Lead-Time Problem

Automotive silicon qualification and platform integration can take years. Security hardware selected today may remain embedded in vehicle platforms well into the 2030s. If that hardware cannot support PQC algorithms or a software-assisted migration path, the vehicle may become difficult to keep within an acceptable lifecycle risk posture. OEMs selecting next-generation security hardware in 2026–2027 should treat PQC capability and crypto-agility as concrete requirements, not vague roadmap aspirations.

Semiconductor vendors are beginning to publish PQC roadmaps and software or hardware enablement plans, but public information on production-qualified automotive PQC support remains uneven. This creates a transition gap: vehicles produced before PQC-capable security hardware is widely deployed will depend heavily on software-based crypto-agility, updateable middleware, and backend-side migration planning.

6. The Regulatory Timeline: When You Need to Act

The convergence of regulatory deadlines and quantum-threat timelines creates a narrow window for action. Here is how the key milestones align:

Regulatory & Threat Timeline for Automotive PQC
July 2024 — R155/R156 broadly apply in the EU
New vehicles in the European Union and other adopting markets require cybersecurity and software-update management approval evidence [1][2]
!
2025 — CNSA 2.0 signing milestone for NSS
United States National Security Systems begin moving new software and firmware signing toward quantum-resistant algorithms [7]
!
2024–2026 — European PQC migration guidance hardens
European cybersecurity agencies recommend beginning protection of sensitive long-lived data against harvest-now, decrypt-later risk [8]
!
2030 — Major migration milestone
CNSA 2.0 targets full transition for relevant NSS software and firmware signatures; European guidance points to earlier protection for the most sensitive long-lived data [7][8]
!
2030s — Quantum-risk planning window
Resource estimates for attacking elliptic-curve cryptography continue to improve. 2026 model-year vehicles may still be on the road [10]

The message is clear: a vehicle entering production in 2027 may need to remain cryptographically maintainable until around 2040. That means the cryptographic decisions being made right now — in platform architecture, security-hardware selection, and supplier requirements — will determine whether a manufacturer can keep lifecycle risk within an acceptable R155 posture through the quantum transition. For more on BSI-aligned migration, see our BSI-compliant PQC analysis and SMB migration roadmap.

7. A Practical Migration Roadmap

Based on the regulatory timeline and technical constraints outlined above, we recommend a four-phase approach for OEMs and Tier 1 suppliers:

📋 Four-Phase Automotive PQC Migration

  1. Phase 1: Inventory & Assess (Now – Q4 2026). Conduct a cryptographic asset inventory across all ECUs and backend systems. Update the R155 risk assessment to include quantum-threat scenarios. Identify crypto-agility gaps in your current architecture and supply chain.
  2. Phase 2: Architect & Pilot (2027–2028). Specify crypto-agile and PQC-capable security hardware for next-generation platforms where available. Implement a crypto abstraction layer in your AUTOSAR or middleware stack. Pilot hybrid OTA signing on a development fleet. Begin requiring PQC readiness and migration evidence from Tier 1/2 suppliers.
  3. Phase 3: Deploy & Certify (2029–2030). Roll out PQC-capable OTA infrastructure where the vehicle platform supports it. Prepare V2X certificate migration paths once standardized profiles mature. Update CSMS/SUMS evidence with documented quantum-threat mitigations and residual-risk arguments.
  4. Phase 4: Lifecycle Management (2030+). Monitor quantum computing progress and adjust algorithm choices. Leverage crypto-agility to rotate algorithms as threats evolve. Maintain compliance evidence for ongoing R155 lifecycle audits.

The cost of acting late is high. Certificate rotation, algorithm migration, and re-signing across a large vehicle fleet is a multi-month, multi-team operation — exactly the kind of exercise that R155 is designed to prevent from becoming an incident response scramble.

Further Reading

The convergence of UNECE R155/R156 lifecycle requirements and quantum-threat timelines means automotive PQC migration is moving from theoretical cryptography into practical risk management. It is not yet a direct legal mandate, but for long-lived connected vehicle platforms it is increasingly difficult to ignore. The window for proactive architecture decisions is 2026–2028; after that, hardware and platform lead times may narrow the available migration options.

For deeper dives into the technologies discussed here, explore our related articles:

Read: Code Signing Crisis →

How to Cite This Article

APA: PQCryptography.de. (2026, April 25). Your Car May Outlive Its Encryption: Why Automakers Must Prepare for the Quantum Era. https://www.postquantumcryptography.de/publications/pqc_unece.html

IEEE: PQCryptography.de, “Your Car May Outlive Its Encryption: Why Automakers Must Prepare for the Quantum Era,” Apr. 25, 2026. [Online]. Available: https://www.postquantumcryptography.de/publications/pqc_unece.html

LaTeX/BibTeX:

@misc{pqcryptography_pqc_unece,
  author       = {{PQCryptography.de}},
  title        = {Your Car May Outlive Its Encryption: Why Automakers Must Prepare for the Quantum Era},
  year         = {2026},
  month        = apr,
  day          = {25},
  url          = {https://www.postquantumcryptography.de/publications/pqc_unece.html} 
}

References

  1. UNECE: UN Regulation No. 155 — Cyber security and cyber security management system. https://unece.org/transport/documents/2021/03/standards/un-regulation-no-155
  2. UNECE: UN Regulation No. 156 — Software update and software update management system. https://unece.org/transport/documents/2021/03/standards/un-regulation-no-156
  3. ISO/SAE 21434:2021: Road vehicles — Cybersecurity engineering. https://www.iso.org/standard/70918.html
  4. ISO 24089:2023: Road vehicles — Software update engineering. https://www.iso.org/standard/77796.html
  5. NIST FIPS 203 (Final): Module-Lattice-Based Key-Encapsulation Mechanism Standard (ML-KEM). https://csrc.nist.gov/pubs/fips/203/final
  6. NIST FIPS 204 (Final): Module-Lattice-Based Digital Signature Standard (ML-DSA). https://csrc.nist.gov/pubs/fips/204/final
  7. NSA: Commercial National Security Algorithm Suite 2.0 and Quantum-Resistant Algorithms FAQ (software & firmware signing milestones for National Security Systems). https://media.defense.gov/2025/May/30/2003728741/-1/-1/0/CSA_CNSA_2.0_ALGORITHMS.PDF
  8. BSI (and 17 EU member states): Joint statement on transitioning to post-quantum cryptography (Nov 2024). https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Crypto/PQC-joint-statement.pdf
  9. ETSI: Quantum-Safe Cryptography and Security guidance, including migration and hybrid deployment considerations. https://www.etsi.org/technologies/quantum-safe-cryptography
  10. Google Quantum AI. (2026). Securing Elliptic Curve Cryptocurrencies against Quantum Vulnerabilities. See our independent analysis.
  11. NIST FIPS 205 (Final): Stateless Hash-Based Digital Signature Standard (SLH-DSA). https://csrc.nist.gov/pubs/fips/205/final
  12. AUTOSAR: Specification of Crypto Service Manager. https://www.autosar.org/fileadmin/standards/R22-11/CP/AUTOSAR_SWS_CryptoServiceManager.pdf