Questions & Answers
What are sectoral rules?
Sectoral rules are industry-specific legal and regulatory requirements designed to address the unique risks and technical characteristics of a particular economic sector. They exist because general, or 'horizontal,' legislation like the EU's proposed Cyber Resilience Act (CRA) may not adequately cover the complexities of safety-critical industries such as automotive or medical devices. Recital 14 of the CRA proposal explicitly allows exemptions for products if sectoral rules provide an equivalent level of protection. In the automotive industry, the most prominent example is UN Regulation No. 155. This regulation mandates that vehicle manufacturers implement and have certified a Cyber Security Management System (CSMS) as a prerequisite for vehicle type approval. Unlike the ISO/SAE 21434 standard, which provides a framework, UN R155 is a legally binding regulation that establishes a direct market access requirement.
How are sectoral rules applied in enterprise risk management?
Applying sectoral rules in enterprise risk management involves translating legal obligations into concrete operational processes. For an automotive company complying with UN Regulation No. 155, the application follows these key steps:
1. **Gap Analysis and Scoping:** The company must identify all applicable regulations and conduct a thorough gap analysis of its existing processes against the requirements of UN R155 and ISO/SAE 21434 to identify deficiencies.
2. **CSMS Implementation:** A certified Cyber Security Management System (CSMS) is established, defining policies, assigning roles, and integrating security activities, such as Threat Analysis and Risk Assessment (TARA), throughout the vehicle lifecycle.
3. **Audit and Continuous Monitoring:** The CSMS undergoes third-party audits to achieve certification for type approval. Post-production, the company must maintain continuous monitoring, often via a Vehicle Security Operations Center (VSOC), to manage new threats and ensure ongoing compliance.
What challenges do Taiwanese enterprises face when implementing sectoral rules?
Taiwanese enterprises in the automotive supply chain face several key challenges when implementing sectoral rules like UN R155:
1. **Regulatory Interpretation:** Many firms lack experience with the European vehicle type approval process and struggle to interpret the specific evidentiary requirements of technical services, leading to compliance gaps.
2. **Resource Constraints & Organizational Inertia:** Implementing a comprehensive CSMS demands significant investment in specialized talent and tools. Resistance from established engineering departments to adopt new security-gated processes can also slow down implementation.
3. **Supply Chain Complexity:** The obligation to manage cybersecurity risks extends to the entire supply chain. Managing numerous smaller suppliers who may lack cybersecurity maturity is a significant challenge.
Mitigation strategies include engaging experienced consultants, securing executive sponsorship, and implementing a robust supplier risk management program.
Why choose Winners Consulting for sectoral rules?
Winners Consulting specializes in sectoral rules for Taiwanese enterprises, delivering compliant management systems within 90 days. Free consultation: https://winners.com.tw/contact