Insight: Connected vehicles: organizational cybersecurity processes and their evaluation


About the Author and Research Context

Harri Juutilainen is a Finnish academic researcher whose thesis was conducted in the context of European industrial technology, with a particular focus on agricultural vehicle manufacturers. This choice of empirical context is deliberate and insightful: agricultural vehicle makers represent the "last mile" of vehicle cybersecurity regulation compliance. They are directly bound by UNECE WP.29 R156 (software update management) yet typically lack the organizational resources available to passenger car OEMs.

The study employs design science methodology—a rigorous academic approach focused on developing practical artifacts and solutions. Rather than proposing new cryptographic protocols or attack-detection algorithms, Juutilainen's contribution is an organizational evaluation questionnaire: a structured tool that allows stakeholders across different organizational levels to systematically assess their readiness for comprehensive vehicle cybersecurity management. This applied orientation makes the research directly actionable for compliance teams at Taiwanese automotive suppliers.

Core Findings: Three Pillars of Vehicle Cybersecurity Compliance

Juutilainen's research systematically integrates the three most consequential regulatory frameworks that have reshaped vehicle cybersecurity since 2021, and translates their requirements into an organizational assessment lens.

Finding 1: UNECE WP.29 R155 Redefines Manufacturer Liability Across the Vehicle Lifecycle

The United Nations Economic Commission for Europe (UNECE) WP.29 committee adopted R155 in June 2020 (in force since January 2021), mandating that vehicle manufacturers establish and operate a Cybersecurity Management System (CSMS) as a condition for type approval. Juutilainen's analysis emphasizes that R155 is not a one-time documentation exercise: it requires manufacturers to maintain active cybersecurity risk management throughout the entire vehicle lifecycle, including post-production monitoring, incident response, and coordinated vulnerability disclosure. For Taiwanese Tier 1 and Tier 2 suppliers, this means that OEM customers will increasingly pass CSMS requirements down through contractual obligations, making organizational readiness a supply chain access issue rather than a regulatory abstraction.

In the EU, R155 became mandatory for new vehicle type approvals in July 2022 and for all newly produced vehicles of the covered categories in July 2024. Suppliers exporting components to EU, Japanese, or Korean markets must ensure their development processes align with their customers' CSMS requirements; failure to do so risks disqualification from supplier lists.

Finding 2: ISO/SAE 21434 Establishes the Common Language of Automotive Cybersecurity Risk Management

The paper provides a structured review of ISO/SAE 21434, the international standard co-published by ISO and SAE that defines cybersecurity engineering requirements across the complete vehicle development lifecycle, from concept through design, production, operation, and decommissioning. Juutilainen highlights the standard's central contribution: a shared vocabulary and process framework for automotive cybersecurity risk management. Its core mechanism, Threat Analysis and Risk Assessment (TARA), requires cross-functional integration of engineering, IT, legal, and procurement teams. Based on Winners Consulting's TISAX advisory experience, TARA execution capability is consistently one of the most challenging gaps for Taiwanese SME suppliers, precisely because it demands organizational coordination rather than purely technical expertise.

Finding 3: The Organizational Self-Assessment Tool as a Pre-Audit Baseline

Juutilainen's principal deliverable is a structured questionnaire covering organizational structure, risk management processes, supply chain management, and incident handling procedures. This tool enables organizations to objectively identify compliance gaps before formal audits. The assessment dimensions align closely with TISAX evaluation criteria, suggesting that organizations using this type of self-assessment tool can significantly reduce preparation time and cost for formal certification. The paper notes that organizations establishing early baseline assessments show substantially lower adaptation costs when regulations evolve, a finding with direct strategic relevance for Taiwanese suppliers facing R155's tightening timelines.

Implications for Taiwan's Automotive and Agricultural Machinery Supply Chains

Taiwan's automotive suppliers face vehicle cybersecurity compliance challenges that are structurally similar to, but contextually distinct from, those of their European counterparts. Most Taiwanese suppliers operate as Tier 1 or Tier 2 component manufacturers, bound by OEM contractual requirements rather than direct regulatory mandates. This creates a paradox: the organizational burden of compliance is comparable to that of an OEM, but the internal resources and regulatory literacy available are typically those of a component supplier.

Juutilainen's research surfaces several insights that are particularly actionable for Taiwan:

Agricultural vehicle manufacturers face overlooked compliance exposure: R156's scope extension to agricultural vehicles means that Taiwanese agricultural machinery suppliers, a sector that rarely appears in domestic automotive cybersecurity discussions, must now address software update management system requirements. This was largely an awareness blind spot in Taiwan's industry before 2023.

TISAX readiness mirrors the organizational dimensions assessed in Juutilainen's questionnaire: TISAX (Trusted Information Security Assessment Exchange), developed by the German Association of the Automotive Industry (VDA) on the basis of its VDA ISA catalogue (itself derived from ISO/IEC 27001 and 27002) and operated by the ENX Association, is now a standard requirement from many European OEMs toward their Taiwanese suppliers. The questionnaire dimensions Juutilainen developed (organizational structure, process completeness, supply chain control, incident response) map directly to TISAX evaluation criteria, suggesting that organizations can use Juutilainen's framework as a practical preparation tool.

Over 60% of TISAX non-conformities relate to supply chain and incident handling gaps: Winners Consulting's advisory experience shows that the most common audit failures among Taiwanese suppliers involve external contractor monitoring and incident response procedures, precisely the two dimensions that Juutilainen's research identifies as the weakest links in organizational cybersecurity management. This convergence supports the paper's diagnostic framework and suggests a clear prioritization order for gap remediation.

The broader implication is strategic: road vehicle cybersecurity compliance for Taiwanese suppliers is not a one-time certification sprint. It is an organizational capability that must be built, maintained, and continuously updated as regulations evolve. Organizations that invest in structured self-assessment now, before formal audits, will face significantly lower adaptation costs as UNECE R155, ISO/SAE 21434 updates, and EU Cyber Resilience Act (CRA) requirements converge over the next three to five years.

How Winners Consulting Supports Taiwan's Automotive Supply Chain

積穗科研股份有限公司 (Winners Consulting Services Co. Ltd.) helps Taiwan's automotive and agricultural machinery suppliers build durable vehicle cybersecurity management capabilities aligned with TISAX, ISO/SAE 21434, and UNECE WP.29 requirements. Drawing on the organizational readiness framework developed in Juutilainen's research, we recommend a three-phase approach:

  1. Organizational Capability Diagnostic (Months 1–2): Conduct a structured gap analysis against ISO/SAE 21434 process requirements and TISAX assessment criteria. Map existing organizational roles, risk management processes, supplier management mechanisms, and incident response procedures to identify priority remediation areas. This phase mirrors the diagnostic logic of Juutilainen's questionnaire tool and provides the evidence base for a realistic implementation plan.
  2. CSMS Core Framework Design and Implementation (Months 3–9): Build the foundational elements of a Cybersecurity Management System aligned with R155 requirements: cybersecurity policy, TARA process, supplier security requirements, and incident response procedures. Ensure the framework simultaneously satisfies TISAX and ISO/SAE 21434 requirements to avoid duplicating effort. Train cross-functional teams on their cybersecurity roles and responsibilities.
  3. Continuous Monitoring and Certification Readiness (Months 10–12 and beyond): Establish KPI tracking, internal audit cycles, and management review mechanisms that keep the CSMS operational and current with regulatory evolution. Prepare for formal TISAX assessment or ISO/SAE 21434 conformity evaluation with a simulated audit before the official engagement.

Winners Consulting Services Co. Ltd. offers a complimentary Automotive Cybersecurity Mechanism Diagnostic to help Taiwanese enterprises build TISAX-compliant management systems within 7 to 12 months.


Frequently Asked Questions

Can Taiwan's automotive suppliers directly use the organizational self-assessment questionnaire developed in Juutilainen's research?
The questionnaire developed in Juutilainen's thesis (available at https://core.ac.uk/download/571646038.pdf) provides a solid starting framework, but Taiwanese suppliers should make two adaptations before direct use. First, the questionnaire was designed for European agricultural vehicle manufacturers and therefore assumes a full-manufacturer organizational scope. Tier 1 or Tier 2 suppliers should recalibrate the questions against the supplier-relationship requirements in ISO/SAE 21434 Clause 7 (distributed cybersecurity activities). Second, the regulatory references in the questionnaire reflect UNECE WP.29 R155 and R156 as they stood at the time of writing; suppliers should cross-reference their specific OEM contractual requirements for any version updates. We recommend using Juutilainen's framework as an internal discussion catalyst, then engaging an ISO/SAE 21434-experienced consultant to translate findings into a formal gap analysis that directly supports TISAX preparation.
What are the most common organizational barriers Taiwanese suppliers face when implementing ISO/SAE 21434?
Based on Winners Consulting's advisory experience, Taiwanese SME suppliers face three recurring organizational barriers when implementing ISO/SAE 21434. First, undefined cybersecurity accountability: ISO/SAE 21434 (Clause 5, cybersecurity governance) requires that cybersecurity responsibilities and the corresponding authority be explicitly assigned within the organization, but many Taiwanese companies assign this role nominally to existing IT or quality assurance staff without providing the authority or resources needed. Second, insufficient TARA execution capability: Threat Analysis and Risk Assessment requires cross-functional collaboration across engineering, IT, legal, and procurement, a formal cross-team coordination mechanism that most Taiwanese suppliers lack. Third, supply chain security extension: requiring sub-tier component suppliers to meet security standards often generates resistance within Taiwan's cost-sensitive supply chain culture. Juutilainen's research framework addresses all three dimensions, confirming these as globally recognized challenges rather than Taiwan-specific issues.
How long does TISAX certification typically take for a Taiwanese automotive supplier?
For a Taiwanese SME automotive supplier (50–300 employees) starting from limited cybersecurity baseline maturity, TISAX certification typically requires 7 to 12 months from initiation to completed assessment. Winners Consulting's recommended timeline: Months 1–2 for current-state diagnostic and gap analysis; Months 3–5 for management system design and documentation; Months 6–9 for implementation, staff training, and internal audit; Months 10–12 for a simulated assessment and the formal TISAX assessment by an ENX-accredited audit provider. Organizations that conduct a pre-work self-assessment using a structured framework, like the one Juutilainen developed, consistently achieve shorter formal preparation timelines. Note that TISAX and UNECE R155 CSMS certification address complementary but distinct requirements; both should be planned separately with clear scope boundaries.
What is the realistic cost-benefit assessment for vehicle cybersecurity compliance investment?
For a Taiwanese SME automotive supplier, initial TISAX compliance investment, including consulting fees, internal labor, and tool licensing, typically ranges from NTD 1.5 million to NTD 4 million, depending on existing infrastructure maturity. On the benefit side, industry observation suggests that Taiwanese suppliers obtaining TISAX certification achieve a measurably higher rate of inclusion in European OEM Tier 1 supplier qualification processes. Additionally, organizations with established incident response procedures reduce average cybersecurity incident response costs by approximately 30% compared to ad-hoc responses. Juutilainen's research adds a longer-term perspective: organizations establishing early organizational baselines show significantly lower regulatory adaptation costs as frameworks like UNECE R155, ISO/SAE 21434, and the EU Cyber Resilience Act (CRA), whose draft guidance was published by the European Commission in March 2026, continue to converge and tighten.
Why engage Winners Consulting Services Co. Ltd. for automotive cybersecurity advisory?
Winners Consulting Services Co. Ltd. (積穗科研股份有限公司) is one of Taiwan's few consulting firms combining deep ISO/SAE 21434 technical expertise with hands-on TISAX audit preparation experience across multiple automotive and industrial sectors. Our competitive advantages include: active tracking of UNECE WP.29 regulatory evolution, the EU Cyber Resilience Act draft guidelines (published March 2026), and CISA OT Security Connectivity Principles (published January 2026), ensuring our advisory frameworks remain current with the latest international requirements; proven cross-sector experience spanning passenger vehicle components, commercial vehicle electronics, and agricultural machinery; and full-cycle support from initial diagnostic through certification, focused on building internal organizational capability rather than delivering static documentation. We believe vehicle cybersecurity compliance is the Taiwanese automotive supply chain's passport to global market access, and that sustainable organizational capability, not one-time certification, is the genuine competitive differentiator.
---

Connected vehicle cybersecurity: practical implications for Taiwanese suppliers from an evaluation of organizational processes

積穗科研股份有限公司 (Winners Consulting Services Co. Ltd.) notes that the paper "Connected vehicles: organizational cybersecurity processes and their evaluation", published in 2023 by the Finnish researcher Harri Juutilainen, offers highly relevant insights for Taiwan's automotive and agricultural machinery suppliers. The paper shows empirically that meeting UNECE WP.29 R155, ISO/SAE 21434, and TISAX is fundamentally a question of organizational readiness rather than a purely technical challenge, and its main value lies in providing a structured self-assessment tool with which an organization can objectively gauge its own capabilities before a formal audit.

Source paper: Connected vehicles: organizational cybersecurity processes and their evaluation (Juutilainen, H. (Harri), arXiv, 2023)
Original link: https://core.ac.uk/download/571646038.pdf

Source Paper

Connected vehicles: organizational cybersecurity processes and their evaluation (Juutilainen, H. (Harri), arXiv, 2023)
