Cybersecurity is no longer just a technical requirement. It has rapidly become a core pillar of safety, trust and regulatory compliance in the evolving world of two- and three-wheelers and light electric vehicles (LEVs).
As connectivity and digital services become standard—and as critical vehicle functions like motor control, battery management and charging are increasingly software-defined—manufacturers must ensure both the integrity of vehicle components and the security of data and communications. NXP’s secure products help meet global standards and deliver dependability with every ride.
Cybersecurity is Safety Critical
While connected cars have been the standard for over a decade, connected two-wheelers have only gained traction in the past five years, driven largely by the rise of electric mobility. These vehicles now feature wireless connectivity for secure access, diagnostics, mobile app integration and over-the-air (OTA) updates—all of which can increase exposure to cyber threats. Beyond data and connectivity, many of these systems also control safety-critical functions, such as traction motor control and battery management.
The potential consequences of a cyberattack for drivers are frightening. It is not just a matter of having personal data hacked. You could lose access to your vehicle or even your ability to control it. As a result, authorities around the world are enforcing regulations that require cybersecurity measures to be embedded into two-wheelers along with the processes used to design and build them.
Connected. Protected. Compliant. NXP’s broad product portfolio helps ensure that two-wheelers meet evolving global cybersecurity standards.
Demanded in the Market While Required by Regulation
In particular, the United Nations Regulation No. 155 (UN-R155)—which mandates cybersecurity management systems (CSMS) and a risk-based approach to automotive development—now explicitly includes category L motorcycles. Starting December 11, 2027, this rule will apply to new vehicle types, and by June 11, 2029, it will cover all vehicle types, including existing ones. Category L also includes scooters, mopeds, electric bicycles and microcars with speeds exceeding 25 km/h. National-level regulations—like India’s upcoming AIS-189—are expected to align with this global regulation.
While these regulations primarily target vehicles and vehicle manufacturers, they are still highly relevant to the companies that supply components, modules and subsystems. Put simply, suppliers who offer products that simplify UN-R155 compliance for vehicle manufacturers will be a much more attractive option in the market. The way to gain that edge is to develop products that comply with the ISO/SAE 21434:2021 standard.
Secure every ride. Discover how NXP’s S32K3 MCU and i.MX 952 processors empower manufacturers to build cybersecure, regulation-ready two-wheelers.
Assessing Cyberthreats in Two-Wheelers
The variety of regulations and standards covering automotive cybersecurity can seem complex. Due to a rapidly evolving global landscape, engineers have to consider the requirements of process-oriented regulations and standards (UN R155, ISO/SAE 21434 and AIS-189) in addition to those that specify technical (test) requirements. In general, those that focus on cybersecurity engineering practices, with an emphasis on how products are developed, require a state-of-the-art approach based on Threat Analysis and Risk Assessment (TARA). This is to ensure that cybersecurity risks are identified and mitigated to avoid unreasonable residual risks.
For example, modern two-wheelers and LEVs use controller area network (CAN) and CAN with flexible data-rate (CAN-FD) architectures to connect the motor control unit, battery management system (BMS), charger, vehicle control unit (VCU) and cluster / telematics. Each of these nodes is a potential cyberattack surface, so a full TARA must cover all of them. In support of this effort, suppliers can develop products in compliance with ISO/SAE 21434, perform a TARA on components and implement appropriate countermeasures (such as enabling secure provisioning and authentication).
Defining Threat Scenarios
The following table illustrates potential threat scenarios as part of an indicative TARA for a motorcycle E/E architecture.

| Threat ID | Threat Description | Impact | Likelihood | Risk Level |
| --- | --- | --- | --- | --- |
| T1 | Counterfeit electronic control unit (ECU) installed during aftermarket service | Safety compromise, warranty fraud | High | High |
| T2 | Unauthorized firmware flashing (including OTA compromise) to override Original Equipment Manufacturer (OEM) limits | Performance manipulation, legal liability | Medium | High |
| T3 | Sniffing CAN traffic to reverse engineer ECU behavior | IP theft, future attack planning | Medium | Medium |
| T4 | Replay attacks on CAN messages | Erratic behavior, safety risk | Low | High |
| T5 | ECU impersonation during diagnostics | Unauthorized access, data leakage | Medium | Medium |

*Likelihood and risk levels are illustrative; OEMs should assess based on their own architecture and environment.
Simplifying Compliance and Security
OEMs and Tier 1 suppliers can ease their own cybersecurity compliance journey—and that of their customers—by working with components and partners that embed security at the core. To support this, NXP has established a secure development process that is fully aligned with ISO/SAE 21434.
Several of our products also undergo Security Evaluation Standard for IoT Platforms (SESIP) certification. The security of these devices is independently evaluated by renowned security labs. This means that OEMs and Tier 1 suppliers can have high confidence in the security features of these components.
Built-in Cybersecurity
Key members of our portfolio offer robust, built-in security features. For example, our S32K3 general-purpose automotive microcontrollers are well suited for a wide range of applications in the powertrain, motor controller unit (MCU), BMS and vehicle control unit (VCU). They include a hardware security engine (HSE) that acts as a dedicated and tamper-resistant security subsystem, providing:
- Platform security
- Secure boot
- Secure debug
- Runtime integrity checks
- Security services for applications
- Encryption
- Authentication
- Random number generation
- Key management
The S32K3 family also supports public key cryptography, including Elliptic Curve Digital Signature Algorithm (ECDSA) for secure boot and firmware validation, certificate-based ECU authentication and secure key provisioning and life cycle management. This not only delivers frictionless security but also simplifies the process and reduces the cost of creating trustworthy and compliant systems.
A Whole-Vehicle Platform
Cybersecurity must be considered in the design of all modules, not just those tied to core functionality. Any connection can be a point of attack, so every module needs to be cybersecure. That includes those that manage telematics, digital services and infotainment. NXP’s portfolio offers a wide range of devices relevant to two- and three-wheelers that are ISO 21434-compliant, including the i.MX 95 processor family, the S32K3 MCU and the AW611 Wi-Fi® + Bluetooth® solution, among others.
More specifically, our i.MX 952 application processor offers the ideal basis for building cybersecure modules. With secure connectivity and support from trusted execution environments, the i.MX 952 processor is an ideal complement to the S32K3 family. Together these platforms provide a solid foundation for building secure, regulation-ready vehicle architectures.