Quick answer

Autonomous vehicle AI must comply with UNECE Regulation No. 157 (ALKS), the EU General Safety Regulation 2019/2144, UNECE WP.29 cybersecurity regulation (R155), and ISO 21448 (SOTIF), with type approval required before any vehicle with automated driving functions can be sold in the EU.

Updated June 2026 · MmowW AI Compliance

AI Compliance in Automotive: Autonomous Vehicles, Safety Standards, and Type Approval

Regulatory Architecture for Automotive AI

Automotive AI operates under a layered regulatory system. At the international level, the UNECE World Forum for Harmonization of Vehicle Regulations (WP.29) sets technical standards. At the EU level, the General Safety Regulation 2019/2144 mandates advanced safety features and establishes the framework for automated driving approval. National regulations implement these frameworks and may add requirements for testing and deployment.

The EU AI Act intersects with automotive regulation. Under Article 6(1), AI systems in vehicles that are subject to EU harmonization legislation (including the type approval framework) qualify as high-risk. However, the AI Act defers to sector-specific conformity assessment procedures where they already exist, meaning automotive type approval procedures take precedence over generic AI Act conformity assessment.

Key Regulations by Function

| Vehicle AI Function | Primary Regulation | Standard | Status |
| --- | --- | --- | --- |
| Automated Lane Keeping (Level 3) | UNECE R157 (ALKS) | ISO 22737 | In force since 2021, updated 2023 |
| Automated Driving System (Level 4+) | UNECE GRVA framework (in development) | ISO 22737, ISO 34502 | Framework under development at WP.29 |
| Advanced Driver Assistance (Level 2) | EU GSR 2019/2144 | ISO 15622, ISO 19237 | Mandatory in EU from July 2024 |
| Cybersecurity | UNECE R155 | ISO/SAE 21434 | Mandatory for all new vehicle types from July 2024 |
| Software Updates (OTA) | UNECE R156 | ISO 24089 | Mandatory for new vehicle types from July 2024 |
| Event Data Recorder | EU GSR 2019/2144, UNECE R160 | N/A | Mandatory in EU from July 2024 |

Type Approval for AI-Driven Systems

Before a vehicle with automated driving functions can be sold in the EU, it must obtain type approval under Regulation (EU) 2018/858. For automated driving systems, this involves demonstrating compliance with UNECE R157 (for ALKS) or future UNECE regulations for higher automation levels.

UNECE R157 requires that the Automated Lane Keeping System can handle all reasonably foreseeable traffic scenarios in its operational design domain, can achieve a minimal risk condition if the driver fails to take over, and maintains a collision avoidance capability. The system must be validated through both simulation and real-world testing, with the manufacturer demonstrating functional safety per ISO 26262 and safety of the intended functionality (SOTIF) per ISO 21448.

SOTIF: Safety of the Intended Functionality

ISO 21448 (SOTIF) addresses hazards caused by functional insufficiencies in AI perception and decision-making, even when the system is operating as designed. Unlike ISO 26262, which covers hardware and software faults, SOTIF covers scenarios where the AI correctly follows its programming but produces unsafe outcomes due to limitations in sensor coverage, classification accuracy, or decision logic.

SOTIF requires manufacturers to identify and evaluate triggering conditions (scenarios that may lead to hazardous behavior), reduce the area of unknown unsafe scenarios through testing and validation, and demonstrate that residual risk is acceptably low. For AI-based perception systems, this involves testing against large scenario databases including edge cases and adversarial conditions.

Cybersecurity Requirements

UNECE R155 requires vehicle manufacturers to implement a Cybersecurity Management System (CSMS) covering the entire vehicle lifecycle. For AI systems, this means protecting AI models against adversarial attacks, securing training data integrity, monitoring for model tampering, and ensuring that over-the-air updates to AI components are authenticated and validated.

The regulation requires threat analysis specific to AI components, including model extraction, data poisoning, and evasion attacks. ISO/SAE 21434 provides the methodology for automotive cybersecurity engineering, including AI-specific threat scenarios.

Data Recording and Event Reconstruction

Under EU GSR 2019/2144 and UNECE R160, vehicles with automated driving systems must record event data including the status of the automated system, driver attention state, and environmental conditions. For AI systems, this creates requirements to log AI decision outputs, sensor inputs, and system confidence levels in a tamper-proof format accessible to investigators.

Data protection obligations under GDPR apply to in-vehicle data collection. Vehicle manufacturers must provide privacy notices, establish legal bases for processing, and implement data minimization. The proposed EU Data Act grants vehicle users access to data generated by connected vehicles.

International Regulatory Divergence

While UNECE regulations apply across signatory countries, significant divergence exists. The US follows a self-certification model rather than type approval, with NHTSA issuing voluntary guidance (AV 4.0) and states setting their own testing and deployment rules. China has its own type approval system under GB/T standards and requires data localization for autonomous vehicle data. Japan aligns with UNECE regulations but has additional national testing requirements under the Road Transport Vehicle Act.

Compliance Roadmap for Automotive AI


This article is for informational purposes only and does not constitute legal advice. Regulatory requirements change frequently — verify current rules with official sources. Built by Sawai Gyoseishoshi Office, Hiroshima, Japan.