Automotive Cybersecurity in 2026
In 2026, automotive cybersecurity is no longer confined to vehicle architecture. Over the past several years, regulations such as UNECE R155, UNECE R156, ISO/SAE 21434, ISO 24089, and the EU Cyber Resilience Act have turned cybersecurity from a technical best practice into a non-negotiable market-access requirement. OEMs are pushing those “prove it” obligations deep into the supply chain.
But a second, quieter shift is underway, one that many suppliers still underestimate. Cyber risk has moved upstream into manufacturing. At Koniag Cyber, we see this transition every day with our clients in highly regulated sectors. The question is no longer just whether a component is secure once installed in the vehicle. The real question is whether that vehicle can be built, programmed, flashed, updated, and delivered without cybersecurity failures undermining safety, integrity, or supply continuity.
In short: trust is now manufactured on the factory floor.
The Factory Is Part of the Cybersecurity Lifecycle
Modern automotive production runs on industrial control systems and operational technology: PLCs, SCADA, MES-to-line interfaces, ECU flashing benches, calibration tools, and code-signing infrastructure. These systems are not peripheral to vehicle cybersecurity. They are embedded in it.
ISO/SAE 21434 explicitly scopes cybersecurity engineering across the full vehicle lifecycle, including production. ISO 24089 extends that into software update engineering and post-development deployment. UNECE R155 and R156 require auditable cybersecurity and software update management systems to support type approval.
That means firmware signing happens in factories. ECUs are flashed in factories. Configuration baselines are established in factories. And software integrity is either preserved, or compromised, in factories. If manufacturing systems are insecure, the supplier’s entire cybersecurity narrative can collapse under regulatory scrutiny.
Two Types of Cyber Shock That Now Matter
In 2026, manufacturing cybersecurity failures show up in two business-critical forms.
First, availability shock. Ransomware or OT disruption simply halts production. The industry has already felt this pain: Toyota publicly documented how a cyberattack on supplier Kojima Industries forced all 14 of its Japanese plants to stop for a full day. In a just-in-time ecosystem, one compromised supplier can cascade across an OEM’s entire network. Cybersecurity is now a direct delivery risk.
Second, and far more insidious, is integrity shock. Attackers who reach firmware signing keys, build pipelines, ECU flashing stations, or calibration tooling don’t need to shut down the line. They can introduce unauthorized software, alter configurations, or break traceability. Vehicles sail through quality gates carrying unknown configuration risk. This directly threatens compliance with CSMS governance (UNECE R155), SUMS integrity (UNECE R156), secure update practices (ISO 24089), and product integrity requirements under the EU CRA. Integrity failures don’t just create operational headaches; they create regulatory exposure.
Regulatory Convergence Raises the Stakes
The pressure isn’t coming from one direction. It’s the convergence of rules across regions.
In Europe, UNECE R155/R156 are already mandatory for new vehicle types and all vehicles in production. The Cyber Resilience Act entered into force in December 2024, with reporting obligations starting September 2026 and full application by December 2027. NIS2 adds further governance and incident-handling expectations.
In the United States, the Commerce/BIS connected vehicle ICTS rule (effective March 2025) restricts supply-chain hardware and software with PRC or Russia nexus. CIRCIA incident reporting is advancing, DFARS 252.204-7012 demands 72-hour reporting and 90-day forensic preservation for DoW contractors, and CMMC phased implementation (begun November 2025) gates contract awards with annual affirmations.
For dual-use or defense-adjacent suppliers, manufacturing systems handling engineering data or instructions may now fall squarely within contractual cybersecurity scope. Market access can be lost not only through product non-compliance but through contract ineligibility.
What “Good” Proactive Cyber Looks Like in 2026 for Automotive Suppliers
OEMs and primes now expect audit-ready evidence, not promises. A defensible posture rests on three pillars:
- Segmented, Documented OT Architecture: Following ISA-95 and Purdue model principles: clear IT/OT segmentation, controlled conduits, documented data flows, and governed remote access. The goal is simple: show that a breach in corporate IT cannot migrate into production.
- Secure Industrial Control Environment: Aligned with IEC 62443 and NIST SP 800-82: complete OT asset inventory, hardened PLCs and HMIs, role-based access control, logging with time synchronization, vendor access governance, and tested incident response playbooks. Operational resilience without sacrificing safety or uptime.
- Software Integrity Controls in Production: This is where factory and vehicle cybersecurity converge. Suppliers must demonstrate controlled firmware signing (often HSM-backed), key management policies, protected CI/CD pipelines, hardened ECU flashing stations, production change control, traceable configuration baselines, and SBOM or component traceability artifacts.
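The integrity-shock scenario above and the software integrity controls just listed come together at one point: the gate a flashing station applies before it writes an image to an ECU. The following Go program is an added illustration, not code from Koniag Cyber or any OEM tooling. It assumes a release manifest (ECU identifier, version, SHA-256 of the payload) signed with Ed25519, and a per-line configuration baseline that names the one approved image per ECU. The signing key is generated in memory purely so the example runs offline; in a plant the private half would live in an HSM. The ECU name, version strings and firmware bytes are constructed sample values.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest is the signed release record a flashing station checks before
// it writes an image to an ECU. Field names are illustrative.
type Manifest struct {
	ECU     string // constructed identifier, e.g. "BCM"
	Version string // constructed version string, e.g. "2.4.1"
	SHA256  string // hex SHA-256 digest of the firmware payload
}

// canonical returns the exact bytes that get signed. A fixed, unambiguous
// encoding matters: signing free-form text invites two different manifests
// that serialize identically.
func (m Manifest) canonical() []byte {
	return []byte(fmt.Sprintf("ecu=%s\nversion=%s\nsha256=%s\n", m.ECU, m.Version, m.SHA256))
}

// Baseline is the approved configuration for a production line: for each
// ECU, the single manifest that may be flashed right now. This is the
// "traceable configuration baseline" the evidence pack has to document.
type Baseline map[string]Manifest

// NewSigningKey stands in for the release-signing key. Assumption for this
// example only: in production the private key stays inside an HSM.
func NewSigningKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// SignRelease is what the (HSM-backed) signing service does: hash the
// payload, build the manifest, sign the canonical manifest bytes.
func SignRelease(priv ed25519.PrivateKey, ecu, version string, payload []byte) (Manifest, []byte) {
	sum := sha256.Sum256(payload)
	m := Manifest{ECU: ecu, Version: version, SHA256: hex.EncodeToString(sum[:])}
	return m, ed25519.Sign(priv, m.canonical())
}

var (
	ErrBadSignature = errors.New("manifest signature does not verify")
	ErrHashMismatch = errors.New("payload hash does not match manifest")
	ErrNotBaselined = errors.New("image is not the approved baseline for this ECU")
)

// VerifyForFlash is the gate at the flashing station. It fails closed: any
// failing check rejects the image. The signature is checked first so that
// no unsigned data influences the later decisions.
func VerifyForFlash(pub ed25519.PublicKey, m Manifest, sig, payload []byte, bl Baseline) error {
	if !ed25519.Verify(pub, m.canonical(), sig) {
		return ErrBadSignature
	}
	sum := sha256.Sum256(payload)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return ErrHashMismatch
	}
	approved, ok := bl[m.ECU]
	if !ok || approved.Version != m.Version || approved.SHA256 != m.SHA256 {
		return ErrNotBaselined
	}
	return nil
}

func main() {
	pub, priv, err := NewSigningKey()
	if err != nil {
		panic(err)
	}
	payload := bytes.Repeat([]byte{0xA5}, 4096) // constructed stand-in for an ECU image
	m, sig := SignRelease(priv, "BCM", "2.4.1", payload)
	bl := Baseline{"BCM": m}

	fmt.Println("approved image:", VerifyForFlash(pub, m, sig, payload, bl))

	tampered := append([]byte{}, payload...)
	tampered[100] ^= 0xFF // one flipped byte, as a post-signing modification would leave
	fmt.Println("tampered payload:", VerifyForFlash(pub, m, sig, tampered, bl))

	rogue := m
	rogue.Version = "2.4.2" // manifest edited after signing
	fmt.Println("edited manifest:", VerifyForFlash(pub, rogue, sig, payload, bl))

	m2, sig2 := SignRelease(priv, "BCM", "2.4.2", payload) // validly signed, but not on the baseline
	fmt.Println("off-baseline image:", VerifyForFlash(pub, m2, sig2, payload, bl))
}
```

The three distinct error values matter for the evidence pack: a flashing-station log that records which check rejected an image (signature, hash, or baseline) is far more useful to an auditor, and to an incident responder reconstructing an integrity event, than a bare "flash refused".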
The Emerging “Manufacturing Evidence Pack”
Forward-looking suppliers are assembling a formal manufacturing cybersecurity evidence package that includes OT network diagrams, asset inventories, remote access policies, signing key protection documentation, flashing station hardening evidence, centralized logging records, incident response decision trees, forensic preservation procedures, and supplier flow-down attestations. This turns cybersecurity from a reactive audit exercise into a structured, defensible capability.
In 2026, OEMs are asking a broader question: “Can we trust not just your product, but the environment that built it?” Suppliers who cannot answer with evidence face increased audit scrutiny, RFQ exclusion, contractual penalties, lost defense eligibility, higher insurance costs, and reputational damage.
Those who can answer with confidence and defensibility gain differentiation.