Yes, Automotive is free to use.

How do I install Automotive?

Automotive is a local plugin. Install it using npm package: @ansvar/automotive-cybersecurity-mcp and add the generated configuration snippet to your AI app's MCP config file. Then restart your AI app.

What AI apps work with Automotive?

Automotive uses the Model Context Protocol (MCP) and works with any MCP-compatible AI app, including Claude, ChatGPT / Codex, Gemini, Copilot, Cursor, and more.

Back to Browse

Automotive MCP Server

by Mortalus

SecurityLow Risk8.3Local

Free

Automotive cybersecurity: R155/R156 regulations, ISO 21434, TISAX, AUTOSAR, Chinese GB/T

About

Automotive cybersecurity: R155/R156 regulations, ISO 21434, TISAX, AUTOSAR, Chinese GB/T

Security Report

8.3

Low Risk8.3Low Risk

Valid MCP server (2 strong, 2 medium validity signals). 2 known CVEs in dependencies (0 critical, 2 high severity) Package registry verified. Imported from the Official MCP Registry. Trust signals: trusted author (203/206 approved).

5 files analyzed · 3 issues found

Security scores are indicators to help you make informed decisions, not guarantees. Always review permissions before connecting any MCP server.

Permissions Required

This plugin requests these system permissions. Most are normal for its category.

file_system

Check that this permission is expected for this type of plugin.

Shell Command Execution

Runs commands on your machine. Be cautious — only use if you trust this plugin.

env_vars

Check that this permission is expected for this type of plugin.

database

Check that this permission is expected for this type of plugin.

How to Install

Add this to your MCP configuration file:

{
  "mcpServers": {
    "io-github-ansvar-systems-automotive-cybersecurity": {
      "args": [
        "-y",
        "@ansvar/automotive-cybersecurity-mcp"
      ],
      "command": "npx"
    }
  }
}

Documentation

View on GitHub

From the project's GitHub README.

Automotive Cybersecurity MCP Server

Complete R155/R156 Content - Production-ready with full regulation text from official UNECE sources.

Stop wasting hours searching through PDF regulations. Ask Claude about automotive cybersecurity requirements in natural language and get instant, accurate answers with source references.

A Model Context Protocol (MCP) server that gives Claude direct access to UNECE R155/R156 regulations and ISO 21434 guidance, enabling AI-powered compliance workflows.

Why This Matters

The Problem:

📄 Automotive cybersecurity regulations span hundreds of pages across multiple PDFs
🔍 Finding specific requirements requires manual searching through dense technical text
🔗 Cross-referencing between R155, R156, and ISO 21434 is time-consuming
💰 Hiring consultants for compliance questions is expensive ($200-400/hour)

The Solution:

💬 Ask Claude questions in natural language: "What does R155 require for vulnerability management?"
⚡ Get instant answers with exact article references and full text
🔗 See how requirements map across frameworks (R155 ↔ ISO 21434)
📊 Generate compliance matrices, gap analyses, and documentation on-demand

Who This Is For:

🚗 Automotive OEMs - Preparing for UNECE type approval
🔧 Tier 1/2 Suppliers - Understanding customer cybersecurity requirements
🛡️ Cybersecurity Engineers - Implementing ISO 21434 compliant systems
📋 Compliance Officers - Generating audit documentation
🎓 Consultants - Quickly accessing regulatory content for client projects

Quick Start

Use Remotely (No Install Needed)

Connect directly to the hosted version — zero dependencies, nothing to install.

Endpoint: https://mcp.ansvar.eu/automotive/mcp

Client	How to Connect
Claude.ai	Settings > Connectors > Add Integration > paste URL
Claude Code	`claude mcp add automotive-cybersecurity --transport http https://mcp.ansvar.eu/automotive/mcp`
Claude Desktop	Add to config (see below)
GitHub Copilot	Add to VS Code settings (see below)

Claude Desktop — add to claude_desktop_config.json:

{
  "mcpServers": {
    "automotive-cybersecurity": {
      "type": "url",
      "url": "https://mcp.ansvar.eu/automotive/mcp"
    }
  }
}

GitHub Copilot — add to VS Code settings.json:

{
  "github.copilot.chat.mcp.servers": {
    "automotive-cybersecurity": {
      "type": "http",
      "url": "https://mcp.ansvar.eu/automotive/mcp"
    }
  }
}

Use Locally (npm)

npx @ansvar/automotive-cybersecurity-mcp

Claude Desktop — add to claude_desktop_config.json:

macOS: ~/Library/Application Support/Claude/claude_desktop_config.json Windows: %APPDATA%\Claude\claude_desktop_config.json

{
  "mcpServers": {
    "automotive-cybersecurity": {
      "command": "npx",
      "args": ["-y", "@ansvar/automotive-cybersecurity-mcp"]
    }
  }
}

Cursor / VS Code:

{
  "mcp.servers": {
    "automotive-cybersecurity": {
      "command": "npx",
      "args": ["-y", "@ansvar/automotive-cybersecurity-mcp"]
    }
  }
}

Usage Examples

Preparing for Type Approval:

"What documentation does R155 require for CSMS approval?"
"Show me the R155 Annex 4 certificate template"
"List all R155 requirements for vulnerability management"

Compliance Analysis:

"Search R155 for requirements about incident response"
"What does R156 Article 7 require for software update assessment?"
"Compare R155 and R156 approval processes"

Documentation Generation:

"Generate a compliance checklist from R155 Article 7"
"Create a gap analysis template for R155"
"What evidence does R155 require for type approval?"

Training & Education:

"Explain R155 Article 7.2.2.2 in simple terms"
"What are the key differences between R155 Revision 1 and 2?"
"Create quiz questions from R155 CSMS requirements"

Why This Works

Direct Source Access: Content comes directly from official UNECE regulation documents, not LLM training data or paraphrased summaries.

Instant Retrieval: Sub-millisecond full-text search across 294KB of regulation content eliminates PDF scrolling.

Accurate Citations: Every answer includes exact article references (e.g., "R155 Article 7.2.2.2") for audit trails.

Always Current: Database includes complete R155/R156 Revision 2 (effective 2024-07-07) from official sources.

Traditional Approach vs. MCP

Task	Traditional Approach	With Automotive MCP
Find specific requirement	Download PDF → Ctrl+F → Read context → Verify article	Ask Claude → Get answer with citation
Time	15-30 minutes	10 seconds
Prepare for audit	Read 200 pages → Highlight → Create checklist → Cross-reference	Ask for requirements → Generate checklist → Done
Time	2-3 days	30 minutes
Answer RFQ question	Search PDF → Read articles → Draft response → Verify	Ask Claude → Get exact requirement → Copy citation
Time	1-2 hours	2 minutes
Train engineers	Create slides → Extract requirements → Format → Present	Ask for explanations → Generate quiz → Export
Time	1 week	2 hours
Cost	$200-400/hour consultant	$0 (open source)

ROI: First question answered = immediate payback. 10 questions/month = $36,000/year saved.

Overview

This MCP server enables AI assistants to access and reason about automotive cybersecurity requirements, helping with:

Type approval preparation - Access UNECE R155/R156 requirements for cybersecurity type approval
Compliance verification - Map requirements across different frameworks (UNECE regulations, ISO standards)
Security analysis - Search for relevant requirements by topic or keyword
Documentation - Generate compliance evidence and traceability matrices

The server uses a read-only SQLite database with full-text search (FTS5) to provide fast, accurate access to regulatory content.

Features

Current Release (v1.0.0) ✅

Production Infrastructure:

✅ 5 core tools - list_sources, get_requirement, search_requirements, list_work_products, export_compliance_matrix
✅ SQLite database - FTS5 full-text search with BM25 ranking (~360KB)
✅ MCP protocol - Full stdio transport support
✅ Type-safe API - TypeScript with strict mode
✅ Comprehensive tests - 105 tests, 100% pass rate
✅ Performance - Sub-millisecond queries (<1ms avg)

Complete Content:

UNECE R155: 17 items (12 articles + 5 annexes) - Full regulation text including:
- Article 7: Complete CSMS specifications (22KB)
- Annex 5: Comprehensive threat catalog (148KB)
- All official annexes (communication forms, approval marks, certificates)
UNECE R156: 16 items (12 articles + 4 annexes) - Full regulation text including:
- Article 7: SUMS requirements
- All official annexes
ISO 21434: 25 clauses with expert guidance, R155 mappings, and work products
VDA TISAX: 14 control areas for supplier qualification
SAE J3061: 7 lifecycle clauses (legacy reference)
AUTOSAR: 8 security modules for ECU implementation
Total: 99 items (33 regulation + 68 standard clauses) with ~360KB of content

Future Enhancements 🚀

📋 TARA methodology tools and threat scenario library
📋 Type approval checklist generation
📋 ReqIF export format for PLM integration

Installation

Prerequisites

Node.js 18 or higher
Claude Desktop or compatible MCP client

Option 1: Use with npx (Recommended)

No installation needed! Use directly in Claude Desktop:

macOS: Edit ~/Library/Application Support/Claude/claude_desktop_config.json Windows: Edit %APPDATA%\Claude\claude_desktop_config.json

{
  "mcpServers": {
    "automotive-cybersecurity": {
      "command": "npx",
      "args": ["-y", "@ansvar/automotive-cybersecurity-mcp"]
    }
  }
}

Restart Claude Desktop after editing the config.

Option 2: Install globally from npm

npm install -g @ansvar/automotive-cybersecurity-mcp

Then in Claude Desktop config:

{
  "mcpServers": {
    "automotive-cybersecurity": {
      "command": "automotive-cybersecurity-mcp"
    }
  }
}

Option 3: Install from source (for development)

# Clone the repository
git clone https://github.com/ansvar-ai/automotive-mcp.git
cd automotive-mcp

# Install dependencies and build
npm install
npm run build:db  # Build SQLite database
npm run build     # Compile TypeScript

Then in Claude Desktop config:

{
  "mcpServers": {
    "automotive-cybersecurity": {
      "command": "node",
      "args": ["/absolute/path/to/automotive-mcp/dist/index.js"]
    }
  }
}

Replace /absolute/path/to/automotive-mcp with your installation path.

Verify Installation

After restarting Claude Desktop, ask:

What automotive cybersecurity sources are available?

Claude should use the list_sources tool and show R155, R156, and ISO 21434.

What's Included

Complete UNECE Regulations:

✅ UNECE R155 - All 17 items (12 articles + 5 annexes) including full Annex 5 threat catalog
✅ UNECE R156 - All 16 items (12 articles + 4 annexes) for software update management
✅ Full-text search - Sub-millisecond queries across 294KB of authoritative regulation text

ISO 21434 Guidance:

✅ 25 clauses - Comprehensive expert guidance for all major clauses (5-15) plus key annexes
✅ R155 mappings - Each clause linked to corresponding R155 requirements
✅ Work products - 40+ work product references with descriptions

Additional Frameworks:

✅ VDA TISAX - 14 control areas with assessment level guidance (AL1-AL3)
✅ SAE J3061 - 7 lifecycle phases plus TARA methods annex
✅ AUTOSAR Security - 8 modules (SecOC, CSM, KeyM, IdsM, Secure Boot, etc.)
✅ Chinese GB/T - 12 clauses covering GB/T 40857, 40856, 40855, GB 44495, CCC certification

Content Inventory

Source	Items	Content	Size
UNECE R155	17	Articles 1-12, Annexes 1-5	223KB
UNECE R156	16	Articles 1-12, Annexes 1-4	64KB
ISO 21434	25	Clauses 5-15, TARA sub-clauses, Annexes A/D-H	~25KB
VDA TISAX	14	Control areas 1-13 + Prototype protection	~15KB
SAE J3061	7	Lifecycle clauses 5-10 + Annex A	~8KB
AUTOSAR	8	SecOC, CSM, KeyM, IdsM, Secure Boot, etc.	~10KB
Chinese GB/T	12	GB/T 40857, 40856, 40855, GB 44495, CCC, V2X	~15KB
Total	99	5 standards + 2 regulations	~360KB

Key R155 Content:

Article 7: Complete CSMS specifications (largest article, ~22KB)
Annex 5: Full threat catalog with 70+ threat scenarios (~148KB)
Annexes 1-4: Communication forms, approval marks, certificates

Key R156 Content:

Article 7: Complete SUMS requirements
Annexes 1-4: All approval documentation templates

Available Tools

The server provides 5 MCP tools for accessing automotive cybersecurity requirements:

1. list_sources

List available automotive cybersecurity regulations and standards.

Input:

source_type (optional): Filter by type - "regulation", "standard", or "all" (default: "all")

Example:

{
  "source_type": "regulation"
}

Returns:

{
  "sources": [
    {
      "id": "r155",
      "name": "UN Regulation No. 155",
      "version": "Revision 2",
      "type": "regulation",
      "description": "Cyber Security and Cyber Security Management System",
      "item_count": 1,
      "full_text_available": true
    },
    {
      "id": "r156",
      "name": "UN Regulation No. 156",
      "version": "Revision 2",
      "type": "regulation",
      "description": "Software Update and Software Updates Management System",
      "item_count": 0,
      "full_text_available": true
    },
    {
      "id": "iso_21434",
      "name": "ISO/SAE 21434:2021",
      "version": "2021",
      "type": "standard",
      "description": "Road vehicles — Cybersecurity engineering",
      "item_count": 1,
      "full_text_available": false
    }
  ]
}

2. get_requirement

Retrieve a specific regulation article or standard clause with optional cross-framework mappings.

Input:

source (required): Source ID (e.g., "r155", "r156", "iso_21434")
reference (required): Article/clause reference (e.g., "7.2.2.2", "9.3")
include_mappings (optional): Include related requirements (default: false)

Example:

{
  "source": "r155",
  "reference": "7.2.2.2",
  "include_mappings": true
}

Returns:

{
  "requirement": {
    "source": "r155",
    "reference": "7.2.2.2",
    "title": "Cybersecurity processes",
    "text": "The manufacturer shall demonstrate that the vehicle type...",
    "section": "7.2.2.2"
  },
  "mappings": [
    {
      "target_source": "iso_21434",
      "target_reference": "9.3",
      "relationship": "implements"
    }
  ]
}

3. search_requirements

Full-text search across all regulations and standards using FTS5 with BM25 ranking.

Input:

query (required): Search query text
sources (optional): Filter to specific sources (e.g., ["r155", "iso_21434"])
limit (optional): Maximum results (default: 10)

Example:

{
  "query": "vulnerability management",
  "sources": ["r155"],
  "limit": 5
}

Returns:

{
  "results": [
    {
      "source": "r155",
      "reference": "7.2.2.2",
      "title": "Cybersecurity processes",
      "snippet": "...processes for vulnerability management and...",
      "rank": 1.245
    }
  ],
  "total": 5
}

4. list_work_products

List ISO 21434 work products (deliverables) required for cybersecurity engineering.

Input:

clause_id (optional): Filter to specific clause (e.g., "15" for TARA, "6" for cybersecurity case)
phase (optional): Filter by lifecycle phase - organizational, project, continual, concept, development, validation, production, operations, decommissioning, tara

Example:

{
  "phase": "tara"
}

Returns:

{
  "work_products": [
    {
      "id": "WP-15-01",
      "name": "TARA report",
      "clause_id": "15",
      "clause_title": "Threat analysis and risk assessment (TARA)",
      "cal_relevant": true,
      "r155_refs": ["5.1.1(b)", "7.2.2.2(b)", "7.3.3"]
    }
  ],
  "summary": {
    "total_work_products": 44,
    "clauses_covered": 19,
    "cal_relevant_count": 31
  }
}

5. export_compliance_matrix

Generate a compliance traceability matrix for audit documentation.

Input:

regulation (optional): "r155" or "r156" (default: "r155")
format (optional): "markdown" or "csv" (default: "markdown")
include_guidance (optional): Include ISO 21434 guidance summaries

Example:

{
  "regulation": "r155",
  "format": "csv"
}

Returns:

{
  "format": "csv",
  "content": "Requirement,Title,ISO 21434 Clauses,Work Products,Status\n\"R155 7\",\"Specifications\",\"15, 8, 6...\",\"WP-15-01...\",Mapped",
  "statistics": {
    "total_requirements": 12,
    "mapped_requirements": 2,
    "coverage_percent": 17,
    "unique_work_products": 36
  }
}

Quality & Testing

This MCP server is built to production standards:

✅ 105 automated tests - 100% pass rate across all test suites
✅ Type-safe - Strict TypeScript with comprehensive type definitions
✅ Fast queries - <2ms average per query
✅ Secure - Read-only database, SQL injection protection
✅ MCP compliant - Verified with MCP protocol testing
✅ Well-tested - Unit, integration, and manual testing complete

See QUALITY_ASSESSMENT_REPORT.md for detailed test results.

Real-World Use Cases

1. 🎯 Type Approval Prep - "What do I need to pass audit?"

Scenario: Your OEM is 6 weeks from UNECE R155 type approval audit. You need to know every requirement.

Before (Manual Process):

Download R155 PDF (80+ pages)
Search for keywords, read dense legal text
Miss requirements due to synonym variations
Time: 4-6 hours

With This MCP:

You: "List all R155 requirements related to vulnerability management"

Claude: "R155 has several vulnerability management requirements:

📍 Article 7.2.2.2(g) - Vulnerability Management
The CSMS shall include processes for managing vulnerabilities...
[Full text with exact reference]

📍 Article 7.2.2.2(h) - Security Updates
Procedures for providing security updates...
[Full text with exact reference]

I found these by searching R155 for 'vulnerability' and related terms."

Time: 30 seconds

2. 🔗 Cross-Framework Mapping - "Does our ISO 21434 work satisfy R155?"

Scenario: You've implemented ISO 21434 clause 9.3. Customer asks: "Does this satisfy R155 requirements?"

Before:

Read ISO 21434 clause 9.3
Read entire R155 regulation
Manually compare requirements
Hope you didn't miss anything
Time: 2-3 hours

With This MCP:

You: "Show me ISO 21434 clause 9.3 and which R155 requirements it satisfies"

Claude: "ISO 21434 Clause 9.3 - Vulnerability Analysis
[Guidance text]

This clause directly satisfies these R155 requirements:
✅ R155 Article 7.2.2.2(g) - Vulnerability management processes
✅ R155 Article 7.2.2.2(h) - Security update procedures

The mapping shows your ISO 21434 implementation addresses the R155 type approval requirements."

Time: 15 seconds

3. 📄 Instant Documentation - "Generate our compliance matrix"

Scenario: Auditor asks: "Show me your CSMS compliance matrix for R155 Article 7."

Before:

Manually copy requirements from PDF
Create Excel/Word table
Add internal process references
Format for presentation
Time: 3-4 hours

With This MCP:

You: "Create a compliance traceability matrix for R155 Article 7 requirements"

Claude: [Generates formatted markdown table]

| R155 Requirement | Description | Our Implementation | Status |
|-----------------|-------------|-------------------|--------|
| 7.2.2.2(a) | Risk assessment | TARA Process Doc v2.1 | ✅ |
| 7.2.2.2(b) | Risk treatment | Security Architecture v3.0 | ✅ |
| 7.2.2.2(g) | Vulnerability mgmt | VMP-001 Procedure | ✅ |
...

You can now add your implementation details to the template.

Time: 2 minutes + your data entry

4. 🔍 Quick Answers - "What's this regulation requirement about?"

Scenario: Email from customer: "Please confirm compliance with R155 Article 7.2.2.2 paragraph (e)."

Before:

Find R155 PDF in downloads folder
Search for "7.2.2.2"
Scroll through subsections to find (e)
Read surrounding context
Time: 5-10 minutes

With This MCP:

You: "What is R155 Article 7.2.2.2 paragraph (e)?"

Claude: "R155 Article 7.2.2.2(e) requires:

'Management of security events including tools, procedures and forensic data'

This means your CSMS must have:
- Security event monitoring tools (SIEM, IDS, etc.)
- Incident response procedures
- Forensic data collection and retention
- Event analysis and reporting processes

This is part of the CSMS operational requirements."

Time: 10 seconds

5. 🎓 Learning & Training - "Explain this standard to our team"

Scenario: New engineer asks: "What's the difference between R155 and ISO 21434?"

Before:

Schedule meeting with compliance expert
Wait for their availability
Get 30-minute overview
Time: Days + meeting time

With This MCP:

You: "Explain the difference between R155 and ISO 21434"

Claude: "Based on the sources:

📋 UNECE R155 (Regulation):
- Legal requirement for vehicle type approval in EU/Asia
- Focus: What you MUST have (CSMS, processes, documentation)
- Enforced by: Government regulators during type approval
- Consequence: Can't sell vehicles without it

📘 ISO 21434 (Standard):
- Industry best practice (not legally required)
- Focus: How to implement automotive cybersecurity engineering
- Provides: Detailed processes, methods, work products
- Used to: Demonstrate compliance with R155

Relationship: R155 says 'you must have a CSMS', ISO 21434 tells you how to build one."

Time: Immediate

Why Not Just Use Google/PDFs?

Task	Manual Search	This MCP
Find specific requirement	Download PDF, Ctrl+F, read context	Ask Claude, get answer + context
Cross-reference frameworks	Open multiple PDFs, compare manually	Ask for mappings, instant results
Generate compliance matrix	Copy/paste from PDFs into Excel	Ask Claude to generate table
Answer "does X satisfy Y?"	Read both docs, hope you understand	Ask, get yes/no + explanation
Learn a regulation	Read 80+ page PDF	Ask questions, get summaries
Time for typical task	30 min - 4 hours	10 seconds - 2 minutes
Cost of consultant	$100-400/hour	Free (after setup)

Key Advantage: Natural language + AI reasoning. Claude doesn't just search keywords - it understands context, relationships, and can synthesize information across multiple requirements.

Integration with Other MCPs

This server works well with other MCP servers:

With GitHub MCP

"Export R155 requirements as GitHub issues for our compliance tracking"

Use search_requirements to find relevant requirements
GitHub MCP creates issues with requirement text and references

With Filesystem MCP

"Save all ISO 21434 work products to a structured directory"

Use list_sources and get_requirement to retrieve content
Filesystem MCP writes to organized folder structure

With Brave Search MCP

"Find industry best practices for implementing R155 vulnerability management"

Use get_requirement to understand R155 requirements
Brave Search finds implementation guidance and tools

Development

Project Structure

automotive-mcp/
├── src/
│   ├── index.ts              # MCP server entry point
│   ├── types/                # TypeScript type definitions
│   │   └── index.ts
│   └── tools/                # Tool implementations
│       ├── registry.ts       # Shared tool registry
│       ├── list.ts          # list_sources tool
│       ├── get.ts           # get_requirement tool
│       └── search.ts        # search_requirements tool
├── data/
│   ├── seed/                # JSON seed data
│   │   ├── regulations.json
│   │   └── standards.json
│   └── automotive.db        # Generated SQLite database (not in git)
├── scripts/
│   └── build-db.ts          # Database build script
├── tests/                   # Vitest tests
└── dist/                    # Compiled TypeScript (not in git)

Building

# Compile TypeScript
npm run build

# Build database from seed data
npm run build:db

# Both
npm run build && npm run build:db

Testing

# Run all tests once
npm test

# Run tests in watch mode
npm run test:watch

Development Mode

# Run with auto-reload on file changes
npm run dev

Testing with MCP Inspector

The MCP Inspector provides a visual interface for testing tools:

npm run build
npx @modelcontextprotocol/inspector node dist/index.js

This opens a web interface where you can:

View all available tools
Test tool calls with different inputs
Inspect responses

Database Schema

The database uses SQLite with FTS5 for full-text search:

Tables:

sources - Regulation/standard metadata
requirements - Individual articles/clauses
requirements_fts - FTS5 virtual table for search
mappings - Cross-framework relationships (future)

Key Features:

BM25 ranking for search relevance
Foreign key constraints for data integrity
Indexes for fast lookups by source and reference

Adding Content

To add new regulations or standards:

Add JSON file to data/seed/:

{
  "id": "new_regulation",
  "name": "New Regulation",
  "full_name": "Full title...",
  "version": "2024",
  "type": "regulation",
  "issuing_body": "Authority",
  "items": [
    {
      "reference": "1.1",
      "title": "Scope",
      "text": "Full text...",
      "section": "1"
    }
  ]
}

Rebuild database:

npm run build:db

Run tests to verify:

npm test

Environment Variables

AUTOMOTIVE_CYBERSEC_DB_PATH - Override database location (default: data/automotive.db)

Data Sources and Licensing

UNECE Regulations (R155/R156)

License: Public domain (UN documents)
Source: UNECE WP.29
Status: Complete R155/R156 Revision 2 (all articles and annexes)

ISO 21434

License: Paid standard (copyright ISO)
What we include: Guidance, work products, clause structure (no full text)
What we don't include: Full standard text (requires license)
How to get full text: Purchase from ISO

More Open Source from Ansvar

We maintain a family of MCP servers for compliance and security professionals:

Server	Description	Install
EU Regulations	47 EU regulations (GDPR, AI Act, DORA, NIS2, MiFID II, eIDAS, MDR...)	`npx @ansvar/eu-regulations-mcp`
US Regulations	HIPAA, CCPA, SOX, GLBA, FERPA, COPPA, FDA 21 CFR Part 11, state privacy laws	`npx @ansvar/us-regulations-mcp`
Security Controls	1,451 controls across 28 frameworks (ISO 27001, NIST CSF, PCI DSS, CMMC...)	`pipx install security-controls-mcp`
OT Security	IEC 62443, NIST 800-82, MITRE ATT&CK for ICS	`npx @ansvar/ot-security-mcp`
Sanctions	Offline sanctions screening with OpenSanctions (30+ lists)	`pip install ansvar-sanctions-mcp`

Browse all projects: ansvar.eu/open-source

License

This MCP server is licensed under the Apache License 2.0. See LICENSE file for details.

Important: This license covers the software only. Regulatory content and standards have their own licensing terms as described above.

Contributing

Contributions welcome! Please:

Fork the repository
Create a feature branch
Add tests for new functionality
Ensure npm test passes
Submit a pull request

FAQ

Is this legally valid for compliance?

Yes, for reference. The regulations (R155/R156) are public domain. However, always verify critical compliance decisions with the official source documents. This tool helps you work faster, not replace your judgment.

How much ISO 21434 content is included?

25 clauses with expert guidance. ISO 21434 is copyrighted—we include clause titles, expert guidance summaries, work products, and R155 mappings (not full text). This covers all major clauses (5-15) plus key annexes. R155/R156 regulations are public domain and fully included.

Can I use this for paid client work?

Yes. Apache 2.0 license allows commercial use. Many consultants use this to speed up their R155/ISO 21434 advisory work.

What about ISO 21434 full text?

Not included (copyright). We provide clause IDs, titles, and expert guidance for ISO 21434. The full standard text requires a license from ISO. This approach respects copyright while still being useful.

Will this work with Claude Pro / Claude API?

Claude Desktop only for now. MCP is currently supported in Claude Desktop. Once Anthropic adds MCP support to web/API, this will work there too (no changes needed).

How do I get updates?

Automatic. If you install via npm/npx, running npm update -g @ansvar/automotive-cybersecurity-mcp (or just restarting Claude Desktop with npx) will get the latest version. v1.0.0 includes all Phase 1 & 2 features.

Can I add my own company's interpretations?

Yes. Fork the repo and modify data/seed/*.json files to add internal notes, then rebuild the database with npm run build:db.

Is my data sent anywhere?

No. Everything runs locally on your machine. The database is read-only SQLite. No network calls, no telemetry, no data collection.

Support

For issues, questions, or contributions:

GitHub Issues: https://github.com/ansvar-ai/automotive-mcp/issues
Email: jeffrey@ansvar.ai
Discussions: Share your use cases and workflow ideas

Performance & Statistics

Current Implementation:

Code: ~2,000 lines TypeScript (10 source files)
Tests: 105 test cases (100% passing)
Database: ~360KB SQLite with FTS5 indexes
Content: 99 items (33 regulation + 68 standard clauses)
Mappings: 87 bidirectional R155 ↔ ISO 21434 mappings
Query Speed: <2ms average
Build Time: <500ms for full database rebuild
Dependencies: MCP SDK + better-sqlite3 only

Important Disclaimers

⚖️ Legal & Compliance

Not Legal Advice: This tool provides access to regulatory text for informational purposes only. It does not constitute legal advice, compliance certification, or professional consultation. For official compliance decisions, consult qualified legal counsel or type approval authorities.

Official Sources: Always verify critical requirements against official UNECE publications and your jurisdiction's implementation of regulations.

Type Approval: Type approval decisions are made by recognized technical services and approval authorities, not by AI tools.

📊 Token Usage

Claude Desktop: This MCP can return large regulation articles (e.g., R155 Article 7 is 22KB). Be mindful of token usage if on limited plans.

Best Practice: Use specific queries rather than requesting entire regulations at once.

📜 ISO Standards

ISO 21434 Content: Full ISO 21434 text is copyright-protected and not included. We provide expert guidance summaries only. Purchase the official standard from ISO for complete requirements.

Official Standard: https://www.iso.org/standard/70918.html

Roadmap

✅ Phase 1 & 2 (Complete - v1.0.0)

✅ TypeScript MCP server with stdio transport
✅ SQLite database with FTS5 full-text search
✅ 5 core tools: list_sources, get_requirement, search_requirements, list_work_products, export_compliance_matrix
✅ Complete R155/R156 regulations - All 33 items (articles + annexes)
✅ ISO 21434 guidance - 25 clauses with expert guidance
✅ Cross-framework mappings - 87 bidirectional R155 ↔ ISO 21434 mappings
✅ Work products tool - ISO 21434 work product requirements by clause/phase
✅ Global standards - VDA TISAX, SAE J3061, AUTOSAR, Chinese GB/T
✅ Enterprise CI/CD with security scanning
✅ Comprehensive testing (105 tests, 100% pass rate)

📋 Phase 3 (Next - Q2 2026) - TARA Methodology

TARA guidance tool - Threat analysis and risk assessment methodology
Threat scenario library - 20+ automotive threat scenarios
Attack feasibility ratings - ISO 21434 Annex G methodology
Cybersecurity goals - CAL rating guidance

🎯 Phase 4 (Q3 2026) - Type Approval

Type approval checklist - R155/R156 audit preparation
Evidence generation - Compliance documentation
Gap analysis - Compare implementation vs requirements
ReqIF export - PLM system integration

Acknowledgments

Built on the Model Context Protocol by Anthropic
Follows patterns from the EU Compliance MCP reference implementation
Regulatory content from UNECE and ISO (with appropriate licensing)

Version History

1.0.0 (2026-01-31) - Production-Ready with Global Market Coverage

🎉 Major Release - Complete Automotive Compliance Platform

Features:

✅ 5 MCP tools fully implemented and tested
✅ SQLite database with FTS5 full-text search (~360KB)
✅ 87 bidirectional cross-framework mappings (ISO 21434 ↔ R155)
✅ Work products tool with lifecycle phase filtering
✅ Compliance matrix export (CSV/Markdown)
✅ 105 tests, 100% pass rate

Content (99 items across 5 standards + 2 regulations):

UNECE R155: 17 items - Complete with Annex 5 threat catalog
UNECE R156: 16 items - Complete SUMS requirements
ISO 21434: 25 clauses - Expert guidance, work products, R155 mappings
VDA TISAX: 12 clauses - AL1-AL3 assessment levels
SAE J3061: 7 clauses - Legacy guidebook compatibility
AUTOSAR: 12 modules - SecOC, CSM, KeyM, IdsM, etc.
Chinese GB/T: 12 clauses - GB/T 40857, 40856, 40855, GB 44495, CCC

Global Market Support:

🇪🇺 EU: R155/R156, ISO 21434, TISAX
🇺🇸 US: SAE J3061, ISO 21434
🇨🇳 China: GB/T standards, SM2/SM3/SM4 crypto, CCC certification

0.1.0 (2026-01-29) - Initial Release

Features:

✅ 3 core MCP tools (list_sources, get_requirement, search_requirements)
✅ Complete UNECE R155 and R156 regulation text
✅ ISO 21434 basic clause structure
✅ Enterprise CI/CD with security scanning

Acknowledgments

This project includes UNECE R155 and R156 regulation content sourced from the EU Compliance MCP project by Ansvar Systems. The EU Compliance MCP provides comprehensive access to 37 EU regulations including automotive cybersecurity standards.

Data Attribution:

R155/R156 regulation text: Sourced from official UNECE documents via EU Compliance MCP
License: Apache 2.0 (compatible with this project)
Original source: https://github.com/Ansvar-Systems/EU_compliance_MCP

We thank the EU Compliance MCP team for their excellent work in making EU and UNECE regulations accessible via MCP protocol.

Directory Review Notes

Testing Account and Sample Data

This server is read-only and does not require a login account for functional review. For directory review, use the bundled dataset and these sample prompts:

"What does R155 Article 7 require for CSMS?"
"Search R156 requirements for software update assessment."
"List ISO 21434 work products for TARA."

Remote Authentication (OAuth 2.0)

The default server runtime is read-only and can be deployed without authentication. If you deploy a remote authenticated endpoint, use OAuth 2.0 over TLS with certificates from recognized authorities.

Privacy

See PRIVACY.md for data handling and retention notes.

Troubleshooting

If the server is not discovered in a client, verify the command path and that npm run build completed successfully.
If tool calls fail, confirm data/automotive.db exists and the process can read it.
If no results are returned, try broader search terms first (for example, R155, R156, or ISO 21434) and narrow from there.