
New European Emissions Regulations Incorporate Cybersecurity Rules


Cybersecurity Regulations and the Right-to-Repair: A Conflicted Future

As automakers navigate the implementation of new European Union cybersecurity requirements, concerns are emerging about potential conflicts with the right-to-repair movement. This movement aims to empower consumers by ensuring they have the freedom to repair their vehicles, either independently or through third-party mechanics. However, the very regulations intended to secure vehicles from hacking might inadvertently create obstacles for repairers.

The new cybersecurity measures are part of the Euro 7 emissions standard, the first significant update since the infamous Dieselgate scandal, where Volkswagen was caught employing software to manipulate emissions testing. This scandal highlighted the need for greater accountability in emissions control, prompting the EU to include stringent cybersecurity protocols alongside its environmental goals.

Under Euro 7, all gas-powered vehicles must come equipped with on-board systems that monitor nitrogen oxides and particulate matter emissions. The data from these systems must be accessible via a diagnostic port and transmitted over the air, albeit in an anonymized form. The introduction of cybersecurity elements aims to ensure the integrity of emissions data and prevent unauthorized alterations to software that controls emissions performance.

The principal risks addressed by these cybersecurity regulations stem from external threats, particularly those posed by hackers, according to Jan-Peter von Hunnius, an automotive cybersecurity expert at CYEQT Knowledge Base. He asserts that while Dieselgate represented a significant compliance failure, the core concern of the new regulations is defending against malicious actors who seek unauthorized access to vehicle systems.

Most automakers are reportedly well-prepared for these regulatory changes, having had to comply with the guidelines since at least mid-2024 under the widely recognized United Nations Regulation 155 on automotive cybersecurity. This regulation mandates that manufacturers implement specific security measures, many of which have already influenced automotive regulations in countries like India and South Korea.

A key element of these new requirements is the establishment of a security gateway between a vehicle’s external diagnostic port and its internal controller area network (CAN). This gateway requires authentication through digital certificates to ensure that only authorized diagnostic tools can access critical functions. Moreover, manufacturers are extending these security measures to their software update management systems to guarantee that any over-the-air updates are cryptographically signed and verified.

According to the timeline set by Euro 7, the initial implementation deadlines are slated to commence this coming November. During this phase, new models of passenger cars and delivery vehicles that fail to meet these requirements will not be granted EU or national emissions approval. A year later, it will become impossible to register new cars that do not conform to these standards. Heavy-duty vehicles face similar deadlines, with important milestones coming in May 2028 and May 2029.

While passenger vehicle manufacturers are expected to meet these deadlines without significant trouble, commercial vehicle makers are believed to be lagging behind. The new regulations will pose substantial challenges for them, as well as for compliance with U.N. Regulation 155.

However, a significant concern is arising around the intersection of these cybersecurity requirements and the right-to-repair movement. The gateway authorization necessary to secure vehicle systems can unintentionally deny independent repair shops access to vital diagnostic data they require to perform repairs effectively. As von Hunnius points out, the same mechanisms intended to thwart unauthorized tuning or modifications may also restrict legitimate mechanics from accessing the necessary systems.

Since 2007, European regulations have mandated that manufacturers provide independent repairers access to diagnostic tools and essential maintenance information. This creates a paradox where the push for cybersecurity inadvertently contravenes the right-to-repair principles, potentially sidelining independent mechanics unless automotive manufacturers offer them proper authentication credentials and secure pathways to the data they need.
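The gateway behaviour and the repair-access conflict described above, as an added example that is not from the original article or any manufacturer's code: a gateway that authenticates a tool credential and then authorizes each diagnostic request by role, so an independent repairer holding an issued credential can read diagnostics while emissions-software writes stay blocked. The role names, policy table, tool ID and issuer key are hypothetical; an HMAC tag stands in for certificate signature verification, and the service IDs are the standard UDS (ISO 14229) values.

```python
import hashlib
import hmac
import json

# UDS (ISO 14229) service IDs used in the policy table.
READ_DTC, READ_DATA, WRITE_DATA, REQUEST_DOWNLOAD = 0x19, 0x22, 0x2E, 0x34

# Hypothetical policy: services each credential role may send past the gateway.
ROLE_POLICY = {
    "independent_repairer": {READ_DTC, READ_DATA},
    "oem_workshop": {READ_DTC, READ_DATA, WRITE_DATA, REQUEST_DOWNLOAD},
}
ISSUER_KEY = b"constructed-demo-issuer-key"  # stand-in for the issuing CA's key

def issue_credential(tool_id, role):
    """Issuer side: bind tool ID and role, then sign (HMAC stands in for a certificate signature)."""
    body = json.dumps({"tool": tool_id, "role": role}, sort_keys=True).encode()
    return body, hmac.new(ISSUER_KEY, body, hashlib.sha256).digest()

class SecurityGateway:
    def __init__(self):
        self.sessions = {}  # tool ID -> role, filled only after authentication

    def authenticate(self, body, tag):
        expected = hmac.new(ISSUER_KEY, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return False  # tampered or unsigned credential
        claims = json.loads(body)
        if claims["role"] not in ROLE_POLICY:
            return False
        self.sessions[claims["tool"]] = claims["role"]
        return True

    def forward(self, tool_id, service_id):
        """True if the request may pass from the diagnostic port to the CAN side."""
        role = self.sessions.get(tool_id)
        return role is not None and service_id in ROLE_POLICY[role]

def demo():
    gw = SecurityGateway()
    body, tag = issue_credential("shop-tool-01", "independent_repairer")
    forged = body.replace(b"independent_repairer", b"oem_workshop")
    return {
        "unauthenticated_read": gw.forward("shop-tool-01", READ_DTC),
        "forged_role_accepted": gw.authenticate(forged, tag),
        "repairer_authenticated": gw.authenticate(body, tag),
        "repairer_read_dtc": gw.forward("shop-tool-01", READ_DTC),
        "repairer_reflash": gw.forward("shop-tool-01", REQUEST_DOWNLOAD),
    }

if __name__ == "__main__":
    print(demo())
```

Whether independent shops are locked out depends on who can obtain a credential and what the role policy grants, not on the gateway check itself.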

The challenges facing the automotive sector are multifaceted, as both cybersecurity and consumer rights objectives are legitimate but can conflict with one another. Von Hunnius emphasizes that the challenge lies in devising a secure and equitable digital ecosystem for vehicle repairs. Achieving this balance is essential not only for consumer rights but also for enhancing overall vehicle security.

As the European Commission outlines in its implementing act regarding Euro 7’s cybersecurity aspects, manufacturers retain the freedom to employ their own cybersecurity measures, provided they remain compliant with U.N. Regulation 155. The guidance specifies that onboard monitoring systems must transmit data promptly to their servers, although delays may occur when vehicles are operated outside the EU.

The repercussions of these regulations span beyond Europe, as the United Kingdom and South Korea also adopt similar measures based on U.N. standards. The UK’s compliance timeline commences in June, while manufacturers in South Korea began implementing these new rules last year. Even China has initiated comparable requirements for its automotive sector, signifying a global trend toward stricter cybersecurity protocols in the industry.

However, the broader implications of connected cars warrant scrutiny. The EU’s Network and Information Systems Cooperation Group recently released a risk assessment indicating that while current regulations can mitigate many significant risks, the interconnectedness of vehicles presents new vulnerabilities that could facilitate major breaches. Hackers could exploit these vulnerabilities to gain full remote control of vehicles or expose sensitive data.

Experts warn that the current type-approval regime primarily focuses on traffic safety, failing to adequately consider evolving cybersecurity threats, some of which may involve organized efforts possibly backed by governmental entities. Thus, it is crucial for both public and private sectors involved in implementing these regulations to fully understand the scope of potential new threats while striving to balance consumer rights and cybersecurity measures.

Overall, the ongoing evolution of automotive cybersecurity measures and the right-to-repair movement reflects the intricate challenge of modern governance in a highly digitized world. As the industry continues to adjust to new standards, addressing these conflicts will be essential for protecting both technological integrity and consumer autonomy.
