Packaging Daily

EU Expands Automotive Cybersecurity and Data Access Rules as 2027 Digital Product Passport Rollout Nears

The EU Data Act, Cyber Resilience Act, and Digital Product Passport converge on automotive. Key deadlines hit 2026-2027. Here's what OEMs and suppliers must do now.


Connected vehicles now generate more data per hour than a smartphone produces in a month - yet until recently, most of that data remained locked inside proprietary OEM ecosystems. That is changing fast. European policymakers are tightening cybersecurity standards for connected and autonomous vehicles while extending the Digital Product Passport (DPP) framework toward automotive software and vehicle data, all ahead of a 2027 deadline now less than two years away. For OEMs, Tier-1 suppliers, aftermarket service providers, and logistics operators, the regulatory pressure is no longer on the horizon - it is here.


A Converging Regulatory Wave

Three distinct but interrelated EU regulatory frameworks are reshaping how vehicle data is secured, shared, and documented:

  • EU Data Act - Adopted in 2023, the EU Data Act came into full effect on 12 September 2025, establishing new requirements for data sharing, accessibility, and security in the digital economy. The automotive sector faces particular challenges given the industry's rapid shift toward connected and automated driving technologies, which generate vast quantities of data. Recognizing these circumstances, the European Commission published its "Guidance on vehicle data, accompanying Regulation 2023/2854 (Data Act)" on 12 September 2025.

  • EU Cyber Resilience Act (CRA) - The CRA entered into force on 10 December 2024. Its main obligations apply from 11 December 2027, with reporting obligations taking effect on 11 September 2026.

  • Digital Product Passport (ESPR/Battery Regulation) - The DPP is a digital data container designed to enhance transparency, traceability, and circularity by providing standardized, product-specific sustainability and lifecycle data. It is already being piloted through the Battery Passport under Regulation (EU) 2023/1542, which mandates digital data requirements for certain battery types from 18 February 2027.

Together, these frameworks represent the most consequential restructuring of automotive data governance in the EU in over a decade.


What the EU Data Act Means for Vehicle Data

The EU Data Act establishes a harmonized framework for accessing and using data generated by connected devices and digital services across the EU. It will reshape how vehicle manufacturers manage access to vehicle-generated data.

The European Commission issued definitive guidance in September 2025 clarifying which vehicle data automotive manufacturers must share. With enforcement beginning September 2026, OEMs must provide access to raw and pre-processed vehicle data while protecting proprietary algorithms. Direct user access is free, but B2B data sharing can be monetized under reasonable compensation rules.

This distinction matters operationally. From 12 September 2026, design obligations apply - connected products must enable direct user access to data. Hardware and software designed today must be capable of routing data to owners and authorized third parties by that date.

"The Act requires automakers to open their data ecosystems to third parties under fair and transparent conditions - fundamentally changing how many automakers manage vehicle-generated data. Ultimately, it empowers vehicle owners with sovereignty over their data, compelling automakers to embrace a more user-centric data landscape," according to Sahas Katta, CEO & Co-Founder at Smartcar.

The regulation covers diagnostics, maintenance histories, software configuration, telematics, and other categories generated by the vehicle's sensors and ECUs. Independent repair shops, insurers, and fleet operators are explicitly named as authorized recipients of third-party data access - a direct response to right-to-repair advocates and competition concerns in the aftermarket services sector.


Automotive Cybersecurity: Multiple Layers of Obligation

UNECE WP.29: The Established Baseline

The UNECE WP.29 regulation establishes binding requirements for automotive cybersecurity and software updates. It came into force in 2021 and now applies to all new vehicle types in participating countries. As of July 2024, these regulations are mandatory for all new vehicles produced in over 60 countries, including the EU, UK, Japan, and South Korea.

WP.29 requires OEMs to establish Cybersecurity Management Systems (CSMS) covering risk assessment, incident response, and continuous monitoring. Its companion regulation, R156, governs Software Update Management Systems (SUMS). OEMs are extending these security principles to their software update management systems to ensure any OTA updates to emissions software are cryptographically signed and verified.

The Cyber Resilience Act: A New Horizontal Layer

The CRA goes further than WP.29 by applying to all products with digital elements placed on the EU market - encompassing vehicle control units, telematics modules, connected diagnostics systems, and OTA update infrastructure.

A core CRA requirement is secure software updates throughout the lifecycle of any product with digital elements (PDE). As products become increasingly digital, they require more frequent software updates. The CRA mandates comprehensive monitoring and proactive vulnerability management across an entire product lifecycle, covering not only proprietary code but also all third-party components and interactions.

A critical new tool under the CRA is the Software Bill of Materials (SBOM), an implicit mandatory requirement by September 2026. An SBOM is essentially a digital ingredients list for software. For automotive suppliers managing hundreds of ECU software components with overlapping third-party dependencies, generating and maintaining SBOMs at scale represents one of the most demanding operational challenges of the compliance cycle.

Obligations for reporting exploited vulnerabilities and severe incidents apply from 11 September 2026 - particularly important for all in-scope products already on the EU market before 11 December 2027. Under the CRA's incident reporting rules, manufacturers must submit an early warning within 24 hours, a full notification within 72 hours, and a final corrective report within 14 days.

The Right-to-Repair Tension

One structural challenge runs through both the Data Act and the CRA: the friction between open data access and robust cybersecurity. "The tension is structurally unavoidable because both objectives are legitimate and use the same security mechanisms," according to one cybersecurity expert. "The challenge is immense, as it requires creating a secure, scalable and equitable digital ecosystem for vehicle repair - this is a central architectural and policy challenge the automotive industry needs to address."

Granting independent repair shops cryptographically authenticated data access without creating exploitable attack surfaces requires identity management and access control infrastructure that most suppliers have not yet deployed at scale.


The Digital Product Passport: What Automotive Stakeholders Need to Know Now

The Digital Product Passport is a new EU requirement that becomes mandatory starting in 2027 for priority product groups, with full rollout expected by 2030. Introduced under the Ecodesign for Sustainable Products Regulation (ESPR), the DPP is a structured digital record providing lifecycle data for each product in a standardized format. It contains essential data such as material composition, carbon footprint, repairability, and end-of-life instructions, accessible via a QR code.

For the automotive industry, the immediate DPP obligation centers on the Battery Passport. The Battery Passport becomes mandatory from 18 February 2027, applying to all industrial batteries exceeding 2 kWh, EV batteries, and light transport batteries placed on the EU market. The Battery Passport must be accessible via a QR code linking to a unique identifier and a secure online database, containing general information, battery composition and materials including critical raw materials, and performance, safety, and compliance data.

The current indicative timeline places vehicles in the 2028-2029 DPP obligations window, alongside electronics and additional product categories. That window is not far off, and enterprises typically require 12-18 months for full DPP implementation. Automotive stakeholders preparing vehicle-level data architecture should treat the EV battery deadline as a proving ground rather than a final destination.

The technical layer rests on three pillars: CIRPASS-2 supplies the EU DPP Core Ontology as the interoperability reference; GS1 Digital Link with GTIN is the recognized product-identifier pattern under ESPR; and ISO/IEC JTC 5, launched in April 2026, will deliver the global standards framework from 2028.


Regulatory Timeline: Key Deadlines at a Glance

Deadline | Regulation | Key Obligation | Who It Affects
Sept 2025 | EU Data Act | Data access & sharing obligations in force | OEMs, suppliers, aftermarket
Jun 2026 | Cyber Resilience Act | Conformity assessment bodies begin notifying | All connected product manufacturers
Sept 2026 | EU Data Act + CRA | Connected vehicles must enable direct user data access; CRA vulnerability reporting to ENISA begins | OEMs, suppliers, software vendors
Feb 2027 | Battery Regulation (DPP) | Battery Passport mandatory for EV batteries >2 kWh | EV battery manufacturers & importers
Dec 2027 | Cyber Resilience Act | Full CRA compliance; non-compliant products barred from EU market | All manufacturers of digital products
2028-2030 | ESPR (DPP) | DPP rollout extends to vehicles, electronics, other product categories | OEMs, component suppliers

What Smaller Suppliers Must Prepare For

Data sovereignty tensions create compliance complexity as different jurisdictions impose conflicting requirements - EU GDPR mandates European data localization while China's Cybersecurity Law requires in-country storage for certain categories, forcing manufacturers navigating both markets into difficult compromises.

For smaller Tier-2 and Tier-3 suppliers, cost is equally pressing. Populating a DPP requires extracting granular, verified data from deep within the supply chain - including Environmental Product Declarations, mapping chemical substances of concern, and tracking Global Warming Potential across Scope 3 emissions.

Supply chain management under the CRA requires updating supplier contracts to reflect CRA obligations and incorporating CRA compliance into supplier due diligence procedures. Suppliers of critical components that may affect CRA compliance by 11 December 2027 should be prioritized.


Six Steps to Build Compliance Readiness

1. Generate and maintain Software Bills of Materials (SBOMs)
   Produce machine-readable SBOMs in SPDX or CycloneDX format for all vehicle software components, including third-party libraries. This is the foundational requirement for CRA vulnerability reporting and DPP data population.

2. Establish a Cybersecurity Management System (CSMS)
   Align with UNECE WP.29 R155, covering risk assessment, incident response, and ongoing monitoring. Extend security principles to OTA Software Update Management Systems (SUMS) per R156.

3. Build third-party data access infrastructure
   Develop standardized, secure interfaces granting vehicle owners and authorized parties access to vehicle-generated data as required by the EU Data Act. Establish contractual frameworks governing B2B data sharing.

4. Prepare for conformity assessments
   Engage accredited bodies - available from June 2026 - to validate cybersecurity controls. Compile technical documentation and Declarations of Conformity for all in-scope connected systems.

5. Integrate DPP-compatible data layers
   Connect software configuration data, maintenance histories, and diagnostic records into a DPP-compatible architecture accessible via a persistent digital identifier throughout the vehicle lifecycle.

6. Participate in pilot programs and public consultations
   EU-hosted cross-border data portability pilots are planned ahead of full-scale implementation. The Commission encourages affected industry stakeholders to engage in dialogue toward balanced implementation, and emphasizes coordination between Data Act enforcement authorities and other automotive regulators to ensure smooth regulatory interplay.
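As an added illustration of step 1 (example code written for this page, not code from the original article or from any regulator's or vendor's tooling): a minimal CycloneDX 1.5 SBOM for a constructed ECU firmware image, plus the two checks a supplier would run before relying on the SBOM for CRA vulnerability matching. Every component name, version, package URL and hashed blob is constructed for illustration.

```python
import hashlib
import json

def component(ctype, name, version, purl=None, blob=b""):
    """Build one CycloneDX component entry; blob stands in for the real artefact bytes."""
    comp = {
        "type": ctype,
        "bom-ref": f"{name}@{version}",
        "name": name,
        "version": version,
        "hashes": [{"alg": "SHA-256", "content": hashlib.sha256(blob).hexdigest()}],
    }
    if purl:
        comp["purl"] = purl  # package URL: the key that vulnerability feeds match against
    return comp

def build_ecu_sbom():
    """Constructed sample: a body-control-module firmware with two third-party libraries."""
    fw = component("firmware", "bcm-firmware", "4.2.0", blob=b"constructed firmware image")
    tls = component("library", "mbedtls", "3.6.0", purl="pkg:generic/mbedtls@3.6.0", blob=b"tls")
    can = component("library", "vendor-can-stack", "1.0", blob=b"can")  # no purl on purpose
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "version": 1,
        "metadata": {"component": fw},
        "components": [tls, can],
        "dependencies": [
            {"ref": fw["bom-ref"], "dependsOn": [tls["bom-ref"], can["bom-ref"]]},
            {"ref": tls["bom-ref"], "dependsOn": []},
            {"ref": can["bom-ref"], "dependsOn": []},
        ],
    }

def find_unmatchable(sbom):
    """bom-refs of components lacking the purl or version needed to match advisories."""
    return [c["bom-ref"] for c in sbom["components"]
            if not c.get("purl") or not c.get("version")]

def find_dangling_refs(sbom):
    """dependsOn targets that are not declared components: hidden, unreportable code."""
    declared = {sbom["metadata"]["component"]["bom-ref"]}
    declared |= {c["bom-ref"] for c in sbom["components"]}
    return [r for d in sbom["dependencies"] for r in d["dependsOn"] if r not in declared]

if __name__ == "__main__":
    sbom = build_ecu_sbom()
    print(json.dumps(sbom, indent=2))
    print("unmatchable:", find_unmatchable(sbom), "dangling:", find_dangling_refs(sbom))
```

The vendor CAN stack is deliberately left without a package URL so the check flags it: a component that cannot be matched against an advisory feed is one the 24-hour early-warning clock cannot be started for.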


What to Watch in the Coming Months

Industry groups and national regulators are set to host a series of public consultations on the exact data schemas, audit regimes, and enforcement mechanisms for both the DPP and the Data Act's automotive provisions. The European Commission has announced that further tools are in progress, including a "Data Act Legal Helpdesk," guidance on trade secrets provisions, and model terms for data sharing.

Deadlines can shift based on delegated act publication timelines - they typically move later, not earlier. The February 2027 battery deadline is confirmed, while others may adjust slightly. Stakeholders should plan against confirmed dates and treat any shifts as contingency rather than an extension of runway.

The convergence of cybersecurity mandates, data portability rights, and product-level transparency requirements is not a temporary compliance cycle. It reflects the EU's long-term direction: a digitally legible, interoperable, and secure automotive ecosystem. For OEMs, Tier-1 suppliers, logistics operators, and packaging professionals managing automotive supply chains, building that infrastructure now - not in late 2027 - is the only viable path to sustained market access.


Frequently Asked Questions

Does the EU Digital Product Passport apply to finished vehicles now?
The confirmed mandatory DPP deadline currently applies to EV batteries above 2 kWh, beginning 18 February 2027 under the EU Battery Regulation. Full vehicle DPP requirements are expected to follow as the Commission publishes further delegated acts - vehicles and electronics are likely to come into scope in the 2028-2030 window under the broader ESPR framework.

How does the CRA interact with UNECE WP.29?
WP.29 R155 and R156 establish binding cybersecurity and OTA update requirements for new vehicle types across more than 60 countries. The CRA is a broader horizontal regulation that does not replace WP.29 but adds requirements for vulnerability reporting to ENISA, SBOMs, and long-term software support commitments. OEMs should treat the frameworks as complementary, not duplicative.

Who has the right to access vehicle data under the EU Data Act?
Vehicle owners and lessees have the right to access their vehicle-generated data directly, or through third parties they authorize - including independent repairers, insurers, and fleet managers. End-user data access must be provided free of charge, while B2B access can be subject to reasonable compensation under Article 9 of the regulation.

What are the penalties for non-compliance?
Under the CRA, non-compliant products can be barred from the EU market from December 2027. Products without valid Digital Product Passports cannot legally be sold in the EU after the applicable deadline. Penalties include fines up to €500,000+, product bans, customs seizures, and potential criminal liability.