The European Union is tightening its regulatory grip on automotive data. Two overlapping frameworks - the Digital Product Passport and the EU Data Act - now require vehicle manufacturers, software vendors, and aftermarket service providers to overhaul how they govern, share, and secure vehicle-generated information.
Background
The EU Data Act (Regulation (EU) 2023/2854) entered into force on 11 January 2024, with full applicability for existing connected products from 12 September 2025. Running in parallel, the Ecodesign for Sustainable Products Regulation (ESPR, EU 2024/1781), which entered into force on 18 July 2024, established the legal basis for Digital Product Passports (DPPs) across product categories including vehicles and vehicle components.
The two instruments address different but complementary aspects of automotive data. The DPP - anchored in the ESPR and designed to provide standardised, product-specific sustainability and lifecycle data - focuses on traceability and circularity across the supply chain. The Data Act governs real-time operational access to vehicle-generated data for end users and third parties.
On 16 April 2025, the Commission adopted its first ESPR Working Plan for 2025-2030, setting out priority product groups for delegated acts. A central EU DPP registry is scheduled to go live on 19 July 2026, alongside eight harmonised interoperability standards expected to be finalised by 2026.
Details
The automotive sector sits at the intersection of both frameworks. Regulation (EU) 2018/858 already obliges manufacturers to grant independent operators unrestricted, standardised, and non-discriminatory access to vehicle on-board diagnostics (OBD) information, diagnostic tools, and repair and maintenance information. The EU is now updating Annex X of that regulation to reflect software-era realities - specifically to support faster software updates by independent operators, improve repair and maintenance processes for EV batteries and advanced driver assistance systems, and ensure equal access to OBD information through means other than the standardised connector.
On the Data Act side, the European Commission published automotive-specific guidance on 12 September 2025, clarifying which vehicle data must be shared and on what terms. According to that guidance, OEMs are required to provide transparency on what vehicle data they hold, offer access to both raw and pre-processed data, and provide free access to vehicle users while charging only fair, reasonable, and non-discriminatory fees to data recipients such as parts distributors and service providers.
The guidance distinguishes between in-scope and out-of-scope services. Vehicle-related services subject to the Data Act include remote vehicle control (door locking, engine start/stop, climate pre-conditioning), predictive maintenance displaying alerts on vehicle dashboards, cloud-based driver preference storage, and dynamic route optimisation using real-time vehicle data.
Data governance and cybersecurity obligations add to the compliance burden. Certified third-party DPP service providers - software or platform companies - will be required to host product DPP data and ensure compliance with access rules, standards, and cybersecurity obligations under delegated acts. At the same time, data holders such as OEMs may refuse or restrict access only in narrowly defined circumstances, such as specific cybersecurity risks, protection of trade secrets, or safeguarding personal data - and these grounds must be interpreted restrictively.
Cross-border data governance adds another layer of complexity. EU GDPR mandates European data localisation, while China's Cybersecurity Law requires Chinese storage for certain categories - forcing manufacturers operating in both markets into difficult architectural compromises. Industry analysts note that typical automotive or electronics manufacturers source from 500 to 5,000 direct suppliers across 30 to 50 countries, making unified DPP data collection a significant operational challenge.
Independent aftermarket players are watching the data access question closely. The European automotive aftermarket parts association CLEPA has urged policymakers that "cybersecurity must not come at the expense of competition" and that cybersecurity measures must not limit access to OBD data or the ability to install spare parts. CLEPA called for a thorough revision of Annex X and swift complementary legislation on in-vehicle data access.
Outlook
Design requirements for new connected vehicles under the EU Data Act take effect in September 2026, giving OEMs a finite window to embed data-access-by-design into new model architectures. Battery passports under Regulation (EU) 2023/1542 become mandatory from 18 February 2027 for all EV and industrial batteries above 2 kWh placed on the EU market. With vehicle-adjacent product categories such as tyres and electronics set to enter the DPP regime between 2027 and 2029 under ESPR delegated acts, supplier contract frameworks and IT modernisation programmes must account for a cascading series of compliance milestones over the next three years.
