The European Commission has published a sweeping cybersecurity legislative package imposing new security controls, incident-reporting obligations, and structured third-party access rules on automakers operating in the EU - a development with direct compliance consequences for OEMs as vehicle software ecosystems grow more complex.
On January 20, 2026, the European Commission presented a new EU cybersecurity package combining a proposed overhaul of the Cybersecurity Act with targeted amendments to the NIS2 Directive. The package consists of a proposed regulation revising the Cybersecurity Act - designated Cybersecurity Act 2, or CSA2 - and a proposed directive amending NIS2 with targeted simplification measures. For the automotive sector, the proposals arrive alongside an already-active wave of data access requirements under the EU Data Act, placing OEMs at the intersection of two converging regulatory tracks.
Background
From connected infotainment systems and over-the-air software updates to vehicle-to-everything (V2X) communications, modern cars function as complex networks relying on cellular, Wi-Fi, and V2X protocols - the same protocols that introduce security risks and can serve as entry points for cyberattacks targeting vehicle systems and data transmission.
Foundational type-approval rules are already in force. UNECE Regulations R155 and R156 require cybersecurity and software update management systems for vehicle type approval, giving regulators the authority to block unsafe vehicles.[1] UN R155 is the first globally recognized framework to prescribe specific cybersecurity requirements for road vehicles in a legally binding manner and has applied to all new vehicles in UNECE member states since mid-2024.
[1] With Its Second Milestone Coming Soon, the Impact of UNECE R155 Continues to Expand
On data access, the EU Data Act, adopted in 2023, came into full effect on September 12, 2025, establishing new requirements for data sharing, accessibility, and security in the digital economy. The Act requires automakers to open their data ecosystems to third parties under fair and transparent conditions, fundamentally changing how many OEMs manage vehicle-generated data.
Details
The CSA2 proposal targets supply-chain risk as a central concern. Given the growing severity of cyber threats, the recast aims to deliver measurable improvements to the EU's cybersecurity posture and ensure that supply-chain risks are effectively addressed - with potential fines of up to 7% of total worldwide annual turnover for infringements. The framework opens the possibility of binding risk-mitigation measures, including prohibitions on components from high-risk suppliers - marking a shift toward binding, harmonized intervention in critical supply chains.
For incident reporting, the CSA2 proposal establishes a central reporting point under ENISA supervision, allowing businesses to meet obligations under multiple pieces of legislation through a single submission using a one-incident, one-report principle.
A separate but parallel compliance layer now applies at the vehicle-data level. Under the EU Data Act, data holders - including OEMs - may refuse or restrict access only in narrowly defined circumstances such as specific cybersecurity risks, protection of trade secrets, or safeguarding of personal data. These grounds must be interpreted restrictively and cannot serve as a general instrument for blocking access. UNECE R155 and R156 also stipulate that security measures such as secure gateways must not effectively block legitimate access for independent repairers or public authorities.
Research published in September 2025 by Óbuda University and the University of Oslo identified a significant gap: no single existing framework addresses all threat areas, with some focusing on system integrity, others on privacy, and others on safety - while supply-chain security remains a weak spot because many standards do not directly require third-party accountability.[2]
[2] UN Regulations R 155 & R 156 : Steps For Improving ...
Industry practitioners warn that compliance interpretation remains uneven. According to Darren Shelcusky, Senior Consultant for Vehicle and Mobility Cybersecurity at Ford Motor Company, R155 requires implementation of a Cybersecurity Management System to manage risks throughout the vehicle lifecycle - encompassing not only in-vehicle software but anything that can remotely change or query the state of a vehicle.
Outlook
The CSA2 overhaul signals a shift by turning cybersecurity certification from a voluntary quality label into a core compliance and risk-management tool, with political agreement on both proposals targeted for early 2027. Negotiations in the European Parliament and Council are expected throughout 2026. Once adopted, the regulation will apply immediately and directly in all member states, with implementing acts setting sector-specific transition periods for phasing out components from high-risk suppliers. For OEMs, the overlapping demands of CSA2, the EU Data Act, and existing UNECE type-approval rules mean compliance planning now spans vehicle development and post-market data governance simultaneously.
