Around 80% of industrial data generated by connected devices across Europe goes unused, according to the European Commission. For the automotive sector, that statistic is not simply an economic observation - it is the regulatory fault line the EU is now moving to close. A convergence of vehicle diagnostics data portability rules and the expanding Digital Product Passport (DPP) framework is rewriting how original equipment manufacturers (OEMs), independent repair networks, and Tier-1 suppliers must manage, share, and structure vehicle data through the remainder of the decade.
The Regulatory Stack Driving Data Access
Automotive data portability in the EU is not governed by a single law. Three overlapping instruments now define the compliance landscape.
Regulation (EU) 2018/858 establishes the foundational obligation: the European Commission has amended this regulation to require manufacturers to grant independent operators unrestricted, standardised, and non-discriminatory access to vehicle on-board diagnostics (OBD) information, diagnostic equipment, and vehicle repair and maintenance information.1Digital Product Passport (DPP) 2026: EU, China & US Requirements + Implementation Guide This information must be presented in an easily accessible manner as machine-readable and electronically processable datasets.
The EU Data Act (Regulation 2023/2854) extends those principles horizontally across all connected products. The regulation entered into force on 11 January 2024 and into application on 12 September 2025. The European Commission issued definitive guidance in September 2025 clarifying which vehicle data automotive manufacturers must share, with enforcement beginning September 2026 - OEMs must provide access to raw and pre-processed vehicle data while protecting proprietary algorithms.
The SERMI scheme (Secure Repair and Maintenance Information) adds a security layer. As part of the EU's legislative framework, SERMI requires manufacturers to offer a standardised, secure, and remote facility through which independent repairers can access vehicle security functions. If current timelines hold, these changes could take effect from late 2025, with phased implementation of multi-brand tool access running from 2026 to 2028.
ECJ Rulings Remove Manufacturer Barriers
OEMs that have attempted to impose conditions on data access have encountered firm resistance from the courts. In a ruling of 5 October, the European Court of Justice (ECJ) delivered a decision in Case C-296/22 on access to vehicle OBD information and diagnostic tools, marking a pivotal moment in the debate over independent repairers' rights.
The case concerned Stellantis Italy (formerly FCA) and its refusal to give independent garage chain ATU and windscreen repair specialist Carglass full access to OBD data and diagnostic tools. The ECJ sided with the independent repairers, clarifying that they should have full access to the information necessary for repairs and maintenance, without conditions beyond those stipulated in the regulation.
The ECJ dismissed the manufacturer's cybersecurity concerns, emphasising that security measures should not impede data access. It also rejected the manufacturer's reliance on UN Regulation 155, stating that this regulation explicitly leaves regional or national cybersecurity laws unaffected.
The practical effect is significant: manufacturers must reassess their data access and security strategies, and existing access restrictions may need to be reconsidered.
The Digital Product Passport: From Battery Pilot to Vehicle Compliance
The DPP is not a distant concept - it is already entering force. Designed as a digital data container, the DPP enhances transparency, traceability, and circularity by providing standardised, product-specific sustainability and lifecycle data. Anchored in Regulation (EU) 2024/1781 - the Ecodesign for Sustainable Products Regulation (ESPR) - DPPs will become central to EU product compliance.
The first hard DPP deadline falls on 18 February 2027, when a mandatory Battery Passport becomes required for all EV and industrial batteries with a capacity over 2 kWh placed on the EU market. This unique Battery Passport, retrievable via a QR code, applies regardless of the battery's origin.
Motor vehicles are not in the first wave but are clearly on the roadmap. Between 2028 and 2029, categories such as electronics, furniture, mattresses, and vehicles will be added to the DPP scope. By 2030, the EU plans a progressive extension to nearly all physical consumer and industrial products.
The connection to vehicle diagnostics data portability is direct. DPPs are structured, machine-readable records containing product lifecycle data, materials, and sustainability information. Starting from February 2027 for batteries and expanding to other product categories, they represent a parallel data-sharing obligation that will benefit from the same architectural approach as Data Act compliance.
EU Automotive Data & DPP Compliance Timeline
| Date / Deadline | Regulation / Initiative | Key Obligation | Primary Stakeholder |
|---|---|---|---|
| Sept 12, 2025 | EU Data Act (Reg. 2023/2854) | B2B & B2C data-sharing obligations active; automotive-specific guidance published | OEMs, Aftermarket |
| Sept 12, 2026 | EU Data Act - Design Obligation | New connected vehicles must have data accessibility built in by default | OEMs, Tier-1 Suppliers |
| Feb 18, 2027 | Battery Passport (Reg. 2023/1542) | Mandatory DPP for EV & industrial batteries >2 kWh | Battery Makers, OEMs |
| 2027 (phased) | ESPR / DPP Delegated Acts | First DPPs for textiles, tyres, aluminium; vehicle DPP in preparatory stage | Manufacturers, Importers |
| Sept 12, 2027 | EU Data Act - Contractual Terms | B2B data-sharing contract terms extended to pre-Sept 2025 agreements | OEMs, Data Platforms |
| 2028-2029 | ESPR - Vehicle DPP | Full DPP expected for motor vehicles, including software and data streams | OEMs, Independent Repairers |
| 2030 | ESPR Full Scope | DPP mandatory for nearly all physical products on the EU market | All Industry |
Implications for OEM Data Architectures
The layered regulatory environment creates compounding compliance obligations for manufacturers. The EU Data Act requires OEMs to enhance data transparency, implement robust cybersecurity measures, and adapt to data-driven business models such as predictive maintenance and usage-based insurance. Compliance demands substantial updates to IT systems, operational processes, and contractual frameworks to meet regulatory standards and ensure user control over vehicle-generated data.
The "extended vehicle" architecture - where data flows continuously from vehicles to manufacturer backend servers - is both an asset and a source of obligation. This architecture makes data readily available to OEMs, who must then provide equivalent access to users and third parties.
Crucially, the Data Act prohibits differential treatment. Data cannot be made available to independent service providers at lower quality than what manufacturers provide to their own subsidiaries, authorised dealers, or partners. The Act takes a technology-neutral approach, allowing manufacturers to choose how they provide access - whether through remote backend solutions, onboard access, or data intermediation services.
On the commercial side, direct user access is free, but B2B data sharing can be monetised under reasonable compensation rules.
Key compliance actions for OEMs:
- Conduct a comprehensive data audit mapping all vehicle-generated data streams against Data Act and Reg. 2018/858 obligations
- Assess current technical architecture for access-by-design gaps ahead of the September 2026 design-obligation deadline
- Begin DPP infrastructure planning now, using the Battery Passport as an architectural template for future vehicle-level passports
- Review and update all B2B data-sharing contracts to meet the September 2027 contractual-terms deadline
- Establish SERMI-compliant remote access facilities for independent repairers
Impact on Independent Repair Networks
For independent workshops, the regulatory shift is substantively positive - but implementation will be uneven. Under the EU Data Act, independent operators will be able to access key vehicle information such as real-time diagnostics, service histories, and performance data without waiting for manufacturer approval. That means faster diagnostics, predictive maintenance capabilities, and the ability to build new services around connected car data.
However, a candid assessment is warranted. Very few manufacturers currently comply fully with the Act, so independent workshops should expect a transition period where requests are difficult or delayed until OEM systems catch up.
Consumer consent introduces an additional variable. Drivers will share data only if they trust the businesses requesting it - research has found that 79% of UK drivers choose garages based on trust, while 64% feel they lack control over how their vehicle data is protected. Consent-management processes will need to be built into workshop workflows, not treated as an afterthought.
The evolving SERMI accreditation framework also requires action from workshops servicing modern, software-rich vehicles. Independent operators that have not begun accreditation processes risk being locked out of security-related repair functions during the 2026-2028 phased rollout.
Important - SERMI Accreditation: Independent repairers seeking access to vehicle security functions under the EU's SERMI scheme must complete an accreditation process. Businesses that have not begun this process face operational risk as phased multi-brand tool access rolls out between 2026 and 2028.
Cross-Border Interoperability: The Unresolved Challenge
One dimension of the pilot that warrants close monitoring is cross-border data interoperability. The EU Data Act applies uniformly across member states, but enforcement infrastructure varies. The Act went live in September 2025, yet its rollout across Europe has been uneven, with only a few member states having completed national set-ups.
For the DPP framework, the European Standardisation Organisations CEN and CENELEC are developing harmonised standards to create a functioning IT ecosystem. Major industry consortia - including OPC Foundation, Industrie 4.0, and DPP4.0 - are collaborating to ensure interoperability between DPP data ecosystems. The EU Central DPP Registry is scheduled to go live in July 2026, providing a centralised infrastructure node.
As of early 2026, ISO/IEC JTC 5 launched as the global DPP standards committee, with first deliverables expected from 2028, signalling that DPP interoperability is becoming a global trade consideration, not merely an EU compliance exercise.
This international dimension matters for automotive supply chains that extend beyond EU borders. The DPP applies not only to companies based in the EU - all products in the relevant categories entering the EU market, regardless of country of manufacture, must have a corresponding DPP.
For context on how these data-transparency frameworks are reshaping automotive supply-chain packaging and logistics practices, see earlier coverage on EU advances in standard reusable packaging for automotive aftermarket parts and smart packaging advances in auto spare-parts logistics.
Key Takeaways for Industry Professionals
The vehicle diagnostics data portability initiative and the DPP expansion are not parallel tracks - they are converging. The structured, machine-readable data flows mandated under the EU Data Act today will directly feed vehicle-level DPP schemas when delegated acts are finalised in 2028-2029.
With 82% of companies currently unprepared for DPP requirements and the first mandatory battery passport deadline arriving in February 2027, the window for structured preparation is narrowing.
Organisations that treat Data Act compliance as an isolated exercise will face compounding retrofit costs when vehicle DPP obligations materialise. Those that design interoperable, access-by-default data architectures now - and invest in SERMI accreditation and consent-management infrastructure - will be structurally positioned for the full scope of EU automotive data regulation through 2030.
Frequently Asked Questions
What is the difference between the EU Data Act and Regulation 2018/858 for vehicle data access?
Regulation (EU) 2018/858 imposes a sector-specific obligation on vehicle manufacturers to provide unrestricted, standardised, and non-discriminatory access to OBD information and repair/maintenance data to independent operators. The EU Data Act (Reg. 2023/2854), in force since September 2025, establishes a broader horizontal framework requiring manufacturers of all connected products - including vehicles - to make user-generated data available under fair conditions. Both frameworks apply concurrently; the Data Act does not override sector-specific automotive access rules.
When does the Digital Product Passport become mandatory for vehicles?
The first mandatory DPP deadline applies to EV and industrial batteries from 18 February 2027. Full vehicle DPP requirements are expected to follow under ESPR, with delegated acts for motor vehicles anticipated in the 2028-2029 timeframe.
Can manufacturers charge independent repairers for OBD data access?
Under Regulation 2018/858, manufacturers must grant independent operators unrestricted and non-discriminatory access to OBD information. The ECJ confirmed in October 2023 that manufacturers cannot impose additional conditions such as mandatory server registration or paid subscriptions. Under the EU Data Act, however, B2B data sharing beyond direct user access can be monetised under reasonable and non-discriminatory compensation rules.
What is the SERMI scheme and who needs to comply?
SERMI is an EU-mandated accreditation scheme governing independent repairers' access to vehicle security-related functions. Independent workshops servicing modern, software-rich vehicles - particularly EVs - require SERMI accreditation to access security functions lawfully.
How does vehicle data portability connect to the DPP framework?
The DPP functions as a structured, machine-readable record of a product's lifecycle - materials, repairs, software updates, and sustainability data. Diagnostic data, service histories, and software version records generated through data-portability frameworks will likely form core DPP data inputs when vehicle-specific delegated acts are finalised. OEMs that build interoperable data architectures for Data Act compliance now will be better positioned to feed those streams into vehicle DPP schemas.
