Packaging Daily

EU Tightens Connected Vehicle Cybersecurity and Data Rules Ahead of 2027

The EU is aligning its Cyber Resilience Act, Data Act vehicle access rules, and Digital Vehicle Passport requirements around a 2027 compliance horizon.

The European Union is converging three parallel regulatory tracks - mandatory cybersecurity baselines, standardized vehicle data-access rights, and a new Digital Circularity Vehicle Passport - into a single compliance horizon centered on late 2027, placing significant obligations on automotive OEMs, Tier 1-2 suppliers, and third-party service providers operating in the EU market.

Background

EU vehicle cybersecurity compliance has been building since 2022. Under Regulation (EU) 2018/858, UN Regulation No. 155 (UN R155) - which mandates a Cybersecurity Management System (CSMS) - has applied to new type approvals of passenger cars, vans, trucks, and buses since July 2022, and to new vehicle registrations in those categories since July 2024. The CSMS requirement covers Threat Analysis and Risk Assessment (TARA) as well as ongoing monitoring of new vulnerabilities and known attack vectors.

In parallel, the EU enacted the Cyber Resilience Act (CRA) in December 2024 to raise the cybersecurity baseline for all digital products sold in the EU. The CRA entered into force on 10 December 2024, with main obligations applying from 11 December 2027 and reporting obligations commencing on 11 September 2026.

On the data-access front, the EU Data Act, adopted in 2023, introduces rules for data sharing, accessibility, and security in the digital economy. The European Commission subsequently published sector-specific guidance on vehicle data in September 2025, offering tailored advice to automotive stakeholders on implementing Chapter II of the Data Act - focusing on data that falls within scope and the applicable access rules.

Regulatory Details

Cybersecurity - CRA and UN R155 Expansion

UN R155 has been revised to include L-category vehicles - light motor vehicles such as those with two, three, or four wheels. A Commission Delegated Regulation is being adopted to make UN R155 mandatory for these vehicles from 11 December 2027, coinciding with the CRA's application date. To prevent overlapping obligations, the Delegated Regulation excludes from the CRA's scope any products with digital elements already regulated under Regulation (EU) 168/2013.

With the CRA, the EU has moved beyond voluntary guidelines to mandatory cybersecurity requirements for "Products with Digital Elements" (PDEs). Non-compliance carries fines of up to €15 million or 2.5% of global turnover, along with potential EU market bans. Starting in September 2026, manufacturers must report actively exploited vulnerabilities and severe incidents to ENISA/CSIRTs within windows often as short as 24 hours.

Data Access - EU Data Act Phased Obligations

The Data Act requires automakers to open their data ecosystems to third parties under fair and transparent conditions, fundamentally changing how many OEMs manage vehicle-generated data. The rollout is phased: B2B and B2C data access obligations under Chapter II became applicable on 12 September 2025; accessibility-by-design requirements under Article 3 apply from 12 September 2026; and contractual obligations under Chapter IV extend to pre-September 2025 contracts from 12 September 2027.

Data provided to users and third parties must match the quality available to the manufacturer itself. The guidance explicitly prohibits discrimination: data cannot be made available to independent service providers at lower quality than what manufacturers provide to their own subsidiaries, authorized dealers, or partners. Manufacturers and data holders must ensure access is provided under fair, reasonable, and non-discriminatory (FRAND) terms.

Digital Product Passport - Battery and Vehicle Passports

The Digital Product Passport (DPP) is a digital data container designed to enhance transparency, traceability, and circularity. It is already being piloted through the Battery Passport under Regulation (EU) 2023/1542, which mandates digital data requirements for certain battery types from 18 February 2027.

For the broader automotive fleet, every new vehicle will require a Digital Circularity Vehicle Passport within 72 months of the ELV Recast Regulation entering into force. This passport will provide access to information including material composition, recycled content data, and instructions for the removal and replacement of key parts - facilitating better repair and recycling. The passport will align with other similar passports established by EU law to reduce duplication across data systems. The Council's ELV position expands vehicle scope beyond cars and vans to heavy-duty trucks, motorcycles, three-wheelers, and quadricycles.

Outlook

Following the general agreement reached by the European Council in June 2025 and the adoption of the European Parliament's position in September 2025, the ELV Recast file entered trilogues - the negotiation process between the Commission, Council, and Parliament - to reach a common text. With the December 2027 CRA compliance date fixed and the Data Act's design obligations arriving in September 2026, OEMs face simultaneous pressure to implement secure-by-design architecture, open third-party data interfaces, and structured digital passport data pipelines. Compliance demands substantial updates to IT systems, operational processes, and contractual frameworks as automakers adapt to heightened data transparency and cybersecurity requirements.