Regulatory Compliance for European Connected Car Programs


Summary

Regulatory compliance for European connected car programs refers to the legal and technical requirements automakers must meet to ensure their vehicles—packed with sensors, cameras, and connectivity features—handle personal data, cybersecurity, and AI responsibly and safely. This involves following strict EU laws and standards aimed at protecting user privacy, securing digital systems, and documenting how data is processed within the vehicle ecosystem.

  • Prioritize data privacy: Make sure your connected car solutions include clear user consent options, anonymize sensitive information like faces and license plates, and provide easy ways for users to delete their data.
  • Integrate cybersecurity measures: Develop and maintain robust security controls, such as secure software updates and real-time threat monitoring, to guard against hacking and comply with regulations like UNECE R155 and the EU Cyber Resilience Act.
  • Document compliance workflows: Keep detailed records of how data is labeled, who processed it, and which safeguards were applied, ensuring audit trails align with standards like ISO/PAS 8800 and TISAX for AI and supply chain transparency.
Summarized by AI based on LinkedIn member posts
  • View profile for Ankit Goyanka

    Bootstrapped I Predusk AI & ProcessVenue I Human-Led, AI-Powered

    8,676 followers

    In July 2022, Volkswagen was fined €1.1 million under GDPR. The fine was not due to a data breach, but rather for operating a test vehicle with cameras without the required consent signage, processor agreement, or DPIA. The violation was not related to the research purpose, but to missing documentation. This is now the standard for all OEMs and Tier-1 suppliers developing ADAS and autonomous systems.

    A single AV test vehicle can generate several terabytes of sensor data daily. Samsung Semiconductor estimates this may reach 40 TB per hour, depending on the sensor suite. Cameras capture faces, LiDAR records license plates, and radar tracks behavioural patterns. Each frame used to train perception models is considered a high-risk personal data processing event under current regulations. These requirements are rapidly converging.

    → ISO/PAS 8800:2024, the first international standard for AI safety in road vehicles, now treats training datasets as "safety artefacts" that must be version-controlled, traceable, and auditable.
    → The EU AI Act classifies autonomous driving systems as high-risk. Article 10 obligations, such as data governance, bias testing, and representativeness, will be enforceable starting 2 August 2026. Penalties can reach up to €15M or 3% of global turnover.
    → UNECE R155, which has been mandatory for all new vehicles since July 2024, requires OEMs to provide cybersecurity evidence for the entire supplier chain, including your annotation vendor.
    → TISAX VDA ISA 6.0, in effect since April 2024, explicitly places AI training datasets at the highest protection level (AL3).
    → India's DPDP Rules 2025 apply the same requirements to every OEM operating in India, with fines up to ₹250 crore.

    Simply put, if you cannot demonstrate how your training data was labeled, who labeled it, and what was redacted, you cannot proceed to deployment.

    LabelFort by Predusk AI is a compliance-first annotation platform tailored for regulated AI applications. For the automotive sector, this includes:
    1. Audit-ready annotation logs — tamper-evident version history for every label, aligned to ISO/PAS 8800 traceability and EU AI Act Article 10 record-keeping.
    2. PII redaction at scale — automated face and license-plate anonymisation across camera, LiDAR, and fusion datasets before an annotator ever sees the frame.
    3. TISAX AL3-aligned controls with data residency options for India and the EU, built on VDA ISA 6.0 and an ISO 27001:2023 posture.
    4. Multi-sensor workflows — 3D cuboids, semantic segmentation, lane polylines, and corner-case curation for SOTIF (ISO 21448) completeness.
    5. Multi-stage Labeller → QC → Independent Auditor review, matching ISO/PAS 8800 best practice.

    If you are a perception lead, AV safety officer, or supplier quality head preparing for August 2026, let’s connect.

    #AutonomousDriving #ADAS #DataAnnotation #EUAIAct #ISO8800 #TISAX #AutomotiveAI #AICompliance #LabelFort #Predusk
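The post above asks for "tamper-evident version history for every label" and a Labeller → QC → Independent Auditor workflow. The following is an added example (not LabelFort's or Predusk AI's code) of the simplest mechanism that gives an auditor both properties: a hash-chained, append-only log of label changes, plus a check that the three review roles were performed by distinct people. The record schema, the role names and the sample entries are constructed for the example; a real platform would also sign or externally timestamp the chain head so that the whole history cannot be regenerated by whoever holds the database.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Entry is one recorded change to one label. The schema is constructed for this
// example; it is not LabelFort's or any standard's record format.
type Entry struct {
	Seq      int
	LabelID  string // e.g. "frame0001/box3"
	Actor    string // who made the change
	Role     string // "labeller", "qc" or "auditor"
	Action   string // e.g. "create", "adjust-bbox", "approve"
	Redacted string // PII treatment applied to the frame before labelling
	Prev     string // hex hash of the previous entry, "" for the first
	Hash     string // hex hash over all fields above, including Prev
}

// digest hashes the entry's content together with the link to its predecessor,
// so editing any earlier entry invalidates every hash after it.
func (e Entry) digest() string {
	h := sha256.New()
	fmt.Fprintf(h, "%d|%s|%s|%s|%s|%s|%s", e.Seq, e.LabelID, e.Actor, e.Role, e.Action, e.Redacted, e.Prev)
	return hex.EncodeToString(h.Sum(nil))
}

// Log is an append-only hash chain of label changes.
type Log struct{ Entries []Entry }

// Append records a change and links it to the current head of the chain.
func (l *Log) Append(labelID, actor, role, action, redacted string) Entry {
	e := Entry{Seq: len(l.Entries), LabelID: labelID, Actor: actor, Role: role, Action: action, Redacted: redacted}
	if n := len(l.Entries); n > 0 {
		e.Prev = l.Entries[n-1].Hash
	}
	e.Hash = e.digest()
	l.Entries = append(l.Entries, e)
	return e
}

// Verify recomputes every hash and link. It returns the index of the first entry
// that fails, or -1 if the whole history is intact.
func (l *Log) Verify() int {
	prev := ""
	for i, e := range l.Entries {
		if e.Seq != i || e.Prev != prev || e.Hash != e.digest() {
			return i
		}
		prev = e.Hash
	}
	return -1
}

// StagesSatisfied reports whether a label passed through all three review roles,
// each performed by a different person: the separation of duties an auditor
// would look for behind a Labeller -> QC -> Independent Auditor workflow.
func (l *Log) StagesSatisfied(labelID string) bool {
	actorByRole := map[string]string{}
	for _, e := range l.Entries {
		if e.LabelID == labelID {
			actorByRole[e.Role] = e.Actor
		}
	}
	lab, qc, aud := actorByRole["labeller"], actorByRole["qc"], actorByRole["auditor"]
	return lab != "" && qc != "" && aud != "" && lab != qc && qc != aud && lab != aud
}

// RunLogScenario builds a three-stage history for one label (constructed data),
// checks it, then silently rewrites an old entry and checks again.
func RunLogScenario() (intact, tampered int, stages bool) {
	var l Log
	l.Append("frame0001/box3", "ann-17", "labeller", "create", "faces+plates blurred")
	l.Append("frame0001/box3", "qc-04", "qc", "adjust-bbox", "faces+plates blurred")
	l.Append("frame0001/box3", "aud-02", "auditor", "approve", "faces+plates blurred")
	intact = l.Verify()                          // -1: chain is consistent
	stages = l.StagesSatisfied("frame0001/box3") // true: three distinct reviewers
	l.Entries[1].Actor = "ann-17"                // backdated edit to the QC record
	tampered = l.Verify()                        // 1: stored hash no longer matches
	return intact, tampered, stages
}

func main() {
	intact, tampered, stages := RunLogScenario()
	fmt.Println("first broken entry before edit:", intact)
	fmt.Println("three distinct review stages:", stages)
	fmt.Println("first broken entry after edit:", tampered)
}
```

Verify reports the first inconsistent index rather than a bare boolean so that an auditor can see where the history diverges; in the scenario the edit to entry 1 breaks entry 1's own hash, and because entry 2 links to the original hash it would be flagged next if entry 1 were re-hashed to hide the edit.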

  • View profile for Davide Maniscalco

    Head of Legal, Regulatory & Data Privacy Officer | Special Adv DFIR | Auditor ISO/IEC 27001| 27701 | 42001 | CBCP | Italian Army (S.M.O.M.) Reserve Officer ~ OF-2 |

    20,495 followers

    Connected vehicles are no longer just mobility products: they are data-intensive digital ecosystems. Key takeaways from the European Data Protection Board #guidance on connected vehicles and mobility data:
    • A connected car is “terminal equipment”, like a smartphone or computer. Accessing or storing data in the vehicle will often trigger #ePrivacy consent requirements.
    • #Consent cannot be bundled with the purchase or lease of the car. Users must remain free to refuse data collection and still use the vehicle.
    • #GDPR still applies to any subsequent processing of personal data, including the need for a valid legal basis and additional safeguards for sensitive data.
    • Local processing should be the default. Where possible, data should be processed inside the vehicle or on the user’s device, rather than exported to the cloud.
    • Location data deserves particular caution. It may reveal highly sensitive aspects of a person’s life and should not be collected continuously by default.
    • #Biometric features should always have a non-biometric alternative. Templates should be encrypted and stored locally, not sent to external servers.
    • Data revealing offences or driving violations requires strict protection and should generally remain under the driver’s control inside the vehicle.
    • Vehicles must include simple #deletion tools, especially when they are sold, leased, rented, or shared.
    • Safety-critical vehicle functions should be separated from infotainment and telecommunication systems to reduce cybersecurity risks.
    • #DPIAs should be carried out early, given the scale, sensitivity, and potential risks of connected vehicle data processing.
    The broader message is clear: #privacy, #cybersecurity, and user control must be embedded by design in the connected mobility ecosystem.

  • View profile for Prateek Dewangan

    [SAFe® 6 Architect | PO/PM | Agilist] | Solution Architect | AUTOSAR | SDLC | BSW | ASW | Ex-Bosch | Ex-Lear

    3,582 followers

    🚗🔒 Automotive Cybersecurity: Protecting the Connected Vehicles of Tomorrow

    The future of mobility is connected, electric, and autonomous—but with great innovation come greater cyber risks. As vehicles evolve into software-defined machines, cybersecurity is no longer optional—it’s a life-saving necessity.

    Why Automotive Cybersecurity Matters
    ✔ A modern car has 150+ ECUs and 100M+ lines of code—each a potential entry point for hackers.
    ✔ Cyberattacks can be life-threatening—imagine a hacker disabling brakes or steering at 70 mph.
    ✔ Regulations are tightening—UNECE R155 & R156 now mandate cybersecurity compliance globally.

    Key Threats & Solutions
    🔴 Threat: Unauthorized ECU access
    ✅ Solution: Secure Boot (only trusted code runs) + Hardware Security Modules (HSMs)
    🔴 Threat: Malicious OTA updates
    ✅ Solution: Cryptographic signing + Rollback protection
    🔴 Threat: CAN bus attacks
    ✅ Solution: Intrusion Detection Systems (IDS) + Encrypted CAN FD

    The Road Ahead
    🚀 AI-powered threat detection – Real-time anomaly monitoring
    🚀 Quantum-safe cryptography – Preparing for future hacking threats
    🚀 Zero Trust Architecture – Continuous authentication for all ECUs

    💬 Let’s Discuss: What’s the biggest cybersecurity challenge in automotive today? Supply chain risks? Balancing security vs. cost? Meeting UNECE deadlines? Drop your thoughts below! 👇

    #AutoCybersecurity #ConnectedCars #UNECER155 #SecureByDesign #SoftwareDefinedVehicles
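The post pairs "malicious OTA updates" with "cryptographic signing + rollback protection" but does not show what an ECU actually checks. The following is an added example, not code from the post's author or from any OEM or R156 implementation, of the receiving side of that control: the ECU holds only the OEM's public key and a monotonic installed-version counter, verifies the signed manifest, refuses anything not strictly newer than what it already runs, and checks the image hash before advancing the counter. The manifest layout, key pair and firmware bytes are constructed for the example; a real ECU would keep the public key and counter in write-protected storage and would be driven by a boot-time check rather than a scenario function.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest describes one firmware image for one ECU. The field layout is
// constructed for this example and is not any OEM's or UNECE R156's format.
type Manifest struct {
	ECU       string   // target controller, e.g. "BCM"
	Version   uint32   // security version; must increase monotonically
	ImageHash [32]byte // SHA-256 of the firmware image the manifest covers
}

// Encode returns the canonical bytes that are signed and verified.
// Length-prefixing the ECU name keeps the encoding unambiguous.
func (m Manifest) Encode() []byte {
	buf := make([]byte, 4)
	binary.BigEndian.PutUint32(buf, uint32(len(m.ECU)))
	buf = append(buf, m.ECU...)
	ver := make([]byte, 4)
	binary.BigEndian.PutUint32(ver, m.Version)
	buf = append(buf, ver...)
	return append(buf, m.ImageHash[:]...)
}

// SignManifest is the OEM-side step; in production the private key lives in an HSM.
func SignManifest(priv ed25519.PrivateKey, m Manifest) []byte {
	return ed25519.Sign(priv, m.Encode())
}

var (
	ErrBadSignature = errors.New("manifest signature does not verify under OEM key")
	ErrRollback     = errors.New("manifest version is not newer than the installed version")
	ErrImageHash    = errors.New("firmware image does not match manifest hash")
)

// ECUState is the minimum an on-vehicle verifier must hold: the OEM public key
// and the anti-rollback counter, both in storage the update itself cannot alter.
type ECUState struct {
	OEMPublicKey     ed25519.PublicKey
	InstalledVersion uint32
}

// VerifyUpdate accepts an update only if the manifest is OEM-signed, strictly newer
// than what is installed (rollback protection) and the delivered image matches it.
// The counter advances only after all three checks pass.
func (s *ECUState) VerifyUpdate(m Manifest, sig, image []byte) error {
	if !ed25519.Verify(s.OEMPublicKey, m.Encode(), sig) {
		return ErrBadSignature
	}
	if m.Version <= s.InstalledVersion {
		return ErrRollback
	}
	if sha256.Sum256(image) != m.ImageHash {
		return ErrImageHash
	}
	s.InstalledVersion = m.Version
	return nil
}

// RunOTAScenario exercises a genuine update, a replay of that same (now old) update,
// and a manifest whose version field was edited after signing. Keys and image are
// constructed for the example.
func RunOTAScenario() (genuine, replayed, forged error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	ecu := &ECUState{OEMPublicKey: pub, InstalledVersion: 7}
	image := []byte("constructed firmware image, version 8")
	m := Manifest{ECU: "BCM", Version: 8, ImageHash: sha256.Sum256(image)}
	sig := SignManifest(priv, m)

	genuine = ecu.VerifyUpdate(m, sig, image)  // nil: installed version becomes 8
	replayed = ecu.VerifyUpdate(m, sig, image) // ErrRollback: 8 is no longer newer
	edited := m
	edited.Version = 9                               // bumped without re-signing
	forged = ecu.VerifyUpdate(edited, sig, image) // ErrBadSignature
	return genuine, replayed, forged
}

func main() {
	genuine, replayed, forged := RunOTAScenario()
	fmt.Println("genuine update:", genuine)
	fmt.Println("replayed update:", replayed)
	fmt.Println("edited manifest:", forged)
}
```

The order of the checks matters: the signature is verified before the version is compared, so an unsigned manifest can never influence the rollback counter, and the counter is written only once the image hash has also matched, so a failed or interrupted update leaves the ECU able to accept the same version again.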

  • View profile for Ali K.

    Product cybersecurity compliance. @ Red Alert Labs. CRA, EUCC, RED DA

    3,368 followers

    🇪🇺 PSCOPE MATURITY FRAMEWORK: RED DA & CRA COMPLIANCE REIMAGINED by David Nosibor from CyberPass

    Visualize your product security compliance as a dynamic, continuously improving journey, not a last-minute scramble.

    || WHAT THIS POST COVERS
    ↳ Introducing the PSCOPE Maturity Framework: an innovative approach to managing product security compliance efficiently and effectively.
    ↳ Understanding how this framework transforms RED-DA and CRA regulations from burdens into competitive advantages.

    || WHY YOU SHOULD CARE
    ↳ Regulatory demands for connected device security are growing fast, and compliance is now mandatory in the EU and expanding globally.
    ↳ Traditional manual, checklist-based compliance slows product launches and risks reputational damage.
    ↳ PSCOPE provides a shared language and measurable maturity levels that align security, compliance, operations, and suppliers.

    || ACTIONABLE STEPS TO GET STARTED
    ↳ Assess your current maturity across PSCOPE’s five pillars: governance, automation, supply chain integration, certification efficiency, and continuous compliance.
    ↳ Document existing policies, workflows, and supplier engagements.
    ↳ Plan iterative improvements prioritizing automation and supplier collaboration.
    ↳ Use self-assessments or third-party reviews to validate progress regularly.

    || AUTHORITY IN INDUSTRY STANDARDS
    ↳ PSCOPE draws inspiration from the CMMI model, aligning with key EU regulations, including RED-DA and the Cyber Resilience Act (CRA).
    ↳ Leverages harmonized standards, such as ETSI EN 303 645 and EN 18031, for technical compliance pathways.
    ↳ Meets expectations for continuous compliance monitoring and supplier integration mandated by these regulations.

    ♻️ Share this post with your network to elevate product security compliance as a strategic advantage.

    P.S. What challenges do you face in moving from manual security checklists to automated compliance? Let’s discuss below!

  • View profile for Adrian Pask

    Digital Manufacturing Transformation Leader | Trusted Advisor to Fortune 500 C-Suite | Go-To-Market Strategy Partner | Industry 4.0 and AI Transformation

    10,260 followers

    🔐 The EU Cyber Resilience Act is reshaping manufacturing's digital landscape. While some see it as just another compliance burden, smart manufacturers recognize it as both a challenge and a strategic opportunity to strengthen their market position. Here's what you need to know:

    📋 Scope & Timeline: The CRA impacts any manufacturer producing connected products - from industrial control systems and IoT devices to smart manufacturing equipment and digital infrastructure. This sweeping regulation affects not just EU manufacturers, but anyone wanting to sell into the EU market. Manufacturers need to prepare now for implementation, ensuring their products meet security-by-design requirements, incident management protocols, and ongoing monitoring obligations. The regulation will enter into force 20 days after publication (likely this year) and apply 3 years later, in 2027, although some provisions will apply at earlier stages.

    ⚠️ Key Threats: The regulation could bring significant challenges, likely: increased compliance costs, potential development delays, and new legal exposures. Smaller manufacturers may find the documentation and security requirements particularly burdensome, impacting their ability to compete effectively.

    💡 Strategic Opportunities: However, forward-thinking manufacturers can leverage CRA compliance to differentiate themselves in the market. Early adopters can position as security leaders, accelerate digital transformation initiatives, and strengthen their global competitiveness. The regulation's requirements can drive beneficial innovations in security testing, development processes, and supply chain transparency.

    ⏱️ Next Steps: Start by assessing your product portfolio against CRA requirements. Identify gaps in your security processes and documentation. Consider partnering with cybersecurity experts to develop a comprehensive compliance strategy.

    The time to act is now - those who move quickly will turn this regulatory challenge into a competitive advantage.

    #Manufacturing #Cybersecurity #EURegulation #DigitalTransformation #IndustryTrends https://lnkd.in/gj6wfBRz Heather Varner, Paul Brownlee, Kimia Dargahi, Jeff Brehm, Paul Bresnahan, Mike Poland,

  • View profile for Sony Andrews Jobu Dass

    I help business to achieve Quality, Functional Safety and Cybersecurity Goals | 13+ years of consulting experience in Automotive Systems and Medical Devices | Consulting | Startup process Architect

    12,371 followers

    As vehicles evolve with increased connectivity, Functional Safety and Cybersecurity must go hand-in-hand. Enter ISO 26262 and ISO 21434—the twin pillars of modern automotive standards! But what sets them apart, and where do they intersect?

    🚗🔒 ISO 26262 vs. ISO 21434: A Closer Look at Functional Safety & Cybersecurity

    As automotive systems become more complex, ensuring safety and security is critical. Here’s how ISO 26262 and ISO 21434 tackle these areas:

    🔵 ISO 26262 – Functional Safety
    🟢 Objective: Prevent hazards from hardware/software malfunctions that could cause accidents.
    🔹 Risk Approach: Uses Automotive Safety Integrity Levels (ASIL) to classify risks based on severity, exposure, and controllability.
    🟠 Lifecycle Coverage: Encompasses the vehicle’s entire safety lifecycle—from concept to decommissioning.
    🔸 Key Practices: Applies Failure Mode Effects Analysis (FMEA), Fault Tree Analysis (FTA), and rigorous testing to ensure system reliability.

    🔴 ISO 21434 – Automotive Cybersecurity
    🟣 Objective: Protect systems from cyber-attacks that could compromise safety, privacy, or functionality.
    🔷 Risk Approach: Follows a Threat Analysis and Risk Assessment (TARA) process to identify potential threats and their impacts.
    🟡 Lifecycle Coverage: Spans the cybersecurity lifecycle, covering secure design, implementation, and incident response.
    🔹 Key Practices: Uses vulnerability assessments, penetration testing, and planning for incident response to secure vehicle systems.

    ✅ Where ISO 26262 & ISO 21434 Meet
    As connected cars become the norm, functional safety and cybersecurity increasingly overlap. For instance, a cyber breach in the braking system affects both security and safety, requiring a coordinated approach to handle both risks effectively.

    At Xenban, we guide automotive innovators in achieving compliance with both ISO 26262 and ISO 21434, ensuring systems are both safe and secure:
    🟢 Comprehensive Risk Management: We assess both safety and cybersecurity risks, ensuring compliance across the board.
    🔵 Tailored Compliance Solutions: Our solutions seamlessly integrate safety and security for full protection.
    🔴 Framework Development: We align ASIL and TARA for consistent protection, keeping you compliant and safeguarded.

    Ready to ensure your systems can withstand both internal failures and external threats? Connect with Xenban today to safeguard your innovation journey!

    #Functionalsafety #ISO26262 #Cybersecurity #ISO21434 #ASPICE

  • View profile for Rod Freeman

    Global product risks and compliance, product liability, product safety, consumer law, policy. Vice President, ICPHSO. Who’s Who Legal Product Liability Defense Lawyer of the Year 2022, 2023, 2024 and 2025.

    3,500 followers

    Continuing the steady flow of new regulations in Europe, the EU Cyber Resilience Act (“CRA”) passed through the final legislative step today with its publication in the Official Journal. This marks a new era of regulation, introducing detailed cross-sector requirements for manufacturers, importers and distributors to ensure cyber security of connected products.

    It’s also indicative of the “layered” approach to product regulation that is now emerging in the EU. The CRA sits alongside the new General Product Safety Regulation, the new Artificial Intelligence Act, the new Batteries Directive, and the new Ecodesign for Sustainable Products Regulation, as well as the various existing “harmonisation” measures, such as the Radio Equipment Directive, the Electromagnetic Compatibility Directive, and the Low Voltage Directive. For manufacturers of products containing digital technologies, these developments bring significant additional complexity and regulatory burden, and with it new risks. Those risks are further enhanced by other new regulatory developments, including the newly minted Product Liability Directive, and the new Collective Redress Directive. It’s a lot.

    The CRA itself is a novel piece of regulation in the world, imposing detailed requirements on manufacturers of products to assess cybersecurity risks and to design products to mitigate those risks, as well as to take responsibility for providing security updates for at least 5 years (unless the expected life of the product is shorter). There are also new obligations to report cybersecurity incidents within 24 hours of becoming aware of the incident, with ancillary obligations to provide more detailed information within tight time frames after that.

    The CRA comes into full force on 11 December 2027. The obligation to report incidents and vulnerabilities applies earlier, from 11 September 2026.

    This is an onerous new regulation, which product manufacturers need to start getting their heads around straight away given that products to be placed on the market when this regulation comes into force may well be in early phases of design right now. Consequences of non-compliance include fines of up to EUR 15 million or 2.5% of worldwide annual turnover. Authorities can order products be recalled.

    Check out our blog Productwise for analysis from the Cooley LLP Products Law team of this, and other international developments in this fast-moving space.

    #productregulation #productsafety #consumerprotection #cooleyproductwise

  • Enhancing Vehicle Cybersecurity: UNECE Regulation & Software Updates (R156 & ISO 24089)

    In the dynamic tech landscape, the auto industry faces a critical challenge: cyber threats. Addressing this, the UNECE regulation for vehicle cybersecurity and software updates has been active since 2022. This compels automakers to build strong systems to counter cyber threats through software updates. Let's explore key insights on this crucial topic.

    1. UNECE Regulation Basics: Since 2022, the UNECE regulation ensures vehicle cybersecurity, obligating manufacturers to follow these vital regulations.
    2. Methodology & Structure: UNECE Resolution 156 outlines an effective approach to cybersecurity in vehicles, aiding manufacturers in implementing strong measures.
    3. Software Update System Goal: The software update system tackles cybersecurity by defining roles, protocols for vehicle cyber safety, and explaining the importance of software updates in a timely manner.
    4. Compliance & Security: The management system ensures adherence to vehicle type approval and oversees processes critical to auto security. It assesses software update integration's impact.
    5. Security, Safety, & Documentation: The software update system prioritizes security, safety, and thorough documentation. This ensures secure software updates to fend off cyber threats.
    6. Automotive Software Update System (ASUMS): ASUMS handles varied configurations for a vehicle type. Treating connected vehicles as a unified system streamlines software updates and cybersecurity.
    7. Regulatory Software ID (RX's WIN): The RX's WIN is a designated identifier required by regulators, offering insights into type approval-related software for function assessment.
    8. Establishing the System: Setting up the system involves recording versions, updating key software, managing dependencies, and considering legal and safety aspects.
    9. Compliance & ISO 24089: UNECE regulation lists 156 activities for compliance, while ISO 24089 guides implementing software update systems practically.
    10. Certification & Approval: Neutral audits certify compliance, and critical components need independent certification. System validation reports and national approval precede production.

    Conclusion: Driving Cybersecurity
    The UNECE regulation on vehicle cybersecurity and software updates is a vital step in securing connected vehicles. Manufacturers can bolster cybersecurity by adhering to protocols and routine software updates. Compliance and certification pave the way for type approval, ultimately enhancing cybersecurity and providing a safer driving experience.

    #VehicleCybersecurity #UNCRegulation #SoftwareUpdates #AutomotiveTech #CyberSafety #ConnectedVehicles #TechSecurity #AutoIndustry #CyberThreats #DigitalSafety #Innovation #CyberResilience #TypeApproval #SecureDriving #DigitalProtection #SafetyFirst #CyberAwareness #TechCompliance #ISO24089 #DataSecurity #FutureMobility

  • View profile for Maria Koval

    AI Governance & Digital Regulations | Privacy | IT Law | Lexology European Award 2025 Winner | LL.M | WIPO UDRP Panelist

    3,557 followers

    💥 EU Data Act implementation: key developments to know.

    Support for Data Act compliance has strengthened in recent months following the EU’s launch of its new Data Union Strategy.

    1. Reasonable Compensation. The Commission published draft guidelines on the concept of “reasonable compensation” under Article 9 of the Data Act, which governs what data holders may charge data recipients where data sharing is mandated. This has been one of the most contentious aspects of the regime to date. The guidance is especially relevant to mandatory B2B data-sharing arrangements. The guidelines clarify that compensation for data sharing is optional and, where charged, must comply with fair, reasonable and non-discriminatory (FRAND) principles - for example, prohibiting excessive pricing and ensuring that similarly situated data recipients are treated equally. For example, where a car manufacturer is required under the B2B data-sharing rules to share data with two different providers of mapping software, the rules would generally prevent the manufacturer from charging materially different fees to each of them.

    2. Model contractual terms. The Commission has also published sets of model contractual terms addressing B2B sharing of connected product data under the Act and standard contractual clauses focussed on switching between cloud services. Each set includes versions reflecting the different legal obligations, categories of counterparty, and commercial assumptions possible under the Act. https://lnkd.in/eYXexZsi

    3. Data Act Legal Helpdesk. To further support practical implementation, the Commission has launched a Data Act Legal Helpdesk, through which organisations can submit questions on compliance via an online portal. Responses are expected within 15 days in most cases and are intended to provide tailored case-specific clarification. https://lnkd.in/ePA6Bi8B

  • View profile for Sandeep Kore

    Vehicle Integration Manager | BEV · SDV · AIDV | Full-Vehicle DMU & Virtual Build | 13+ Yrs Automotive | EV Platform Development | CATIA · Teamcenter · JIRA | Multi-OEM Global Experience

    8,535 followers

    Step-by-Step Approach to #EV Vehicle Development Using the #VModellifecycle:

    The entire process uses an adapted V-model lifecycle, which is widely adopted in the automotive industry for its emphasis on early verification and validation to ensure safety, reliability, and compliance. The V-model divides development into a left arm (decomposition: requirements and design), a bottom point (implementation/prototyping), and a right arm (integration and validation). This aligns with standards like Automotive SPICE (#ASPICE) and #ISO26262 for functional safety, which I enforce across cross-functional teams (e.g., mechanical, electrical, software, testing, and regulatory experts).

    Manage timelines using tools like Gantt charts and Agile sprints for software elements, budgets via cost tracking (e.g., allocating 20-30% for prototyping and testing), and risks through hazard analysis and risk assessment (#HARA) per ISO 26262. For EVs, the process incorporates unique aspects like battery management systems (#BMS), electric powertrains, and charging infrastructure, while ensuring global regulatory compliance.

    Homologation (type approval) is integrated primarily in the validation phase, involving certification for market access. Global requirements include UN ECE R100 for EV-specific safety (e.g., battery protection against shocks, fire), EU Regulation 2018/858 for whole vehicle type approval (#WVTA), US #FMVSS (Federal Motor Vehicle Safety Standards) and #EPA for emissions/energy efficiency, China’s GB standards, and India’s #ARAI #CMVR rules. These vary by region: #EU #UNECE focuses on third-party testing; US allows self-certification (except emissions); Asia (e.g., Japan #JEVS, China GB/T) emphasizes #EMC and battery testing. Ensure compliance by engaging accredited bodies like #TÜV #SÜD or #VCA early.

    #EV, #EMobility, #VModel, #SoftwareDefinedVehicle, #SystemsEngineering #BatteryManagementSystem, #Simulation, #Validation, #ISO26262 #SustainableMobility
