On 20 November 2020, the European Union Agency for Cybersecurity ("ENISA") published a report on the connected and automated mobility ("CAM") cybersecurity ecosystem ("Report").
The Report aims to provide a comprehensive understanding of the CAM cybersecurity ecosystem, to map the key stakeholders in the European Union, and to provide an overview of the critical services, systems and infrastructures. The CAM ecosystem encompasses multiple stakeholders from the original equipment manufacturers and users (drivers, passengers, pedestrians) to suppliers, automotive aftermarket operators, industry associations, telecommunications companies, IT suppliers and other services providers, and national and international authorities.
The Report outlines the interactions among the main stakeholders which are required to create a secure CAM ecosystem. It also summarises whether the interaction among stakeholders with regard to cybersecurity is mandatory (i.e. based on a legal requirement in EU or national legislation) or voluntary under current rules.
The Report highlights that new cybersecurity challenges and threats have been brought about by the increasing connectivity and automation of vehicles and the associated mobility infrastructure. As a result, policymakers are developing cybersecurity standards and measures to facilitate safe infrastructure and service delivery. For example, the World Forum for the Harmonisation of Vehicle Regulations (WP.29), which is a part of the UN Economic Commission for Europe ("UNECE"), earlier this year approved two regulations providing a framework for type approvals of vehicles with regard to cybersecurity:
- UN Regulation on Cybersecurity and Cyber Security Management Systems, requiring manufacturers to prove that they have implemented adequate processes that go from identifying, assessing and categorising cybersecurity risks to testing and monitoring, as well as detecting and responding to cyber-attacks; and
- UN Regulation on Software Updates and Software Updates Management Systems, imposing requirements such as recording hardware and software versions, identifying interdependencies of the updated system with other systems and assuring that over-the-air software updates are only executed if there is sufficient power.
The European Commission is expected to transpose these UN Regulations into EU law and, among other things, require car manufacturers to secure connected vehicles against cyberattacks from July 2022. According to the Report, transposition of these texts shall take into account the needs of all CAM stakeholders.
ENISA states that one of the aims of the Report is to help the European Commission and national authorities in EU Member States in transposing the UN cybersecurity regulations into EU policy. However, the Report might also be helpful to original equipment manufacturers and other stakeholders involved in the CAM ecosystem in understanding the key issues they need to consider from a cybersecurity standpoint.
Businesses involved in the CAM ecosystem might also be interested in an earlier ENISA report on good practices for security of smart cars published in November 2019. ENISA is also expected to soon publish Recommendations for the Security of Connected and Automated Mobility which will aim to "contribute to the improvement and harmonisation of cybersecurity in the CAM ecosystem in the European Union".
While the United Kingdom is unlikely to adopt the European Commission's proposals after the end of the Brexit transition period, UK businesses involved in the CAM ecosystem might expect UK-specific regulation on cybersecurity of connected and automated vehicles which will implement the UN Regulations. The UK implementation is likely to build on the eight key principles published by the UK Government in 2017. Furthermore, any UK business in the CAM ecosystem wishing to operate on the EU market will likely be required to comply with the European Commission's proposals with regard to cybersecurity of connected and autonomous vehicles.