“TikTok on Wheels” Expands to Europe, Considering Stricter Regulations on Chinese Connected Vehicles and Tier-1 Suppliers
Connected vehicles “can register everything where it is, and it can also transmit that data to those who have access to the data… it’s legitimate to look into whether or not that kind of technology can be misused when it comes to security issues”
Margrethe Vestager, European Commissioner for Competition (as quoted on Politico)
The European automotive sector is undergoing a tectonic shift, with several top OEMs headquartered across Europe having to face the reality of downsizing production capacity due to decreasing demand, a struggle to launch EV models or delays in the supply chain.
At the same time, electrification brings about an inherent increase in connectivity and data streaming from vehicles to backend systems. In this highly volatile and dynamic context, the data security topic is emerging as a critical battleground.
Politico reported that following the recent announcement by the US Government, the European Union is also evaluating taking measures to protect against the potential cybersecurity and surveillance risks posed by the mass adoption of Chinese connected vehicles across Europe. Emphasis is on the role of data sovereignty in the automotive industry.
This move on security grounds should be seen as unrelated to the imposition of trade tariffs on imported Chinese electric vehicles to curb their dominance in the European market, an approach that may have limited impact for those Chinese OEMs assembling vehicles at new plants set up within the European Union. Ultimately, from a cybersecurity perspective, the goal is to monitor fleets and detect potential threats, rather than “to try and stop the river flow”.
Europe’s regulatory-based approach to tackling potential cybersecurity and data privacy concerns
The European Union, like the United States, is becoming more attentive to the potential considerations around using Chinese technology in vehicles. Margrethe Vestager, European Commissioner for Competition, and other European officials are scrutinizing software and hardware produced by Chinese companies, particularly in light of the cybersecurity and data privacy challenges these pose.
This mirrors actions taken by the US, which recently moved to ban technologies from China and Russia in critical infrastructure sectors, including the automotive industry. The proposed US ban gives automotive stakeholders time to prepare. Software restrictions start with the 2027 model year, allowing manufacturers to find secure alternatives, while hardware restrictions take effect in the 2030 model year or January 2029.
The EU’s approach seems to be less about outright bans and more about implementing stricter regulations. Yet, the message is clear: the security of automotive technology is paramount, and steps must be taken to mitigate potential risks associated with software applications designed and developed outside of the EU, and in particular from China.
Using regulation to manage and reduce cybersecurity risk is well established in global rules. In effect since 2022, UNECE WP.29 R155 and R156 have set a clear standard for connected vehicle cybersecurity monitoring and risk management. R155 focuses on ensuring that automotive manufacturers implement robust cybersecurity management systems (CSMS) to address potential cyber threats throughout a vehicle’s lifecycle. It mandates that manufacturers identify, assess, and mitigate cybersecurity risks, ensuring secure vehicle systems. R156, on the other hand, addresses software updates, requiring manufacturers to establish secure software update processes. This includes over-the-air (OTA) updates, ensuring that updates are managed in a way that preserves the vehicle’s safety and security resilience.
The EU’s Cybersecurity Act also serves as a cornerstone for cybersecurity certification across Europe. This is horizontal legislation, covering all products with digital components (both hardware and software) and establishing a unified standard. The focal point for the CRA is consumers, safeguarding their use of modern connected devices, from smartwatches and connected IoT devices to electric and even autonomous vehicles. Effective June 2019, this Act introduced a voluntary certification framework that sets a high cybersecurity standard, aiming to harmonize practices across all member states. Manufacturers can certify their products once to achieve compliance across the EU, simplifying the regulatory burden while ensuring devices meet stringent security requirements.
According to Politico, European cyber experts are rumored to be crafting a new set of non-binding recommendations on measures for electric vehicle connectivity.
Implications for the Global Automotive Industry
The EU’s evolving position highlights the critical role of cybersecurity in the automotive ecosystem. As vehicles become increasingly connected, the potential for cyber threats grows, making it imperative for automakers to prioritize secure software and hardware solutions. This includes rigorous vetting of software suppliers, comprehensive risk assessments, and a proactive approach to mitigating vulnerabilities.
The European market is a vital battleground for automakers globally, especially as the region shifts toward electric and autonomous vehicles. Norway, for example, is the first country globally to have electric vehicles outnumber gas-powered cars. The EU’s increased scrutiny of Chinese software suppliers means that automakers, particularly those with extensive supply chains involving Chinese components, will need to adapt their strategies. Furthermore, the US ban will directly impact European automakers, forcing them to adjust the supply chain for vehicles sold in the US.
The Chinese market has also been a strategic one for European automakers, driving a significant portion of revenue. The recent dramatic announcement on taxation of Chinese EVs in the EU, set to rise from 10% to up to 45% over the next five years, raises the question of what impact this might have on decisions by the Chinese government towards European automakers that are actively present on Chinese soil with Global-to-China, China-to-Global and China-to-China initiatives.
The bottom line is simple: this legislative trend in the US, and soon also in Europe, signals a broader industry shift towards prioritizing cybersecurity in vehicle development. Automakers who proactively address these concerns will be better positioned to navigate the evolving regulatory landscape and meet both consumer and regulator demands for secure, privacy-respecting technologies.