Cybersecurity

    "A blanket ban would be of little use"

    Dr. Marcus Bollig, VDA Managing Director Product & Value Creation, on the Notice of Proposed Rulemaking (NPRM) "Connected Vehicles", which provides new regulations for manufacturers of connected vehicles and vehicle connectivity systems

    Dr. Marcus Bollig, VDA Managing Director Product & Value Creation, on the Notice of Proposed Rulemaking (NPRM) "Connected Vehicles", which provides new regulations for manufacturers of connected vehicles and vehicle connectivity systems

    28 October 2024

    The US government plans to ban certain components that are required for connected and automated driving and are manufactured in China, Russia and other countries from the American market. The aim of the regulation is to prevent cyber and sabotage attacks in the long term. This primarily concerns hardware and software components that could be compromised by misuse. In the recently published Notice of Proposed Rulemaking (NPRM), it has specified its ideas on the regulation and released it for comments. What impact could the measures have on companies in the German automotive industry?

    What changes and prohibitions does the current draft law contain?

    Dr. Marcus Bollig: The NPRM "Connected Vehicles" introduces extensive new requirements for manufacturers of connected vehicles and vehicle connectivity systems. The current version still leaves serious definitional ambiguities open, so that the regulation could have the effect of a blanket ban on certain vehicle components. This would of course be of little use. Today, standards and best practices for cybersecurity in type approval already exist, which lead to the reduction of cyber risks and are used by vehicle suppliers and original equipment manufacturers alike.

    And what would the new law mean? Entire supply chains would have to be changed at short notice, and within the specified deadlines - according to the NPRM, by 2027 for software (model year 2027), by 2030 for hardware - this is simply not achievable. Such short transition periods even pose risks. Not only would there be a loss of driving comfort. Safety features for connected driving might also not be available in a timely manner - and this could increase the risk of traffic accidents. It would also be important that vehicles that are currently in production be allowed to be registered - even if they do not meet the requirements of the NPRM.

    Are the concerns about certain states justified – and what is the VDA doing to ensure cybersecurity?

    Dr. Marcus Bollig: The German automotive industry takes a proactive approach to protecting its vehicles. Components are thoroughly tested before they are approved. In addition, regular security checks are carried out not only to keep up with developments in cybersecurity, but also to anticipate any vulnerabilities. The aim is to prevent cyber attacks, defuse potential threats and, above all, to protect vehicles from unauthorized intrusion by external parties.

    Central to this is UNECE Regulation 155 of the United Nations Economic Commission for Europe, which requires the introduction of a Cybersecurity Management System (CSMS). A vehicle only receives type approval for road use once it has been proven that this system works. Ensuring the highest level of safety is in the automotive industry's own best interests. Our focus is on ensuring maximum safety in the vehicle and on the road - and this is not achieved simply by banning components from certain countries.

    What disadvantages could the bans bring for Germany and consumers?

    Dr. Marcus Bollig: Due to the degree of international networking, such a ban would also affect Germany and Europe as export locations. Higher costs and possible delays in the production of vehicles on the US market could have a negative impact on customers. Building up parallel production capacities could slow down technological development. In principle, the more synergies can be exploited through international trade, the more everyone benefits - especially customers.

    Does this mean that the German automotive industry now has to develop different solutions for different markets?

    Dr. Marcus Bollig: The automotive industry faces competition and the demands of each market. However, turning away from international, free trade brings disadvantages in terms of efficiency, development and also costs. That is why it is so important to maintain common standards.

    Hardware and software variants of the vehicles resulting from the regulation will generate additional development costs. This will ultimately lead to a reduction in the synergies of a globally uniform technology and to increased costs for customers.

    The German automotive industry has a strong presence on the American market - and trade relations are strong. It employs 138,000 people in the United States of America. Around one in eleven vehicles in the light vehicle category produced in the USA bears the logo of a German brand. Production by German OEMs grew by 10% in 2023, more than total production, which increased by 5%. The export quota of German OEMs in the USA is 51%.

    What are the next steps and what is the VDA doing?

    Dr. Marcus Bollig: The VDA has made it clear to the current US government how important clarity in legislation and appropriate transition periods are. In addition, duplicate regulations should be avoided. Regardless of this, the German automotive industry remains committed to maximum vehicle and traffic safety - and a strong transatlantic alliance.

    Products & Value Creation

    Dr. Marcus Bollig

    Managing Director

    Coordination Unit for Security & Data

    Martin Lorenz

    Manager of Department