Garages Gain Full Data Access as EU Slaps Automakers With Record Fines for Cyber Lapses

A sweeping regulatory overhaul is reshaping the European automotive landscape. From July 2026 onward, independent repair shops and insurers will be entitled to the same vehicle data as manufacturers. The EU mandate requires standardized access via OBD ports, Ethernet connections or remote APIs, with all brands expected to comply within a year. The move aims to level the playing field in the lucrative after-sales market — an area the industry had long resisted opening up.

That is just one piece of a much larger puzzle. Automakers face a potential avalanche of penalties starting September 2026 if they fail to meet new cybersecurity requirements. The fines are tiered across three separate regulations. Under the Cyber Resilience Act (CRA), companies can be liable for up to €15 million or 2.5 percent of global annual turnover. The NIS2 directive carries penalties of up to €10 million or 2 percent of turnover. The strictest of the three, the CSA2 regulation, exposes violators to fines reaching 7 percent of worldwide revenue.

For a manufacturer like Volkswagen, those percentage-based figures translate into potential demands in the billions. A key operational change: security vulnerabilities must now be reported to the EU’s cybersecurity agency ENISA within 24 hours.

The push stems from the rapid rise of software-defined vehicles and connected car architectures. Hardware-based security is becoming mandatory. Semiconductor supplier Infineon has embedded a dedicated security module into the NVIDIA Jetson Thor platform, protecting cryptographic keys at the chip level — a design that also helps meet the EU AI Act’s requirements. Meanwhile, the security organization ASIO has flagged risks: without proper safeguards, conversations inside connected cars could be intercepted remotely.

Even before the September fines kick in, a new batch of safety features becomes obligatory on 7 July 2026 for all new M1 and N1 vehicles — passenger cars and light commercial vans. A driver distraction warning system will use cameras or sensors to monitor attention levels. The advanced emergency brake assistant must reliably detect pedestrians and cyclists. Also required: an enhanced emergency lane-keeping assistant and improved pedestrian protection at the vehicle front.

According to Switzerland’s Federal Roads Office (Astra), data collected by these systems stays inside the vehicle and is not stored permanently. Automotive expert Ferdinand Dudenhöffer considers the new functions sensible. Public sentiment is mixed: 75 percent of surveyed consumers said they trusted driver assistance systems as of late 2025, yet 65 percent of frequent drivers reported having experienced malfunctions.

"The data-access rule is a game-changer for the repair industry," said an unnamed workshop association representative in a background briefing. "For years, manufacturers kept diagnostic and software information under wraps. Now the EU is forcing openness."

The complexity of modern vehicle software was highlighted by a recent Ford recall of roughly 58,000 cars due to a malfunction in the e-call emergency system.

Liability is also becoming a competitive differentiator. Chinese manufacturer BYD announced that from the end of May 2026, it will assume full financial responsibility for accidents involving its own "God’s Eye" assistance system — a move that could pressure rivals to follow suit.

Automakers are now racing to retrofit their cybersecurity architectures, update supply chains and train staff before the penalties take effect. The convergence of data access mandates, strict liability rules and layered fine structures means the industry faces its most intensive regulatory period in decades.

en | boerse | 69490587 |