Since FCA/Stellantis became the first vehicle manufacturer to protect the OBD interface with a security gateway, other manufacturers have followed suit. To get through these gateways, a car repair shop must register with the manufacturer and pay a fee to have the vehicle activated online. Market participants sued against this before the German regional court of Cologne. Their reasoning: security gateways limit the ability of independent workshops to carry out necessary diagnostic and repair procedures. The regional court of Cologne referred the case to the European Court of Justice (ECJ), and in October 2023 it was decided that the security gateways (only those of FCA/Stellantis) were not permitted under the European type-approval regulation. Registration with the vehicle manufacturer as well as the necessary permanent online connection with its servers is specifically prohibited.

Of course, it makes sense that vehicles are protected from unauthorised access, which is also required by the global regulation UNR155. Therefore, many car manufacturers have equipped their vehicle models with secure diagnostic access. Active diagnostic work, such as the replacement of lenses or the calibration of driver assistance systems, is usually no longer possible. This presents workshops with technical and administrative challenges, as vehicle manufacturers sometimes rely on their own individual security solutions. Without activation, diagnosis on these vehicle models is limited to reading and deleting error memories and reading some actual values.

New EU legislation on vehicle diagnostic data

The German association of parts wholesalers GVA (Gesamtverband Autoteilehandel) brought interim injunctions against other vehicle manufacturers based on the ECJ judgment, so that they also correctly close their security gateways. But there is a dilemma: on the one hand, the ruling requires inadmissible security gateways to be closed; on the other hand, the global regulation UNR155 requires that cybersecurity be ensured in cars. As a feasible way out, the European Commission decided to amend the law.

Since last March, vehicle manufacturers and their associations, workshops, parts dealers and suppliers such as MAHLE have been in intensive consultations. Most recently, this took place at the conference of the European automotive suppliers' association CLEPA in Brussels: there, Felix-Matthias Walter, Global Head of Service Solutions at MAHLE Lifecycle and Mobility, discussed the issue with the European Commission, workshop associations and fleet management operators.

The current outcome of the draft law:

  • In the future, independent service providers should receive more information on the components installed in the vehicle, such as the software updates needed for repairs, and more information about driver assistance systems (ADAS) and battery repairs. Access should also be guaranteed beyond the OBD port (for example over-the-air) in a future-proof manner, as it is available to OEM partners.

  • The key point of the legal act is cybersecurity: vehicle manufacturers must not restrict access disproportionately and must take the measures in their own network as the benchmark. At the same time, diagnostic tools are subject to more stringent security requirements, such as ISO 27001 or TISAX, and must comply with the cybersecurity and software update requirements of vehicle manufacturers.

  • Depending on the significance of the diagnostic access, different requirements are set for the tool, its online connection, the validity of the access data, the authentication of the workshops and tracking.

  • Reading error codes or the VIN (vehicle identification number) becomes possible offline without tracking. Read access to control units, as well as adjustments and calibrations, requires a one-time online connection of the diagnostic tool with the manufacturer server and access data valid for 30 days. Writing functions, programming with permanent changes or even direct backend interaction require access data valid for 24 hours and a permanent online connection, as well as detailed documentation of the work performed during the service.

  • The costs for individual cybersecurity access are eliminated, but license fees, determined by the vehicle manufacturer, are still allowed for the development of diagnostic tools, so diagnosis is not free.

The authentication and authorization of the workshops should be possible either through the diagnostic device manufacturer or via SERMI in a light version. The SERMI scheme regulates who has access to theft- and security-related functions and information in vehicle manufacturer portals and via diagnostic devices. The aim is to adopt industry standards as quickly as possible to make work as easy as possible for garages.

“We welcome the clarifications and the increase in digital opportunities for workshops, and we hope for a swift passage of the legislation. However, a growing dependence of diagnostic tools and workshops on vehicle manufacturers is also foreseeable. That said, workshops have no reason to hold back when it comes to cybersecurity,” says Felix-Matthias Walter, Global Head of Service Solutions at MAHLE Lifecycle and Mobility.

The delegated act, more specifically the type-approval regulation and its Annex 10, is to be finalised by the end of the third quarter of 2025. A transition period for implementation and the question of which vehicles in the market are affected are still being discussed.

Full access - guaranteed

MAHLE developed the MAHLE Cybersecurity Pass early on, a solution for implementing the locks for the MAHLE TechPRO® and CONNEX diagnostic devices in order to be able to access the vehicle systems regularly and completely. The MAHLE Cybersecurity Pass now covers the top 5 car brands in Europe: VAG, Mercedes, BMW, FCA/Maserati and Renault.

The MAHLE Cybersecurity Pass will implement the new legal requirements as soon as possible, so that workshops can continue to carry out repairs relevant to cyber security.
