As part of the ongoing digital transformation of modern vehicles, so-called security gateways have become a standard feature of everyday workshop operations. As electronic control points, they determine how diagnostic tools are granted access to cybersecurity-critical vehicle systems. Over time, however, this measure has increasingly proven to be an obstacle to the work of independent, non-affiliated repair shops.

This became particularly evident in a landmark case before the European Court of Justice, which found that a vehicle manufacturer had unlawfully restricted open vehicle access through its gateway solutions. The European Union has now followed up with a final legal framework designed to ensure cybersecurity while also guaranteeing equal access to vehicle diagnostics for authorized dealerships and independent market participants alike.

Felix-Matthias Walter, Head of MAHLE Service Solutions, discusses the practical implications of this new regulation.

Mr. Walter, why is this legal text so important for vehicle diagnostics – and why should repair shops take an interest in it?

The regulation stipulates that manufacturers must grant independent market participants comprehensive access to vehicle diagnostics, effectively rendering existing gateway solutions obsolete. Symbolically speaking, the carburetor has long been replaced by control units and sensors. Spare parts often have to be digitally coded, and as a result, the requirements for diagnostics, qualifications, and business models are increasing. Anyone who wants to remain competitive in the future needs the appropriate tools and the authorization to access vehicle data. As an industry, we must ensure that we prepare for this development not only technically but also from a regulatory perspective at an early stage. Those who focus only on day-to-day business today risk falling behind tomorrow. This is why workshops, too, should take a close look at regulation now.

 

What does this mean for repair shops?

For workshops, the diagnostic tool will become an even more central working instrument in the future. Activities that go beyond simply reading fault codes are considered cybersecurity-relevant and require authorization. For simple tasks, such as resetting a service indicator, a one-time server connection may be required to obtain access credentials. More extensive software interventions, such as coding new replacement parts, will require a continuous online connection – a new situation for workshops.

In day-to-day operations, however, this should be as unobtrusive as possible. It is therefore the responsibility of diagnostic tool developers to handle authentication and connection processes in the background so that technicians can focus on the repair work. In addition, legislators now explicitly protect the independent aftermarket. Basic functions such as reading and clearing fault codes within the scope of legally required emissions testing or retrieving the vehicle identification number (VIN) will remain possible without authentication. Service providers will also continue to be authorized through their training and expertise – the only new requirement is digital verification.

What is MAHLE’s stance on vehicle access for independent repair shops?

We welcome the fact that there is now a clear and binding regulation, as we support the independent aftermarket and independent workshops. Court cases in this area have shown that cybersecurity must not be used as a pretext to exclude market participants from vehicle access. If independent players are unlawfully denied access to vehicles, this must be resolved through legal means – and that is exactly what has happened. Together with our industry associations, we are working to ensure that such restrictions will not persist in the future.

 

The new rules take effect in June. What does this mean specifically for MAHLE?

We must continue to adapt our diagnostic solutions to individual vehicle manufacturers. What is new is that we now have clear legal requirements to guide us. Depending on the type of service, our devices must meet the manufacturers’ specific requirements regarding authentication and connectivity. What we want to emphasize is that the new legal framework provides us with greater planning certainty and a reliable foundation for our development work.

Is this technically straightforward to implement?

The requirements have become significantly more complex. Although we already had a solution in place with the MAHLE Cybersecurity Pass (MCS), which enabled centralized access to various OE systems, the new regulation goes further.

In the future, diagnostic tool manufacturers must not only verify the identity of the tool to the OEM but also, in the case of vehicle-altering interventions, the pseudonymized identity of the workshop and the technician performing the work. This is technically demanding and must be implemented individually for each OEM and each specific service. If the highest requirements apply when coding a component in a particular vehicle, we integrate these into the diagnostic tool – for example, with regard to workshop authentication, online connectivity of the tool, or the validity period of access rights. For workshops, this remains invisible; they see only the click, not the processes in the background. We are, however, well prepared. For some time now, we have been in close dialogue with relevant OEMs in order to align our diagnostic tools early and specifically with the new requirements.

Are there any drawbacks to this legislation?

Yes, there are. Development efforts are considerable, and our dependence on vehicle manufacturers is increasing, as they alone determine which requirements apply to which type of service. The level of effort ultimately depends heavily on how transparently and cooperatively OEMs open their systems. Although manufacturers are legally obliged to provide the necessary technical information, implementation in practice is often challenging. This means that independent workshops remain significantly dependent on the goodwill of vehicle manufacturers. We are therefore making substantial investments in technical integration – this is a burden that must be acknowledged openly. However, as a partner of independent workshops, we see it as our responsibility to ensure that fair competition in the aftermarket is not just promised but implemented in practice.

It will probably be some time before the regulation actually takes effect in everyday workshop operations – won’t it?

There are transitional periods, that is correct; for example, for individual technical requirements such as the VIN-specific provision of repair information. In terms of content, however, the topic is already highly relevant for the aftermarket.

At MAHLE, we have been dealing with cybersecurity and regulated vehicle access for several years and have actively contributed to the regulatory process, including directly in Brussels. We recognized early on where the development was heading and prepared our solutions accordingly. We use our experience to translate regulatory requirements into practical solutions for workshops. Our goal is to actively support workshops and provide them with security and operational flexibility as a strong partner – even in an increasingly regulated environment.
