In its regulatory frenzy, the European Commission has once again found itself a new patch of turf to conquer: connected and automated vehicles. Because apparently a sector already covered by type-approval law, dedicated cyber rules, software update rules, data protection law, artificial intelligence law and assorted compliance machinery was still looking a bit too relaxed. So now the idea is to pull automotive into the orbit of a future Cybersecurity Act 2 and its supply-chain toolbox, allegedly to deal with “non-technical” risks that existing vehicle regulation supposedly does not capture well enough. That is the theory, anyway. In practice, the argument is a lot less clean than Brussels would like it to sound.
Let us start with the part that is actually true. The EU’s coordinated risk assessment on connected and automated vehicles does not pretend the risk landscape is fictional. It identifies 107 risks, with 14 top risks, and it says plainly that connected vehicles can be hacked through multiple pathways, with consequences ranging from data leakage to full remote takeover. It also flags two issues that the Commission is especially keen on: weak charging infrastructure and “high-risk suppliers” that could, in theory, be pressured by governments or military actors to introduce malicious hardware, software, updates or configurations. The report also singles out vehicle control systems, processing and decision-making systems, communication and connectivity systems, and cloud or backend systems as especially critical assets. None of that is trivial, and pretending otherwise would be intellectually lazy.
But here is where the Commission’s logic starts wobbling. The same risk assessment also says, quite explicitly, that many of the top risks are already addressed by the EU’s current type-approval rules, provided those rules are implemented properly. That includes attacks on in-vehicle AI, vehicle control systems, connectivity pathways, sensing systems, backdoors in open-source libraries and even manipulated over-the-air updates. In other words, the report itself admits that a large part of the actual technical attack surface is already inside the perimeter of the existing automotive regime. That matters, because once you say that out loud, you are no longer arguing about a sector with a missing framework. You are arguing about a sector that already has one and that the Commission now wants to revisit through a second regulatory door.
That second door is where the real problem starts. The Commission’s political line is that CSA 2 would focus on non-technical risks in supply chains. Fine. But when the risk assessment explains where action is supposedly needed, it does not stay at the level of geopolitics, coercion or strategic dependency. It immediately goes back to vehicle-related critical assets: processing and decision-making systems, communication and connectivity systems, vehicle control systems capable of receiving remote updates. That is not some abstract supply-chain governance exercise floating above the product. That is product-adjacent regulation in everything but name. Call it “non-technical” if that helps with the press line, but once your intervention logic is anchored in the hardware and software architecture of the vehicle, you are regulating the vehicle ecosystem again.
That is exactly why the automotive industry should attack this proposal on grounds of regulatory coherence rather than on the weaker claim that UN R155 magically covers the entire universe. Because it does not. UN R155 is strong, but it is not a metaphysical shield against all possible geopolitical scenarios. What it does do is require a Cybersecurity Management System across the vehicle lifecycle, continuous risk assessment, vulnerability monitoring, incident response and supply-chain cybersecurity management. UN R156 adds a dedicated Software Update Management System, including disciplined governance of update processes. That is not nothing. It is already a serious, lifecycle-based regime aimed squarely at the real-world cyber risks of modern vehicles. So the right industry argument is not “there is no residual issue anywhere.” The right argument is that the Commission has not shown a credible residual gap that justifies another horizontal layer landing on top of systems that are already regulated.
The Commission will respond, of course, that this is not about ordinary vulnerabilities. It will say this is about high-risk suppliers under state pressure, hidden access pathways, malicious updates and strategic dependencies. Fair enough. But that only helps the Commission up to a point. If the concern is that a supplier may be coerced by a third country, then the problem is not simply that a component is insecure. The problem is economic security, foreign influence and dependency risk. That is a different category of problem, and it should be treated honestly as such. Once you admit that, the obvious follow-up question is this: why exactly is the answer a second product-proximate cyber regime for vehicles rather than an economic security instrument, investment screening, trade controls, procurement restrictions or targeted foreign policy tools? There is no convincing answer to that, except perhaps the old Brussels classic: if in doubt, add another layer.
Charging infrastructure is another good example of the Commission’s overreach problem. The risk assessment points to weak cybersecurity in charging infrastructure and treats that as part of the broader concern. But it also states that charging infrastructure in the EU falls under NIS 2, with charging point operators treated as critical entities in the energy sector. So even the report itself shows that this is already an infrastructure governance issue with its own regulatory home. It is therefore a very odd basis for arguing that OEM supply chains now need to be swept into CSA 2 as well. If the charger is the problem, regulate the charger properly. Dragging vehicle manufacturers into another horizontal framework because somebody found a soft spot outside the vehicle is not smart regulation. It is just scope expansion with better stationery.
There is also a more awkward institutional point the Commission would rather not dwell on too much. The same risk assessment notes that connected and automated vehicles that fall under Regulation (EU) 2019/2144 are excluded from the scope of the Cyber Resilience Act because they are already covered by UN R155. That was the Union’s own legislative logic: automotive is already sectorally regulated, so the horizontal product regime steps back. Sensible enough. But if CSA 2 now comes in through the side entrance and starts imposing supply-chain measures tied to the same vehicle-related systems and assets, then the neat boundary the EU itself drew begins to look rather decorative. It is difficult to argue with a straight face that vehicles should stay out of one horizontal cyber regime because sector-specific regulation exists, while also trying to pull them into another horizontal regime built around the same technical reality.
And then there is the certification angle, which deserves more attention than it usually gets. Once the EU starts talking about trusted ICT supply chains, critical assets and toolbox-style mitigation, industry is right to worry that certification expectations will not be far behind. Maybe not immediately, maybe not in black and white on day one, but the pathway is obvious enough. For automotive, that matters because anything drifting toward Common-Criteria-style assurance logic can become deeply awkward once it hits modern vehicle development: software-heavy architectures, frequent updates, reuse across platforms, tight start-of-production (SOP) timing, variant complexity and the constant need to balance cybersecurity, safety and time-to-market. For a sector built around iterative engineering and controlled updates, dragging slow, heavy certification culture into component sourcing is a good way to reduce agility while claiming to improve resilience. A very Brussels outcome, in other words. The paperwork would be magnificent.
The strongest case against applying CSA 2 to automotive is therefore not ideological and not anti-security. It is structural. Automotive is already a regulated cyber sector. The existing framework may need better enforcement, clearer guidance and more consistent interpretation across approval authorities, but that is not the same as saying a new horizontal layer is needed. Where the remaining concern is genuinely technical or organisational, UN R155 and UN R156 already provide the right regulatory home. Where the concern is genuinely geopolitical, then the right tools are economic security tools, not disguised product regulation. What makes the Commission’s current approach weak is that it tries to have both arguments at once. It says the issue is non-technical, then defines the solution through critical vehicle assets. It says the problem lies beyond the existing framework, then relies on scenarios that already sit very close to what the existing framework regulates. That is not precision. That is policy sprawl.
So the industry should not waste time claiming that nothing is left to discuss. That would be sloppy, and the Commission would rightly attack it. The smarter line is sharper and more credible: yes, there are risks; yes, some of them involve awkward geopolitical dependency questions; no, that does not justify re-regulating vehicle systems through CSA 2. The EU should either strengthen the implementation of the existing automotive cyber regime or use economic security instruments for genuinely geopolitical problems. What it should not do is pretend that a new horizontal toolbox somehow remains “non-technical” while quietly taking aim at the same software, connectivity and control systems already sitting inside the type-approval framework.
Because once that game starts, this is no longer about closing a gap. It is just Brussels doing what Brussels does best: finding a sector that is already regulated, declaring it newly strategic, and then regulating it again from a slightly different angle.