A critical analysis of the VSDPS testing framework in light of existing regulation, industrial realities, and technological developments
Introduction
Industry associations are businesses too – always on the lookout for new revenue streams and monetisation models. Euro-NCAP is no exception: Having made its name (and money) from vehicle safety assessments and crash tests, the organisation’s business development executives seem to have had a moment of inspiration following the entry into force of automotive cybersecurity regulations (including UN R155, GB 44495-2024) and related industry standards (ISO/SAE 21434:2021, ISO/PAS 5112:2022, ISO/SAE PAS 8475, ISO/SAE TR 8477). Their “brilliant idea”: expand their revenue-generating activities to include the cybersecurity domain.
On the surface, it’s a logical progression – they started with safety ratings, added assisted driving gradings, and now come cybersecurity ratings. With the latter, customers are meant to gain a third key insight: Not just whether they’re likely to survive a crash, or whether the lane-keeping assistant will suddenly veer them into a three-lane highway adventure – but also whether their car will still be where they parked it in the morning, or whether hackers have already breached the vehicle’s onboard network and tampered with critical data.
Through the introduction of VSDPS (Vehicle Security, Data Privacy and Sovereignty), Euro-NCAP aims to establish a rating framework for in-vehicle IT security, privacy, and data sovereignty – akin to its established crash tests and ADAS evaluations. Yet what appears at first to be a forward-looking initiative quickly raises serious concerns: methodologically, legally, and in terms of industrial policy.
I. Strategic Background: NCAP’s Overreach
1. Mandate Expansion Without Legitimacy
OEMs perceive the VSDPS initiative as a strategic attempt by Euro-NCAP to extend its influence into domains that lie well outside its established mandate. The evaluation of automotive cybersecurity is already governed by legally binding frameworks such as UN R155, EU7 (in a certain way), and GB 44495-2024 – all of which are tied to vehicle type approval. All the more astonishing, then, is the fact that Euro-NCAP – a consortium of associations that includes not only automotive associations and insurance companies, but also senior federal authorities from Germany (such as the Federal Ministry of Transport) and executive bodies from other European states – appears to acquiesce without objection to the erosion of the normative framework for automotive cybersecurity. This includes, for example, a shift away from a risk-based approach towards a checklist-style requirement.
Either the participating authorities within the Euro-NCAP consortium are not involved in the preliminary coordination of such initiatives, or they are simply indifferent. Neither alternative reflects favourably on the operational conduct of Euro-NCAP.
2. Regulatory Competition Instead of Complementarity
Instead of closing regulatory gaps, VSDPS creates a parallel assessment system that imposes double work on OEMs without adding any clear benefit for consumers. This duplication undermines regulatory consistency and clarity. In this context, any form of assessment of a vehicle’s cybersecurity capabilities ought to adhere closely to the applicable normative requirements. It is neither appropriate nor advisable to introduce alternative, potentially misleading, or wholly unsuitable criteria which would, in effect, establish a parallel framework of baseline requirements for automotive cybersecurity. At the very least, in light of its de facto ability to influence end-user purchasing decisions, Euro-NCAP should recognise both the scope of its competence and the extent of its responsibility prior to the dissemination of such proposals.
II. Methodological Critique: A Rigid Framework in a Dynamic Reality
1. Static Checklist Model vs. Risk-Based Security
The VSDPS methodology is built around a predefined list of interfaces (Bluetooth, USB, OBD, etc.). Vehicles that do not include certain technologies are automatically penalised with zero points, regardless of whether these features are relevant or required for the vehicle’s operation. That’s neither technically fair nor security-relevant.
2. Risk-Ignorant Scoring
All vulnerabilities – regardless of their real-world security impact – are treated equally. A successful roll-jam attack on keyless entry is rated the same as a theoretical GPS spoofing scenario. This defies the core principles of risk-based security and misallocates development and testing resources.
3. Inapplicability = Penalty
If a test cannot be applied due to the vehicle’s architecture or lack of a specific interface, it is still rated as a failure. This amounts to systematic distortion and unfair scoring against innovation and design diversity.
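To make the distortion described in II.1 to II.3 concrete, here is an added example (not from the Euro-NCAP protocol or any OEM's tooling) that scores two constructed vehicles under a checklist model and under a risk-based model; the point values, the 4x4 risk matrix and the impact/feasibility ratings are assumptions in the style of ISO/SAE 21434, not figures from VSDPS.

```python
from dataclasses import dataclass

# Assumed 4x4 risk matrix in the style of ISO/SAE 21434 Annex H (not the
# standard's own table): row = impact 1..4, column = attack feasibility 1..4,
# cell = risk value 1 (lowest) .. 5 (highest).
RISK_MATRIX = [
    [1, 1, 1, 1],  # negligible impact
    [1, 2, 2, 3],  # moderate impact
    [1, 2, 3, 4],  # major impact
    [1, 3, 4, 5],  # severe impact
]

@dataclass
class TestItem:
    interface: str        # attack surface the test targets, e.g. "Bluetooth"
    present: bool         # does this vehicle actually have the interface?
    weakness: bool        # did the test find a weakness?
    impact: int = 1       # 1 negligible .. 4 severe
    feasibility: int = 1  # 1 very low .. 4 high

def checklist_score(items):
    """Checklist model as the article describes VSDPS: one point per interface
    that is present and clean; an absent interface or any weakness scores zero,
    however exploitable or harmless that weakness is."""
    return sum(1 for t in items if t.present and not t.weakness)

def risk_based_score(items):
    """Risk-based model: tests for interfaces the vehicle lacks are not
    applicable (no exposure, no penalty); each weakness is rated by impact and
    attack feasibility, and the vehicle's residual risk is the highest value."""
    applicable = [t for t in items if t.present]
    risks = [RISK_MATRIX[t.impact - 1][t.feasibility - 1]
             for t in applicable if t.weakness]
    return {"applicable": len(applicable), "findings": len(risks),
            "max_risk": max(risks, default=1)}

# Constructed sample vehicles. A has a small attack surface and one theoretical
# GNSS-spoofing finding; B has every interface and a practical roll-jam weakness.
VEHICLE_A = [
    TestItem("Bluetooth", present=False, weakness=False),
    TestItem("USB", present=False, weakness=False),
    TestItem("GNSS", True, True, impact=2, feasibility=1),
    TestItem("Keyless entry", True, False),
]
VEHICLE_B = [
    TestItem("Bluetooth", True, False),
    TestItem("USB", True, False),
    TestItem("GNSS", True, False),
    TestItem("Keyless entry", True, True, impact=3, feasibility=4),
]

def compare():
    """Both models' verdicts for A and B: the checklist ranks B higher,
    the risk-based view rates A as the vehicle with the lower residual risk."""
    return {name: (checklist_score(v), risk_based_score(v))
            for name, v in (("A", VEHICLE_A), ("B", VEHICLE_B))}
```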
III. Technological Concerns: Past-Oriented Instead of Forward-Looking
1. Outdated Threat Assumptions
VSDPS ignores modern vehicle architecture concepts such as over-the-air (OTA) updates, Vehicle-to-Everything (V2X) communication, secure boot, and zero-trust designs. Instead, it focuses on outdated vectors such as USB password strength or manual app installation from memory sticks.
2. Testing Methodology Not Future-Proof
The VSDPS approach lacks long-term applicability. As vehicle systems evolve rapidly, many test criteria will become obsolete. Comparing ratings across model years will become meaningless.
3. Lack of Architectural Flexibility
VSDPS is implicitly based on a monolithic view of vehicle E/E architectures. In reality, OEMs are increasingly deploying zonal, service-oriented, and software-defined architectures. A “one-size-fits-all” test methodology is not viable in such a context.
IV. Data Privacy and Sovereignty: Legal and Practical Issues
1. Outdated Legal References
The VSDPS paper references EU Directive 95/46/EC, which was repealed in 2018 and replaced by the GDPR. This raises serious doubts about the legal literacy of the proposal.
2. “Data Sovereignty” as an Undefined Concept
The term “data sovereignty” is overused without any legal anchoring, technical operationalisation, or measurable test criteria. Most so-called “sovereignty tests” are usability assessments (“Is it clear how to launch apps?”) and lack any actual security relevance.
3. Conflict with Legal Obligations
Some test items (e.g., requiring full internet disconnectability) directly conflict with mandatory systems like eCall, for which connectivity is legally required. OEMs are caught between contradictory demands.
V. Economic Implications for OEMs
1. Poor Cost-Benefit Ratio
Implementing test structures to accommodate VSDPS adds cost in development, verification, and documentation – with no demonstrable benefit over existing regulatory compliance. For smaller OEMs in particular, this is a clear barrier to innovation.
2. Risk of Market Distortion
Vehicles may receive poor ratings due to irrelevant or superficial criteria. A technologically advanced vehicle without a guest user profile, for instance, might score worse than a simpler competitor model. This distorts competition.
3. False Sense of Security
A high VSDPS score might suggest a vehicle is “secure,” even though it merely passed outdated or non-representative tests. This undermines real security engineering and promotes compliance over resilience.
Conclusion: VSDPS – A Well-Meant Misstep
Euro-NCAP’s intention to raise awareness around vehicle cybersecurity is not wrong in principle. But the VSDPS initiative in its current form fails on multiple levels. It is methodologically unsound, technologically backward, legally confused, and economically burdensome.
OEMs should feel confident in pushing back – not because they oppose security, but because security is too important to be trivialised by an ineffective and underdeveloped scoring system.
German version? Here …