Amidst technological advancements, the prevalence of not just fully autonomous vehicles, but also those incorporating autonomous and automated capabilities, is increasing. The EU's regulatory framework is swiftly adapting to this shift, encompassing a range of initiatives from the Data Act through the AI Act to the Cyber Resilience Act. This article delves into these emerging regulations and explores their potential impact on manufacturers of such vehicles, as well as on the producers of their components.

This article was written by Sefa Gecikli ([email protected]) and Cem Adiyaman ([email protected]) , who are both part of RSM Netherlands Business Consulting Services with a specific focus on technology regulations.

Evolving EU Regulations Shaping the Future of Autonomous and Semi-Autonomous Vehicles

In the swiftly changing landscape of the automotive industry, the concept of autonomy has shifted from science fiction to a tangible reality on our roads. Autonomous vehicles operate without human intervention, relying on a suite of sensors and AI algorithms to navigate the complexities of traffic. However, a broader spectrum of innovation has led to the emergence of vehicles that blend autonomous features with traditional driving, such as Tesla's Autopilot and GM's Super Cruise systems. These vehicles boast an array of automated capabilities, from advanced driver-assistance systems (ADAS) that include adaptive cruise control and lane-keeping assistance to more sophisticated functions that allow for limited hands-off road travel. As these technologies become increasingly commonplace, the European Union is actively sculpting its regulatory environment to keep pace.

The Data Act, which became effective on January 11, 2024, is set to be a key regulation in the progression of autonomous vehicles and those integrating autonomous features, significantly reforming data governance within the EU's automotive market. As vehicles become increasingly interconnected, falling under the scope of “connected products”, so called “the Internet of Things (IoT)”, they not only navigate our streets but also generate vast quantities of data regarding their operation and surroundings. The Data Act mandates that the data produced by these smart automotive technologies be inherently accessible to the end-user, securely and without cost. It ensures that if such data are not immediately available, manufacturers have the obligation to provide it upon request. Crucially, the Data Act enforces transparency, requiring that users are well-informed about the use of their data beforehand. Additionally, the act lays down provisions for business to business data sharing, potentially facilitating a more collaborative ecosystem among manufacturers, tech companies, and service providers.

The rise of autonomous vehicles and those with advanced autonomous features indicates a new era of mobility, where cybersecurity becomes as crucial as the physical safety of the passengers. The upcoming European Cyber Resilience Act addresses this by setting forth rigorous cybersecurity requirements for hardware and software with digital elements—standards that are particularly pertinent to the automotive sector in the EU. Under this Act, manufacturers of autonomous and semi-autonomous vehicles are compelled to integrate robust cybersecurity measures from inception to the end-of-life of the product. This involves not only the vehicles themselves but also the extensive array of digital components they encompass. These range from onboard sensors and cameras that feed real-time data to the vehicle's AI, to the smart systems that process this information, including mobile devices and routers facilitating vehicle-to-everything communication. The software that acts as the brain of these vehicles -operating systems and various applications- must be designed to be resilient to cyber threats. Additionally, the hardware components, such as computer processing units and video cards, along with the software libraries that support them, are also covered under this act.

The integration of AI systems in autonomous vehicles and those with autonomous features presents groundbreaking advancements in transportation but also introduces potential risks to health and safety. Recognizing this, the upcoming EU AI Act specifically addresses AI systems that serve as critical safety components in products or systems, or that are standalone products or systems themselves under certain sectoral legislations. Such systems are marked as high-risk AI tools when they fall under the purview of certain sectoral legislations, including EU regulations concerning motor vehicles, their trailers, and all related components and technical units, focusing on general safety and the safeguarding of vehicle occupants and vulnerable road users. This risk-based approach of the EU AI Act imposes stringent obligations on high risk AI systems, affecting a wide array of automotive supply chain from manufacturers to distributors, and importers.

Forward thinking

The automotive industry is rapidly evolving towards a future where vehicles are not merely transport tools but complex data hubs on wheels. Addressing the challenges posed by these developments, EU’s legislative frameworks are not only redefining the boundaries of data governance and cybersecurity but are also compelling market players to fundamentally rethink how they design and manufacture their products. This directs us to revisit key technology law term, “compliance by design”.

On the other hand, the Data Act, in particular, may catalyze innovation by encouraging business-to-business data sharing, enhancing a collaborative market environment. By ensuring that users have transparent access to the data generated by their vehicles, the Act also enhances consumer autonomy. This openness is not just good for customer trust; it's a gateway for innovation as companies find new ways to leverage data responsibly and creatively.

At its core, the proactive approach required by EU regulations marks the beginning of a transformative era for the automotive sector. This new phase is characterized by a greater emphasis on enhanced security measures and continuous innovation integrated directly into the development and production of vehicles. By embracing these EU regulations, manufacturers and businesses have the opportunity to not only adapt to emerging technologies but also to lead the charge in shaping a safer, more interconnected future of mobility.

At RSM, we possess extensive expertise on technology law and governance, qualifying us to guide businesses, particularly medium-sized enterprises and family businesses, through these challenges. By understanding the unique requirements and regulatory landscapes our clients face, both locally and internationally, we tailor our services to address their specific needs with utmost attention and care.