Key Takeaways
- The rise of software‑defined, connected vehicles makes cybersecurity a cornerstone of safety, consumer confidence, and the broader mobility ecosystem.
- European vehicle manufacturers have already poured significant resources into robust cybersecurity measures and generally support the Cybersecurity Act’s goal of strengthening ICT supply‑chain security.
- The proposed Trusted ICT Supply Chain framework, however, raises four major concerns: it creates an uneven competitive playing field, risks overlapping with existing product‑safety laws, could unjustly penalise suppliers based on geography, and lacks sufficient governance safeguards before imposing prohibitive measures.
- ACEA recommends narrowing the framework’s scope to focus on core manufacturing activities and entities covered by the NIS 2 Directive, while leaving product‑specific cybersecurity to existing sectoral legislation.
- A technically sound, risk‑based approach should require verified risk assessments by competent authorities, treat prohibition as a last resort after a minimum 36‑month mitigation period, rely on European standardisation organisations for proportionate measures, and involve industry experts continuously throughout the assessment process.
Introduction: Connectivity Elevates Cybersecurity Importance
As automobiles evolve into software‑defined, highly connected platforms, cybersecurity has shifted from a peripheral IT concern to a fundamental pillar of vehicle safety, consumer trust, and the smooth operation of the entire mobility ecosystem. Modern cars now rely on continual over‑the‑air updates, telematics, and sophisticated driver‑assistance systems, all of which expand the attack surface that malicious actors can exploit. Consequently, ensuring the integrity and resilience of the ICT supply chain is no longer optional; it is essential for protecting occupants, safeguarding data, and maintaining public confidence in emerging mobility services.
EU Manufacturers’ Proactive Cybersecurity Investments
European vehicle manufacturers have responded to these challenges by investing heavily in comprehensive cybersecurity programmes. These initiatives span secure software development lifecycles, hardened electronic control units, intrusion‑detection systems, and robust incident‑response capabilities. Because of this proactive stance, the industry broadly endorses the overarching objective of the Cybersecurity Act: to fortify ICT supply‑chain security against the rising tide of digital threats. Their support, however, is conditional on the Act’s implementation being sensible, proportionate, and compatible with existing regulatory frameworks.
Overview of the Trusted ICT Supply Chain Framework Concerns
The European Commission’s proposed Trusted ICT Supply Chain framework aims to extend cybersecurity obligations beyond individual products to the entities that supply critical ICT components. While the intention to harden the supply chain is shared by ACEA, the current draft raises several substantive issues that could undermine its effectiveness and create unintended adverse consequences for the automotive sector.
Concern 1: Uneven Playing Field and Enforcement Gaps
A primary criticism is that the framework would apply exclusively to manufacturers established within the European Union. This territorial limitation would place EU‑based automakers at a competitive disadvantage relative to non‑EU rivals who would not be subject to the same scrutiny. Moreover, verifying and enforcing the requirements on foreign suppliers would be exceptionally difficult, if not impossible, leading to weak compliance and a security gap that mirrors the very risks the framework seeks to eliminate.
Concern 2: Potential Interference with Existing Product Legislation
Vehicle cybersecurity is already addressed through a mature set of product‑specific regulations, including UNECE WP.29 regulations, the General Safety Regulation, and various sector‑specific standards. Shifting the focus from regulating companies to regulating products could generate overlaps, inconsistencies, and duplicated obligations. Such regulatory friction may confuse compliance efforts, increase administrative burdens, and dilute the effectiveness of both the new framework and the established product‑safety regime.
Concern 3: Unjustified Exclusion of Legitimate Suppliers Based on Geography
The draft risks designating suppliers as “high‑risk” solely on the basis of their country of origin, without adequately considering the actual safeguards, mitigation measures, or track records of those entities. This approach reduces a nuanced, evidence‑based risk assessment to a blunt geopolitical exercise, potentially inflicting unnecessary legal, commercial, and reputational harm on reputable suppliers that pose no systemic threat. It also diverts resources away from genuine vulnerabilities toward superficial nationality alone.
Concern 4: Insufficient Governance Safeguards Before Prohibitive Measures
The proposal grants the European Commission broad discretion to impose a range of actions—from risk‑mitigation requirements to outright prohibitions—without mandating a clear, graduated, evidence‑based process. Notably, it does not require that less‑restrictive measures be attempted and proven inadequate before moving to prohibition. The absence of a defined timeline or rigorous review mechanism raises the risk of premature, disproportionate actions that could disrupt supply chains and stifle innovation.
ACEA’s Recommendation for a More Targeted Scope
To address these shortcomings, ACEA advocates narrowing the framework’s focus. First, entities whose sole activity is manufacturing finished vehicles should be exempt from the new supply‑chain rules; instead, they should remain governed by existing product‑based sectoral instruments that already address cybersecurity at the vehicle level. Second, the framework should adopt an entity‑based approach, targeting only those organisations performing activities listed in the NIS 2 Directive (such as critical ICT service providers), while leaving product‑specific cybersecurity to the current product safety and cybersecurity legislation. Third, the scope should be limited to companies’ core, systemically relevant activities, excluding ancillary or peripheral functions that do not materially affect ICT supply‑chain risk.
ACEA’s Recommendation for a Technically Robust, Risk‑Based Approach
Beyond scope refinement, ACEA stresses the need for a rigorous, evidence‑driven methodology. Before any supplier can be formally labelled high‑risk, competent authorities must verify the actual level of risk and the effectiveness of existing mitigation measures implemented by that supplier. Prohibition should be reserved as a measure of last resort, applied only after mitigation efforts have been demonstrated insufficient, and only after a minimum observation period of 36 months to allow for remediation. Furthermore, the Commission should rely on recognised European standardisation organisations to develop proportionate, risk‑based ICT supply‑chain management measures, ensuring that technical standards keep pace with technological evolution. Finally, continuous involvement of industry experts throughout the risk‑assessment process is essential to preserve technical relevance, avoid blind spots, and foster collaborative solutions that enhance security without compromising competitiveness.
Conclusion: Toward a Balanced, Effective Cybersecurity Regime
The automotive sector’s transformation into a software‑driven, connected domain makes cybersecurity indispensable. While European manufacturers share the ambition behind the Cybersecurity Act’s supply‑chain objectives, the current Trusted ICT Supply Chain framework, as drafted, risks creating market distortions, regulatory redundancy, unjustified supplier exclusions, and insufficient procedural safeguards. By heeding ACEA’s recommendations—limiting the scope to core manufacturing entities and NIS 2‑listed activities, adopting a graduated, evidence‑based risk assessment, and embedding industry expertise and European standardisation into the process—the EU can achieve a cybersecurity regime that strengthens resilience, preserves fair competition, and upholds the safety and trust that consumers demand from modern mobility.

