Our Automotive Cyber Security Predictions for 2025

With 2025 now well underway, the automotive industry faces a year defined by increased regulatory scrutiny, shifting global trade policies, and a growing emphasis on cybersecurity. Last year very much laid the groundwork for these changes, but we predict the months ahead will bring more decisive action.

As we’ve pointed out before when reviewing our predictions for the current year, forecasting the future with any degree of accuracy is no mean feat in automotive, given the industry’s fluidity and ever-changing nature.

Therefore, some Auto predictions we made for 2024 haven’t panned out as we’d expected them to, whereas some have shown signs of progress, albeit they may need more time to come fully to fruition. Other predictions we made, however, have proven to be correct.

Here are the key developments we expect to shape the automotive cyber security industry this year.

1. Regulators start to get tough about WP.29 and Type Approval

Back in June 2020, the United Nations Economic Commission for Europe World Forum for the Harmonisation of Vehicle Regulations Working Party 29 – or UNECE WP.29 – announced that it was adopting some long-awaited UN cybersecurity regulations. Specifically, these regulations refer to connected vehicles, providing automakers with clearly defined performance and audit requirements in four key areas for cars, vans, trucks, and buses.

These areas are:

  • The management of cyber risks for vehicles
  • Security by design during vehicle development to minimize risks along the value chain
  • Intrusion detection and protection for the entire vehicle fleet
  • The provision of secure software updates and the establishment of a legal basis for over-the-air updates

The new guidelines were brought into force in January 2021, and became mandatory for all new vehicle types in the European Union [EU] from July 2022. Then, in July 2024, the regulations were made mandatory for all new vehicles produced from that point onwards.

Despite the regulations having been in place for quite a few months now, UNECE WP.29 has so far given OEMs a fairly easy ride when it comes to proving compliance. That’s not to say that manufacturers haven’t been proactive in doing so.

On the contrary, they have had to submit reams of paperwork as part of the process. Up until this point, however, proving compliance has effectively been an act of self-declaration on the part of OEMs, rather than involving any kind of third-party audit. This, presumably, is because the regulators recognize the hoops that they’re expecting OEMs to jump through to achieve Type Approval, and have therefore elected to take a backseat approach during the initial implementation period.

However, at some point in 2025, once they’ve decided OEMs have had enough time to get used to the guidelines, we anticipate that regulators will start to take a harder line with non-compliant manufacturers.

This may come as a result of heightened pressure on regulators to become more involved in the process, demanding that OEMs are properly audited by a third party, instead of expecting them to self-declare their compliance. For manufacturers, this would be a negative development; after all, paying for a third-party audit would be costly and time consuming for many.

However, it is likely something that we will see regulators increasingly pushing for in the months ahead as WP.29 comes fully into force. In the longer term, this more vigorous enforcement of the regulations would undoubtedly result in some manufacturers incurring hefty fines and other legal action for failing to comply.

While this would be a significant blow for those OEMs who fall afoul, it would certainly give others added incentive to ensure they’ve dotted the ‘I’s and crossed the ‘T’s necessary for securing Type Approval.

2. The West wakes up – and responds – to China’s huge lead in the race for EVs

Over the past 15 years, China has been hard at work preparing itself for the electrification revolution, while much of the rest of the world has continued to fixate over internal combustion engine [ICE] vehicles.

During this time, China has invested in creating a public charging network that is now more than 10 million units-strong, and convinced millions of drivers to embrace EVs by offering attractive subsidies and other incentives. Moreover, the nation has introduced over 100 EV brands to compete with US giant Tesla, with names like BYD and Nio resonating increasingly with Western consumers.

Due to the speed and scale with which China has embraced its electric-led future, it has now surpassed all other countries in the move to EVs. This has provided a strong foundation for its homegrown automakers to continue dominating the market for many years to come, especially on a domestic level. Indeed, in July and August 2024, electric and hybrid vehicles accounted for over half of all automotive sales in China.

It’s increasingly clear, therefore, that China is currently leaving the US trailing in its dust when it comes to EVs. To mitigate this state of affairs, and to protect domestic manufacturers, the White House took the decision to increase tariffs on Chinese electric vehicles to 100% in May 2024, quadrupling the pre-existing tariff of 25%.

However, as the US remains hamstrung by limited supply-chain access, faltering EV infrastructure development, and the inconvenient reality that most Americans still prefer ICE vehicles, it’s uncertain whether this move will have any lasting impact.

The Americans aren’t the only ones running scared from China on EVs though – the Europeans are as well. After all, a surge of lower-cost, Chinese-produced EVs across Europe has seen China’s share of the EU market recently reach eight per cent, rising from just one per cent in 2019. And with forecasters anticipating that China will have captured 15% of the European market by 2025, the EU has battened down the hatches and launched its own salvo of tariffs against Chinese imports.

Not all member states have welcomed the move, however. In a vote held in early October, Germany was among the five EU nations who opposed the introduction of new tariffs. On the surface, this was a puzzling play by the Germans, who are China’s natural adversary when it comes to vehicle production.

On closer inspection, however, it actually makes a lot of sense, given that many of Germany’s leading OEMs are actively engaged in joint ventures with Chinese automakers. By forming these partnerships with China’s premier EV brands, it is the Germans’ hope that they will acquire the know-how necessary for remaining globally competitive.

As such, it’s understandable why they’d oppose sanctions on Chinese imports, not just for fear of losing access to China’s knowledge, but also that Beijing will retaliate with its own tariffs against the EU.

Whether the West cares to admit it or not, the truth is that it remains highly dependent on China for batteries and a whole host of other technologies that are integral to EV production. Western OEMs must abandon the notion that they can simply put up a big wall and keep China behind it; this ‘us vs. them’ mentality won’t cut it anymore.

If they wish to remain competitive, Western automakers must follow Germany’s example and consider what they may stand to gain by working with China, rather than constantly trying to thwart its dominance. With big question marks looming over the effectiveness of tariffs, we expect to see many more Western OEMs wake up to this notion during 2025, seeking to forge their own partnerships with Chinese automakers.

3. As tampering with electric and computer-driven-vehicle software proliferates, cybersecurity becomes an increasingly important focus

In the case of ICE cars, the primary way for determining vehicle health has traditionally been to get a mechanic to perform a diagnostic inspection. This often sees items like tyres, brakes, suspension, steering, lights, and wipers all being checked manually, with the mechanic evaluating the vehicle’s drivability, and taking steps where necessary to improve safety.

However, as connected and electric vehicles continue to become more commonplace on our roads, methods of diagnosing vehicle health are changing, with software playing a much more integral role. For example, a mechanic is not capable of accurately assessing how well a Tesla’s battery has been treated; owners must rely on the vehicle’s software to tell them via the mobile app or while the car is in ‘Service Mode’.

The rationale behind using vehicle computer diagnostics to evaluate health is that doing so can significantly reduce the time required for repairs, and potentially lead to considerable cost savings, thereby enhancing the user experience.

Sadly, the growing reliance on computer-based diagnostics has prompted many unscrupulous people to exploit vulnerabilities in the software. For example, there has been an alarming rise in the use of counterfeit or ‘clone’ versions of software diagnostic tools that have been tampered with, which can provide an inaccurate picture of a vehicle’s health.

This may allow a driver to manipulate their vehicle’s built-in software settings and history to give the impression that they have taken better care of it than they actually have. In essence, this is like how drivers may choose to wind back their odometer to give the perception that their car has done far fewer miles than it actually has, making it easier to sell.

Therefore, the likelihood of purchasing a second-hand connected or electric vehicle, based on the false belief that it is in good working order, is increased considerably. This heightens the risk of insuring such vehicles at a time when insurers are continuing to move away from EVs, or otherwise raising the premiums that users must pay.

Data stored in the vehicle related to battery or component health is fundamental to vehicle safety. If unscrupulous owners are able to modify data to lie about battery health when selling a vehicle, or are motivated to make changes to enable features or squeeze some extra performance, then they risk putting themselves and future owners at risk.

Tools created to “help” drivers in this way may also perform additional unwanted actions, such as harvesting personal or financial data and sending it to the tool’s creators – a pattern that is increasingly common in the malware ecosystem. Cybersecurity measures to protect vehicles and drivers against diagnostic-based attacks are vital.

With more and more drivers finding ways to cheat the system when it comes to vehicle diagnostics, we predict that cybersecurity will become an increasingly important focus for OEMs over the course of 2025. The status quo is frankly unsustainable, and the ability to accurately assess a vehicle’s history will become increasingly hard if people are allowed to exploit systems like this in perpetuity.

As such, new ways of keeping genuine software safe from the scourge of counterfeit diagnostics will likely emerge, giving second-hand car owners and insurers confidence that vehicles are safe and in good working order.

4. Micromobility gets put under the regulatory microscope

Over the course of the past few years, micromobility sales have gone through the roof. According to recent data, the global electric scooter market, for example, was valued at roughly $18.6 billion in 2022, and is anticipated to grow at a compound annual growth rate [CAGR] of 10.7% from 2023 to 2030.

With such vehicles being small, lightweight, easy to use and pollution-free, it is not difficult to understand why they are proving so popular. Not only this, but the micromobility boom is helping to significantly reduce the amount of traffic and congestion on the roads, furthering the environmental advantages of using such vehicles.

Notwithstanding their intended benefits, micromobility vehicles are far from perfect though. In fact, they can actually be very dangerous, with figures showing that, in the UK alone, there were 1,292 reported collisions involving e-scooters during 2023, resulting in 1,387 casualties and six deaths. This is despite the government having enforced a maximum speed limit of 15.5mph for e-scooters throughout their trial period as a safe mode of transport, which has been ongoing since 2020.

While e-scooter manufacturers have taken the steps necessary for limiting the speed of the vehicles that they produce, the reality is that the safety measures are very easy to bypass. Sometimes this is as simple as a software reconfiguration, as different markets have different limits for the same scooter, but even when a physical change is needed, this is often straightforward.

On some models, users can increase the velocity to more than 21mph by disconnecting the speed limiter and removing the screws that keep it in place. What’s more, with some mechanics offering to illegally override e-scooter software to increase top speeds, e-scooter owners don’t need the technical know-how themselves to bypass the restrictions.

Although many people use micromobility vehicles completely legally and responsibly, the number of accidents involving them has grown considerably, not just in the UK, but all across the world. As such, it is our belief that we will see regulators scrutinising the use of these vehicles much more in 2025.

We have already seen murmurings of this during 2024, with calls for further micromobility regulation having been made during an industry consultation led by the World Health Organization [WHO] in February. Among the attendees were representatives from the Parliamentary Advisory Council for Transport Safety [PACTS], a charity that aims to advise the UK government on air, rail, and road safety issues.

The recommendations they made included setting a new maximum possible speed limit of 12.5kph [7.7mph], and a maximum continuous rated motor power of 250 watts. On top of this, PACTS suggested introducing anti-tampering mechanisms, a minimum front wheel size of 12 inches, and a minimum rear wheel size of 10 inches.

Other participants from around the world highlighted regulations that they believed were necessary for micromobility. These included new rules on the import/export of vehicles, ways of separating users from heavy traffic and other vulnerable road users, and the implementation of a Safe System approach for preventing deaths and serious injuries.

As conversations like this – and micromobility-related accidents – become increasingly common, we expect to see regulators get far tougher around the safe use of vehicles like e-scooters. Doing so would limit the capacity for such vehicles to cause serious harm to owners, as well as other road users and pedestrians, while preserving the environmental benefits of embracing micromobility.

5. A harder line is taken on AI and open-source software development

Historically speaking, the automotive industry has been governed by very structured rules for software development. Compliance with key coding standards and guidelines – such as ISO 26262 and MISRA – has long been vital to the automotive software development process.

This is because such rules help ensure not only that the risk of accidents is greatly minimized, but also that each vehicle component performs its intended function correctly and at the right time.

However, the desire for rigorous software testing is in tension with the desire to make use of rapidly evolving open-source software stacks, and to leverage Artificial Intelligence [AI] systems which are notoriously hard to validate.

Many components of software-defined vehicles [SDVs] make use of both, such as autonomous driving and infotainment systems, as well as smart navigation tools, including applications like Apple CarPlay, Android Auto and Google Maps. While these features are designed to enhance the driver experience, making for more seamless and convenient journeys, they also pose several serious concerns with regards to vehicle safety.

With Google Maps, for example, motorists can now press the Waze incident reporting button via their infotainment system screen to report police presence, speed cameras, accidents, and other potential hazards to other app users.

Although this feature aims to improve driving experiences and road safety, the reality is that it inadvertently creates a new hazard of its own – namely, driver distraction. If a user is busy updating the app while driving, their focus on the road is impaired, and the risk of an accident occurring is increased significantly.

Traffic-sign recognition [TSR], meanwhile, is used to reduce travel time, optimise routes, improve fuel efficiency, and promote safety, but this AI-powered technology has the potential to get things spectacularly wrong. For example, TSR systems have been reported to display the wrong speed limit on dual carriageways, or mistake road signs for completely different objects, posing potentially deadly hazards.

On top of this, it was reported in May 2024 that researchers from several Singapore-based universities had found a way to interfere with autonomous vehicles by exploiting their AI systems so that they ignore road signs. This, they said, involves using LEDs to shine patterns of light on road signs so that the vehicle’s self-driving software fails to understand them. Employed by the wrong people, this technique could have devastating implications for road safety.

Open-source software [OSS] brings its own set of risks for vehicle safety and security. For one, OSS is often deemed ‘out of scope’ for Automotive Software Process Improvement and Capability Determination [ASPICE], thus potentially compromising the value of the overall ASPICE compliance.

Furthermore, while OSS has become integral to the development of SDVs, the fact that the source code of software is often placed in the public domain means it can basically be accessed by anyone. While this is generally a good thing – helping to promote innovation and collaboration – it also means that bad actors don’t need to trawl through millions of lines of code to uncover vulnerabilities they can exploit.

Furthermore, open-source code is not always checked as thoroughly as it should be, not being subject to the same rules as traditional software development. As such, this means that the source code may not be performing the function that it’s supposed to, potentially creating new vulnerabilities that are ripe for exploitation.

The fact of the matter is that, when it comes to the use of AI and open-source software, automotive regulators often don’t fully understand what they are signing up for and approving. This is helping the safety and security risks associated with such technology to run rampant, and the situation is set only to worsen significantly if it continues to go unaddressed. With more and more risks emerging around the use of AI software in vehicles, we anticipate that regulators will begin to take a harder line towards its use next year.

This may see new, AI-specific technical requirements for automotive products being implemented into Type Approval frameworks. This would help the industry to move away from the self-regulatory culture that currently surrounds AI software development, with third-party suppliers like Google and Apple currently self-regulating their use of in-car services. While this would add to the level of red tape OEMs must go through to achieve Type Approval, it would prove a significant win in improving safety and security standards for SDVs.

We may see a similarly hard line taken on the use of OSS development, with regulators perhaps taking steps to greatly limit its use, or to ensure that it is not used “as is” without rigorous testing and enhancements to meet automotive-grade standards. This could echo the move against OSS in the US medical industry, with Food & Drug Administration [FDA] Medical Device Cybersecurity Regulations mandating that OEMs have full governance over their Software Bill of Materials [SBOM].

This lists all open-source and third-party components within a device’s codebase, as well as the licenses that govern these components, the versions used in the codebase, and their patch status. This has helped medical OEMs to identify any associated security or license risks much quicker and more easily, so implementing similar requirements for automotive could provide the level of governance that the industry vitally needs.
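As an added illustration (not code from the original post), here is a minimal SBOM governance check of the kind the paragraph above describes: it reads a constructed CycloneDX-style document and flags components whose license falls outside an assumed OEM allowlist or whose patch status is not current. The component names, versions, the allowlist and the "patch-status" property are all invented for the example.

```python
import json

# Constructed, minimal CycloneDX-style SBOM for a hypothetical infotainment ECU image.
# Component names, versions and the "patch-status" property are invented for illustration.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "libfoo-tls", "version": "3.1.2",
     "licenses": [{"license": {"id": "Apache-2.0"}}],
     "properties": [{"name": "patch-status", "value": "current"}]},
    {"type": "library", "name": "libbar-json", "version": "0.9.0",
     "licenses": [{"license": {"id": "GPL-3.0-only"}}],
     "properties": [{"name": "patch-status", "value": "outdated"}]},
    {"type": "library", "name": "vendor-codec", "version": "2.0.0"}
  ]
}
"""

# Licenses the (hypothetical) OEM allows in shipped firmware.
ALLOWED_LICENSES = {"MIT", "BSD-3-Clause", "Apache-2.0"}


def component_licenses(component):
    """Return the set of SPDX license ids declared for a component."""
    ids = set()
    for entry in component.get("licenses", []):
        lic = entry.get("license", {})
        if "id" in lic:
            ids.add(lic["id"])
    return ids


def patch_status(component):
    """Read the constructed 'patch-status' property; a missing value means unknown."""
    for prop in component.get("properties", []):
        if prop.get("name") == "patch-status":
            return prop.get("value", "unknown")
    return "unknown"


def governance_findings(sbom_text):
    """Flag components that violate the license policy or lack a current patch status."""
    sbom = json.loads(sbom_text)
    findings = []
    for comp in sbom.get("components", []):
        ref = f"{comp['name']}@{comp.get('version', '?')}"
        licenses = component_licenses(comp)
        if not licenses:
            findings.append((ref, "license", "no license declared"))
        elif not licenses <= ALLOWED_LICENSES:
            findings.append((ref, "license", f"disallowed: {sorted(licenses - ALLOWED_LICENSES)}"))
        status = patch_status(comp)
        if status != "current":
            findings.append((ref, "patch", f"patch status {status}"))
    return findings


if __name__ == "__main__":
    for ref, kind, detail in governance_findings(SBOM_JSON):
        print(f"{kind:8} {ref}: {detail}")
```

Components with an undeclared license or unknown patch status are reported as well, since a gap in the inventory is itself a governance finding.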
