For companies in the automotive and mobility industry, cyber security and software updates are becoming increasingly important. Main drivers are particularly new automated/autonomous driving and connectivity functions in modern vehicles.
The term 'cyber security' basically means that a vehicle's electrical and/or electronic components have sufficient protection and resilience against so-called cyber-attacks/threats, i.e., preventing unauthorized persons or systems from accessing the vehicle and/or its data.
The term 'software update' refers to the process of replacing an 'old' software version with a 'newer' software version, e.g., to fix programming errors (often referred to as 'bugs' or 'bugfix'), to improve or remove existing functionalities and/or to add new functionalities. Software updates are typically either transferred to a vehicle via a local data transfer connection such as a cable between the vehicle and a computer (e.g., in a workshop by a service technician) or via so-called over-the-air ("OTA"), i.e., wirelessly via a mobile/radio data transfer connection between the vehicle and a computer (typically the OEM's backend).
UN R155 and UN R156
The UNECE has adopted UN Regulation No. 155 on Cyber Security and Cyber Security Management Systems1 ("UN R155") and UN Regulation No. 156 on Software Updates and Software Updates Management Systems2 ("UN R156"):
UN R155 is aiming at creating a type-approval framework for reducing cyber security risks basically over an entire product life cycle (i.e., in the so-called development phase, production phase and post-production phase) process including the establishment of a so-called cyber security management system ("CSMS").
Pursuant to Paragraph 2.2. of UN R155, the term "cyber security" means "the condition in which road vehicles and their functions are protected from cyber threats to electrical or electronic components".
Pursuant to Paragraph 2.3. of UN R155, CSMS means "a systematic risk-based approach defining organisational processes, responsibilities and governance to treat risk associated with cyber threats to vehicles and protect them from cyber-attacks".
Pursuant to Paragraph 6 of UN R155, an OEM shall obtain a so-called Certificate of Compliance for its CSMS from a competent type-approval authority. A Certificate of Compliance is typically valid up to three years from the date of deliverance. OEMs shall apply for a new or for the extension of the existing Certificate of Compliance in due time before the end of the period of validity. A valid Certificate of Compliance for the CSMS is the main basis for a valid type-approval.
UN R156 is aiming at creating a type-approval framework for vehicle software updates including the establishment of a so-called software update management system ("SUMS").
Pursuant to Paragraph 2.3. of UN R156, the term "software update" means "a package used to upgrade software to a new version including a change of the configuration parameters".
Pursuant to Paragraph 2.5. of UN R156, SUMS means "a systematic approach defining organizational processes and procedures to comply with the requirements for delivery of software updates according to [UN R156]".
In doing so, UN R156 particularly addresses OTA updates. Pursuant to Paragraph 2.9. of UN R156, an OTA update means "any method of making data transfers wirelessly instead of using a cable or other local connection".
Pursuant to Paragraph 6 of UN R156, an OEM shall obtain a so-called Certificate of Compliance for its SUMS from a competent type-approval authority. A Certificate of Compliance is typically valid up to three years from the date of deliverance. OEMs shall apply for a new or for the extension of the existing Certificate of Compliance in due time before the end of the period of validity. A valid Certificate of Compliance for the SUMS is the main basis for a valid type-approval.
While UN R155 and UN R156 primarily establish type-approval requirements towards OEMs in their typical role as the whole vehicle type-approval holder (i.e., expecting that an OEM implements and maintains proper CSMS and SUMS as well as that the OEM applies its CSMS and SUMS to its respective type-approved vehicle types), proper cyber security and software updates will typically also affect supply parts. Hence, most suppliers will also become involved in cyber security and software update considerations. Accordingly, OEMs and suppliers will need to closely co-operate in ensuring cyber security of vehicles and their components.
Moreover – and potentially even more so than in the past –, OEMs will be obligated to monitor their vehicles in the field, detect potential cyber security or software-related risks, and – if necessary – provide software updates to mitigate those risks in due time (e.g., in the form of a voluntary service measures, a recall or the like).
EU lawmakers are expected to implement UN R155 and UN R156 via Regulation (EU) 2018/858 and Regulation (EU) 2019/2144, expected to enter into force in the EU in 2022. In doing so, UN R155 and UN R156 requirements may already become applicable for the type-approval of new vehicle types as early as July 2022 as well as for the sales and first registration of new vehicles from July 2024 onwards.
OTA software updates
In this context, OTA software updates are expected to play an increasingly important role. OTA software updates offer numerous opportunities. In particular, OTA software updates may be a rather convenient way to implement vehicle changes rather swiftly and without the vehicle owners having to visit a workshop. On the other hand, OTA software updates may pose certain new challenges. For example, OEMs should ensure that they avoid creating the incorrect impression that OTA software updates could be some form of a so-called 'hidden recall'. Moreover, OEMs should diligently assess if (prior) authority notification is necessary. Similarly, OTA software updates may require (prior) customer communication and/or approval.
From a practical perspective, OEMs should ensure that OTA software updates can be installed safely and without jeopardizing vehicle conformity. Particularly where vehicles have experienced prior modifications (e.g., through third-party tuning), OEMs should have processes in place that (i) detect such modifications and (ii) ensure adequate consideration.
Lastly, OEMs may gain access to large amount of data – often referred to as so-called 'big data' – when having a connected vehicle with OTA capabilities. Having access to this data can significantly impact an OEM's product monitoring obligations under product safety and product liability law. In particular, in certain cases, OEMs might be obliged to assess and use the available data to properly identify and handle potential product safety aspects (e.g., to identify issues in the field and, if necessary, launch appropriate corrective actions as early as reasonably possible).
Digital Content Directive and Sales of Goods Directive
The Digital Content Directive (EU) 2019/770 on certain aspects concerning contracts for the supply of digital content and digital services ("Digital Content Directive") and the revised Sales of Goods Directive (EU) 2019/771 ("Sales of Goods Directive") may also affect OEMs' obligations to provide regular vehicle software updates. Among others, the Digital Content Directive contains the following provisions:
Art. 8 (2) Digital Content Directive provides the following:
"The trader shall ensure that the consumer is informed of and supplied with updates, including security updates, that are necessary to keep the digital content or digital service in conformity, for the period of time:
- during which the digital content or digital service is to be supplied under the contract, where the contract provides for a continuous supply over a period of time; or
- that the consumer may reasonably expect, given the type and purpose of the digital content or digital service and taking into account the circumstances and nature of the contract, where the contract provides for a single act of supply or a series of individual acts of supply."
Art. 20 Digital Content Directive provides the following:
"Where the trader is liable to the consumer because of any failure to supply the digital content or digital service, or because of a lack of conformity resulting from an act or omission by a person in previous links of the chain of transactions, the trader shall be entitled to pursue remedies against the person or persons liable in the chain of commercial transactions. The person against whom the trader may pursue remedies, and the relevant actions and conditions of exercise, shall be determined by national law."
Similarly, Art. 7 Para. 3 of the Sales of Goods Directive provides the following:
"In the case of goods with digital elements, the seller shall ensure that the consumer is informed of and supplied with updates, including security updates, that are necessary to keep those goods in conformity, for the period of time:
- that the consumer may reasonably expect given the type and purpose of the goods and the digital elements, and taking into account the circumstances and nature of the contract, where the sales contract provides for a single act of supply of the digital content or digital service; or
- indicated in Article 10(2) or (5), as applicable, where the sales contract provides for a continuous supply of the digital content or digital service over a period of time."
Hence, purchase laws do also provide for a general obligation to perform software updates over a certain period of time. Therefore, not only from a type-approval but also from a purchase law perspective, OEMs may have an obligation to update their vehicles. Where OEMs fail to fulfill these obligations, warranty and/or compensation claims may arise.
In Germany, the Digital Content Directive and the Sales of Goods Directive have been implemented through an amendment to the German Civil Code ("BGB"), particularly through a revision of Sec. 327 et seq. as well as Sec. 453 BGB effective 1 January 2022.
1 UN Regulation No 155 on "Uniform provisions concerning the approval of vehicles with regards to cyber security and cyber security management system" of 4 March 2021.
2 UN Regulation No 156 on "Uniform provisions concerning the approval of vehicles with regards to software update and software updates management system" of 4 March 2021.