acf domain was triggered too early. This is usually an indicator for some code in the plugin or theme running too early. Translations should be loaded at the init action or later. Please see Debugging in WordPress for more information. (This message was added in version 6.7.0.) in /home/ecg/ecgassociationdev/wp-includes/functions.php on line 6121Automotive News Europe — 2026-05-11
Automotive Industry
Software-defined vehicles are exposing automakers to cybersecurity risks that traditional automotive security systems weren’t designed to handle, with a single vulnerability potentially affecting millions of vehicles simultaneously, according to a new report.
As the industry shifts toward SDVs, traditional automotive security, built for mechanical not digital failures, is no longer enough. The SDV model introduces a new layer of risk – one that is “remote, scalable and potentially invisible until it is exploited,” according to an analysis of cybersecurity in the connected vehicle era from Reuters Events.
A single vulnerability could impact millions of vehicles at once, the report said.
According to a March 2026 study by Germany’s Center of Automotive Management with Cisco, cyberattack-related damages to the global automotive sector exceeded $20 billion in 2025, a twentyfold increase since 2022.
Heightened cybersecurity threats targeting connected factories are behind the surge in costs, the report found. Production stoppages resulting from these attacks cost companies tens of millions per day, Stefan Bratzel, the director of CAM, said in the report.
The attack surface of SDVs is growing
Modern SDVs are software-heavy, with about 100 million lines of code, the report said. Every interface, such as WiFi or Bluetooth, represents a possible entry point, expanding the “attack surface” of that vehicle. The risk is growing rapidly and exponentially, according to the report.
The challenge is compounded by vehicle longevity. Cars remain on the road for 15 years or more, but software security measures can become obsolete within months.
At the same time, new types of cyber threats are emerging, such as malicious over-the-air updates from compromised servers, hacked telematics units accessing vehicle controls, and charging stations used as attack entry points.
The industry has already experienced such large-scale disruptions, with Toyota, Honda, Thyssenkrupp Automotive and Bridgestone among those suffering from production downtimes.
In August 2025, a cyberattack brought Jaguar Land Rover’s global production to a standstill for six weeks, halting manufacturing, crippling IT systems and affecting suppliers, contributing to a pretax loss of $386 million in the quarter that ended Dec. 31.
Regulatory gap: Europe structured, U.S. fragmented
An inconsistent regulatory landscape is further complicating issues.
European regulation is relatively structured. UN R155 regulation, adopted under the UNECE World Forum for Harmonization of Vehicle Regulations, requires automakers to implement a certified cybersecurity management system.
And the UN R156 regulation mandates a software update management system. In other words, European automakers need to show that they have identified cybersecurity risks and have processes in place to monitor and respond to those risks throughout a vehicle’s life cycle.
The U.S. has no equivalent. “The question for U.S. policymakers is not whether federal vehicle cybersecurity standards are coming,” the report said. “The question is whether standards arrive before a high-profile, safety-critical breach forces the issue – or after.”
Supply chain vulnerabilities amplify risk
Most cyber incidents start with suppliers, not automakers. Almost 57 percent of all relevant cyberattacks are now directed at suppliers, compared with just 10 percent targeting vehicle makers themselves, according to the Center of Automotive Management study.
The automotive supply chain is highly interconnected, meaning that a single, compromised vendor can affect multiple automakers at once, potentially leading to production system disruptions, customer data breaches and failures in connected-vehicle services.
Plus, automakers lack visibility deep into the supply chain, with critical components, such as battery systems or navigation data, passing through multiple layers, the report said. “A large automaker may have direct relationships with hundreds of Tier 1 suppliers, but limited visibility into the cybersecurity practices of the Tier 2 and Tier 3 vendors those suppliers rely upon.”
Supplier governance varies widely between automakers. Regulations, such as UNECE UN R155, are extending cybersecurity requirements to suppliers in a bid to address this gap.
“The vehicles of the next decade will be defined as much by their software as by their steel,” the report concluded. “The organizations that secure that software – and the relationships, data, and trust that flow through it – will be the ones that earn the right to build the decade after that.”