European Automobile Manufacturers Association

07/08/2026 | Press release | Distributed by Public on 07/08/2026 02:16

Position paper – Proposal for a Cybersecurity Act 2

Position paper - Proposal for a Cybersecurity Act 2

8 July 2026

As vehicles become increasingly connected, software-defined products, cybersecurity has become essential for safety, consumer trust, and the functioning of the mobility ecosystem. European vehicle manufacturers have invested heavily in robust cybersecurity systems and therefore support the overall objective of the Cybersecurity Act to strengthen ICT supply chain security in response to growing digital risks.

However, the proposed Trusted ICT Supply Chain framework raises several important concerns:

  • Uneven playing field: the framework applies only to EU manufacturers, creating a competitive disadvantage and a security gap. Extending it to non-EU manufacturers would be difficult, if not impossible, to verify and enforce, resulting in weaker enforcement and therefore leading to the same outcome.
  • Interference with existing product legislation: vehicle cybersecurity is already comprehensively regulated, and shifting from regulating companies to regulating products could create overlaps and inconsistencies with existing legislation. Additionally, without limitation to companies' core activities, the framework could bring into scope secondary activities that are not systemically relevant from a cybersecurity perspective.
  • Unjustified exclusion of legitimate suppliers: suppliers could effectively be considered high-risk based only on their country of origin, without sufficient consideration of existing safeguards and mitigation measures. This approach risks creating unnecessary legal, commercial, and reputational harm while reducing the assessment to a largely geopolitical exercise, rather than an objective, evidence-based evaluation.
  • Insufficient governance safeguards: The proposal gives the Commission broad discretion to impose measures ranging from risk mitigation requirements to prohibition. It fails to require clear, graduated and evidence-based assessment demonstrating less restrictive measures have failed before imposing prohibition.

ACEA therefore recommends:

  • A more targeted scope:
    • Exempt entities carrying out manufacturing activities: manufacturers should only be regulated through existing product-based sectoral instruments
    • Focus on an entity-based approach (entities carrying out activities listed in NIS 2 Directive), while products should only be regulated by existing legislation on product safety and cybersecurity.
    • Limit the framework to companies' core activities, excluding non-systemically relevant ancillary activities.
  • A technically robust, risk-based approach:
    • Require verification by competent authorities of the effective risk and existing mitigation measures implemented by a supplier, prior to any formal designation as high-risk.
    • Ensure prohibition measures remain last resort, only after mitigation measures have proven insufficient, a minimum of 36 months after their implementation by the supplier.
    • Require that the Commission rely on competent European standardisation organisations to develop risk-proportionate ICT supply chain management measures.
    • Ensure meaningful and continuous industry experts' involvement throughout the risk assessment process.
As vehicles become increasingly connected, software-defined products, cybersecurity has become essential for safety, consumer trust, and the functioning of the mobility ecosystem. European vehicle manufacturers have invested heavily in robust cybersecurity systems and therefore support the overall objective of the Cybersecurity Act to strengthen ICT supply chain security in response to growing digital risks.

Downloads

Copyright notice

Reproduction of the content of this document is not permitted without the prior written consent of ACEA. Whenever reproduction is permitted, ACEA shall be referred to as source of the information. Quoting or referring to this document is permitted provided ACEA is referred to as the source of the information.

Content type Publication
Vehicle types All vehicles
European Automobile Manufacturers Association published this content on July 08, 2026, and is solely responsible for the information contained herein. Distributed via Public Technologies (PUBT), unedited and unaltered, on July 08, 2026 at 08:16 UTC. If you believe the information included in the content is inaccurate or outdated and requires editing or removal, please contact us at [email protected]