What the future holds for cybersecurity in connected vehicles

Geo­loca­tion, driv­ing habits, wear and tear, bat­tery charge, infotain­ment, driver assist­ance fea­ture – a mod­ern car com­prises more than 100 mil­lion lines of code¹, sig­ni­fic­antly more than an air­liner. These soft­ware-laden vehicles oper­ate with hun­dreds of sensors designed to improve driv­ing, com­fort and energy effi­ciency and, more broadly, to con­trib­ute to road safety and infra­struc­ture optimisation.

Far from their ini­tial status as “simple” mech­an­ic­al machines, today’s vehicles are noth­ing less than mobile com­puters. “Vir­tu­ally all com­pon­ents of a mod­ern vehicle pro­duce data. Some data is exclus­ively related to the vehicle, such as engine tem­per­at­ure or revolu­tions per minute, while oth­er data is related to the user,” explains Thomas Le Goff, seni­or lec­turer in digit­al law and reg­u­la­tion at Télé­com Par­is (IP Paris).

This inform­a­tion inev­it­ably cre­ates new vul­ner­ab­il­it­ies in secur­ity terms, wheth­er from the per­spect­ive of cyber­at­tacks, cyber espi­on­age or the pro­tec­tion of per­son­al inform­a­tion. How can we recon­cile the neces­sary shar­ing of data between users and mobil­ity-related ser­vice pro­viders (main­ten­ance, driv­ing assist­ance, enter­tain­ment, etc.) with the con­fid­en­ti­al­ity of this data?

In prac­tice, in Europe, the sec­tor is gov­erned by a patch­work of reg­u­la­tions, includ­ing the Gen­er­al Data Pro­tec­tion Reg­u­la­tion (GDPR), the Cyber Resi­li­ence Act, and the very recent European Uni­on Data Act. This set of stand­ards over­laps with a com­pre­hens­ive body of nation­al and inter­na­tion­al sec­tor­al rules, mak­ing the leg­al land­scape par­tic­u­larly com­plex for the auto­mot­ive industry.

Data gen­er­ated by a vehicle, like that from oth­er con­nec­ted ser­vices or objects, must now be access­ible to users and trans­fer­able to third parties of their choice

“We want to under­stand how the dif­fer­ent texts fit togeth­er in order to elim­in­ate redund­an­cies, sim­pli­fy the scope of applic­a­tion, cla­ri­fy the respons­ib­il­it­ies of each play­er, and lim­it the num­ber of oblig­a­tions to what is strictly neces­sary,” explains Thomas Le Goff, who con­ducts his work with­in the Research Chair on Intel­li­gent Cyber­se­cur­ity for Mobil­ity Sys­tems. “Our work can con­trib­ute to the sim­pli­fic­a­tion of legis­la­tion at the French and European levels,” he emphas­ises. Estab­lished by Télé­com Par­is (IP Par­is) with six major indus­tri­al part­ners (Renault, Thalès, Solent, ZF Group, IRT Sys­temX and Boston Con­sult­ing Group), the Chair aims to help com­pan­ies nav­ig­ate this con­stantly evolving leg­al frame­work, in addi­tion to devel­op­ing new approaches to enhance the secur­ity of con­nec­ted vehicles.

In this rap­idly evolving leg­al frame­work, the Data Act, which came into force in Septem­ber 2025, increases the flow of data between users and busi­nesses (B2C), between busi­nesses (B2B) and between busi­nesses and pub­lic author­it­ies (B2G). The reg­u­la­tion “is designed to empower users, both con­sumers and busi­nesses, by giv­ing them great­er con­trol over the data gen­er­ated by their con­nec­ted products, such as cars or indus­tri­al machines. It lays the found­a­tions for an open, com­pet­it­ive, fair and innov­at­ive European data eco­nomy,” accord­ing to the European Com­mis­sion².

In oth­er words, data gen­er­ated by a vehicle, like that from oth­er con­nec­ted ser­vices or objects, must now be access­ible to users and trans­fer­able to third parties of their choice. “Typ­ic­ally, we could have a GPS or driver assist­ance sys­tem developed by a French com­pany with data hos­ted in France, ensur­ing a high level of sov­er­eignty, where­as cur­rently it is inev­it­ably the man­u­fac­turer who has con­trol over all the data,” explains Thomas Le Goff.

In doing so, how­ever, the reg­u­la­tion cre­ates ten­sion between the drive for open data and secur­ity cri­ter­ia, as com­pan­ies must com­ply with these oblig­a­tions while pro­tect­ing pri­vacy, trade secrets and pro­pri­et­ary tech­no­lo­gies. “This ten­sion is the sub­ject of two theses with­in the Chair: one on the artic­u­la­tion of cyber­se­cur­ity reg­u­la­tions in the auto­mot­ive sec­tor, and the oth­er on tech­nic­al meas­ures to recon­cile the dynam­ics of open­ness and data secur­ity,” says the lawyer.

This raises sev­er­al ques­tions. What degree of indus­tri­al secrecy do we want to pro­tect? What encryp­tion tech­no­logy should be imple­men­ted to share this data securely? How can cyber­se­cur­ity guar­an­tees be integ­rated into all stages of the life cycle of a vehicle that can be on the road for around 15 years? 

One thing is cer­tain, “the pur­pose of the data reg­u­la­tion is not to impose con­straints,” the expert points out. “The aim is to force play­ers who have an eco­nom­ic incent­ive to keep inform­a­tion secret to release it so that oth­er com­pan­ies can cre­ate ser­vices.” The idea is to stim­u­late European com­pet­it­ive­ness by “open­ing up” data from con­nec­ted objects.

By open­ing up the flow of data in this way, the Data Act could poten­tially help to increase digit­al sov­er­eignty by redu­cing stra­tegic depend­en­cies on non-European players. 

It should be remembered that more than 70% of the data³ of European com­pan­ies is stored on clouds that are mainly Amer­ic­an and Chinese. “In cyber­se­cur­ity legis­la­tion and new data reg­u­la­tions, pro­vi­sions require com­pan­ies to pro­tect data from poten­tial access by for­eign powers,” says Thomas Le Goff.

Indeed, like the Cloud Act or FISA in the United States, sev­er­al for­eign jur­is­dic­tions allow access to data hos­ted by their com­pan­ies, even if it is phys­ic­ally stored on European ter­rit­ory. “These extra­ter­rit­ori­al laws fur­ther com­plic­ate the pic­ture. The idea is to loc­ate the data in Europe and put meas­ures in place to pre­vent act­ors sub­ject to for­eign legis­la­tion, such as Amazon or Microsoft, from exfiltrat­ing data…”

In this regard, the Data Act also removes the bar­ri­ers that pre­vi­ously pre­ven­ted easy migra­tion to anoth­er pro­vider. It requires cloud com­put­ing ser­vice pro­viders to guar­an­tee data port­ab­il­ity, allow­ing com­pan­ies to move their data freely and break free from pro­pri­et­ary sys­tems and siloed infra­struc­tures. “But there is no ideal solu­tion,” warns Thomas Le Goff. “Total immunity from extra­ter­rit­ori­al laws, such as the US FISA, is very dif­fi­cult to guar­an­tee in prac­tice. All it takes is for a com­pany to have oper­a­tions in the ter­rit­ory of a third coun­try to risk being required to share data with the author­it­ies of that coun­try, as con­firmed by the recent decision in Canada con­cern­ing OVH­Cloud⁴, which is a French com­pany. We can there­fore only adopt a risk min­im­isa­tion approach, without ever really being able to elim­in­ate risk completely.”

Interview by Célia Chaboud