Cybersecurity in the connected and autonomous vehicle supply chain: the EU's ICT Supply Chain Security Toolbox and cyber risk assessment
Published on 17th March 2026
A new EU risk assessment identifies 14 top cybersecurity risks for connected and autonomous vehicles, with implications extending across the entire supply chain
At a glance
- New EU and UK cybersecurity rules for connected vehicles are evolving in parallel, with compliance deadlines approaching.
- Existing type approval frameworks leave material gaps that the new tools are designed, in part, to address.
- Businesses should map supplier dependencies, classify critical components and review contracts against the updated risk landscape.
On 13 February 2026, the European Commission published an ICT Supply Chain Security Toolbox and a cyber risk assessment specific to connected and autonomous vehicles (CAVs). Together, they signal a decisive shift from vehicle-level compliance to ecosystem-level resilience. Original equipment manufacturers (OEMs), autonomous vehicle (AV) stack software developers, software providers and operators should assess what this means for their business.
Cybersecurity as the defining challenge for the CAV supply chain
The new risk assessment, conducted under the revised Network and Information Systems Directive (NIS2) by the NIS Cooperation Group alongside the Commission and the European Union Agency for Cybersecurity (ENISA), sends a clear message: cybersecurity is no longer a compliance formality.
For manufacturers and their supply chains, it is a core business risk, requiring a shift from “Have we made the vehicle compliant?” to “Is our whole CAV ecosystem resilient?”
Of the 107 risks assessed, 14 were rated as top risks. Vehicle control systems and processing and decision-making systems are identified as the most critical, given the potential for attacks to cause accidents and therefore serious physical harm. Connectivity and cloud infrastructure are also flagged as significant exposure points, owing to their outward-facing interfaces and the breadth of access they can provide to a determined attacker.
The principal gap lies in what existing vehicle type approval cannot cover. Frameworks such as UN Regulations R155 and R156, which govern vehicle cybersecurity and software update management, address many vehicle-level risks; they were not built to counter the more sophisticated supply chain threats now facing the sector. Research and real-world incidents have shown that CAVs can be compromised remotely, with consequences ranging from loss of vehicle control to large-scale exposure of sensitive personal data. Type approval processes may be ill-equipped to detect or prevent attacks of this nature.
The sharpest illustration concerns suppliers operating under pressure from foreign governments. Such actors can potentially exploit remote access pathways, including routine software updates, to circumvent vehicle-level controls entirely. The risk assessment acknowledges that these threats remain insufficiently addressed.
The EU tools: what they are and why they matter
Together, the toolbox and the CAV risk assessment provide a practical reference point for managing cyber risk across the entire CAV ecosystem: from vehicle hardware and software to cloud services, connectivity and infrastructure.
The ICT Supply Chain Security Toolbox sets out a structured approach for evaluating and managing ICT supply chain risks. While currently non-binding, it will help stakeholders strengthen supply chain security, in line with the revised Cybersecurity Act proposal presented on 20 January.
The CAV-specific cyber risk assessment analyses the threats and vulnerabilities particular to CAVs and their supporting systems, as part of the EU's coordinated risk assessment process under NIS2. It covers:
- key critical asset groups: vehicle control systems, cloud and backend systems, processing and decision-making systems, and communication and connectivity systems;
- likely threat actors; and
- representative attack scenarios such as compromise of over-the-air (OTA) updates, manipulation of sensor or mapping data, and attacks on fleet management or mobility platforms.
These initiatives are likely to shape what investors, regulators and commercial partners regard as good practice in CAV cybersecurity.
The regulatory context: what's in force and what's coming
The cybersecurity requirements applicable to CAVs and their supply chain are actively evolving, across the EU and UK.
In the EU, for example, businesses need to consider the Cyber Resilience Act, vehicle type approval cybersecurity requirements (compliance with UN Regulations R155 and R156), and NIS2 (which already applies to a number of CAV ecosystem participants, requiring technical, operational and organisational cybersecurity risk management measures).
The recent proposal to revise the Cybersecurity Act adds further momentum, reinforcing ENISA's mandate and laying groundwork for a more cohesive EU-wide approach to ICT supply chain security.
In the UK, the government's call for evidence on the Automated Vehicles Act recently closed (on 5 March). It is shaping secondary legislation governing self-driving vehicle deployment, including cybersecurity. UN Regulations R155 and R156 under the GB type approval scheme have upcoming mandatory compliance dates, and the Cyber Security and Resilience Bill, currently before Parliament, will expand the UK's network and information systems security framework, with implications for certain electric vehicle (EV) charging operators and CAV ICT providers.
Osborne Clarke comment
Businesses across the CAV supply chain should act now. In practical terms, they should:
- Map systems, suppliers and vulnerabilities. Build a clear picture of the components, software, infrastructure and services on which the products depend. Use the risk assessment to identify which appear in the most serious threat scenarios.
- Prioritise critical components and suppliers. Classify components and services as safety-critical, mission-critical or data-critical. Focus due diligence on those categories and reduce dependency on suppliers whose risk profile could increase the likelihood or impact of an incident.
- Assess technical, supply chain and jurisdictional risk. For higher-criticality elements, consider technical robustness (architecture, patching, secure communications, OTA mechanisms), supply chain concentration (single points of failure) and jurisdictional exposure (supplier location, data-access laws, sanctions risk).
- Strengthen contractual protections. Update contracts to include risk-proportionate security requirements, vulnerability disclosure obligations, incident notification, and audit or testing rights calibrated to criticality.
- Plan for supply-chain-originated incidents. Incorporate realistic scenarios into incident response plans, such as a critical vulnerability in a widely used component, a cloud outage affecting fleet control, or the compromise of a mobility application. Agree roles and responsibilities across OEMs, software vendors and operators in advance.