European Legislation for Cybersecurity in Autonomous Vehicles is Sufficient

Abstract
As the use of autonomous vehicles increases, cybersecurity has become a major concern for manufacturers, regulators, and consumers. The potential for hackers to exploit vulnerabilities in the vehicle's software or communication systems is a real threat that needs to be mitigated. In Europe, recent developments suggest that legislation for cybersecurity in autonomous vehicles is sufficient. The European Union has developed a comprehensive framework for the safe deployment of autonomous vehicles, including cybersecurity requirements. Manufacturers need to implement robust cybersecurity measures, and industry-wide standards and guidelines are had to ensure compliance. Employees should also be trained in cybersecurity best practices. With these measures in place, we can ensure the safe and secure deployment of autonomous vehicles in Europe and around the world.

Index Terms— autonomous vehicles, connected vehicle, self-driving cars, cybersecurity, legislation, European legislation.

I.INTRODUCTION

AUTOMOTIVE vehicles have been a topic of discussion and development for decades. With the potential to revolutionize the way we travel and transport goods, these vehicles have the ability to improve road safety, reduce traffic congestion, and decrease carbon emissions. However, as with any new technology, there are risks associated with autonomous vehicles, particularly in terms of cybersecurity.

The European Union has recognized the importance of addressing these concerns and has implemented several pieces of legislation and guidelines to regulate the development and deployment of autonomous vehicles. These measures aim to ensure that autonomous vehicles are safe, secure, and reliable, while also promoting innovation and competitiveness in the automotive industry.

One of the primary concerns with autonomous vehicles is the risk of cyberattacks. As these vehicles rely on complex software systems and communication networks, they are vulnerable to hacking and other forms of cyberattacks. A successful attack could result in serious consequences, such as loss of control over the vehicle, theft of personal data, or even physical harm to passengers or other road users.

To address these risks, the EU has implemented several laws and regulations that require manufacturers to ensure the cybersecurity of their autonomous vehicles. For example, the General Data Protection Regulation (GDPR) requires manufacturers to implement appropriate technical and organizational measures to protect personal data processed by autonomous vehicles. Similarly, the Network and Information Security Directive (NIS Directive) requires operators of essential services, including autonomous vehicles, to take measures to ensure the security of their networks and information systems.

In addition to these laws and regulations, the EU has also developed guidelines and best practices for cybersecurity in autonomous vehicles. For example, the European Union Agency for Cybersecurity (ENISA) has published a set of cybersecurity guidelines for connected and automated vehicles. These guidelines provide recommendations for manufacturers and operators on how to design and operate autonomous vehicles in a way that ensures their cybersecurity.

Overall, it appears that the EU has taken significant steps to address the cybersecurity risks associated with autonomous vehicles. However, it is important to note that this is an evolving field, and new risks and challenges may emerge as technology continues to develop. Therefore, it is crucial for the EU to continue to monitor and adapt its laws and regulations to ensure the safety and security of autonomous vehicles.

II. WORLDWIDE OBSERVATION OF LEGISLATION FOR CYBERSECURITY IN AUTONOMOUS VEHICLES

Autonomous vehicles are an emerging technology that has the potential to revolutionize transportation. However, with the increasing reliance on complex software systems and communication networks, these vehicles are vulnerable to cyberattacks. To address these concerns, several countries have implemented legislation and guidelines to regulate the development and deployment of autonomous vehicles.

Fig. 1. Global map with marked countries, which started to discuss AV legislation on the government level from Dentons, “Global Guide to Autonomous Vehicles 2021” from January 2021

One of the best examples of legislation for autonomous vehicles is the United States' SELF-DRIVE Act. This act was passed in 2017 and aims to promote the development and deployment of autonomous vehicles while ensuring their safety. The SELF DRIVE Act requires manufacturers to submit safety assessments to the National Highway Traffic Safety Administration (NHTSA) and comply with cybersecurity standards.

The SELF DRIVE Act also establishes a framework for federal and state regulations for autonomous vehicles. This framework provides a clear path for manufacturers to follow when developing and deploying autonomous vehicles, reducing confusion and uncertainty.

Another example of legislation for autonomous vehicles is Japan's Basic Act on Automated Driving. This act was passed in 2017 and aims to promote the development and deployment of autonomous vehicles while ensuring their safety and reliability. The Basic Act on Automated Driving requires manufacturers to submit safety assessments to the Ministry of Land, Infrastructure, Transport and Tourism (MLIT) and comply with cybersecurity standards.

The Basic Act on Automated Driving also establishes a framework for liability in the event of an accident involving an autonomous vehicle. This framework provides clarity around liability, reducing uncertainty and promoting the adoption of autonomous vehicles.

China's Ministry of Industry and Information Technology (MIIT) has published guidelines for the development and testing of autonomous vehicles. The guidelines require manufacturers to ensure the cybersecurity of their vehicles and establish a framework for testing and certification.

Canada's Transport Canada has developed a safety framework for autonomous vehicles, which includes cybersecurity requirements. The framework requires manufacturers to submit safety assessments to Transport Canada and comply with cybersecurity standards.

Australia's National Transport Commission (NTC) has developed guidelines for the safe deployment of automated vehicles. The guidelines include cybersecurity requirements and establish a framework for testing and certification.

South Korea's Ministry of Land, Infrastructure and Transport (MOLIT) has established a task force to develop regulations for autonomous vehicles. The task force is working on guidelines for the testing and deployment of autonomous vehicles, including cybersecurity requirements.

In summary, the regulation of autonomous vehicles is a global issue, and many countries around the world are taking steps to ensure their safe and secure deployment. Legislation for cybersecurity in autonomous vehicles is essential to ensure their safety, reliability, and security. The laws and regulations in different countries provide a solid foundation for the safe and secure deployment of autonomous vehicles, but there are still challenges to be addressed, such as harmonization of regulations and clarity around liability.

III. PROBLEMS WITH EUROPEAN LEGISLATION FOR CYBERSECURITY IN AUTONOMOUS VEHICLE

The deployment of autonomous vehicles is a hot topic around the world, and many countries are taking steps to regulate their use. However, the European Union (EU) has been criticized for its slow and fragmented approach to regulating autonomous vehicles, particularly in terms of cybersecurity requirements.

One of the main issues with EU legislation is the lack of harmonization between member states. Each country has its own regulations and standards for autonomous vehicles, which can create confusion and hinder the development of a unified approach. This fragmentation also makes it difficult for manufacturers to comply with different requirements in different markets.

Fig. 2. Photo: Sean Gallup/Getty Images

Another challenge is the lack of clarity around liability. In the event of an accident involving an autonomous vehicle, it is unclear who would be held responsible – the manufacturer, the software developer, or the owner of the vehicle. This uncertainty can create legal and financial risks for all parties involved.
The EU's General Data Protection Regulation (GDPR) has also raised concerns for autonomous vehicle manufacturers. The GDPR requires companies to obtain explicit consent from individuals before collecting and processing their personal data. This can be challenging for autonomous vehicles, which rely on collecting data from sensors and cameras to operate safely.

Furthermore, the EU's cybersecurity regulations for autonomous vehicles have been criticized for being too vague. The regulations require manufacturers to ensure the security of their systems and protect against unauthorized access, but they do not provide specific guidelines or standards for compliance.

Overall, the EU's slow and fragmented approach to regulating autonomous vehicles has created challenges for manufacturers and hindered the development of a unified approach. To ensure the safe and secure deployment of autonomous vehicles in Europe, there needs to be greater harmonization between member states, clarity around liability, and specific guidelines for cybersecurity compliance.

IV. CYBERSECURITY RISKS FOR AUTONOMOUS VEHICLES

As autonomous vehicles become more prevalent, cybersecurity has become a significant concern for manufacturers, regulators, and consumers. The potential for hackers to exploit vulnerabilities in the vehicle's software or communication systems to take control of the vehicle or steal personal data is a real threat that needs to be mitigated.

Fig. 3. Top cybersecurity threats in 2023.

To address these risks, manufacturers need to implement robust cybersecurity measures. This includes using secure coding practices, implementing encryption and authentication protocols, and regularly testing and updating their systems. It is also important for manufacturers to work closely with regulators and cybersecurity experts to develop industry-wide standards and guidelines for cybersecurity compliance.

One of the key challenges facing the industry is the lack of clear regulations around cybersecurity requirements for autonomous vehicles. The European Union has been criticized for its slow and fragmented approach to regulating autonomous vehicles, particularly in terms of cybersecurity. To ensure the safe and secure deployment of autonomous vehicles in Europe, there needs to be greater harmonization between member states, clarity around liability, and specific guidelines for cybersecurity compliance.

Secure coding practices are one of the most effective ways to mitigate cybersecurity risks. This involves designing and developing software with security in mind from the outset. This includes identifying potential vulnerabilities and implementing measures to prevent them from being exploited. Secure coding practices also involve using coding standards that are designed to minimize the risk of vulnerabilities being introduced into the code.

Encryption and authentication protocols are another important aspect of cybersecurity for autonomous vehicles. Encryption is used to protect data that is transmitted between different components of the vehicle, such as between the sensors and the control system. Authentication protocols are used to ensure that only authorized users are able to access the vehicle's systems.
Regular testing and updating of the vehicle's software and systems is also critical for maintaining cybersecurity. This includes conducting regular vulnerability assessments and penetration testing to identify potential vulnerabilities and weaknesses in the system. Manufacturers also need to be proactive in addressing any identified vulnerabilities or weaknesses.

Industry-wide standards and guidelines are needed to ensure that all manufacturers are implementing robust cybersecurity measures. This includes establishing best practices for secure coding, encryption, and authentication protocols, as well as guidelines for regular testing and updating. Regulators also need to play a role in developing these standards and guidelines, as well as enforcing compliance with them.

Finally, it is important for manufacturers to ensure that their employees are trained in cybersecurity best practices. This includes providing training on secure coding practices, encryption and authentication protocols, and regular testing and updating. Employees should also be trained on how to identify potential security threats and how to respond to them.

In conclusion, cybersecurity risks for autonomous vehicles are a significant concern that needs to be addressed by manufacturers, regulators, and consumers. To ensure the safe and secure deployment of autonomous vehicles, manufacturers need to implement robust cybersecurity measures, including using secure coding practices, implementing encryption and authentication protocols, and regularly testing and updating their systems. Industry-wide standards and guidelines are also needed to ensure that all manufacturers are meeting these requirements. With these measures in place, we can ensure the safe and secure deployment of autonomous vehicles in Europe and around the world.

V. CONCLUDES

In Europe, the lack of clear regulations around cybersecurity requirements for autonomous vehicles has been criticized. However, recent developments suggest that European legislation for cybersecurity in autonomous vehicles is sufficient.

Fig. 4. Understanding the EU Cybersecurity Act and Its Effect on Businesses.

Manufacturers need to implement robust cybersecurity measures, including using secure coding practices, implementing encryption and authentication protocols, and regularly testing and updating their systems. Secure coding practices involve designing and developing software with security in mind from the outset.
Encryption is used to protect data that is transmitted between different components of the vehicle, such as between the sensors and the control system. Authentication protocols are used to ensure that only authorized users are able to access the vehicle's systems. Regular testing and updating of the vehicle's software and systems is also critical for maintaining cybersecurity.

Industry-wide standards and guidelines are needed to ensure that all manufacturers are implementing robust cybersecurity measures. This includes establishing best practices for secure coding, encryption, and authentication protocols, as well as guidelines for regular testing and updating. Regulators also need to play a role in developing these standards and guidelines, as well as enforcing compliance with them.

In Europe, recent developments suggest that legislation for cybersecurity in autonomous vehicles is sufficient. The European Union has developed a comprehensive framework for the safe deployment of autonomous vehicles, including cybersecurity requirements. The framework includes guidelines on cybersecurity risk management, incident reporting, and certification requirements. The European Union has also established a European Cybersecurity Competence Center to support the development of cybersecurity expertise and best practices.

The European Union's approach to regulating autonomous vehicles is based on a risk-based approach, which considers the potential risks associated with different levels of automation. This approach ensures that cybersecurity requirements are appropriate for the level of automation and the potential risks associated with it.

To ensure the safe and secure deployment of autonomous vehicles in Europe, there needs to be greater harmonization between member states, clarity around liability, and specific guidelines for cybersecurity compliance. Manufacturers need to work closely with regulators and cybersecurity experts to develop industry-wide standards and guidelines for cybersecurity compliance.

Finally, it is important for manufacturers to ensure that their employees are trained in cybersecurity best practices. This includes providing training on secure coding practices, encryption and authentication protocols, and regular testing and updating. Employees should also be trained on how to identify potential security threats and how to respond to them.

In conclusion, European legislation for cybersecurity in autonomous vehicles is sufficient. Manufacturers have to implement robust cybersecurity measures, including using secure coding practices, implementing encryption and authentication protocols, and regularly testing and updating their systems. Industry-wide standards and guidelines are needed to ensure that all manufacturers are meeting these requirements. With these measures in place, we can ensure the safe and secure deployment of autonomous vehicles in Europe and around the world.

REFERENCES

[1]. European Commission. (2019). Cybersecurity for connected and automated mobility: EU initiative to ensure safe and secure transport.
[2]. European Parliament. (2019). Autonomous driving: EU legal framework.
[3]. European Union Agency for Cybersecurity. (2020). Cybersecurity for connected cars.
[4]. European Union Agency for Cybersecurity. (2020). Baseline security recommendations for IoT in the context of critical information infrastructures.
[5]. Regulation (EU) 2018/858 of the European Parliament and of the Council of 30 May 2018 on the approval and market surveillance of motor vehicles and their trailers, and of systems, components and separate technical units intended for such vehicles, amending Regulations (EC) No 715/2007 and (EC) No 595/2009 and repealing Directive 2007/46/EC.
[6]. Regulation (EU) 2019/2144 of the European Parliament and of the Council of 27 November 2019 on type-approval requirements for motor vehicles and their trailers, and systems, components and separate technical units intended for such vehicles, as regards their general safety and the protection of vehicle occupants and vulnerable road users, amending Regulations (EU) 2018/858 and (EU) 2019/... [to be continued]
[7]. European Commission. (2020). Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions: Shaping Europe's digital future.
[8]. European Commission. (2020). Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions: A European strategy for data.
[9]. European Data Protection Board. (2020). Guidelines 1/2020 on processing personal data in the context of connected vehicles and mobility related applications.
[10]. European Data Protection Supervisor. (2018). Opinion 5/2018 on the Proposal for a Regulation on ENISA, the "EU Cybersecurity Agency," and repealing Regulation (EU) 526/2013, and on Information and Communication Technology cybersecurity certification (''Cybersecurity Act'').
[11]. European Commission. (2021). Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions: A new era for automotive cybersecurity.
[12]. European Union Agency for Cybersecurity. (2021). Good practices for cybersecurity in the automotive sector.
[13]. European Data Protection Board. (2021). Guidelines 01/2021 on Examples regarding Data Breach Notification.
[14]. International Organization for Standardization. (2018). ISO/SAE 21434:2020 Road vehicles – Cybersecurity engineering.
[15]. National Highway Traffic Safety Administration. (2020). Cybersecurity Best Practices for Modern Vehicles.
[16]. Society of Automotive Engineers International. (2016). J3061: Cybersecurity Guidebook for Cyber-Physical Vehicle Systems.