Cybersecurity in connected buses: understanding the European regulatory framework
Recent developments in Norway, Denmark, and the United Kingdom have drawn attention to potential cybersecurity vulnerabilities in connected electric buses. Tests conducted by Ruter in Norway highlighted how Over-The-Air (OTA) software updates and connectivity modules could, in theory, provide external access to vehicle systems. Such technology is being implemented in new generation buses: the new Mercedes eIntouro for instance (Daimler Buses enthusiastically stressed in late 2024 as being the “first bus manufacturer in Europe to present a bus that is compatible with over-the-air updates“).
While these findings sparked discussions across several countries and prompted clarifications from the manufacturer (the group involved is the Chinese Yutong, the largest bus manufacturer worldwide), they also underscore the importance of understanding the regulatory structures governing vehicle cybersecurity in the European Union. These may differ from the rules applied in non-EU states such as Norway, although Norway is a contracting party to the 1958 UNECE Agreement, which means it recognizes and can apply UNECE vehicle regulations, including R155 and R156.
What are over-the-air update capabilities?
But first, let’s clarify what we are talking about when discussing over-the-air updates. We’ll borrow Daimler Buses’ own (quite exhaustive) description: “Software updates are transmitted to the vehicle via the mobile network and the system is updated without a workshop visit being required as previously. If an update is available, the fleet manager receives a message and can then release individual vehicles for the update. In all cases, installation only takes place when the vehicle is stationary, the parking brake is applied and drive‑ready state is switched off. No internet connection is required during installation. (…) This means that the software of the control units in the vehicle can always be kept up to date without having to bring the vehicle to the workshop. This reduces the number of workshop visits and improves vehicle availability. The update capability is not limited to necessary security updates. General software updates and changed settings can also be installed in this way quickly and without great expense. And even contactless activation of optional retrofit functions will be possible with over-the-air updates in the future”.
Cybersecurity in connected buses: the GSR2
Back to the regulatory framework. At the EU level, the General Safety Regulation (GSR2, see Regulation 2019/2144) establishes the overarching framework for type-approval of vehicles, including buses. It came into force in 2024. While the regulation itself does not prescribe detailed technical rules for cybersecurity, it mandates that type-approval processes account for these risks and refers to UNECE standards as the technical baseline.
Central to this framework are UNECE Regulation 155 (Cybersecurity Management System, CSMS) and UNECE Regulation 156 (Software Update Management System, SUMS), both listed in Annex 1 of the above-mentioned GSR2.
R155 requires manufacturers to implement a risk-based cybersecurity system that spans the vehicle’s entire lifecycle, encompassing design, production, operation, maintenance, and decommissioning. The regulation explicitly addresses the protection of safety-critical functions, stating: “The technical provisions of the type‑approval policy shall ensure that for vehicles of Categories M and N the type‑approval authority is satisfied that a Cybersecurity Management System has been established which defines processes to verify that the access to the vehicle systems which may affect safety, including the relevant ECUs, cannot be compromised by means of external connectivity.” (R155, Article 7.2.2.2)
This provision frames the expectation that connectivity modules, telematics units, and software update mechanisms must prevent unauthorized access to critical components, including braking, steering, and propulsion, while allowing authorized parties to perform necessary operations such as diagnostics and updates under controlled conditions. It naturally raises a question: is the manufacturer an authorized party, and under what safeguards can they interact with vehicle systems without compromising operational safety?
In this regard, Yutong replied to the Berliner Zeitung that while its vehicles feature data connections for diagnostics and over-the-air software updates, there is no physical connection between the telematics unit (T-Box) and safety-critical systems like steering, propulsion, or braking.
Complementing R155, UNECE Regulation 156 defines the requirements for managing software updates, particularly OTA updates. Updates must be authenticated, traceable, and reversible if necessary, and they must not compromise vehicle type-approval or safety-critical functions. While manufacturers can implement updates to non-critical systems—such as diagnostic tools, interface software, or battery management—critical systems remain isolated from external access unless explicitly authorized under the CSMS.
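The two passages above describe, from different angles, the gate an OTA update has to pass on the vehicle side: the manufacturer's description (installation only when the bus is stationary, the parking brake is applied and drive-ready is off) and the R156 requirements (authenticated, traceable, reversible, and no reach into isolated safety-critical controllers). The following is an added illustration of such a gate written for this article; it is not code from Daimler Buses, Yutong, or any real SUMS implementation. It assumes a symmetric HMAC key as a stand-in for the manufacturer's signing key (a production system would use an asymmetric signature so that the vehicle only holds a public key), an allow-list of ECUs that the CSMS permits to be updated over the air, and constructed ECU names, versions and images.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Optional

# Constructed demo key. It stands in for the manufacturer's signing key; a real
# SUMS would use an asymmetric signature so the vehicle stores only a public key.
DEMO_SIGNING_KEY = b"constructed-demo-key-not-for-production"

# Assumption: only these ECUs are reachable by OTA under the CSMS. Braking,
# steering and propulsion controllers are deliberately absent from the list.
OTA_ELIGIBLE_ECUS = {"bms", "diagnostics", "hmi"}


@dataclass
class VehicleState:
    speed_kmh: float
    parking_brake_applied: bool
    drive_ready: bool

    def safe_to_install(self) -> bool:
        # The stated preconditions: stationary, parking brake on, drive-ready off.
        return self.speed_kmh == 0 and self.parking_brake_applied and not self.drive_ready


@dataclass
class UpdatePackage:
    target_ecu: str
    version: str
    image: bytes
    tag: str  # hex HMAC-SHA256 over target, version and image hash


def _auth_input(target_ecu: str, version: str, image: bytes) -> bytes:
    # Bind target and version to the image so a valid tag cannot be reused
    # for a different controller or presented as a different version.
    return b"\x00".join([target_ecu.encode(), version.encode(), hashlib.sha256(image).digest()])


def sign_package(target_ecu: str, version: str, image: bytes, key: bytes = DEMO_SIGNING_KEY) -> UpdatePackage:
    # Back-end side: authenticate the package before it is offered to the fleet.
    tag = hmac.new(key, _auth_input(target_ecu, version, image), hashlib.sha256).hexdigest()
    return UpdatePackage(target_ecu, version, image, tag)


@dataclass
class Ecu:
    version: str
    image: bytes
    previous: Optional[tuple] = None  # (version, image) retained so the update is reversible


@dataclass
class UpdateManager:
    ecus: dict
    key: bytes = DEMO_SIGNING_KEY
    audit_log: list = field(default_factory=list)  # traceability: every decision is recorded

    def install(self, pkg: UpdatePackage, state: VehicleState) -> str:
        # 1. Authenticity and integrity: reject anything not signed for this exact ECU/version/image.
        expected = hmac.new(self.key, _auth_input(pkg.target_ecu, pkg.version, pkg.image), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, pkg.tag):
            return self._record(pkg, "rejected: authentication failed")
        # 2. Isolation: only CSMS-authorized, OTA-eligible controllers may be touched.
        if pkg.target_ecu not in OTA_ELIGIBLE_ECUS or pkg.target_ecu not in self.ecus:
            return self._record(pkg, "rejected: target ECU not eligible for OTA")
        # 3. Operational safety: defer until the vehicle is in the required state.
        if not state.safe_to_install():
            return self._record(pkg, "deferred: vehicle not in safe state")
        # 4. Apply, keeping the previous image for rollback.
        ecu = self.ecus[pkg.target_ecu]
        ecu.previous = (ecu.version, ecu.image)
        ecu.version, ecu.image = pkg.version, pkg.image
        return self._record(pkg, "installed")

    def rollback(self, ecu_name: str) -> bool:
        ecu = self.ecus.get(ecu_name)
        if ecu is None or ecu.previous is None:
            return False
        rolled_back_from = ecu.version
        ecu.version, ecu.image = ecu.previous
        ecu.previous = None
        self.audit_log.append({"ecu": ecu_name, "version": ecu.version,
                               "result": f"rolled back from {rolled_back_from}"})
        return True

    def _record(self, pkg: UpdatePackage, result: str) -> str:
        self.audit_log.append({"ecu": pkg.target_ecu, "version": pkg.version,
                               "image_sha256": hashlib.sha256(pkg.image).hexdigest(), "result": result})
        return result


def demo() -> list:
    """Walk the gate with constructed inputs and return the resulting audit log."""
    mgr = UpdateManager({"bms": Ecu("1.0", b"bms-v1"), "brake": Ecu("3.2", b"brake-v3")})
    good = sign_package("bms", "1.1", b"bms-v1.1")
    moving = VehicleState(speed_kmh=42.0, parking_brake_applied=False, drive_ready=True)
    parked = VehicleState(speed_kmh=0.0, parking_brake_applied=True, drive_ready=False)
    mgr.install(good, moving)                                          # deferred
    mgr.install(good, parked)                                          # installed
    mgr.install(UpdatePackage("bms", "1.2", b"bms-evil", good.tag), parked)  # rejected: tag mismatch
    mgr.install(sign_package("brake", "3.3", b"brake-v3.3"), parked)  # rejected: not OTA-eligible
    mgr.rollback("bms")                                                # back to 1.0
    return mgr.audit_log


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

Each of the four checks maps to one of the regulatory expectations quoted in the text, and the order matters: authentication is tested before any state is consulted, so an unauthenticated package never influences the ECU, and a signed package for a controller outside the allow-list is refused regardless of vehicle state. The audit log is what a type-approval authority or fleet operator would inspect to trace which image reached which controller and why a package was deferred or refused.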
These regulations form the basis for EU type-approval of connected vehicles, requiring manufacturers to demonstrate that their CSMS and SUMS meet all regulatory requirements.