Back to overview
October 2017

ATS Report: Key Legal Issues — Automotive Over-The-Air Updates

The automotive industry faces new challenges for cyber security, safety, privacy, liability/customer experience and regulations. Regulators and standardization bodies are under high pressure to provide adequate control and guidance due to the fast pace of innovation. As of today, specific regulations for OTA updates are uncertain. Instead the situation is confusing as OTA updates are affected by diverse – national and international – regulations depending on various criteria.


  • Legislation increasingly calls for mandatory over-the-air (OTA) software updates for cars.
  • Following U.S. efforts in 2016 to regulate automated and autonomous vehicles, Germany published their own regulations in June 2017. Both parties propose that permanent up-to-date algorithms, localization data and traffic regulations be installed.
  • In addition, several nations have published cyber security policies for connected cars addressing the full lifetime of a vehicle which require continuous remote updates.
  • On the other hand, OTA updates must adhere to other regulations, especially type approval
  • Apart from national legislators, a major international initiative from the UN Task Force on Cyber Security and OTA issues plans to release guidance by the end of 2017, affecting numerous nations.

Main impact for automotive OTA updates:

  • From our work with regulatory bodies, we see that the UN Task Force on Cyber Security and OTA issues has strong influence due to its structure and participants. Even if it will publish a non-binding guidance initially, it is foreseeable that it will turn into some form of national or international regulation at a later date addressing cyber security and type approval for OTA updates.
  • In addition on an international level, the European Union will affect automotive OTA updates with regulations not specific to the automotive industry, like the ''Cybersecurity Act'' and the General Data Protection Directive (GDPR).
  • On a national level, several countries work on implementation of regulations for automated and connected driving which address issues of safety and security by proposing the use of remote updates.

This report gives an overview of current and upcoming regulatory and standardization activities to support parties involved in automotive over-the-air updates. It covers regulatory initiatives from the United Nations, the European Union, Germany, the United Kingdom, the United States of America, and China.

Request the full report here
or stop by at the ATS booth at ELIV (ELectronics In Vehicles) conference to talk with us about OTA security.