Court Case ECJ ruling Carglass/ATU vs. FCA on secure gateways on the OBD port: an important step forward for Fair Competition in the Automotive Aftermarket
Autopromotec Editorial Staff
On October 5, the European Court of Justice clarified once and for all that vehicle manufacturers cannot hinder or prevent independent operators from accessing data. The latter must be enabled to use the information flow for diagnosis, maintenance and repair of the vehicle
AFCAR welcomes the recent ECJ ruling in the case of CarGlass/ATU vs. FCA. This landmark decision represents a significant step forward for effective competition in the automotive aftermarket industry to the benefit of all European consumers. The ruling vindicates AFCAR’s long-standing call for a level-playing field and equitable access to diagnostic, repair & maintenance information (RMI) and vehicle data. A level-playing field and equitable access are pre-requisites for the competitiveness of Aftermarket services that are provided every day to the consumers and businesses that own the 280 million vehicles on Europe’s roads.
This judgment states unequivocally that vehicle manufacturers cannot impose conditions for access to the OBD other than those specifically foreseen in the Type Approval Regulation 2018/858, and that independent operators must have access to the “full diagnostic data stream” via the OBD port. This covers the reading and writing of data when the vehicle is in stand-still, and the reading when the vehicle is in motion.
Another key aspect of the ECJ judgement is the recognition that the requirement to comply with UNECE Regulation R155 on Cybersecurity (now cross-referenced in the EU General Safety Regulation 2019/2144) may not negate vehicle manufacturers’ RMI obligations under the Type Approval legislation. The Court ruled that adding a secure gateway, with conditions which inhibit legitimate operators’ rights of access, is prohibited.
AFCAR fully supports the clear need for cybersecurity in vehicles and has always supported effective and proportionate protections measures. The creation of the Europe-wide certification ‘SERMI’ scheme for independent operators, enshrined in the Type-Approval Regulation for security (anti-theft)-related RMI, is one approach under consideration by all key stakeholders that may enhance cybersecurity going forward.
The Court has ruled decisively on one key dimension of fair competition in the automotive aftermarket. We call upon the Commission to complete the legal framework and bring forward its proposal on Sector-specific data legislation without delay. In particular this would address the requirement to keep the OBD ports’ data & functions accessible, with provision for balanced requirements that the manufacturers can implement in order to prevent interference with safety/security-critical functions of the vehicle. This would protect the interests of legitimate operators, by ensuring effective access, while allowing manufacturers to fulfil their obligation to maintain vehicle safety and security.
The ECJ case only addressed repair and maintenance use cases. Sector-specific legislation must enable innovation and service development in the wider mobility and automotive services market. The opportunities of the digital & green transition can be best served by ensuring that all market players get equitable and secure access to in-vehicle data, functions & resources in the proposed legislation.
This judgment states unequivocally that vehicle manufacturers cannot impose conditions for access to the OBD other than those specifically foreseen in the Type Approval Regulation 2018/858, and that independent operators must have access to the “full diagnostic data stream” via the OBD port. This covers the reading and writing of data when the vehicle is in stand-still, and the reading when the vehicle is in motion.
Another key aspect of the ECJ judgement is the recognition that the requirement to comply with UNECE Regulation R155 on Cybersecurity (now cross-referenced in the EU General Safety Regulation 2019/2144) may not negate vehicle manufacturers’ RMI obligations under the Type Approval legislation. The Court ruled that adding a secure gateway, with conditions which inhibit legitimate operators’ rights of access, is prohibited.
AFCAR fully supports the clear need for cybersecurity in vehicles and has always supported effective and proportionate protections measures. The creation of the Europe-wide certification ‘SERMI’ scheme for independent operators, enshrined in the Type-Approval Regulation for security (anti-theft)-related RMI, is one approach under consideration by all key stakeholders that may enhance cybersecurity going forward.
The Court has ruled decisively on one key dimension of fair competition in the automotive aftermarket. We call upon the Commission to complete the legal framework and bring forward its proposal on Sector-specific data legislation without delay. In particular this would address the requirement to keep the OBD ports’ data & functions accessible, with provision for balanced requirements that the manufacturers can implement in order to prevent interference with safety/security-critical functions of the vehicle. This would protect the interests of legitimate operators, by ensuring effective access, while allowing manufacturers to fulfil their obligation to maintain vehicle safety and security.
The ECJ case only addressed repair and maintenance use cases. Sector-specific legislation must enable innovation and service development in the wider mobility and automotive services market. The opportunities of the digital & green transition can be best served by ensuring that all market players get equitable and secure access to in-vehicle data, functions & resources in the proposed legislation.
For more information, read the European Court of Justice (Eighth Chamber) ruling here, regarding Case C-296/22 opposing ATU and Carglass to FCA Italy.