With attention to connected car cybersecuity issues increasing globally, the European Union Agency for Network and Information Security (ENISA) is leading the EU’s first bloc-wide initiative to identify cybersecurity rules of the road for connected cars. On July 13, ENISA announced a study aimed at creating a comprehensive list of cybersecurity policies, tools, standards, and measures to enhance security in next-generation automobiles. ENISA will include interviews with relevant stakeholders like car manufacturers and Tier 1 and 2 suppliers and solicit feedback on its findings at an open workshop October 10 in Munich, Germany. The study will also be reviewed by members of ENISA’s CaRSEC Expert Group, a collection of government, private, and public-sector experts knowledgeable about cybersecurity as it relates to car manufacturing, vehicular hardware and software, road standards, and car security. At the end of the study, ENISA will provide recommendations on how to enhance smart car security for EU consumers.
ENISA’s cybersecurity recommendations will join a growing list of European proposals focused on smart car data. Initially, member state initiatives focused on protecting consumer privacy in connected cars. For example, both France and Germany have proposed parameters for how to collect and use data derived from smart vehicles. But in the last year, EU efforts have shifted to more broadly focus on not just privacy but also security and technical standards as public concerns about car safety have grown. In December 2015, a multi-stakeholder group called “C-ITS Working Group 6” published a report identifying guiding principles for connected car data sharing platforms and potential technical solutions to ensure conformity with EU regulations and strong data protection.
The EU’s broader connected device initiatives will also likely impact ENISA’s findings. In October 2015, the Alliance for Internet of Things Innovation Working Group 4 issued a report recommending the development of privacy assessment methodologies and information sharing for connected devices, including cars, that could impact connected car privacy by design. And earlier this month, the European Parliament passed the Network and Information Security (NIS) Directive, which imposes data breach reporting obligations, cyber security standards, and audits on ITS-related infrastructure, including connected cars.