Delegated Regulation sets out new guidelines for secure gateways, OBD access and RMI
Delegated Regulation (EU) 2026/699 fundamentally reshapes Annex X to Regulation (EU) 2018/858. This is especially relevant for vehicle manufacturers because in the wake of the secure gateway debate the EU is for the first time setting out in detail which security measures are permissible when accessing OBD information – and where those measures cross the line into unlawful restrictions on access.
Independent operators rely on Article 61 onwards, read together with Annex X to Regulation (EU) 2018/858, to claim unrestricted, standardised and non‑discriminatory access to vehicle OBD information as well as to repair and maintenance information (RMI). At the same time, vehicle manufacturers must protect vehicles against cyber‑attacks and unauthorised digital access. This conflict has so far not been adequately resolved under EU law.
The issue escalated after the ECJ’s judgment in Case C-296/22 concerning Carglass. In the proceedings, independent repairer chains ATU and Carglass were in dispute with car manufacturer FCA Italy over its “secure gateway”, which made access to vehicle data via the OBD interface subject to additional requirements such as registration, a server connection and paid subscriptions. The ECJ stated in this regard: “It follows that conditions to which access to the information referred to in Article 61(1) of Regulation 2018/858 is subject, other than those laid down in that regulation, such as that the diagnostic tool must be connected via internet to a server designated by the manufacturer or that independent operators must register beforehand with the manufacturer, are not permitted under that regulation.” In practice, this ruling has been interpreted to mean that manufacturers are not permitted to implement any security measures at all, such as secure gateway systems, if this makes access for independent market participants even slightly more difficult. For OEMs, that interpretation has created significant legal uncertainty.
The Commission now seeks to resolve this legal uncertainty through the new Delegated Regulation.
Core of the reform: yes to cybersecurity, but only under the new rulebook
The key innovation lies in the new Appendix 4 to Annex X. It sets out the conditions and procedures that vehicle manufacturers may apply when implementing their cybersecurity strategy in relation to access to the vehicle data stream via the OBD port or other on-board access points (greater flexibility is to be allowed for additional remote access options). The Regulation now expressly permits security measures, but only within a narrowly defined scope.
Depending on the type of access, OEMs may in particular require authentication of the diagnostic tool and its manufacturer; where the access involves changes to the vehicle, OEMs may also require authentication of the independent operator and, in certain cases, even of the individual employee.
The OEM may not restrict access beyond the limitations laid down in Appendix 4. Cybersecurity measures must remain necessary and proportionate and may not discriminate against independent operators. For OEMs, the key question is therefore no longer whether security measures are permissible at all, but whether they implement their security plan in line with the Delegated Regulation.
The Delegated Regulation does not provide for a separate transitional period for the new security plan set out in Appendix 4. As a rule, the requirements in Appendix 4 therefore apply from the date the Regulation enters into force on 23 June 2026. The other implementation deadlines are set out in more detail below.
Practical implications: what businesses should be doing now
The new Regulation only resolves the conflict between access and security in the manufacturer’s favour where the security plan complies with the requirements of the new regulatory framework. Any deviations from the Regulation can render the security plan incompatible with Union law.
The issue carries significant economic weight and is under close scrutiny from independent operators, associations, diagnostic tool manufacturers and aftermarket service providers. This makes it highly likely that non‑compliant access restrictions will become the subject of private enforcement. On top of that may come regulatory action by public authorities and consequences under the type‑approval framework, ranging – depending on the case – from supervisory measures and fines through to measures that affect the relevant type‑approval.
OEMs should now promptly benchmark their existing secure‑gateway and other access‑security plans against Appendix 4 and adjust them where necessary. In doing so, they need to bear in mind that the Commission clearly envisages close and structured involvement of diagnostic tool manufacturers. That involvement has to be reflected in organisational and technical arrangements and especially in contractual terms.
In practice, this will usually require amendments to existing agreements with diagnostic tool manufacturers. In parallel, OEMs should review their RMI portal, their data‑package architecture and their API structures.
Our view: Delegated Regulation (EU) 2026/699 does not put an end to the secure gateway debate but simply shifts it. In future, the focus will no longer lie on whether security measures are permissible as such, but on whether the specific security plan stays within the narrow boundaries set by EU law. That is precisely where future disputes will be decided.
Other significant changes
| Points in Annex X | Subject of amendment | Synopsis |
|---|---|---|
| 2.9(a)-(c) | Extended access to the vehicle data stream | Access not only via the standardised OBD port but also via other on-board interfaces and remote systems, provided these are used within the authorised network |
| 2.5.4; 2.5.12; 2.5.13 | Extended RMI content | Further information on ADAS/DCAS, battery diagnostics, battery repair and the safe handling of battery components |
| 2.5.7; 2.5.7(a) | Software updates / variant coding | Information on whether updates or variant coding are required, and how to identify the correct software version or coding |
| 6.1.1 | RMI packages | RMI information packages based on ISO use cases are compliant (see ISO 18541). |
| 6.1.1 | API for certain packages | Data for certain use cases must, where applicable, be made available via an API. |
| 6.4(a) | Software / interfaces for diagnostic tools | Manufacturers must progressively provide software, web services or implementation information to independent diagnostic tool manufacturers. |
| 6.4(b) | Transitional rules / API information | Additional obligations concerning API information, test information and transitional conditions for remote service providers. |
Deadlines at a glance
| Date | Subject | Provision |
|---|---|---|
| 23.06.2026 | Entry into force of the Delegated Regulation | Article 2 |
| 23.09.2026 | API information for activities other than software updates | Annex X, point 6.4(b)(a)(ii) |
| 23.12.2026 | General deadline for providing software, web services and information to independent diagnostic tool manufacturers | Annex X, point 6.4(a), first sentence |
| 23.12.2026 | API information for vehicles with an initial type-approval granted before 6 July 2022 | Annex X, point 6.4(b)(a)(iii) |
| 23.06.2027 | VIN-related information packages to be provided only via API | Annex X, point 6.1.1, sixth subparagraph |
| 23.06.2027 | API for the electronic maintenance record | Annex X, point 6.1.1, seventh subparagraph |
| 23.06.2027 | Software, web services and information for vehicles with an initial type-approval granted between 1 September 2020 and before 6 July 2022 | Annex X, point 6.4(a), second subparagraph, point (i) |
| 23.06.2027 | API information for activities related to software updates | Annex X, point 6.4(b)(a)(i) |
| 23.12.2027 | Information for verifying the update function and hardware interoperability | Annex X, point 6.4(b)(b) |
| 23.06.2028 | Obligations for activities that involve or depend on software updates | Annex X, point 6.4(a), second subparagraph, point (ii) |










