Cybersecurity regulations: Are non-compliant cars more vulnerable?

News that Porsche will continue to sell the 718 Boxster, 718 Cayman and Macan in the UK while withdrawing the models from the EU, where a forthcoming cybersecurity regulation will forbid their sale, might please British consumers, but its decision raises questions: what exactly will buyers be missing and will their cars be more vulnerable to theft or hacking as a consequence?

The UNECE WP.29 Cybersecurity regulation has been agreed by the EU and the UN and comes into force across the EU from 1 July. Models that don’t comply with it will no longer be eligible for new registration.

The regulation is concerned with vehicle cybersecurity, and every new car sold in the EU from then on must come with a certificate confirming that it’s protected against 70 vulnerabilities – including cyber attacks – during development, production and post-production.

The difficulty and expense of retrofitting models to satisfy the new regulation means many of them, including the Volkswagen e-Up, as well as the 718 and Macan, have been withdrawn from sale in the EU.

Because fewer cars are produced for right-hand drive markets, by default, most models covered by the regulation will also be withdrawn from sale in countries including the UK, which doesn’t as yet recognise it (although no domestic car maker could afford to ignore it).

However, as Porsche has demonstrated, where continuing to produce these versions is possible, they may continue to be sold. The new regulation arrives at a time when another – General Safety Regulation 2 – recently came into force.

As its name suggests, GSR2, which went live in July 2022, is concerned with vehicle safety and makes at least 20 technologies – including advanced emergency braking, driver drowsiness and attention sensing, and intelligent speed assistance – standard on all new models.