(fra kommisjonsforordningen)

(1) Regulation (EU) 2018/858 requires vehicle manufacturers to provide to independent operators unrestricted, standardised and non-discriminatory access to vehicle on-board diagnostics (OBD) information, diagnostic and other equipment, tools including the complete references, and available downloads, of the applicable software and vehicle repair and maintenance information. 

(2) Article 4(5), point (d), of Regulation (EU) 2019/2144 of the European Parliament and of the Council (the Union cybersecurity rules) provides that the manufacturers are to comply with the applicable requirements on the protection of vehicles against cyberattacks. Technical requirements and testing procedures adopted to that effect reference the requirements of UN Regulation No 155. 

(3) Pursuant to UN Regulation No 155, the technical requirements and testing procedures provided therein are, however, without prejudice to the Union legislation governing the access by authorised parties to the vehicle, its data, functions and resources, and conditions of such access: 

(4) Regulation (EU) 2018/858 precludes a vehicle manufacturer from making access by independent operators to vehicle repair and maintenance information and to OBD information, including write access to that information, subject to conditions other than those laid down therein, such as those motivated by cybersecurity. 

(5) The Union legal framework governing cybersecurity measures to be applied on access to vehicle OBD information is not complete. The Union cybersecurity rules require the manufacturers to protect vehicles against cyberattacks but limit the effect of the technical requirements specifying the applicable measures as regards access to vehicle data. On the other hand, rules on access to vehicle OBD information do not sufficiently take cybersecurity into account. As a result, vehicle manufacturers face important legal constraints preventing them from applying effective measures protecting the vehicle from cyberattacks related to access to vehicle OBD information. 

(6) It is therefore necessary to ensure that car manufacturers are allowed to apply effective and proportionate cybersecurity measures while providing access to OBD information. 

(7) The increase of cybersecurity threats and the related adoption of the Union rules requiring the vehicle manufacturers to protect vehicles against cyberattacks constitute technical and regulatory developments justifying such amendments to Annex X. 

(8) In order to permit the manufacturers to address those threats while maintaining effective access of independent operators to vehicle OBD information, the Regulation (EU) 2018/858 should contain the conditions and procedures that vehicle manufacturers are allowed to apply to ensure secure access to OBD information by independent operators. 

(9) Depending on the nature and the consequences of the access sought, vehicle manufacturers should be allowed to require the manufacturers of diagnostic tools used for access to OBD information to authenticate the tool and the independent operator seeking access or its employee and to ensure traceability by recording and storing the relevant information on such access. They should also be allowed, in specific cases, to require connection to the vehicle manufacturer’s server. 

(10) To protect the equal conditions for competition, the information on the independent operators seeking access to the vehicle OBD information should be pseudonymised. 

(11) In order to enable vehicle manufacturers to manage dependencies, as required under the applicable vehicle cybersecurity rules, they should be allowed to verify that the diagnostic tools and their manufacturers comply with relevant cybersecurity standards and security implementations. 

(12) In case of cybersecurity incidents, serious abuse or incidents involving the vehicle manufacture’s liability, vehicle manufacturers should be able to obtain information on specific cases of access and to temporarily suspend, as appropriate and under the control of the approval authority, access of a tool, and independent operator or its employee. 

(13) Vehicle manufacturers should provide all necessary technical information to the manufacturers of generic diagnostic tools sufficiently in advance of a vehicle being placed on the market to allow those tool manufacturers to provide adequate service to independent repair operators 

(14) In addition to the conditions and procedures for secure access to OBD information, this Regulation should further facilitate access to vehicle OBD information and repair and maintenance information (RMI), taking into account the technical progress. 

(15) The catalogue of information to be made available by vehicle manufacturers should be clarified and updated, notably taking into account the needs related to repair and maintenance of vehicle batteries and new driver assistance systems. 

(16) Whenever vehicle manufacturers, for the purpose of accessing vehicle OBD information, diagnostics, repair and maintenance, monitoring and inspection, enable access to the in-vehicle data stream by other mean than using the serial data port on the standardised connector, the same access and information should be available under non-discriminatory conditions to all independent operators. 

(17) Recognising the role of data publishers in facilitating the vehicle repair and maintenance, the information sharing requirements of the vehicle manufacturers should be further clarified. 

(18) In order to enable independent repairers to reprogram vehicle control units in the same conditions as those available to vehicle manufacturers and authorised repairers, it is necessary to set out additional requirements for manufacturers to make specific software or information available to independent diagnostic tool manufacturers. 

(19) However, complying with these requirements requires the vehicle manufacturers to implement important preparatory measures, therefore the application of these requirements should be deferred to provide for an appropriate lead-time. 

(20) This Regulation applies without prejudice to Regulation (EU) 2016/679 of the European Parliament and of the Council and Directive 2002/58/EC of the European Parliament and of the Council. In particular, the obligations of manufacturers as regards providing access to vehicle OBD information to independent operators under this Regulation are without prejudice to the rights of data subjects and the obligations of vehicle manufacturers, manufacturers of diagnostic tools and independent operators under those acts. 

(21) The European Data Protection Supervisor was consulted in accordance with Article 42(1) of Regulation (EU) 2018/1725 of the European Parliament and of the Council and delivered an opinion on 20 February 2026. 

(22) Regulation (EU) 2018/858 should therefore be amended accordingly,