
Automotive Cybersecurity Trends 2025: 9 impulses for the future of vehicle security in challenging times

If you are reading this, it is likely that you are involved in the broadest sense with cybersecurity in the automotive industry and vehicle development. In this case, it is part of your profession to be able to distinguish the relevant from the irrelevant. This is exactly where looking at trends helps. Trends that show us where the industry is heading and what challenges it is facing. In the following blog post, we take a look at the most important automotive cybersecurity trends for 2025.

Philipp Veronesi

The developments outlined below are based on the countless insights we currently have into very different organizations, projects and processes. If you have completely different experiences and additions, I look forward to an in-depth exchange, e.g. via LinkedIn.

So, here we go with our nine automotive cybersecurity trends for the year 2025 (and probably beyond).

1. Leftovers in vehicle cybersecurity: Moving from firefighting mode to consolidation

It is fair to say that the last few years have brought the automotive and vehicle development industry a lot of work in terms of applied cybersecurity, compliance with regulatory requirements and adherence to industry standards. Nevertheless, not all organizations, processes and workflows have been able to meet all the requirements.

At present, the focus is increasingly on systematically catching up on cybersecurity topics and fields of action in the automotive industry that have not yet been addressed and have not received sufficient resources and attention.

In theory, it is clear that cybersecurity in vehicles, for example, will continue to affect the entire lifecycle of systems and components and cooperation with suppliers and partners for many years to come. In concrete terms, however, individual fields of action such as the end of the lifecycle (decommissioning, end of support, etc.) are still far from being fully defined for concrete handling in practice.

Here, it is essential for both OEMs – who already place far-reaching obligations on their suppliers in their requirements – and suppliers to work out concrete procedures, processes and structures for handling cybersecurity in the advancing lifecycle. Clarifying responsibilities, functions and processes, establishing new working groups, positions and responsibilities – the whole nine yards.

With the specification of UN Regulation No. 155 for all newly registered vehicle types since the middle of last year, the course must now be set to ensure cybersecurity capabilities in a structured manner in the future, for example with regard to continuous cybersecurity activities, incident response management, etc. Forward-looking players are striving to set up processes that will still work smoothly in ten or fifteen years’ time, precisely with a view to the average service life of vehicles.

Specifically, the aim is to ensure that previously only theoretical requirements can be handled seamlessly in practice. Ambiguities must be eliminated, e.g. how different suppliers and manufacturers and their systems/components are to be assessed from a cybersecurity perspective. Processes and structures must be established so that theoretically required and agreed measures are also effective in practice.

As with almost all cybersecurity matters in vehicle development, there has long been a lack of experience, knowledge and, above all, the necessary resources to tackle these challenges in a structured manner.

There is now an opportunity to close these gaps in holistic cybersecurity in the vehicle product lifecycle and to achieve more systematic and meaningful implementation within the company’s own organization and in the interaction between all stakeholders. Not least, of course, as a contribution to the necessary cost reductions, for example by increasing efficiency.

2. Strengthening efficiency in cybersecurity engineering

One of the next major fields of action in vehicle cybersecurity will inevitably have to be the aforementioned increase in efficiency in the design and implementation of security. Similar to the previous point of ‘unresolved’ issues that are now being addressed, it is important in the current situation to make the paths already taken to implement cybersecurity in engineering and management more efficient across the industry. (Also because there are still too few experts in this field worldwide.)

This sounds very general at first; after all, it is about nothing less than ensuring cybersecurity in processes, projects and individual development steps. The current approach is likely to be the same everywhere: Stop letting complexity get out of hand and encourage greater efficiency.

It is no shame to admit that cybersecurity as a new field of activity, not least with ISO/SAE 21434, has brought a great deal of confusion into the processes of vehicle development and the automotive industry. However, it is now important to address a number of issues at a higher level of maturity in order to eliminate, in the long term, the inadequacies, complications or even errors that have arisen due to a lack of experience and best practices or simple ignorance. There is a broad spectrum of what this can mean in the organization, in projects or in processes.

Take the omnipresent TARA method (Threat Analysis and Risk Assessment). It generally needs to become clearer, more comprehensible and more targeted. Of course, more attack scenarios and attack paths can still be constructed in theory – but how much do these findings ultimately contribute to the actual protection of the product?

All measures and activities in the area of cybersecurity must be measured by whether they offer real added value and must no longer be “occupational therapy and job creation measures”. The analysis, definition and design of cybersecurity must no longer be theoretical work; comprehensibility and traceability must be systematically promoted, both internally across departmental and functional boundaries and beyond the boundaries of the organization itself.

Tackling this consistently may also require reassessments: Structures, settings, teams and competence arrangements in the field of cybersecurity need to be rethought. For example, what is perhaps an exciting subject but not (yet) relevant in everyday life?

Current content-related areas and activities, such as crypto-agility or post-quantum, should also be reassessed.

With a focus on sustainability, without getting lost in theoretical discussions or excessive measures, cybersecurity engineering needs to implement targeted and efficient steps that focus on the actual requirements and ensure the right level of efficiency in products, projects and organizations. A key success factor in the future will continue to be the composition of teams, for example in bringing together technical experts with system architects and system engineers who focus more on the big picture of the overall product.

3. The necessities of cybersecurity are catching up with neighboring vehicle industries

In recent years, the automotive industry, including the automotive value chain, has played a pioneering role in terms of regulations, industry standards and the corresponding implementation of automotive cybersecurity. Not least due to the sheer size of the vehicle fleets affected and the resources of the organizations and supply chains behind them.

In the meantime, however, neighboring vehicle industries are also increasingly being challenged by the need to implement cybersecurity.

For example, UN Regulation No. 155 is aimed at trucks, trailers, semi-trailers and special vehicles and will extend its scope to motorcycles from 2029. Or consider the area of agricultural vehicles, some of which are operating automatically in fields today and must also take regulatory cybersecurity requirements into account.

Here we are talking about organizations, processes and ultimately industries that are completely different from automotive. Examples are complex vehicle bodies such as garbage trucks or special vehicles such as ambulances, which go through special supply processes and value creation steps. This value creation is characterized by smaller quantities, completely different development processes and resource options that differ fundamentally from the mass automotive business. Last but not least, awareness of cybersecurity is by no means as strong here as in the automotive environment.

However, in these sectors too, it is important to find answers to how cybersecurity can be integrated into processes and products in a regulatory-compliant manner under completely different conditions and usually with very specific processes. At present, there is an immense need to catch up in order to reach the level of cybersecurity maturity of the colleagues in the automotive industry.

Companies, organizations, teams and developers see it as their duty – also in cooperation with institutions, auditors and neutral bodies – to find answers as to how cybersecurity can be sufficiently and properly integrated into processes without making the core business impossible. This represents an essential challenge in some cases, especially when the tension between the implementation of cybersecurity and efficiency in the core business is so great that, in case of doubt, the feasibility as a whole must be questioned.

4. Security of vehicle-related data as a new quality dimension

Pretty much everyone interested in automotive cybersecurity will have followed the disclosures made by the Chaos Computer Club between Christmas and New Year. The “misconfiguration” uncovered at the Volkswagen Group, with external access to vehicle movement data from hundreds of thousands of vehicles, shows how real cyber risks in relation to the vehicle are nowadays.

The ongoing development towards the Software Defined Vehicle is accompanied by numerous changes in the vehicle that require a radical reorganization across the industry with regard to the security of information, data and communication flows.

The car is no longer just a physical means of transportation. In the modern complexity of data and information flows, especially taking into account the entire backend infrastructures and connectivity options behind it, it is increasingly developing into a completely new type of attack surface. In particular, the entire handling of data and PII, its generation, use and storage, must be consistently understood as a crucial security issue.

Everything that can be connected to the vehicle must be systematically and holistically assessed in terms of vulnerability and security risks. The increasing connectivity of the vehicle, particularly with regard to vehicle-to-everything (V2X), mobile data flows and internet connections, should prompt those responsible to think about cybersecurity in an interlinked way at every point.

It is also clear that closer integration between automotive and the fields of action of traditional information security and measures from the world of IT security is becoming indispensable. IT security providers are already positioning themselves to secure this new market of growing data and information flows with their solutions. The establishment of so-called Vehicle Security Operations Centers (VSOC), based on the SOCs of the IT world, will also need to be discussed further as part of the overall vehicle security strategy.

However, security cannot be a wildflower meadow where everything can grow as it pleases. Especially in today’s world, effective solutions that are implemented efficiently and in a resource-saving manner are the most important maxim in the automotive industry. Advancing technological developments and cybersecurity that is designed to save resources but functions properly will continue to be a complex task in the future.

5. Growing importance of cybersecurity testing and V&V

Cybersecurity testing and holistic Verification and Validation (V&V) measures have always been a central challenge for the interconnected value chain of vehicle development, especially in the interaction between OEMs and suppliers.

By its very nature, the in-depth testing of security mechanisms, including along the product lifecycle, is more complex than classic system tests.

In recent years, industry players have focused primarily on being able to carry out penetration testing internally or externally – the actual verification of the correct implementation of requirements has been largely neglected. There is a complex backlog demand here that goes beyond pure testing.

The need to implement efficient V&V strategies and a systematic evaluation of automotive cybersecurity is beyond question. Although ISO/SAE 21434 has included the topic, it has not yet provided the industry with a framework that fundamentally clarifies all questions relating to competencies, processes and specific measures in the area of Verification and Validation (V&V). (There is often even a lack of understanding that a V&V concept encompasses more than just penetration testing.)

This field of action, which will receive additional guidance with the forthcoming ISO/SAE TR 8477 technical report, will definitely gain in importance. Simply because it is no longer sufficient to test specific mechanisms with selective individual measures and test methods; instead, the quality and resilience of cybersecurity implementations must be tested systematically, as a whole and with an underlying strategy. This is the only way to check whether sustainable cybersecurity is achieving its goals.

More strategy, collaboration and professionalization in testing and V&V are becoming central topics for the entire industry and interaction across organizational boundaries.

6. Advancing and deepening cybersecurity regulations & standards

Anyone who assumes that UN Regulation No. 155 and ISO/SAE 21434 have clarified everything as far as cybersecurity in vehicle development is concerned is mistaken. From a regulatory perspective, it will continue to be essential to maintain an overview of the various sales markets worldwide and to understand when what is relevant and in what form.

In addition to the implementation timelines, it is important to understand the duplication and overlaps in content between the different regulations/legal requirements and standardizations worldwide, as well as the differences in the individual requirements. At the same time, updates with possible changes are imminent.

It will continue to be essential for cybersecurity managers to recognize new necessities at an early stage, ensure their ability to act and adapt structures and processes to the requirements.

For 2025 and beyond, it is worth taking a look at, among other things:

  • NIS 2 Directive of the EU
  • Cyber Resilience Act (CRA)
  • New ISO and SAE standards, such as ISO/SAE PAS 8475 for Cyber Security Assurance Levels (expected in the second half of 2025). (OEMs and suppliers have recognized the need to define more uniform procedures in order to be able to communicate more specifically what is appropriate in cybersecurity engineering. Also with the aim of creating more clarity as to how much security testing and validation is required for a component.)
  • ISO/SAE TR 8477, a planned technical report for the specification of verification and validation (V&V) activities
  • The revised EU Product Liability Act
  • Industry-specific guidelines such as EU Machinery Regulation 2023/1230, ISO/CD 24882 Agricultural Machinery and Tractors – Cybersecurity Engineering, etc.

Although guidelines and standards have different effects on processes in engineering and cybersecurity management, it is still important to know the interfaces and affected process, management and organizational levels in order to avoid black holes and ambiguities in structures and processes.

7. International showdown in cybersecurity regulation

This also includes an international view of the evolving regulatory landscape against the backdrop of serving international markets. What began in the UNECE area of application with UN R155 and ISO/SAE 21434 now has localized counterparts. For the Chinese market, the GB 44495 regulation for vehicle cybersecurity, which was officially published at the end of 2024, should be applied. India has also provided clarity for its market with the AIS189 CSMS and AIS190 SUMS regulations (currently still in draft status).

To some extent, there appears to be a continued trial of strength in the area of cybersecurity regulation for the automotive industry in terms of guidelines and regulatory competence. A one-size-fits-all approach is losing ground to the sovereignty of the respective institutional scopes and country-specific solutions.

In addition, it is now important to keep an eye on further geopolitical developments in various countries and their consequences. Only recently, under the Biden administration, the USA took stricter measures against China and Russia, particularly with regard to components and systems in connected vehicles. Further tightening of countermeasures could follow here. At the same time, the EU is accused of excessive overregulation, while the USA is presumably heading towards further deregulation – these developments could also have an impact on automotive.

Supply chain management will also remain a key area of action from a cybersecurity perspective. Past crises are still having an impact, which is why particular attention must be paid to the resilience of supply chains while at the same time taking care with regard to security requirements.

8. Cost savings, cutbacks and staff reductions

If you take a look at the newspaper, you will see that the entire automotive industry has slowed down over the past year. Industry professionals and market observers agree that this trend will obviously continue to intensify. The industry and the entire supplier value chain associated with it will continue to experience (massive) resource savings.

Extensive cost-cutting programs will be the new normal; staff reductions, budget cuts and the reorganization of teams will be the order of the day. In view of the slump in demand and globally networked value creation processes and projects, no short-term relief is to be expected. On the contrary, it can be assumed that business will become even more difficult, and downstream supply chains will also increasingly feel the effects of delays.

As a consequence, there will be an immense reluctance to further develop and maintain existing plans, projects and directions in almost all areas.

At the same time, a consistent ability to act must be guaranteed in the development of (new) products, particularly with regard to cybersecurity, which must nevertheless take into account the requirements of the market. Specifically, in cybersecurity engineering and management, it can be assumed that simple external outsourcing or new appointments will only be possible to a very limited extent. External consulting mandates are also likely to become more complex, and the cost perspective will continue to be of fundamental importance. In general, assignments will no longer be handled in the same way as they were a few years ago, when the automotive sector recovered after the Covid crisis.

Answers must be found to the massive cost-cutting programs in order to reconcile the continued ability to act with the given cuts, both at the organizational level and in the projects, and in carrying out the measures required from a cybersecurity perspective.

Personal enablement and needs-based skills development can provide leverage here.

9. The courage to embrace change in Automotive as a constant companion

Despite the developments outlined above, the transformation of the entire industry will continue. Be it electromobility, the strengthening of autonomous systems or the advancing digitalization – what OEMs and their suppliers around the world have in store at various stages of development will sooner or later give the industry a new lease of life.

The investments initiated in the development of technologies and innovative further developments of series and platforms will be continued. After all, long development cycles, which even today still take many years from the initial idea to production, are still the rule.

But yes, the industry will (have to) continue to change in parallel.

This includes obligations, such as the modernization of the entire development and production processes, but also opportunities, such as the further development of new business areas and new business models.

Efficiency and cost pressure are currently acting as key drivers of these changes, while at the same time there is a need for innovation. This need to be innovative and remain competitive in the market will give rise to new topics, fields of action and projects.

The players in automotive cybersecurity continue to face the task of positioning security not just as “somehow necessary protection” but as a central quality dimension of the future in the constant balance between security and efficiency. (Especially as it cannot be assumed that cybersecurity threats in the IT and automotive world will decrease, as current trend reports and reports elsewhere should clearly show.)

Today, cybersecurity managers can play a key role by providing the impetus to reconcile the achievement of security with business efficiency. After all, the economically sustainable design of security has always been a well-known requirement. Sometimes more, sometimes less in the foreground.

Probably more in 2025.
