Last year in autumn, we informed you about the ECJ ruling against FCA Italy (since 2023: Stellantis Europe) and its “Secure Gateway”. Last week, this ruling has also been confirmed by the Regional Court of Cologne in Germany, which asked the ECJ for clarification last year.
Read on to find out if we can be happy about it.

Who will be the last to laugh?

A short intro so that everyone has an idea of what it is about.

What is the Secure Gateway?

The Secure Gateway is an electronic control unit or hardware in the vehicle. Its purpose is to control and protect communication and data exchange between various parts of the vehicle and external devices. In particular, it regulates access to data and information via the OBD interface. In the case of repair and maintenance, the Secure Gateway is important because it is needed to carry out diagnostics, recalibrations and other maintenance and repair work and to clear the fault memory.

However, the Secure Gateway was used to restrict access to the OBD interface for independent repairers: this starts with compulsory registration with Stellantis and logging on to a server specified by Stellantis and extends to a paid subscription to be able to use a diagnostic device that connects to the Stellantis server via the Internet.

Unhindered access for independent repairers confirmed by German Court

In the ECJ’s view, however, this goes way too far: independent repairers have the right to unhindered access to vehicle data that is necessary for the maintenance and repair of vehicles. This judgment has now also been confirmed by the Regional Court of Cologne, which asked the ECJ for clarification last year.

Time to celebrate?

Yes, but only a little. Because there is no reason for excessive celebration.

In itself, such a ruling is suitable to remove the digital obstacles on the way to fair competition between VM networks and independent repairers. Even if the ruling is directed against Stellantis, the established principle that independent repairers have the right to unrestricted access to data applies to all VMs whose vehicles are approved for use on European roads in accordance with the requirements of EU Type Approval Regulations.

However, vehicle manufacturers are lobbying hard in Brussels for a change to relevant regulations in the current Type Approval under the buzzword of cybersecurity.

They are referring to the UN Reg. 155. To summarize it simple, the rapid technological development in the vehicle sector – connectivity and the increasing importance of software – is forcing manufacturers to keep an eye on digital security against unauthorized access in new generations of vehicles. Customers who opt for a technologically advanced (and necessarily connected) car, whose functions, features and equipment are primarily defined by software, must be able to rely on their car being “hacker-proof”. So far, so good.

However, the ECJ has stated that such security requirements and the reference to the UN regulation are no reason to deny independent workshops unrestricted access to data. For the ECJ, the applicable Type Approval Regulation is the basis for the decision.

What we are therefore observing is that vehicle manufacturers are constantly using the cybersecurity argument – currently in the EU Type Approval Regulation – to try and get access restrictions against independent repairers “rubber-stamped”. For the aftermarket associations in Europe, this means demonstrating again and again that such access restrictions are dangerous from a competitive perspective and pose an existential threat to the independent aftermarket.

In the EU election campaign, there is a lot of talk about reducing bureaucracy and better regulation. We agree! A sector-specific legislation would be enormously useful and efficient. After all, it would save not only the associations but also the EU Commission a lot of time and effort if we did not have to discuss the same topic so many times on different occasions, but instead had a solid and reliable set of reference regulations.