With coronavirus taking centre stage, it’s worth reminding ourselves of everything else that has been going on behind the scenes. Away from the main headlines, Neil Pattemore highlights the aftermarket issues during 2020 that should have received considerable attention, but perhaps didn’t.
A lot happened last year (and in some cases is still happening) that have had a dramatic impact on the UK aftermarket. We are now at a pivotal point for the future of our sector, and what has happened in the last 12 months, together with what will happen in the next 12 months, will be critically important – even ignoring the impact of COVID-19!
The aftermarket exists to provide consumer choice in relation to where, how, whom and at what cost their vehicle is serviced and repaired. The sector has evolved for well over a century to be the vibrant, innovative and competitive market that we know today. As it stands, maintenance operations on vehicles requires use of a standardised interface (the OBD port) in order to access vehicle generated data. To ensure this is the case, there is legislation that supports these technical requirements, that in turn, allows effective competition within the aftermarket.
However, as I have written about before, vehicle technology – and in particular the access to the in-vehicle data interface – is changing. The main drivers behind these changes are the ability to remotely communicate with the vehicle (telematics for a ‘connected car’) and the cybersecurity risks that this introduces. A lot is happening around these key points which will have a fundamental impact on the sector – so let me explain where we are as a sort of ‘end of term report’ for the last 12 months.
Cybersecurity
Cybersecurity and remote data access are two separate elements that are having a major impact on aftermarket processes. In relation to the first, a new ‘cybersecurity management system’ (CSMS) being developed in Geneva as part of the UNECE (worldwide) vehicle type approval requirements must now be implemented by vehicle manufacturers selling their vehicles in Europe as part of their vehicle type approvals from mid 2022. Subsequently, this must align with the European ‘General Safety Regulation’ that requires all products (including vehicles) to be safe to use. This regulation will not only mandate new vehicle systems that enhance vehicle safety, but will also link to cybersecurity.
The UK Government is already referencing this vehicle type approval legislation and, therefore, it will be used as part of the ongoing UK requirements. The UK is a signatory to the UNECE in Geneva, which means all of this will be part of the UK’s post-Brexit legislation.
The second element is what the legislator will do to address these new requirements and ensure that the aftermarket retains access to this technical information, so that healthy competition within the sector can continue. With this in mind, what has happened over the last 12 months?
Behind the scenes
During this year, the UNECE cybersecurity discussions have reached the stage where a draft document is close to being finalised. This will mandate a vehicle manufacturer to develop a cybersecurity strategy that can be described and demonstrated to a vehicle type approval authority when approving a new vehicle type. This means that the vehicle manufacturer can design whatever it wants as a ‘system administrator’ and ‘gatekeeper’ within a vehicle to minimise the threat to security and submit this as part of its type approval application. Once accepted by the type approval authority, vehicle manufacturers will have a ‘legitimised’ control of who can access a vehicle and under what conditions.
This has created a problem for the European/UK legislator, as the vehicle manufacturers’ cybersecurity strategy could threaten effective competition – a clear conflict with type approval legislation and a major threat to the aftermarket. It is a question of which is more important – vehicle security or competition – or perhaps there is a way to support both?
The timeline
In mid 2019, in an effort to better understand this potential conflict, the European Commission created an expert group of vehicle manufacturers and aftermarket representatives to discuss how new draft legislative requirements could support competition in this new ‘digital’ and ‘cybersecurity’ environment. The group met five times between October 2019 and March 2020, but after much debate amongst the experts, they concluded that legislation was necessary to define the ‘rights and roles’ of whomever has a legitimate need to access a vehicle’s data.
Following on from these expert group discussions, the Commission appointed an external consultancy to assess the various key points and to report back on ‘policy guidance’ for future legislation regarding remote access to vehicle data (in reality, this would need to be ‘the vehicle, its data, information, functions and resources’). To be more specific, access to data as the basis for new in-vehicle (embedded) applications for diagnostic and repair services, which now start remotely in the vehicle. The consultancy has started to discuss with the various stakeholders involved and is due to report back to the Commission by Spring 2021.
In September, the Commission issued a new draft ‘Annex X’ (annex 10) that starts to address some of the outstanding requirements from existing legislation (EU 2018/858) that had yet to be implemented. This proposed a definition of what data/information needs to be made available via the OBD port, however, the wording is already being challenged by the aftermarket associations as being inadequate. The draft Annex also detailed the access to anti-theft functions for repair and maintenance (the ‘SERMI’ scheme), but this also includes new criteria to stop ‘illegitimate business activities’ related to the modification or removal of emission related components (e.g. catalysts, DPFs, EGR valves, etc.). Again, the draft includes text that is being challenged by the aftermarket associations.
In October last year, the Commission launched a public consultation on the renewal of the ‘Block Exemption Regulation’ (BER), as the current legislation expires at the end of May 2023. As this regulation forms the basis of the legislation for the aftermarket’s access to the vehicle manufacturers’ technical information, equipment, parts, training, etc., it is an important issue.
What can we conclude?
2020 was both a busy year and a pivotal one. The industry is at a crossroads and requires the legislator to decide whether the future will be controlled by the vehicle manufacturers, or whether the aftermarket can continue to provide competitive consumer choice. Even if the legislator does support the aftermarket, the future will be very different in terms of how access to vehicle data is controlled via electronic certificates, and, subsequently, the details of what these certificates will allow. Inevitably, whoever controls the certificates will control the market, which means one thing is certain – tomorrow’s aftermarket will be very different from what we see today.