On 13 February 2026, the Network and Information Systems (NIS) Cooperation Group, in cooperation with the European Commission and the European Union Agency for Cybersecurity (ENISA), adopted a coordinated security risk assessment of connected and automated vehicles (CAVs) and their supply chains. The assessment, issued in line with Article 22 of the NIS2 Directive, provides an overview of cybersecurity risks and mitigating measures to address them.

The assessment identifies 107 unique risks associated with CAVs, with 14 classified as top risks. Critical asset groups include vehicle control systems, cloud and backend systems, processing and decision-making systems, and communication and connectivity systems. The assessment highlights that while existing vehicle type-approval regulations address several technical risks, they do not cover all threats, especially concerning vehicles from high-risk suppliers who may be subject to external government or military pressure. In particular, the Group highlights a concern that suppliers could implement hidden hardware or software updates to bypass established controls.

The Cooperation Group recommends that the European Commission identify measures to de-risk supply chains from high-risk suppliers, particularly regarding systems capable of receiving remote updates. Additional recommendations include developing guidelines for the localisation of sensitive non-personal data and conducting further research into the cybersecurity of charging infrastructure and its impact on the energy grid. For Member States, the assessment suggests establishing frameworks to restrict or exclude high-risk suppliers from critical supply chains and increasing information sharing regarding vulnerabilities. It encourages manufacturers to harden cloud infrastructures and improve communication to consumers regarding data processing.
Finally, the assessment advises operators of charging infrastructure to implement risk management measures as set out in Article 21 of the NIS2 Directive. The document remains non-binding and serves as an advisory framework to enhance collective cybersecurity posture within the automotive sector.