Cybersecurity Tests Essential for the Automotive Industry

VDA Position Paper on Legal Certainty for Cybersecurity Tests

Sept 18, 2024 – The VDA (German Association of the Automotive Industry) recently published a position paper highlighting the need for legal certainty in cybersecurity tests. As vehicles become increasingly digital and connected, cybersecurity has become a critical concern for automakers. The position paper addresses the complex regulatory landscape surrounding cybersecurity testing and calls for a clearer legal framework so that such tests can be conducted effectively and without legal risk to those performing them.

While the automotive industry is obliged to identify and eliminate cybersecurity gaps in its products through testing, current German law exposes both the specialists commissioned with this task and independent security researchers to the risk of criminal prosecution. The primary goal of the paper is to revise the relevant provisions of German criminal law, in particular the so-called "Hacker Paragraph", so that everyone involved in securing products can work with legal certainty. This applies above all to well-intentioned testers who probe systems in order to identify weaknesses and thereby increase overall resilience.

Continental strives for high product quality, and in a hyper-connected world cybersecurity resilience is a major pillar of that quality. Consequently, we strongly support the VDA position paper's call for an update of the regulatory conditions.

Recommendations from the Automotive Industry

The German automotive industry is calling for an adjustment of the relevant regulations to safeguard product cybersecurity. Commissioned internal and external testers, as well as non-commissioned external security researchers, must be able to carry out intrusive cybersecurity tests such as penetration tests without criminal risk. In return, they must be obliged to report the vulnerabilities they find responsibly and confidentially to the affected companies ("Coordinated Vulnerability Disclosure").

Criteria for Positive and Negative Intention

The position paper identifies several key criteria as evidence of a tester's positive intention: responsible handling of identified vulnerabilities, a contribution to the cybersecurity of the system in question, and a contribution to the protection of manufacturers and users.

Negative intent, on the other hand, would be indicated if a tester seeks unauthorized monetary benefits beyond any publicly offered bug bounty program.

Existing Regulatory Cybersecurity Requirements in German Law

The existing provisions confront manufacturers with the dilemma described above: security testing, and penetration testing in particular, carries a risk of legal uncertainty under the following German provisions:

  • § 202a StGB: Unauthorized access to data
  • § 202b StGB: Unauthorized interception of data
  • § 202c StGB: Preparation of an act under § 202a or § 202b StGB (the "Hacker Paragraph" referred to above)
  • § 303a ff. StGB: Unauthorized alteration of data and, under § 303b StGB, computer sabotage
  • § 23 GeschGehG: Violation of trade secrets
  • §§ 106 to 108b UrhG: Unauthorized reproduction and exploitation of protected works, including circumvention of technical protection measures
