Why is cybersecurity a critical factor in the automotive/mobility industry in the Basque Country
By Azucena Hernández
September 2025 has become a ‘black month’ for Jaguar-Land Rover, its suppliers and even the British Government, just as the Jaguar brand celebrates its 90th anniversary. The reason: several factories in the United Kingdom have suffered one of the largest cyberattacks ever launched against the automotive industry worldwide… The consequences of this cyberattack? a 100% halt in both production and sales of its vehicles, with estimated daily losses of €80 million. In total, the cyberattack is estimated to have caused €2.3 billion in losses, leading the British government to grant the manufacturer a loan worth €1.8 billion…
After analysing what happened in the United Kingdom, perhaps it is time to reflect on the consequences that a similar cyberattack could have in the Basque Country against an industry in which 300 Basque companies operate, employing 40,000 people and generating an annual turnover of €25 billion… This is enough to realise that a cyberattack similar to the one suffered by Jaguar-Land Rover would jeopardise one of the industrial hubs of the Basque Country. It is therefore essential that all of us who work in this industry are aware of the importance of correctly applying the cybersecurity measures that, since June 2020, have been set out in the European cybersecurity regulations for vehicles: UNECE/R155.
Cybersecurity measures
This European regulation was created with the aim of protecting drivers and passengers from the consequences that a cyberattack can have on a vehicle. However, this regulation also recognised the importance of implementing cybersecurity measures in all processes that affect the life cycle of vehicles and that must be applied by manufacturers, converters, suppliers of products and services in the automotive industry, dealerships and repair shops. In fact, UNECE/R155 stipulated that, in order to sell and manufacture vehicles in Europe, all manufacturers and converters must have their vehicles and their Cybersecurity Management System (CSMS) approved, anticipating the CyberResilience Act or CRA—a regulation that will apply to all manufacturers of IoT devices in Europe from December 2027, and which excludes automotive manufacturers and converters because they have their own cybersecurity regulations.
It is essential that all of us working in this industry are aware of the importance of correctly implementing cybersecurity measures
To ensure that brands could not claim ignorance of how to apply this CSMS, ISO 21434 was created in parallel with the regulations. It sets out the engineering requirements for cybersecurity risk management: concept, product development, production, operation, maintenance and decommissioning, particularly for the electrical and electronic systems incorporated into vehicles.
Therefore, from July 2024, any factory in Europe must have its CSMS approved in order to manufacture cars, lorries, vans, buses, motorhomes, etc. And from 2029, this same obligation will be extended to manufacturers of motorcycles, mopeds and electric bicycles that exceed 25 km/h. Non-European manufacturers and converters should take note, as they will have to comply with the same requirement if they want to sell their vehicles in Europe.
Four years after its publication
Perhaps the most important aspect of the UNECE/R155 regulation is that legislators have always been aware of the importance of implementing cybersecurity measures in vehicle factories. For this reason, the regulation has been implemented quickly—four years after its publication—without any delays in its entry into force.
Therefore, aware of the importance of establishing cybersecurity measures in vehicle factories, as indicated by UNECE/R155, at EUROCYBCAR we have developed a new technology: CATWAM (Cybersecurity Assessment Test for WEBs & Apps for Mobility) which, after running a standardised and automated battery of tests, issues an assessment of the security level of WEB platforms, mobile apps and port scanning for vehicle manufacturers, indicating the possible mitigations that should be implemented, based on all the risks detected and their respective degrees of severity, in accordance with the requirements set out in UNECE/R155… So, once again, EUROCYBCAR has positioned itself as an international benchmark when it comes to improving CyberMobility in the Basque Country and around the world…
This new technology complements EUROCYBCAR’s flagship product: the ESTP modular platform, which allows for the standardised, objective and automated assessment and certification of the ‘real’ level of cybersecurity of a vehicle—car, lorry, bus, van, motorhome, motorbike, electric bicycle, etc.—in accordance with the requirements set out in the UNECE/R155 regulation.
I believe it is necessary for all of us who work in the Basque automotive industry and public institutions to pool our capabilities and expertise—in EUROCYBCAR’s case, cybersecurity applied to mobility—to ensure that our industry is not affected by an attack similar to the one against Jaguar-Land Rover… because the consequences would be disastrous for the economy of many Basque companies… The good news is that we still have time to do our homework and prevent this from happening, but we must not forget that, in order to achieve this, we all – manufacturers, bodybuilders/converters, public institutions, private companies and users – must work together.
Azucena Hernández is the Chief Executive Officer and Founder of EUROCYBCAR and Grupo CYBENTIA.
