Automotive cybersecurity is maturing. But not where many think!
- David Abdulmasih
- 2 days ago
- Reading time: 5 min

Insights from an industry-wide survey into cyber technology adoption in automotive.
A few years ago, the question product cyber teams asked was simply: “What should we actually deploy to meet R155 expectations?”
Today, the question has changed, and that shift matters.
Most OEMs and Tier‑1s now have cybersecurity controls in place, but far fewer have clarity on whether they are investing in the right technologies, at the right depth, and for the right reasons. Even fewer have good visibility into what their peers are doing – or struggling with!
That lack of shared market insight is exactly what prompted SBD Automotive to lead a global, pre‑competitive survey on automotive cybersecurity technology adoption, with direct input from OEMs and suppliers. The results offer a grounded view of where the industry is truly progressing, and where expectations and reality are diverging.
But first, a sincere thank you to everyone who shaped and participated in this survey.
Several participants went beyond completing the questionnaire and invested additional time in in‑depth interviews, which added valuable context and practical nuance to the findings. In total, 26 organizations participated, with a balanced split between OEMs and suppliers and broad geographic representation across Europe, North America, Japan/Korea, and China. This level of engagement and willingness to share candid, organization‑level perspectives is what makes the results both credible and genuinely useful to the industry.
Below are the key messages that stood out most clearly.

Foundational security is no longer the debate; it’s the baseline.
The industry has decisively crossed a threshold: secure boot, hardware roots of trust, and secured vehicle‑to‑cloud communications are now hygiene factors.
Across regions and vehicle platforms, these technologies are widely deployed, well understood, and rarely challenged internally anymore. That’s a real achievement. It reflects years of work translating abstract cybersecurity risk into concrete engineering decisions that deliver clear value.
What’s interesting is not that these controls are adopted, but why. They offer predictable ROI, align with regulatory expectations, and scale reasonably well across platforms. In other words, they are controllable investments.
From our perspective, this explains why we now see fewer internal debates about whether to implement these technologies, and far more discussion about how consistently they are deployed across ECUs, suppliers, and vehicle generations.
Diagnostic security remains the most underestimated risk
If there is one area where optimism still outpaces adoption, it is authenticated diagnostics.
UDS 0x27 is broadly implemented and treated as mandatory. UDS 0x29, which enables certificate‑based, authenticated diagnostic access, is not. Despite years of discussion, adoption remains fragmented and heavily skewed toward long-term roadmaps.
This is not because OEMs don’t understand the risk. In projects we’ve supported, diagnostic misuse consistently appears among the highest-impact threat scenarios, especially when connected access, OTA, and remote servicing come into play.
The blockers are structural: legacy tooling, supplier readiness, perceived integration complexity, and legal concerns. As a result, many programs defer the problem instead of addressing it incrementally.
EV charging security has become a strategic concern, not just a compliance one
EV charging security stood out as one of the few areas where technology urgency is being redefined by real‑world incidents, not regulation alone.
ISO 15118 Plug‑and‑Charge is now mainstream in the US and Europe, with hardware‑backed credential storage increasingly treated as non‑negotiable. At the same time, implementation details vary significantly – from PKI choices to certificate lifecycles – and regional differences remain pronounced.
This tells us something important: EV charging security is no longer a niche domain. It sits at the intersection of brand trust, customer experience, infrastructure dependency, and cyber risk.
OEMs that treat it purely as a standards‑compliance exercise risk discovering its weaknesses in the field, not in design reviews.
Digital keys and secondary immobilization are driven by strategy, not cybersecurity maturity
One of the most polarizing findings in the survey was vehicle access technology adoption.
Bluetooth, UWB, NFC, secondary immobilizers: adoption varies widely, even among technologically mature OEMs. The reason is simple: these decisions are governed less by threat models and more by brand positioning, theft patterns, and customer experience strategy.
In practice, I’ve seen highly capable cybersecurity teams overruled, in both directions, by commercial strategy. Some OEMs aggressively adopt smartphone‑centric access models; others intentionally avoid them, citing cost, operational complexity, or unclear insurance benefits.
The key insight is not that one approach is “right,” but that security teams must engage earlier with product strategy conversations if they want influence. Waiting to be consulted “for cyber review” is often too late.
IDS, crypto‑agility, and PQC highlight a hard truth about ROI
Several technologies expected to surge by now have not, and the reasons are instructive.
Intrusion detection systems (IDS) are deployed more often, but many organizations struggle to make the outputs actionable. False positives, difficult to assess and action, dilute perceived value.
Crypto‑agility is gaining traction, yet remains inconsistently implemented. Post‑quantum cryptography is almost universally acknowledged, and almost universally postponed.
The pattern is consistent: technologies with hard‑to‑demonstrate near‑term value are being deprioritized, especially under cost pressure. That doesn’t mean they’re unimportant, but it does mean their business case needs to evolve beyond “future risk.”
A look back, and a look to the future
Looking back over the past 5 years and comparing the results of this 2026 survey with the results of the ACIC survey conducted by SBD in 2021, it’s clear that progress has been made, but there are gaps and new focus areas.

This means, for a vehicle platform launching in the late 2020s:
- Secure boot and TLS are in place, confidently.
- Diagnostics rely on 0x27, with 0x29 pencilled in for a future refresh.
- OTA works, but crypto agility is limited.
- IDS generates alerts, but the ability to act on those alerts is very limited.
- EV charging is secure, but certificate ownership isn’t fully understood beyond launch.
On paper, this platform is “R155‑aligned.” In reality, its long‑term resilience depends on decisions already being deferred.
That gap between compliance and robustness is where many OEMs now operate.
What this means for OEM and Tier‑1 leaders
A few practical implications stand out:
- Benchmarking matters. Without industry perspective, teams risk over‑investing in some areas while under‑addressing others.
- Suppliers play a critical role. Many advanced controls stall not due to OEM resistance, but because suppliers wait for explicit requirements. That dynamic slows progress for everyone.
- Pre‑competitive collaboration pays off. No OEM benefits from solving identical cybersecurity questions in isolation.
That’s precisely why SBD Automotive continues to invest in pre‑competitive cybersecurity research, to replace intuition and rumour with evidence‑based insight the industry can actually act on.
A closing question for the industry
If most automotive cybersecurity investment is now driven by ROI and execution confidence, how many critical risks remain under‑addressed simply because we don’t yet know how peers are solving them?
If you’re an OEM or Tier‑1 wrestling with these trade‑offs, or if you believe pre‑competitive insight deserves a bigger role in product security decisions, I’d welcome the conversation.
“Regulations have shaped cyber technology adoption over the past few years – for better or worse. But from experience working with OEM and supplier teams, one thing is clear: progress accelerates when cybersecurity conversations shift from ‘what might go wrong’ to ‘what actually works in practice’. Shared insights change behaviours faster than regulations.”
David Abdulmasih
Senior Manager - C-AMS
SBD Automotive
To explore how these trends impact your strategy and operations, we invite you to get in touch for a deeper discussion. Email info@sbdautomotive.com to connect with one of our team of experts to discuss your requirements further.




