European Commission amends vehicle OBD and repair-information access rules (Delegated Regulation 2026/699)

Vehicle manufacturers must implement the Appendix X procedures for secure, standardised OBD and RMI access (authentication, pseudonymised traceability, API provision, server availability and cybersecurity checks) so that independent operators obtain non‑discriminatory, machine‑readable diagnostic and repair data.

Change
Commission Delegated Regulation (EU) 2026/699, published 3 June 2026, amends Regulation (EU) 2018/858 to require standardised, machine‑readable access to vehicle on‑board diagnostics (OBD) and repair-and-maintenance information (RMI) and to impose detailed authentication, traceability, API, server‑availability and cybersecurity procedures, with entry into force 20 days after publication and phased compliance dates through 23 June 2028.
Why it matters
Creates procedural boundaries for access to vehicle data: manufacturers must publish standardised, machine‑readable RMI and provide information packages and APIs under defined terms and timing, including VIN‑specific API access from 23 June 2027 and staged software‑update operations through 23 June 2028. Diagnostic tools and their manufacturers must meet specified cybersecurity attestations (e.g., TISAX or ISO 27001 when required), support authentication and traceability requirements, and supply access‑related logs; manufacturers can require online connections and limit credential validity for software‑changing operations but may suspend access only under the Appendix’s procedures and subject to approval‑authority review.
Implications
  • Vehicle manufacturers’ type‑approval and compliance teams must publish standardised, machine‑readable RMI packages, maintain required server availability, and provide mandated APIs and software/information by the Regulation’s phased dates — failing to implement the Appendix X procedures removes the basis for the approval authority’s presumption of satisfactory access arrangements.
  • Diagnostic tool manufacturers’ product and security teams must obtain and document compliance with the specified cybersecurity requirements (e.g., TISAX level or ISO 27001) and provide attestation and integration information to vehicle manufacturers — absent such attestations, vehicle manufacturers may refuse to issue access credentials, blocking tool access to OBD/RMI.
  • Independent repairers’ operations and remote service suppliers must hold an accredited CAB approval inspection certificate and authorised‑employee inspection certificates and meet the authorisation criteria (including the mandatory liability insurance amounts) to obtain security‑related RMI access — without those certificates, manufacturers can refuse credentials and deny access.
