Connected Vehicles: emerging business models and their key legal aspects
In the mid‑90s, Elastica captured a restless cultural moment with Connection—a song pulsing with the irresistible pull toward something new. Thirty years later, automotive and transportation companies are chasing the same energy through the rise of connected vehicles and new AI enabled features. Connected vehicles are becoming software-defined, sensor‑rich, and permanently online. This evolution expands both legal exposure across sectors and legal frameworks that were traditionally unfamiliar for the automotive and transportation industry: (i) telecoms licensing and cross‑border connectivity, (ii) data protection and data-sharing (e.g. with insurers/ad-tech), (iii) cybersecurity and safe Over-The-Air (OTA) governance, (iv) product liability for automated/ Advanced Driver Assistance Systems (ADAS) features, (v) eCall obligations amid 2G/3G mobile network sunsets, (vi) national‑security supply‑chain controls, and (vii) IP disputes, just to name a few.
In this new issue of At a Crossroads, our Automotive & Transportation Industry Group distils the main emerging business models and integrates recent legal developments to ground the advice in reality.
1) Connectivity as a Regulated Service: Licensing, Models & Cross‑Border Operation
Connected car stacks (machine-to-machine (M2M)/eSIM, Wi‑Fi hotspots, voice/SMS, infotainment, OTA) can trigger a number of communications law-related obligations, including regulatory authorisations/licenses, the need for regular filings, lawful‑interception, readiness to respond to law enforcement agencies’ order for the disclosure of in-vehicle generated data, SIM/KYC rules, and open‑internet transparency—especially in the EMEA and APAC.
The business model adopted by each automotive and transportation company determines where the regulatory liability lies, i.e. who will be responsible for complying with these communications law-related obligations. The main emerging business models can be grouped in three categories:
- Reseller: The automotive and transportation company resells connectivity procured from a connectivity supplier (e.g. a mobile network operator or mobile virtual network operator) to the user of the vehicle. In this model, the automotive and transportation company will be likely to be considered the entity responsible for complying with the communications law related obligations. Often under this model, the automotive and transportation company decides to isolate the communications law-related liability from the rest of the main business by creating a separate entity that will hold all the relevant regulatory authorisations/licenses and will be responsible to the competent communications and law enforcement agencies for complying with licensing/authorisation, regular reporting requirements and ad hoc requests for lawful interception orders. The advantage of this business model is that the automotive and transportation company retains full control of the user’s connected experience and in-vehicle data transfers.
- Agency: The automotive and transportation company acts as agent of, and outsources all regulatory liability to, the connectivity supplier. In this model, the automotive and transportation company would still retain full control of the user’s connected experience by interfacing with the user with regard to all contractual terms including the provision of connectivity, but there is added contractual complexity arising from having to embed the connectivity supplier’s (as the principal) terms and conditions for the provision of connectivity into the terms and conditions of the automotive and transportation company (as the agent). However, the advantage of this model is that all communications law-related obligations and related liability stay with the connectivity supplier.
- B2B2C: Finally, there is a third model which creates through legal construct a clear separation between, on one hand, the relationship between the automotive and transportation company and the connectivity supplier (B2B), and, on the other hand, between the automotive and transportation company and the user of the connected vehicle (B2C). The legal construct is anchored on a legal interpretation of the private use of connectivity (similar to a corporate network). In this model, all regulatory liability stays with the connectivity supplier while the automotive and transportation company retains full control of the user’s connected experience without becoming a telecom provider itself. B2B2C can therefore provide a perfect trade off. However, this legal interpretation is untested by the courts to date. A prudent approach would be to foresee agency clauses in contractual documentation as a possible fall-back option.
Of course, to ensure that connectivity is possible across different countries, cross‑border continuity must be ensured through international roaming agreements, which are largely standardized although subject to commercial negotiations. In addition, the EU coordinates 5G corridors(for example, Europe’s first cross-border 5G highway corridor linking Metz, France with Saarbrücken, Germany is anticipated to be completed by late 2027), C‑ITS pilots, and standards to keep vehicles connected as they roam between Member States—implicating privacy, liability, and spectrum.
2) Data Protection, Portability & Retention: Treating Vehicle Telemetry as Personal Data
Modern vehicles capture precise location, driver behaviour, biometrics, cabin signals, and pedestrian data—most of which is personal data under data protection laws, such as GDPR. Automotive and transportation companies must ensure lawful bases, clear notices/consent, minimisation, portability, and retention limits. The European Data Protection Board’s guidelines make clear that Vehicle Identification Numbers should be treated as personal data in the vehicle context. Therefore, automotive and transportation companies are often taking a conservative stance in design and contracts, particularly in those jurisdictions with more developed class or individual action litigation systems.
Relatively recent litigation examples illustrate the need for certain practical must‑haves for automotive and transportation companies to mitigate the potential risk of litigation: comprehensive data maps, layered in‑vehicle/in‑app notices, granular opt‑ins (and where required by applicable state laws, compliant do not sale/share/target, withdrawal of consent and limit or opt-out of processing of sensitive personal data), robust data protection agreements that reflect processor and/or controller relationships and meet the requirements of different jurisdictional privacy regimes, portability APIs, and realistic retention schedules with defensible deletion.
In addition to personal data protection, the EU has recently introduced a new regulation (directly applicable in all EU Member States) on non-personal data created by connected products. The EU Data Act, which came into effect on 11 January 2024, with most obligations entering into force from 12 September 2025, grants users’ greater control over vehicle-generated data. Vehicle users have acquired the right to access, reuse and share certain data generated by connected vehicles. Additionally, third parties authorised by users may request direct access to the data from the data holder (e.g. the automotive and transportation company). However, there are certain limitations, such the protection of trade secrets and competition (i.e. you cannot reuse the data to create a me-too product).
The European Commission has published guidance relating to EU Data Act’s data sharing obligations specifically in the automotive industry. This guidance sets out an extensive list of data generated from the use of connected vehicles and related services that are intended to be in and out of scope of the regulation.
Examples of in-scope data include (amongst many others):
- Vehicle speed and acceleration;
- Battery level;
- Sensor signals (e.g. the wheel speed, tyre pressure, brake pressure and steering wheel angle); and
- Raw image data.
Examples of out-of-scope data include (amongst others):
- Analysis of crash severity;
- Certain advances driver-assistance systems data; and
- Data generated by dynamic rerouting and optimal route planning algorithms.
Automotive and transportation companies will need to assess whether their internal systems enable data to be retrievable, and update their terms of use to reflect data portability rights, otherwise they risk being challenged for non-compliance with the EU Data Act. They will also need to consider how to reconcile preservation of their technological assets with the new access rights.
3) Cybersecurity & Safe OTA: From Paper to Practice
For type approval in many markets, automotive and transportation companies must operate a Cybersecurity Management System (CSMS) and a Software Update Management System (SUMS)—covering secure development, firmware signing, SBOMs, vulnerability management, incident response, and safe OTA rollback. The EU’s General Safety Regulation (2019/2144) embeds cybersecurity and event data recording requirements that now apply to new vehicle types and, progressively, to all new sales. However, the practical application is far from straightforward as old and recent examples regarding defects in the infotainment system which made certain vehicles vulnerable to hacking illustrate.
Industry reality is complex: no single framework covers all threat vectors. Regulators rely on UNECE R155/R156 (for cybersecurity and software updates, respectively), while industry applies ISO/SAE 21434 (for engineering security) and ISO 24089 (for managing software updates), but supplier enforcement remains contractual as automotive and transportation companies must ensure their entire supply chain is compliant. This puts a premium on audits and hard security Service Level Agreements.
4) Automated Features & Product Liability: Align Capability, User Experience, and Marketing
Courts and juries now scrutinise human‑machine interfaces, driver monitoring, geofencing/Operational Design Domain (ODD) limits, and marketing claims for ADAS Level 2 (partial automation) and Level 3 (conditional automation) features.
Recent examples of litigation regarding alleged misrepresentation of safety of vehicles and the capabilities of the driver-assistance features illustrate that getting this wrong can be expensive and result in multi-million dollars lawsuits.
To avoid product liability claims, automotive and transportation companies should consider risk controls, such as: constrained ODDs with hard geofencing, conservative HMI copy, robust driver‑monitoring (infrared/camera), field performance monitoring, and post‑incident analytics capable of evidencing diligence. If litigation cannot be avoided, persuading a jury will require robust evidence through robust discovery procedures. Our firm has invested in a global discovery hub (based in Germany) aimed at building robust defence strategies in multi-jurisdictional product liability claims. Thanks to this hub, we successfully won a major victory for one of our largest automotive clients in one of the largest product liability claims in the US resulting in a full acquittal of our client.
5) eCall: Upgrading to NG‑eCall as 2G/3G Sunsets Bite
EU law mandates eCall in vehicles since 2018. With 2G/3G mobile networks’ sunsets, the EU updated the framework to require 4G/5G‑capable eCall, refresh standards (e.g., EN 17184:2024; EN 17240:2024; EN 16072:2025), and strengthen self‑test, backup power, and roadworthiness verification. Critical phase‑in dates start in 2026/2027 for new types/all new vehicles.
However, there is practical “technology dilemma” that this updated framework has not yet been able to resolve. Mobile network operators would like to switch off 2G/3G networks in favour of 4G/5G networks as soon as possible to re-farm valuable spectrum for more lucrative and advanced services. While most of the eCall functionality exists in IMS Emergency Call and IMS Multimedia Emergency Service specifications, if all 2G/3G networks are switched off, automotive and transportation companies would have to upgrade or refit current eCall devices in their legacy vehicles with 4G/5G interoperable functionality, in order to be able to guarantee that an eCall is transmitted to emergency services in case of a car accident. But retrofitting would be very expensive and difficult to orchestrate given the very large number of vehicles still in circulation with legacy 2G-only eCall modems.
Others face the same dilemma: M2M applications using 2G/3G networks, such as smart meters, gating and alarm systems, will also need to transition to 4G/5G when 2G/3G networks are no longer available. An adequate transition solution is, thus, desirable at pan-EU level for both the automotive and transportation industry and mobile network operators.
There are divided views among operators about 2G and 3G. Clearly, for reasons of spectrum efficiency, as well as customer experience, it makes sense to move as many customers as possible onto 4G and 5G. However, retaining a narrow 2G band has been considered (including by major European operators) for a variety of reasons, including the following:
- There is likely to be a tail of voice-only customers with quite antiquated handsets for some time to come. Getting them all to upgrade could be time consuming and expensive.
- There are a number of narrow-band IoT applications that work really well on a 2G network, and 2G is typically in low-spectrum bands that are well suited to wide coverage for narrow-band communications.
While some European operators seem to be looking to switch off 3G before 2G, other operators are looking to switch off 2G and keep a 3G coverage layer. Providing coverage for eCall could be influential in operator choices, particularly if OEMs were willing to contribute towards the cost of maintaining 2G narrow-band coverage (in order to avoid the cost of swapping out eCall modules in existing vehicles).
The European Commission considers that, in principle, it is the role of industry to adapt to the evolution of network technology. However, it also acknowledges the need to take into account the lifetime of existing vehicles equipped with 2G/3G eCall systems and the need to upgrade these vehicles, as well as the Public Safety Answering Point (PSAP) infrastructure in Member States. Old technologies can take a long time to die. Pager networks are still running in some European countries, not least to support emergency services.
It is in the interest of all automotive and transportation companies to understand the regulatory and commercial implications of a 2G/3G network switch-off on their obligation to provide passengers with eCall access in vehicles across the EU and to engage in a public policy debate aimed at facilitating a smooth pan-EU transition strategy to solve this technology dilemma.
6) National‑Security Controls: Supplier Vetting Is Now Market‑Access
Connected vehicles are also the heart of national security control interventions.
For example, the U.S. Department of Commerce issued a Final Rule restricting connected vehicle hardware/software linked to China/Russia and requiring declarations of conformity, with phased prohibitions (software from Model Year 2027, hardware around Model Year 2030). Automotive and transportation companies must trace firmware origin and remote‑access capabilities across the stack.
On the other side of the Atlantic Ocean, in Europe, connected vehicles require alignment with the NIS2 Directive 2022/2025 which mandates strict cybersecurity measures, incident reporting and supply chain security for essential and important entities across the EU, UNECE cybersecurity, and broader non‑technical risk assessments (e.g., “high‑risk vendor” considerations) when planning procurement and type approval pathways. Conversely, while the UK explicitly excluded connected vehicles from the scope of the Product Security and Telecommunications Infrastructure Act 2022, a case-by-case analysis is required to determine its application to connected vehicles’ components and supply chain.
7) C‑ITS Standards & Interoperability: Keeping Options Open
The EU is advancing harmonised C‑ITS standards and cross‑border interoperability, while the U.S. is tightening connected‑vehicle rules with national‑security‑driven restrictions on vehicles and components linked to China or Russia. Member States rejected a draft that would have effectively locked in 802.11p, leaving room for C‑V2X and alignment with 5G roadmaps. This is important for future ADAS, platooning, and road‑safety services. Spectrum/standard choices will affect interoperability, roaming, and upgrade paths.
8) IP in Connectivity & Analytics
Patent holders increasingly target telematics stacks, OTA analytics, and Vehicle-to-Everything. For example, Intellectual Ventures sued various automotive companies over connected‑car technologies—highlighting the need for freedom‑to‑operate analysis early in product planning. Patents and IP protection for connected vehicle technologies could also give rise to antitrust liability. For example, EU antitrust case law on patent ambush centered on the Rambus decision means that intentionally hiding relevant patents during standard‑setting and later demanding royalties could constitute an illegal abuse of dominant position.
9) Implications of the EU/UK Motor Vehicles Vertical Restraints Guidelines on the repair market
Staying with the theme of antitrust, the EU Motor Vehicle Block Exemption Regulation (MVBER) is applicable until 31 May 2028, having been prolonged by the European Commission for five years. The extension is intended to allow the Commission to react in a timely manner to possible market changes (e.g. vehicle digitalisation, electrification and new mobility patterns). It seems likely that the Commission will review the MVBER again at the end of the five-year period to re-assess whether it is still applicable or require any updates or amendments.
In the meantime, the Commission’s updated Supplementary Guidelines for the sector clarify that:
- Data generated by vehicle sensors may be an essential input for the provision of repair and maintenance services. Therefore, to comply with the prohibition of cartels and anti-competitive agreements, authorised and independent repairers should have access to such data on an equal footing. The existing principles for the provision of technical information, tools and training necessary for the repair and maintenance services have been extended to explicitly cover vehicle-generated data.
- Vehicle suppliers must apply the proportionality principlewhen considering whether to withhold inputs, such as vehicle-generated data, on the basis of potential cybersecurity concerns.
- The prohibition of abuse of dominant positions may be applicable where a supplier unilaterally withholds from independent operators an essential input, such as vehicle-generated data.
Given the growing importance of data for the proper functioning of connected vehicles, automotive companies will need to refresh their antitrust compliance choices for the aftermarket for maintenance and repair of their vehicles, balancing potentially opposing security and market-contestability drivers.
10. Conclusion
The legal issues arising from connected vehicles are cross‑functional as this short summary of the main issues illustrates, ranging from antitrust, privacy, security, type approval, procurement, product, marketing. To address these issues effectively, therefore, you really need a fully connected legal team. Our Automotive and Transportation Industry Group provides just that…as Elastica used to sing: “the vital connection is made”!
