The strategic question for OEMs has shifted. It's no longer whether connected features can be added safely, but whether organizations can run a secure, auditable lifecycle for vehicles that are always online, always updated, and increasingly dependent on cooperative communications. Cybersecurity management systems now sit alongside quality and functional safety programs, and V2X security is being treated as a systems-engineering problem that spans infrastructure, telecom, and vehicle platforms.
The data behind the urgency is compelling. Upstream's public-incident research documented 295 publicly reported automotive cybersecurity incidents in 2023, over 400 newly reported incidents analyzed for 2024, and 494 publicly reported incidents analyzed for 2025. In that same 2025 reporting cycle, 92 percent of attacks were executed remotely and 85 percent were long-range, requiring no physical proximity—exactly the kind of scale that turns cybersecurity into an enterprise risk rather than a workshop problem.
Five implications follow from those numbers and are reshaping automotive security programs today: Remote access is the primary threat model, so physical-access-required assumptions no longer provide comfort. Backend and identity systems are now part of vehicle safety, not just IT hygiene. V2X trust hinges on certificate and key governance as much as RF performance. Software update pipelines are security boundaries, not just delivery mechanisms. And compliance is converging globally, with audit evidence becoming as important as technical controls.
Regulation has already moved from principle to enforcement. UNECE WP.29 UN Regulation No. 155 for cybersecurity and UN Regulation No. 156 for software update management created a formal framework that many global OEMs treat as the baseline even outside UNECE markets. In the European Union, the cybersecurity regulation is mandatory for all new vehicle types from July 2022 and becomes mandatory for all new vehicles produced from July 2024.
Those dates turned best practice into a deliverable: a documented Cybersecurity Management System, governance for risk assessment and mitigation, and demonstrable control over software updates through a Software Update Management System. Standards fill in the engineering details. ISO/SAE 21434, issued on August 31, 2021, provides the lifecycle language—item definition, threat analysis and risk assessment, cybersecurity goals, verification and validation, production, operation, maintenance, and end-of-life.
In the United States, NHTSA's Cybersecurity Best Practices for the Safety of Modern Vehicles was updated in September 2022 as nonbinding guidance, but it functions as a practical checklist for risk-based programs and, increasingly, for supplier expectations. The real-world effect is that cybersecurity evidence is becoming a procurement artifact: security cases, test reports, key-management documentation, and incident-handling procedures now move through the same channels as safety-case material.
V2X connectivity adds a unique dimension: it is designed to make vehicles listen to their environment. In its road-safety form, V2X is about low-latency, machine-readable intent—warnings about hard-braking vehicles ahead, pedestrian phases at the next intersection, or roadside hazards. Done well, V2X connectivity for road safety reduces the time between sensing and reacting, especially in line-of-sight-limited scenarios that cameras and radar struggle to anticipate.
In North America, this conversation often references SAE J2735 message sets, including the Basic Safety Message concept used in connected-vehicle communications, while in Europe the C-ITS stack aligns with ETSI standards. The nomenclature differs by region, but the security premise is universal: if a vehicle is going to act on external messages, those messages must be trustworthy, timely, and resilient against manipulation.