A summary review of the global auto sector reveals that it has, since inception, successfully navigated complex and geographically varied regulatory landscapes. However, the current industry trend toward Software-Defined Vehicles (SDVs) could be an altogether different scenario.
As software increasingly becomes the key source of differentiation for automakers, it will also turn into their biggest regulatory hurdle. And not without reason: with multi-tonne vehicles connecting to wide-area networks and shifting their control logic into complex software, the risk environment will evolve.
However, automakers have a powerful strategy at their disposal to navigate this increasingly complex regulatory landscape – standardization.
And the good news is that the industry is cognizant of the power of standardization in the SDV ecosystem. Early proponents are already witnessing major wins as they encounter regulatory hurdles while building new software platforms for their upcoming fleet of products.
Regulatory Hurdles for Software-Defined Vehicles
With the emergence of SDVs, regulatory bodies worldwide are being called upon to conceive new safety measures for addressing emerging risks and scenarios. The implications for the auto industry are evident:
- Jurisdictional fragmentation: From the EU’s UN Regulation 155 to Japan’s sidewalk robot laws, countries are devising SDV rules faster than OEMs can update the firmware. The lack of harmonized standards makes global scalability a major challenge.
- Geopolitical hurdles: Geopolitical tensions inevitably creep into regulatory requirements. For instance, the U.S. appears set on banning Chinese-origin vehicle software and hardware – leveraging IEEPA and 100% tariffs to keep potential rolling Trojan horses off its roads.
- Liability determination: Who is at fault when an SDV crashes – a human, an algorithm, or a phantom update server? US state legislatures are rewriting driver liability playbooks to keep up.
- Data sovereignty considerations: Cross-border vehicle data flows are now under scrutiny. With OEMs collecting everything from speed logs to selfies, regulators are tightening their grip on privacy, since such data can raise national security concerns.
- Update, but do no harm: UNECE’s software update mandates (Reg. 156) mean a car’s next OTA patch might need a legal audit before it goes live. This sort of accountability is crucial to ensure safety but adds a new layer of compliance for OEMs.
Emerging Industry Standards to Address SDV Compliance
To navigate the increasingly intricate SDV compliance landscape, the automotive industry is turning to an array of well-defined and evolving standards. These frameworks provide structure, predictability, and auditability, which are critical traits for succeeding in a fast-changing regulatory environment.
Some of the standards deserve a special mention here. For instance, ISO 26262 offers a comprehensive approach to functional safety for electrical and electronic systems. It defines safety lifecycle phases, risk classification through ASILs, and traceability requirements that help OEMs build and certify systems that are designed to prevent failures with profound consequences.
ASPICE complements this by focusing on the maturity and consistency of development processes. Based on the V-Model, it helps teams improve system and software quality through disciplined project and configuration management, verification methods, and supplier oversight.
Similarly, ISO 21434 introduces structured cybersecurity governance across the entire vehicle lifecycle. It addresses threat modelling, secure design, and post-deployment risk monitoring, which are essential for connected vehicles operating in a dynamic threat landscape.
These standards align closely with UNECE WP.29 regulations, which operationalize cybersecurity and update compliance through type approvals. Collectively, these frameworks reduce compliance ambiguity and support cross-market acceptance, making them fundamental to global SDV strategy.
Compliance-ready SDVs Call for Open Source Stacks
As the automotive industry reorients itself around software, open source is emerging as a powerful enabler of both compliance and standardization.
Platforms like Red Hat In-Vehicle Operating System are demonstrating how enterprise-grade Linux can meet ISO 26262 requirements, thanks to advancements in mixed-criticality safety certification and proven freedom from interference between safety-critical and non-critical workloads. This builds confidence among OEMs looking to adopt Linux while still satisfying functional safety expectations. Similarly, OP-TEE, an open-source Trusted Execution Environment, plays a significant role in ensuring secure boot and data isolation in compliance with cybersecurity regulations like ISO/SAE 21434 and UNECE WP.29.
Meanwhile, Automotive Grade Linux (AGL) is rapidly being applied to standardize infotainment and instrument cluster systems. Its shared codebase and transparent governance accelerate regulatory documentation and enable audit readiness and cross-vendor interoperability.
At the architectural level, the SOAFEE initiative is laying the foundation for cloud-native development with built-in support for real-time workloads, virtualization, and safety-certifiable components. By providing standardized, openly developed reference implementations, SOAFEE helps bridge the gap between compliance goals and scalable SDV deployment.
Summing up
As the auto industry embraces a software-first future, regulatory interventions will be inevitable. As SDVs evolve to support autonomous decision-making, V2X communication, and AI-driven personalization of the user experience, compliance frameworks will expand further, both in scope and sophistication.
The industry's best response lies in adopting open, standardized, and audit-friendly platforms. By building transparency and safety into the stack today, automakers can future-proof their fleets and steer confidently into the next generation of mobility.