A soft revolution in vehicle security is underway, led not by Silicon Valley or Brussels, but by Beijing and New Delhi. As WP.29 regulations mature in Europe, India and China are quietly adapting and expanding their own frameworks to govern the full lifecycle of connected vehicles. Yet few investors appreciate the full extent of how these markets are influencing engineering priorities, supply chains and regulatory alignment on a global scale.
India has taken WP.29 as a base and is crafting its own AIS‑189/SUMS regime due for full implementation by 2027. OEMs and tier‑1 suppliers now face parallel compliance requirements, managing cybersecurity under both global best practice and domestic scrutiny, forcing new investments in software update systems and organisational controls. That dual pressure is already reshaping certification roadmaps and vendor relationships.
China has moved even faster. Its 2024 GB‑44495 regulation closely mirrors Europe’s R‑155 demands yet embeds stronger technical mandates, requiring anomaly detection systems as enforced by GB/T‑45181 since April 2025. On top of that, draft MIIT rules set to be finalised around mid‑June 2025 impose new data export restrictions on key vehicle functionalities, ADAS and autonomy modules included. The result is a push for built‑in threat monitoring, logging, and geo‑localisation controls at the chip and ECU level.
For international OEMs, this isn’t just compliance noise. China’s GB regulations stipulate certification pathways and technical testing unmatched by Europe’s more hands‑off, process‑centric approvals. That is driving demand for secure key injection systems, hardware‑backed trust anchors and automated consent frameworks across multiple jurisdictions. India’s pending AIS rules and China’s evolving technical demands are rapidly becoming boardroom issues affecting production planning, supplier eligibility, and aftermarket support provisioning.
Moreover, these developments dovetail with global supply chain imperatives. OEMs are extending CSMS/SUMS obligations beyond Tier 1 into electronics, software vendors and post‑market service channels. That creates a strategic window for specialist cybersecurity providers, especially those offering unified PKI, OTA, logging and anomaly detection services. Software‑defined vehicle architectures now require evolving trust models and key lifecycles that were unaffordable or unthought‑of a few years ago.
The opportunity lies in scale and longevity. Cars built under today’s standards will remain on the road through 2040, meaning long‑tail cybersecurity demand is baked into every VIN. OEMs are therefore driven to embed flexible security architecture from the start—whether through HSM‑integrated ECUs, secure boot flows, OTA signing, or continuous firmware trust verification.
Yet the result is far more than defensive cost centres. These imperatives reshape competitive positioning. OEMs that demonstrate seamless cross‑border compliance, balancing India’s AIS, China’s GB and Europe’s WP.29—all while streamlining updates and anomaly detection, will wield a tangible edge in volume and trust. Suppliers embedding modular CSMS toolsets and anomaly‑aware ECUs become easier integration partners, unlocking access to emerging markets sooner.
The convergence of regulatory frameworks creates a compelling narrative: geopolitical policy is accelerating technical transformation in the automotive industry, with power and trust shifting toward hardware‑centric, identity‑first architectures. The question for investors isn’t whether cybersecurity matters—it’s who will own that compliance stack, and how it transforms vehicle software economics over the next two decades.
To summarise plainly: India is extending WP.29 into AIS, China has built a parallel yet more technical GB standard and data‑transfer mandate, and Europe remains the standard bearer. OEMs must navigate all three now. But this multi‑regime environment is doing more than adding administrative friction, it’s forcing a fundamental upgrade in cybersecurity architecture, embedding long‑term revenue channels in PKI, OTA, HSM and threat‑monitoring across vehicle lifespans.
Device Authority offers an embedded PKI and identity‑lifecycle platform, complete with hardware key management, secure OTA updates, and continuous certificate renewal, designed to satisfy WP.29, AIS, GB and ISO/SAE 21434 requirements globally. It positions itself as a cross‑jurisdictional enabler for OEMs and suppliers navigating accelerating cybersecurity mandates.
Tern plc (LON:TERN) backs exciting, high growth IoT innovators in Europe. They provide support and create a genuinely collaborative environment for talented, well-motivated teams.
