This document is an excerpt from the EUR-Lex website
Document 32021R1244
Commission Delegated Regulation (EU) 2021/1244 of 20 May 2021 amending Annex X to Regulation (EU) 2018/858 of the European Parliament and of the Council as regards the standardised access to vehicle on-board diagnostics information and repair and maintenance information, and the requirements and procedures for access to vehicle security information
Commission Delegated Regulation (EU) 2021/1244 of 20 May 2021 amending Annex X to Regulation (EU) 2018/858 of the European Parliament and of the Council as regards the standardised access to vehicle on-board diagnostics information and repair and maintenance information, and the requirements and procedures for access to vehicle security information
Commission Delegated Regulation (EU) 2021/1244 of 20 May 2021 amending Annex X to Regulation (EU) 2018/858 of the European Parliament and of the Council as regards the standardised access to vehicle on-board diagnostics information and repair and maintenance information, and the requirements and procedures for access to vehicle security information
C/2021/3377
OJ L 272, 30.7.2021, p. 16–28
(BG, ES, CS, DA, DE, ET, EL, EN, FR, GA, HR, IT, LV, LT, HU, MT, NL, PL, PT, RO, SK, SL, FI, SV)
In force
30.7.2021 |
EN |
Official Journal of the European Union |
L 272/16 |
COMMISSION DELEGATED REGULATION (EU) 2021/1244
of 20 May 2021
amending Annex X to Regulation (EU) 2018/858 of the European Parliament and of the Council as regards the standardised access to vehicle on-board diagnostics information and repair and maintenance information, and the requirements and procedures for access to vehicle security information
THE EUROPEAN COMMISSION,
Having regard to the Treaty on the Functioning of the European Union,
Having regard to Regulation (EU) 2018/858 of the European Parliament and of the Council of 30 May 2018 on the approval and market surveillance of motor vehicles and their trailers, and of systems, components and separate technical units intended for such vehicles, amending Regulations (EC) No 715/2007 and (EC) No 595/2009 and repealing Directive 2007/46/EC (1), and in particular Article 61(11) thereof,
Whereas:
(1) |
Article 61(2) of Regulation (EU) 2018/858 requires vehicle manufacturers to make vehicle on-board diagnostics (OBD) information and vehicle repair and maintenance information (RMI) available on their own websites. There are, however, no harmonised criteria as to the manner in which that information is to be made available, which requires independent operators to adapt to numerous and different Web services and terminology. |
(2) |
The Report from the Commission to the European Parliament and the Council of 9 December 2016 (2) on the operation of the system of access to vehicle repair and maintenance information concluded that by standardising those websites and the corresponding terminology the burden on independent operators could be alleviated. |
(3) |
Since access to vehicle OBD information and vehicle RMI should be possible regardless of the type of powertrain of a vehicle, it is necessary to clarify that such access is not only compulsory for emission related requirements. |
(4) |
On 15 September 2014, the European Committee for Standardisation (CEN) published Parts 1 to 5 of standard EN ISO 18541 ‘Road vehicles – Standardized access to automotive repair and maintenance information (RMI)’. Those parts aim at facilitating the exchange between manufacturers and independent operators of vehicle OBD information and vehicle RMI by establishing the technical requirements and procedures for facilitating access to that information. It is therefore appropriate to refer in Annex X to Regulation (EU) 2018/858 to the requirements of Parts 1 to 5 of standard EN ISO 18541-2014. |
(5) |
Given that vehicle OBD information and vehicle RMI include information which is important for ensuring the security of the vehicle, access to certain vehicle security features should only be provided to independent operators complying with the requirements laid down in this Annex. |
(6) |
According to the recommendations of the Forum on Access to Vehicle Information, referred to in Article 66(1) of Regulation (EU) 2018/858, those requirements should include the approval of the independent operators concerned and the authorisation of their employees engaged in the relevant activities by accredited entities. It is therefore necessary to lay down the procedure for the approval and authorisation of independent operators to access vehicle security features, which should be based on the ‘Scheme for accreditation, approval and authorization to Access Security-related Repair and Maintenance Information (RMI)’, which was validated on 19 May 2016 by the European cooperation for Accreditation. It is also necessary to assess whether such operators are not involved in illegitimate business activities. |
(7) |
In addition, it is necessary to lay down the role and responsibilities of the bodies involved in the approval and authorisation of independent operators and their employees to be granted access to security-related vehicle repair and maintenance information. |
(8) |
In order to enable Member States and national authorities as well as economic operators to prepare for the application of the new rules introduced by this Regulation, the date of application should be deferred. |
(9) |
Annex X to Regulation (EU) 2018/858 should therefore be amended accordingly, |
HAS ADOPTED THIS REGULATION:
Article 1
Annex X to Regulation (EU) 2018/858 is amended in accordance with the Annex to this Regulation.
Article 2
This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.
It shall apply from 30 July 2023.
This Regulation shall be binding in its entirety and directly applicable in all Member States.
Done at Brussels, 20 May 2021.
For the Commission
The President
Ursula VON DER LEYEN
(1) OJ L 151, 14.6.2018, p. 1.
(2) Report from the Commission to the European Parliament and the Council on the operation of the system of access to vehicle repair and maintenance information established by Regulation (EC) No 715/2007 on type approval of motor vehicles with respect to emissions from light passenger and commercial vehicles (Euro 5 and Euro 6) and on access to vehicle repair and maintenance information, COM(2016) 0782 final.
ANNEX
Annex X to Regulation (EU) 2018/858 is amended as follows:
(1) |
point 2.1 is replaced by the following:
|
(2) |
point 2.5.2 is replaced by the following:
|
(3) |
in point 2.9, the first paragraph is replaced by the following: ‘For the purpose of vehicle OBD, diagnostics, repair and maintenance, monitoring and inspection, the direct vehicle data stream, including fault codes and diagnostic functions, shall be made available through the serial data port on the standardised data link connector specified in paragraph 6.5.1.4 and in accordance with the specifications set out in section 6.5.3 of Appendix 1 of Annex 11 to Regulation No 83 of the Economic Commission for Europe of the United Nations (UN/ECE) (*1) and in accordance with paragraph 4.7.3 of Annex 9B and the reference standard documents set out in Appendix 6 to that Annex to Regulation No 49 of the Economic Commission for Europe of the United Nations (UN/ECE) (*2). (*1) Regulation No 83 of the Economic Commission for Europe of the United Nations (UN/ECE) – Uniform provisions concerning the approval of vehicles with regard to the emission of pollutants according to engine fuel requirements (OJ L 42, 15.2.2012, p. 1)." (*2) Regulation No 49 of the Economic Commission for Europe of the United Nations (UN/ECE) – Uniform provisions concerning the measures to be taken against the emission of gaseous and particulate pollutants from compression-ignition engines for use in vehicles, and the emission of gaseous pollutants from positive-ignition engines fuelled with natural gas or liquefied petroleum gas for use in vehicles (OJ L 180, 8.7.2011, p. 53).’;" |
(4) |
in point 6.1, the first paragraph is replaced by the following: ‘Compliance with the obligation for manufacturers to provide OBD information and vehicle repair and maintenance information on their websites through a standardised format shall be presumed by conforming with the Parts of standard EN ISO 18541 referred to in point 2.1.’; |
(5) |
point 6.2 is replaced by the following: ‘Access to vehicle security features shall be made available to independent operators under protection of security technology in accordance with the following requirements:’; |
(6) |
point 6.3 is amended as follows:
|
(7) |
the following Appendix 3 is added: ‘ Appendix 3 Procedure for the approval and authorisation of independent operators to access vehicle security features (*5) 1. Scope This Appendix contains the requirements for the purposes of approval and authorisation of independent operators requiring access to security-related vehicle repair and maintenance information (RMI). It specifies in detail the process and the bodies required to approve and authorise independent operators to be granted access to security-related vehicle repair and maintenance information for light passenger and commercial vehicles and heavy duty vehicles. 2. Definitions and abbreviated terms 2.1. Definitions For the purposes of this Appendix, the following definitions shall apply: 2.1.1. ‘Accreditation’ ‘accreditation’ shall mean accreditation as defined in Article 2, point 10 of Regulation (EC) No 765/2008 2.1.2. ‘IO employee’ ‘IO employee’ shall mean the employee of an approved independent operator (IO) who, upon authorisation from his or her conformity assessment body (CAB), will have access to security-related RMI 2.1.3. ‘Security-related repair and maintenance information’ or ‘security-related RMI’ ‘security-related repair and maintenance information’ or ‘security-related RMI’ shall mean the information, software, functions and services required to repair and maintain the features that are included in a vehicle by the manufacturer to prevent the vehicle from being stolen or driven away and to enable the vehicle to be tracked and recovered. 2.1.4. ‘Approval inspection certificate’ ‘approval inspection certificate’ shall mean the certificate issued by the CAB to IOs complying with the approval criteria set out in this Appendix and which confirms that those IOs are approved and that IO employees can request the authorisation to access security-related RMI. 2.1.5. ‘Authorisation inspection certificate’ ‘authorisation inspection certificate’ shall mean the certificate issued by the CAB to IO employees complying with the authorisation criteria set out in this Appendix and which confirms that those employees are authorised to access security-related RMI on the website of a vehicle manufacturer. 2.1.6. ‘Trust centre’ or ‘TC’ ‘trust centre’ or ‘TC’ shall mean the body designated by SERMI and approved by the Commission and that is responsible for:
2.1.7. ‘Security token’ ‘security token’ shall mean a device that allows a secure authentication of an IO. 2.1.8. ‘Digital certificate’ ‘digital certificate’ shall mean a digital certificate which requires a digital signature of the issuing trust centre to bind a public key to the identity of the IO employee in accordance with the standard ISO 9594. 2.1.9. ‘Authorisation database’ ‘authorisation database’ shall mean a database held by the trust centre and which contains the authorisation details of the anonymised authorised IO employees and the registration of approved IOs. 2.1.10. ‘Certification database’ ‘certification database’ shall mean a database held by the trust centre to manage the digital certificate validity and the identifiers of authorised IO employees. 2.1.11. ‘European cooperation for Accreditation’ or ‘EA’ ‘European cooperation for Accreditation’ or ‘EA’ shall mean the body recognised by the Commission in accordance with Article 14 of Regulation (EC) No 765/2008 and which is responsible for the development, maintenance and implementation of accreditation in the Union. 2.1.12. ‘Forum for Access to Security-Related Vehicle RMI’ or ‘SERMI’ The ‘Forum for Access to Security-Related Vehicle RMI’ or ‘SERMI’ means the entity that is in charge of coordinating and advising the Commission on the implementation of the procedures of accreditation, approval and authorisation for the purpose of accessing security-related RMI. 2.1.13. ‘Relevant authorities’ ‘relevant authorities’ shall mean those public authorities that have a legal mandate to act in the area of vehicle security crime protection, investigation and prosecution. 3. Accreditation of CABs, approval of IOs and authorisation of IO employees Only CABs that are accredited by the national accreditation body (‘NAB’), as defined in Article 2, point 11 of Regulation (EC) No 765/2008, of the Member State in which they are established shall issue approval inspection certificates certifying that an IO has been approved and authorisation inspection certificates certifying that an IO employee is to access security-related RMI. The approval of the IO and the authorisation of the IO employee shall be granted for a period of 60 months starting from the date of issuance of the relevant inspection certificates. IOs wishing to receive security-related RMI shall obtain an approval inspection certificate from a CAB accredited by the NAB of the Member State where the IO is established. IO employees who are to handle security-related RMI shall obtain an authorisation inspection certificate from a CAB accredited by the NAB of the Member State where the IO employee resides. CABs shall inform TCs of any approval inspection certificates or authorisation inspection certificates issued, upon which TCs shall create an authorisation record and issue a security token and a digital certificate containing details that allow IO employees to be uniquely identifiable to the vehicle manufacturer RMI website. CABs shall provide individual IO employees with a security token and the digital certificate. Vehicle manufacturers may demand a fee for the registration of IO employees on those vehicle manufacturers’ RMI websites and for access to security-related RMI. Such fee shall be proportionate to the cost for such registration and provision of access. The fees due shall be specified on the vehicle manufacturers’ RMI websites. All digital data transfers between IOs, TCs and CABs shall be carried out via business to business (B2B) transactions using secure protocols and in a timely manner.
A declaration that certifies that the IO pursues a legitimate business activity as referred to in point 6.3 of this Annex shall be signed by the IO requesting to be authorised by the CAB. An IO shall only be approved after an inspection by the CAB that shall verify that this declaration has been signed and that shall assess whether the IO and its individual employees comply with the requirements laid down in this Appendix. Individual IO employees shall only be authorised after an inspection by a CAB. CABs shall check the documents submitted and shall verify whether the IO employee concerned made a previous request for authorisation that has been rejected by the CAB concerned or any other CAB at Union level. CABs shall send all data to the TC that are necessary for the TC to produce the digital certificate and the security token, which the CAB shall send to the IO employees.. IO employees that have been authorised shall receive from their CABs the PIN associated with the digital certificate.
3.1. Overview of the access to security-related RMI Vehicle manufacturers shall provide access to security-related RMI through their RMI website, provided that the IO employees are authorised and are able to produce the authorisation inspection certificate, and that the IO on whose behalf the IO employees are working has an approval inspection certificate. Manufacturers may offer access to an on-line ordering facility for security-related parts using a specialised application linked to the RMI website to authorised IO employees that work for approved IOs. Upon receipt of a request for access to an RMI website, the vehicle manufacturers’ websites shall require identification through the IO employee unique identifier and request authentication. Authentication of IO employees shall be carried out exclusively using digital certificates. Upon receipt of a digital certificate, vehicle manufacturer RMI websites shall verify the IO employee unique identifier and the current status of the digital certificate and authorisation, by communicating with the TC identified in the digital certificate. All digital data transfers between IOs, vehicle manufacturers, TCs and CABs shall be carried out via business to business (B2B) transactions, using secure protocols and in a timely manner. Once the IO employee unique identifier and authorisation status of the IO employee have been verified, access to the required security-related RMI shall be provided by the vehicle manufacturer through its website.
4. Detailed rules concerning access to security-related RMI 4.1. The role of SERMI 4.1.1. Responsibilities and obligations SERMI shall monitor the implementation of the accreditation process across the Member States and inform the Commission accordingly. SERMI shall advise the Commission on requests for changes to the accreditation process.
4.1.2. Trust centre selection The TC shall be selected by SERMI and be notified to the Commission for approval. Selected TC shall comply with standard ETSI TS 319 411-3, fulfil the requirements on electronic signatures laid down in Regulation (EU) No 910/2014 of the European Parliament and of the Council (*6) and the requirements laid down in point 4.6 of this Appendix. In addition, the TC shall:
4.2. The role of NABs The NAB shall be responsible for the accreditation of CABs for the purposes of approving IOs and authorising IO employees for access to security-related RMI. 4.2.1. Responsibilities and requirements The responsibilities and requirements of the NAB are set out in Articles 8 to 12 of Regulation (EC) No 765/2008. 4.2.2. Criteria for CAB accreditation CABs shall be accredited as type A inspection bodies in accordance with ISO/IEC 17020:2012. CABs shall comply with the requirements concerning the highest level of independence. Additionally, the NAB shall assess CABs’ capability to comply with the requirements laid down in points 4.3.1 to 4.3.4. The personnel in charge of IO inspections shall have a level of knowledge in the automotive vehicle repair and maintenance business and of the automotive aftermarket specifics that is appropriate for the tasks they are performing. 4.3. The role of CABs The CAB shall be responsible for the inspection of IOs and their respective IO employees and for issuing approval and authorisation inspection certificates in accordance with this Appendix, and for revoking such certificates. 4.3.1. Responsibilities and requirements
4.3.2. Renewal of the approval CABs shall, upon request by an IO or 6 months prior to the expiry of validity of the approval, make an on-site inspection, and in case of a positive inspection result, renew the approval. CABs shall issue a new approval inspection certificate for IO that fulfils the approval criteria. CABs shall assess applications for renewals of authorisations and issue an authorisation inspection certificate to IO employees fulfilling the authorisation criteria. 4.3.3. Criteria for IO approval by the CAB Before approving an IO and during any on-site inspection during the approval validity period, CABs shall check the following:
4.3.4. Criteria for IO employee authorisation by the CAB Before authorising an employee as an IO employee, and during any on-site inspection during the approval validity period, CABs shall verify the following:
4.4. Role of the IOs 4.4.1. Responsibilities and requirements
4.5. Role of IO employees 4.5.1. Responsibilities and requirements
4.6. Role of the trust centre TCs shall create and send the digital certificates to the IOs via the respective CABs to the IOs and the IO employees. TCs shall maintain a database of issued authorisation inspection certificates. TCs shall provide vehicle manufacturers access to an interface to verify the status of the digital certificates and the authorisation inspection certificates. TCs shall keep the information regarding IO employees in the authorisation database for an additional period of maximum 60 months. That period shall not be longer than the remaining validity period of the approval granted to the IO where the IO employee is working. 4.6.1. Responsibilities and requirements
4.7. Role of vehicle manufacturers Vehicle manufacturers shall provide to all approved IOs and authorised IO employees access to security-related repair and maintenance information. Vehicle manufacturers shall communicate with TCs to verify the authorisation and authentication status of IO employees seeking access to such information. 4.7.1. Responsibilities and requirements
4.7.2. Procedural requirements for vehicle manufacturers Vehicle manufacturers shall not grant access to security-related RMI, unless all of the following procedural requirements have been complied with:
(*5) The requirements set out in this Appendix are based on those laid down in the ‘Scheme for accreditation, approval and authorization to Access Security-related Repair and Maintenance Information (RMI)’ validated on 19 May 2016 by the European cooperation for Accreditation (https://www.vehiclesermi.eu/)." (*6) Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC (OJ L 257, 28.8.2014, p. 73)." |
(*1) Regulation No 83 of the Economic Commission for Europe of the United Nations (UN/ECE) – Uniform provisions concerning the approval of vehicles with regard to the emission of pollutants according to engine fuel requirements (OJ L 42, 15.2.2012, p. 1).
(*2) Regulation No 49 of the Economic Commission for Europe of the United Nations (UN/ECE) – Uniform provisions concerning the measures to be taken against the emission of gaseous and particulate pollutants from compression-ignition engines for use in vehicles, and the emission of gaseous pollutants from positive-ignition engines fuelled with natural gas or liquefied petroleum gas for use in vehicles (OJ L 180, 8.7.2011, p. 53).’;
(*3) As defined in Article 3(10) of Regulation (EC) No 715/2007.
(*4) As defined in Article 3(8) of Regulation (EC) No 595/2009.’;
(*5) The requirements set out in this Appendix are based on those laid down in the ‘Scheme for accreditation, approval and authorization to Access Security-related Repair and Maintenance Information (RMI)’ validated on 19 May 2016 by the European cooperation for Accreditation (https://www.vehiclesermi.eu/).
(*6) Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC (OJ L 257, 28.8.2014, p. 73).’