Official Journal
of the European Union
EN
L series
|
|
Official Journal |
EN L series |
|
2025/1455 |
29.10.2025 |
COMMISSION DELEGATED REGULATION (EU) 2025/1455
of 23 July 2025
amending Delegated Regulation (EU) No 44/2014 as regards laying down technical requirements and testing procedures regarding the protection of L-category vehicles against cyberattacks
(Text with EEA relevance)
THE EUROPEAN COMMISSION,
Having regard to the Treaty on the Functioning of the European Union,
Having regard to Regulation (EU) No 168/2013 of the European Parliament and of the Council of 15 January 2013 on the approval and market surveillance of two- or three-wheel vehicles and quadricycles (1), and in particular Article 18(3) thereof,
Whereas:
|
(1) |
The scope of UN Regulation No 155 (2) on cyber security and cyber security management system has been extended to include rules on cybersecurity for L-category vehicles (two- and three-wheel vehicles and quadricycles). To make UN Regulation No 155 applicable to L-category vehicles within the Union, it is necessary to include a reference to it in Commission Delegated Regulation (EU) No 44/2014 (3). |
|
(2) |
L1e category vehicles designed to pedal referred to in Article 3, point (94)(b), of Regulation (EU) No 168/2013 and pedal cycles with pedal assistance exempted from the application of Regulation (EU) No 168/2013 under its Article 2(2), point (h), are not technically different from a cybersecurity perspective. The latter cycles, representing the vast majority (97 % on average) of the product offer of the majority of bicycle manufacturers, would be subject to the cybersecurity requirements laid down in Regulation (EU) 2024/2847 of the European Parliament and of the Council (4), whereas the former cycles, representing only a minority (3 % on average) of the product offer of most bicycle manufacturers, would be subject to the cybersecurity requirements of the UN Regulation No 155. Bicycle manufacturers producing electrically assisted bicycles with digital elements are often involved in the production of both pedal cycles with pedal assistance as defined under the exception clause of Article 2(2), point (h), of Regulation (EU) No 168/2013 and L1e category vehicles designed to pedal referred to in Article 3, point (94)(b), of Regulation (EU) No 168/2013. Developing the compliance with a different set of cybersecurity requirements for only a minority segment of the total production would create a disproportionate administrative burden for bicycle manufacturers. For those reasons, it is appropriate to exclude L1e category vehicles designed to pedal referred to in Article 3, point (94)(b), of Regulation (EU) No 168/2013 from the scope of Delegated Regulation (EU) No 44/2014 as regards cyber security requirements set out therein. |
|
(3) |
As L1e category vehicles designed to pedal referred to in Article 3, point (94)(b), of Regulation (EU) No 168/2013 are subject to the requirements of Regulation (EU) 2024/2847 under Commission Delegated Regulation (EU) 2025/1535 (5), it is appropriate to align the applicability of the requirements of UN Regulation No 155 with the date of application of Regulation (EU) 2024/2847. |
|
(4) |
Besides ensuring the compliance of new vehicle types, national authorities and manufacturers need additional time sufficient to ensure that also all existing vehicle types become compliant with the cybersecurity rules under UN Regulation No 155. |
|
(5) |
Delegated Regulation (EU) No 44/2014 should therefore be amended accordingly, |
HAS ADOPTED THIS REGULATION:
Article 1
Amendments to Delegated Regulation (EU) No 44/2014
Delegated Regulation (EU) No 44/2014 is amended as follows:
|
(1) |
Annex I is amended in accordance with Annex I to this Regulation; |
|
(2) |
the text set out in Annex II to this Regulation is added as Annex XVIII. |
Article 2
Entry into force
This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.
This Regulation shall be binding in its entirety and directly applicable in the Member States.
Done at Brussels, 23 July 2025.
For the Commission
The President
Ursula VON DER LEYEN
(1) OJ L 60, 2.3.2013, p. 52, ELI: http://data.europa.eu/eli/reg/2013/168/oj.
(2) UN Regulation No 155 – Uniform provisions concerning the approval of vehicles with regards to cyber security and cyber security management system [2025/5] (OJ L, 2025/5, 10.1.2025, ELI: http://data.europa.eu/eli/reg/2025/5/oj).
(3) Commission Delegated Regulation (EU) No 44/2014 of 21 November 2013 supplementing Regulation (EU) No 168/2013 of the European Parliament and of the Council with regard to the vehicle construction and general requirements for the approval of two- or three-wheel vehicles and quadricycles (OJ L 25, 28.1.2014, p. 1, ELI: http://data.europa.eu/eli/reg_del/2014/44/oj).
(4) Regulation (EU) 2024/2847 of the European Parliament and of the Council of 23 October 2024 on horizontal cybersecurity requirements for products with digital elements and amending Regulations (EU) No 168/2013 and (EU) No 2019/1020 and Directive (EU) 2020/1828 (Cyber Resilience Act) (OJ L, 2024/2847, 20.11.2024, ELI: http://data.europa.eu/eli/reg/2024/2847/oj).
(5) Commission Delegated Regulation (EU) 2025/1535 of 29 July 2025 supplementing Regulation (EU) 2024/2847 of the European Parliament and of the Council with regard to an exclusion from the application of that Regulation for certain products with digital elements falling within the scope of Regulation (EU) No 168/2013 of the European Parliament and of the Council (OJ L, 2025/1535, 29.10.2025, ELI: http://data.europa.eu/eli/reg_del/2025/1535/oj).
ANNEX I
In Annex I to Delegated Regulation (EU) No 44/2014, in the table, the following row is added:
|
‘155 |
Cyber security and cyber security management system |
Supplement 3 to the 00 series of amendments |
OJ L, 2025/5, 10.1.2025, ELI: http://data.europa.eu/eli/reg/2025/5/oj |
L1e, L2e, L3e, L4e, L5e, L6e and L7e, except L1e category vehicles designed to pedal referred to in Article 3, point (94)(b), of Regulation (EU) No 168/2013’ |
ANNEX II
‘ANNEX XVIII
Requirements applying to the protection of vehicles against cyberattacks
1. Requirements
|
1.1. |
“Type of vehicle with regard to cybersecurity” means a category of vehicles which do not differ in the following respects:
|
|
1.2. |
Vehicles of categories L1e, L2e, L3e, L4e, L5e, L6e and L7e, except L1e vehicles designed to pedal referred to in Article 3, point (94)(b), of Regulation (EU) No 168/2013, shall meet all the relevant requirements of UN regulation No 155. |
|
1.3. |
Points 1.1 and 1.2 shall apply as follows:
|
ELI: http://data.europa.eu/eli/reg_del/2025/1455/oj
ISSN 1977-0677 (electronic edition)