The regulatory landscape around the use, development and manufacture of autonomous vehicles in the EU remains a relative patchwork across Member States. The framework still draws on underlying international frameworks (Vienna Convention, UNECE) and EU instruments (AI Act, General Safety Regulation, type‑approval rules), rather than any harmonised EU legislation. Additionally, there remains some divergence at national level among EU Member States. For example, at a high level, national laws in Germany and France enable sophisticated "Level 4" operation of autonomous vehicles, whereas Italy remains focused on controlled testing under the Smart Road Decree. This article examines emerging legal challenges in the automated vehicle space around cybersecurity, supply‑chain risk and the evidentiary role of EDR data. Overall, it notes that liability frameworks remain rooted in human‑driver assumptions, signalling the need for greater EU‑level harmonisation as automation advances in this fast-moving field.
International background: Vienna Convention and UNECE framework
At the international level, the regulatory landscape for autonomous vehicles is significantly influenced by instruments such as the Vienna Convention on Road Traffic, amended in 2016 to allow the use of automated driving systems provided that a human driver can intervene and take control if necessary. Further developments at the international level have facilitated the legalisation of Level 3 automated driving systems. Notably, UNECE Regulation No. 157 on Automated Lane Keeping Systems (ALKS) establishes detailed technical requirements for certain Level 3 automated driving systems and represents one of the first international regulatory frameworks specifically addressing automated vehicle functionality.
1. EU's legal framework
At EU level, the legal framework for autonomous vehicles is shaped by a combination of sector-specific regulations. Rather than a single comprehensive statute on self-driving vehicles, the European approach relies on several complementary instruments that together regulate the development, approval and operation of automated driving technologies.
A central element of this framework is the EU AI Act, which establishes harmonised rules for artificial intelligence systems within the EU. Because autonomous vehicles rely heavily on AI-based decision-making systems, the regulation introduces requirements aimed at ensuring transparency, accountability and safety in the development and deployment of such technologies.
Vehicle safety requirements were shaped by Regulation (EU) 2019/2144, commonly referred to as the General Safety Regulation. This regulation has required newly registered vehicles in the EU to be equipped with advanced driver-assistance systems (ADAS), such as emergency braking systems and lane-keeping technologies. Although these measures do not yet amount to full automation, they represent a key step toward the gradual integration of automated driving technologies onto European roads.
In addition, the EU vehicle type-approval framework established by Regulation (EU) 2018/858 governs the approval and market surveillance of motor vehicles within the Union and provides the regulatory basis for the certification of new vehicle technologies, including automated driving systems.
The development and deployment of autonomous vehicles in Europe is also assessed using the automation scale defined in SAE International J3016 (the globally accepted reference framework), which classifies driving automation into six levels (0-5) based on who performs the Dynamic Driving Task (DDT) and who monitors the driving environment.
Level 0 - No Driving Automation
The human driver performs all aspects of the DDT.
Systems may provide warnings or momentary assistance (e.g. emergency braking).
Level 1 - Driver Assistance
The system can control either steering or acceleration/braking, but not both simultaneously.
The driver monitors the environment at all times.
Level 2 - Partial Driving Automation
The system controls both steering and acceleration/braking at the same time.
The driver remains fully responsible and must continuously supervise the vehicle.
Level 3 - Conditional Driving Automation
The system performs the entire DDT within specific conditions (Operational Design Domain - ODD).
Environmental monitoring is done by the system, not by the driver.
The driver must be ready to intervene after a takeover request.
Level 4 - High Driving Automation
The system performs the entire DDT and fallback within its ODD.
No driver intervention is required, even if the system fails.
Operation is limited to defined environments (e.g. geo‑fenced areas).
Level 5 - Full Driving Automation
The system performs the entire DDT under all conditions.
No human driver is needed at any time.
No operational or geographic limitations.
At present, the use of autonomous vehicles within the EU generally remains limited to Level 3 automation, where human supervision is still required.
2. Relevant national frameworks in Europe
Several Member States have adopted more advanced and specific national frameworks, resulting in a patchwork of regulatory approaches and innovation hubs across Europe:
Italy
Italy has adopted a cautious and incremental approach to autonomous vehicles, focusing on regulated on-road testing rather than a comprehensive legal framework. The cornerstone of this approach is Ministerial Decree No. 70 of 28 February 2018 (the Smart Road Decree), adopted pursuant to Article 1, paragraph 72, of Law No. 205/2017 (2018 Budget Law). The decree both promotes the development of “connected roads” through digital and technological infrastructure and sets out detailed authorisation procedures and safety requirements for testing autonomous vehicles on public roads. This framework reflects Italy’s intention to foster innovation while maintaining close regulatory supervision. The regulatory landscape was further updated by the Ministerial Decree of 26 January 2026, implementing Directive (EU) 2023/2661, which modernised the rules on Intelligent Transport Systems (ITS). This decree supports the deployment of connected transport technologies, data sharing infrastructures and cooperative mobility services, with the objective of improving safety, efficiency, sustainability and interoperability across transport systems. At the same time, the Italian Highway Code (Legislative Decree No. 285 of 1992) remains largely based on a human driver paradigm. In particular, Article 46 defines vehicles as machines circulating on roads “guided by man”, creating regulatory tension with the increasing use of automated driving technologies and highlighting the need for future legislative adaptation. Experimentation began in practice in May 2019, when the Ministry of Infrastructure and Transport authorised the first public road tests in Turin and Parma, subject to strict safety conditions and human supervision. Testing has since expanded to motorway contexts, including a driverless motorway test in April 2025.
However, the progression towards higher automation levels, notably Levels 3 and 4, raises unresolved regulatory and liability challenges that extend beyond the current experimental framework.
Germany
Germany has adopted a regulatory framework for autonomous driving that is primarily based on the Straßenverkehrsgesetz (StVG), as amended first by the 2017 Act on Automated Driving and then by the 2021 Act on Autonomous Driving, together with the 2022 Autonome-Fahrzeuge-Genehmigungs-und-Betriebs-Verordnung (AFGBV), which set out the approval and operational requirements for autonomous vehicles in defined operating areas. Under this framework, autonomous motor vehicles may operate on public roads without a human driver onboard, provided that they are used within a defined operational area and are subject to a technical supervisor. Under the German framework, the “technical supervisor” must be a natural person who is able to deactivate the motor vehicle at any time during operation and to enable driving manoeuvres. The technical supervisor must hold a valid driving licence and either a university degree or a qualification as a state-certified technician in an engineering discipline. The German regime therefore establishes a legal basis for the regular operation of Level 4 autonomous vehicles on public roads within pre-approved operating areas, while the AFGBV further regulates matters such as operating permits, approval of the operating area, market surveillance, and the responsibilities of the manufacturer, the holder and the technical supervisor.
France
France has adopted a structured regulatory system for automated mobility services, based on Ordonnance n° 2021-443 of 14 April 2021 and its implementing decrees. This framework governs the use of vehicles with delegated driving functions on public roads by defining the applicable criminal liability regime, setting out the conditions under which such vehicles may be operated, and establishing the safety and commissioning rules for automated road transport systems. It is intended to enable the deployment of automated driving systems within predefined operating conditions, routes or zones, including highly and fully automated systems, while clarifying the respective responsibilities of the human driver, the vehicle manufacturer or its representative and, where relevant, persons authorised to intervene remotely. In 2024, this framework was extended to automated road freight transport with the adoption of Decree n° 2024-1063 of 25 November 2024.
The Netherlands
The Netherlands has adopted an experimental, testing-oriented framework for self-driving vehicles through the Autonomous Vehicle Testing Act (Experimenteerwet zelfrijdende auto’s) and the related 2019 permit regulation. Since 1 July 2019, this framework has allowed, subject to a permit from the Minister of Infrastructure and Water Management, experiments on public roads with vehicles whose driver is located outside the vehicle. Applications for such permits are submitted to the Dutch Vehicle Authority (RDW / Dienst Wegverkeer). Pursuant to Regulation (EU) 2022/1426, the Dutch government aims to introduce legislation in 2027 that will more generally allow testing of self-driving vehicles on public roads for type approval and other purposes. The Dutch regime is therefore aimed at enabling and supervising public-road testing of automated vehicles, and the Netherlands has been described as being at the forefront of testing self-driving vehicles on public roads.
Sweden
Sweden was one of the first European countries to introduce a specific legal framework for testing automated vehicles on public roads through Ordinance (2017:309). Testing is permitted only with prior authorization from the Swedish Transport Agency, which assesses whether trials can be conducted safely, with risks adequately managed and no major disruption to other road users or the environment. Permits are project-specific, time-limited, and subject to ongoing supervision, and may include tailored conditions (e.g. applicants must demonstrate that the proposed testing can be conducted in a traffic-safe manner and that all associated risks are adequately managed). A core element of the regime is mandatory human oversight: a responsible person must always be able to monitor and intervene, either inside the vehicle or remotely. The person who activates the automated system is legally considered the driver and remains responsible during automated operation. Overall, the Swedish model is designed to support controlled real-world experimentation rather than full commercial deployment, aiming to promote innovation while ensuring road safety and informing future regulation.
Finland
Finland has adopted a relatively flexible framework for testing automated vehicles on public roads. Rather than relying primarily on the Act on Transport Services alone, the legal basis for testing is described as resting on the Road Traffic Act and the Vehicle Act, with the Finnish Transport and Communications Agency (Traficom) acting as the main authority for testing-related procedures.
According to the available sources, Finnish legislation already allows CCAM testing on public roads, and Traficom provides a “one stop shop” for such testing services, including the test plate certificate procedure. The framework remains driver-based in legal terms: the Road Traffic Act requires that the vehicle have a driver, although the available guidance states that the law does not specify where the driver must be, which makes it possible for the driver to be outside the vehicle in testing scenarios. More broadly, Finland has used this experimentation-friendly approach to support automation trials, including robot bus tests in Helsinki, Tampere and Espoo.
These national frameworks illustrate the diversity and dynamism of the European regulatory landscape for autonomous vehicles. While EU law provides the overarching legal and technical standards governing vehicle approval, safety requirements, and artificial intelligence systems, Member States are progressing at different speeds and with varying levels of ambition, particularly regarding higher levels of automation (Levels 3 and 4). Germany, France, the Netherlands, Sweden, and Finland stand out as leading jurisdictions in enabling advanced testing, pilot deployment, and, in some cases, early operational uses of automated vehicles, each with its own regulatory focus and requirements.
Overall, the integration of autonomous driving technologies into the regulatory framework for European transport systems is likely to proceed gradually, with the EU framework providing the baseline for safety and certification, and national regimes enabling experimentation and limited deployment according to local priorities, risk assessments, and infrastructure readiness.
A focus on:
a. Cybersecurity and supply chain risks in autonomous vehicles
The increasing connectivity and automation of vehicles introduce new and significant cybersecurity risks, as highlighted by the recent "EU Coordinated Risk Assessment of Connected and Automated Vehicles" conducted by the NIS Cooperation Group and the European Commission. Autonomous vehicles process large volumes of personal and sensitive data and are exposed to threats that can compromise physical safety, user privacy, and the resilience of critical infrastructure.
The EU-level risk assessment identified 107 specific risks for CAVs, with 14 considered "critical," including:
- attacks on vehicle control and automated decision-making systems (e.g., manipulation of AI algorithms, sensor attacks, LiDAR and GPS spoofing);
- vulnerabilities in communication and connectivity infrastructure (e.g., V2X, cloud, backend, OTA updates);
- risks related to "high-risk" suppliers, subject to government or military pressure, who could introduce backdoors or malicious functionalities into systems;
- security gaps in electric vehicle charging infrastructure, with potential impacts on the wider energy grid.
These findings are fully aligned with the broader approach to ICT supply chain security set out in the EU ICT Supply Chain Security Toolbox (Toolbox to improve ICT supply chain security | Shaping Europe's digital future), which emphasises that the protection of ICT supply chains is paramount for the EU's security and the resilience of critical sectors, including transport and mobility. The Toolbox identifies a range of risk scenarios relevant to connected and automated vehicles, such as attacks on cloud computing providers, the insertion of counterfeit or malicious components via suppliers, and vulnerabilities in software updates or system dependencies. It also highlights the potential for cascading effects and spill-over impacts across sectors due to the interconnected nature of modern supply chains.
The Toolbox further stresses the importance of managing risks associated with high-risk suppliers, particularly those exposed to interference from third countries or lacking robust cybersecurity practices. It recommends that Member States establish robust frameworks for supply chain risk management, including:
- conducting regular risk assessments and mapping critical dependencies;
- promoting multi-vendor strategies to avoid single points of failure and reduce strategic dependencies;
- managing and, where necessary, restricting or excluding high-risk suppliers at the national level;
- ensuring the cybersecurity of all phases of the ICT product and service lifecycle, from design and development to maintenance and decommissioning;
- enhancing situational awareness, information exchange, and training among all stakeholders.
While the European regulatory framework (Regulation (EU) 2019/2144, Regulation (EU) 2018/858, UN R155 and R156, NIS2 Directive) already imposes obligations for cyber risk management and security by design, the NIS Cooperation Group recommends further measures, including:
- strengthening supply chain policies to exclude high-risk suppliers;
- improving the cybersecurity of charging infrastructure, which is increasingly recognised as a critical node in the supply chain;
- adopting multi-vendor strategies and localising sensitive data to enhance resilience;
- promoting transparency and providing consumers with clear information regarding the processing of vehicle-generated data.
In summary, the safe and effective deployment of autonomous vehicles in Europe hinges on robust cybersecurity and supply chain management, which must be addressed through close coordination between legislators, industry stakeholders, and supervisory authorities. The EU ICT Supply Chain Security Toolbox stands as a key reference, offering a comprehensive and non-binding framework to guide Member States and industry in mitigating these complex risks and enhancing the resilience of the entire digital ecosystem underpinning autonomous mobility.
b. Data and accident reconstruction: EDR and the growing "technical" character of liability disputes
Another important development affecting liability and litigation in the context of autonomous and highly automated vehicles concerns the increasing availability of vehicle-generated data.
Under Regulation (EU) 2019/2144, new vehicles placed on the EU market must be equipped with several advanced safety systems, including Event Data Recorders (EDRs). These devices, often compared to aviation "black boxes", record a range of parameters immediately before, during and shortly after a collision. The recorded information may include elements such as vehicle speed, braking activity, the activation status of safety systems, and other inputs generated by the vehicle's onboard sensors and control systems.
The regulatory framework has been further specified through implementing and delegated acts, including Commission Delegated Regulation (EU) 2022/545 and more recent measures extending similar requirements to heavy vehicles. These instruments define technical standards for the recording, storage, integrity and retrieval of accident-related data, while also requiring safeguards to protect the privacy and anonymity of vehicle users.
In practice, the increasing availability of vehicle data is likely to change the way road accidents are analysed and litigated. Traditionally, accident reconstruction relied primarily on witness statements, police reports and physical evidence from the crash site. With the introduction of EDR systems and other digital logging tools, evidentiary analysis may increasingly focus on technical data, such as system logs, sensor readings, software status and alerts issued to the human driver or operator.
This evolution is particularly relevant for automated driving systems. Determining liability may require establishing whether the vehicle was operating within its operational design domain (ODD), whether the automated system issued appropriate warnings, and whether the human driver responded correctly to a takeover request. The availability of reliable data can therefore play a crucial role in clarifying whether an accident resulted from human conduct, system malfunction, or a potential product defect.
Conclusion: what's next?
The regulatory framework governing autonomous vehicles in the EU remains in a phase of gradual development. Rather than relying on a single comprehensive legal regime specifically designed for driverless mobility, current regulation is characterised by a layered approach combining vehicle safety rules, artificial intelligence governance, international technical standards and traditional road traffic law.
Within this framework, European legislation has primarily focused on ensuring the safety and certification of new vehicle technologies through instruments such as the General Safety Regulation, the EU type-approval regime and international standards developed within the UNECE system. At the same time, national legal systems, including Italy, continue to rely largely on traditional liability regimes based on the presence of a human driver, which may become increasingly difficult to apply as higher levels of automation are deployed.
Recent developments in the automotive sector illustrate this evolving regulatory landscape. For example, Tesla Full Self-Driving (FSD) systems are currently undergoing regulatory assessment in several European jurisdictions. Even where national authorities authorise the deployment of such technologies, their use may still depend on additional national approvals, safety assessments and insurance considerations.
Overall, the integration of autonomous driving technologies into European transport systems is likely to continue to proceed gradually.





