Automotive programs are moving faster than many engineering teams planned for. Regulatory pressure — from UN R155/R156 (WP.29) and ISO/SAE 21434 to the forthcoming EU Cyber Resilience Act — is reshaping expectations for how identity, signing, and software integrity are managed across the entire ECU and OTA lifecycle. At the same time, SERMI is redefining workshop and diagnostic access, introducing strong authentication into processes that were previously loosely governed.

Yet the most telling shift is coming from inside the engineering function itself.

Across OEMs and manufacturing partners, we’re seeing the same systemic challenges repeat:

• Certificates and key material expiring in-fleet, leading to preventable update failures.
• Rollback and OTA validation gaps caused by inconsistent signing chains across ECU generations.
• Workshop and diagnostic tools being rejected as SERMI-driven identity enforcement increases.
• Provisioning differences between regions and suppliers, only discovered during OTA or service events.
• Identity drift across ECU variants, fragmenting trust models as platforms scale and evolve.

These are not isolated defects — they’re symptoms of structural identity complexity. As OEMs introduce new ECU platforms, modernise OTA pipelines, or transition toward zonal and service-oriented architectures, even small inconsistencies in identity and provisioning practices create downstream friction.

The result is a growing recognition across engineering teams:

“Identity is becoming the bottleneck in our vehicle programmes.”

This micro-brief is part of our Automotive Engineering Series.

If these patterns look familiar across your ECU, OTA, or manufacturing workflows, the extended breakdown below provides examples and insights drawn from real-world automotive programs.

Read the full Automotive Engineering Insight

A deeper exploration of the identity, OTA, and provisioning trends emerging across global OEM engineering teams — and what it means for securing and scaling modern vehicle platforms