European Commission ·

EU amends vehicle OBD and repair-information access rules (Delegated Regulation 2026/699)

Vehicle manufacturers must implement the Appendix X procedures for secure, standardised OBD and RMI access (authentication, pseudonymised traceability, API provision, server availability and cybersecurity checks) so independent operators obtain non-discriminatory, machine-readable diagnostic and repair data

Change
Commission Delegated Regulation (EU) 2026/699, published 3 June 2026, amends Regulation (EU) 2018/858 to require standardised, machine-readable access to vehicle on-board diagnostics (OBD) and repair-and-maintenance information (RMI) and to impose detailed authentication, traceability, API, server-availability and cybersecurity procedures, with entry into force 20 days after publication and phased compliance dates through 23 June 2028.
Why it matters
Creates procedural boundaries for access to vehicle data: manufacturers must publish standardised, machine-readable RMI and provide information packages and APIs under defined terms and timing, including VIN-specific API access from 23 June 2027 and staged software-update operations through 23 June 2028. Diagnostic tools and their manufacturers must meet specified cybersecurity attestations (e.g., TISAX or ISO 27001 when required), support authentication and traceability requirements, and supply access-related logs; manufacturers can require online connections and limit credential validity for software-changing operations but may suspend access only under the Appendix's procedures and subject to approval-authority review.
Implications
  • Vehicle manufacturers' type-approval and compliance teams must publish standardised, machine-readable RMI packages, maintain required server availability, and provide mandated APIs and software/information by the Regulation's phased dates — failing to implement the Appendix X procedures removes the basis for the approval authority's presumption of satisfactory access arrangements.
  • Diagnostic tool manufacturers' product and security teams must obtain and document compliance with the specified cybersecurity requirements (e.g., TISAX level or ISO 27001) and provide attestation and integration information to vehicle manufacturers — absent such attestations vehicle manufacturers may refuse to issue access credentials, blocking tool access to OBD/RMI.
  • Independent repairers' operations and remote service suppliers must hold an accredited CAB approval inspection certificate and authorised-employee inspection certificates and meet the authorisation criteria (including the mandatory liability insurance amounts) to obtain security-related RMI access — without those certificates manufacturers can refuse credentials and deny access.
Who is affected
  • Vehicle manufacturers' type-approval and compliance teams
  • Diagnostic tool manufacturers' product and security teams
  • Independent repairers' operations teams and remote service suppliers
What to watch
  • 23 June 2027 — manufacturers must provide VIN-specific API access and allow viewing/updating of electronic maintenance history under the specified conditions; integration information deadlines for software-update operations also apply on this date.

This is the part most alerts miss — who's affected, what moves first, what to watch. Create a free account to keep your decision trail and get the next relevant change in your inbox.

View on European Commission
Got Questions?

Ask what this change means — grounded in this brief. Source linked for final checks.

Clarify™ · Grounded, not generic

Why not a general AI assistant?

A general assistant will answer almost anything — including beyond what it actually knows, which is where drift and hallucination come from. Ask it the same question twice and you can get two different answers — no good when you need a record you can stand behind.

Clarify™ works differently. It answers only from the specific brief in front of you and its cited primary source. Ask something the brief doesn’t cover and it says so, rather than inventing an answer — and the same question returns a consistent, grounded answer every time. The trade-off is deliberate: narrower, but defensible enough to act on.

Clarify with AI — Pro only

You asked:

Clarify turns any brief into answers specific to your role and exposure.

Pro includes

Implications — what this change may force you to review
Who is affected — which people, workflows, or obligations are touched
What to watch — dates, deadlines, and triggers that matter next
Real-time alerts — delivered when a decision-forcing change is published
Clarify with AI — ask what this change means for you

$29/month · Founding rate, locked for life. Cancel anytime.

Create a free account to keep clarifying

You asked:

You've used your free guest questions for now. A free account gives you more every month and saves your history — or start a Pro trial for unlimited Clarify and real-time alerts.

Pro includes

Implications — what this change may force you to review
Who is affected — which people, workflows, or obligations are touched
What to watch — dates, deadlines, and triggers that matter next
Real-time alerts — delivered when a decision-forcing change is published
Clarify with AI — ask what this change means for you

Free account: no card, ever. Pro trial: $29/month after 14 days, no card to start, cancel anytime.

Awareness was never the problem. Translation is.

Your team doesn't miss the change — it loses hours turning a 60-page regulator notice into “what do we actually do.” OwlBrief delivers that as a sourced, decision-ready brief the moment a change publishes.

Get the next brief free →
Similar briefs