Executive Summary
On February 11, 2026, automotive cybersecurity firm VicOne released its 2026 Automotive Cybersecurity Report, revealing a fundamental shift in the threat landscape for the automotive industry. The report, titled "Crossroads: Automotive Cybersecurity in the Overlap Era," concludes that cyber incidents are no longer siloed within vehicle components but have become systemic, enterprise-wide challenges that impact entire organizations. The research shows a tripling of cross-organizational incidents in 2025, driven by the convergence of enterprise IT, cloud services, and in-vehicle systems. The report introduces the concept of the "Overlap Era," a period defined by the complex interplay of legacy hardware, software-defined vehicles (SDVs), and AI, which creates new and amplified risks. A critical finding is that a significant portion of automotive risk, including 174 zero-days, exists outside of traditional vulnerability tracking systems like CVE, creating a dangerous blind spot for the industry.
Regulatory Details
While not a regulatory document itself, the report's findings have significant implications for compliance with automotive cybersecurity regulations like UN R155 and ISO/SAE 21434. These regulations mandate a risk-based approach to cybersecurity throughout the vehicle lifecycle. The report's key findings suggest that current risk assessments may be inadequate:
- Systemic Risk: The tripling of cross-organizational incidents (161 out of 610 cases in 2025) demonstrates that a narrow, component-focused risk assessment is no longer sufficient. Regulations require OEMs to consider the entire ecosystem, and this report provides evidence that the attack surface is expanding across business units.
- The "Overlap Era": This concept describes the new reality where traditional vehicle platforms, SDVs, and AI-driven features are deeply intertwined. This technological convergence, combined with fragmented security ownership within large automotive corporations, weakens overall resilience and complicates compliance efforts.
- AI as a New Risk Vector: The report identifies compromised AI training data as a novel supply chain risk. This could lead to persistent, unpredictable vehicle behavior and presents a new challenge for regulatory compliance, which traditionally focuses on software and hardware components.
Affected Organizations
The report's findings are relevant to the entire automotive ecosystem, including:
- Vehicle Manufacturers (OEMs): Directly responsible for the security of their vehicles and compliance with regulations.
- Tier 1 and Tier 2 Suppliers: Provide the software and hardware components that make up modern vehicles.
- EV Charging Infrastructure Providers: The report explicitly mentions zero-day vulnerabilities found in EV charging systems.
- Fleet Operators and Consumers: Ultimately bear the safety and privacy risks of insecure vehicles.
Compliance Requirements
Based on the report's findings, automotive organizations must re-evaluate their compliance with key cybersecurity requirements:
- Holistic Risk Management: Organizations must expand their Threat Analysis and Risk Assessment (TARA) processes beyond the vehicle itself to include the entire corporate IT network, cloud-based over-the-air (OTA) update infrastructure, and AI development pipelines.
- Vulnerability Management Beyond CVE: The discovery of 174 zero-days outside the CVE system implies that relying solely on public vulnerability databases is insufficient. OEMs need proactive vulnerability discovery programs, such as bug bounties and internal penetration testing, as championed by VicOne's partnership with the Zero Day Initiative.
- Secure OTA Processes: With OTA updates becoming a central point of failure, the security of the end-to-end update process—from code development to cloud distribution to in-vehicle installation—is paramount.
- AI Security Governance: Organizations must develop new governance frameworks to secure their AI/ML pipelines, including verifying the integrity of training data and securing AI models against tampering.
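The in-vehicle end of the secure OTA process called for above, as an added example that is not from the VicOne report: before an ECU installs an update it authenticates the manifest, confirms the package targets this ECU, rejects rollback to an already-installed version, and binds the downloaded bytes to the attested hash. The key, payload, ECU identifiers and version numbers are constructed; HMAC-SHA256 stands in for the asymmetric release signature only so the block runs with the standard library.

```python
import hashlib
import hmac
import json

# Constructed sample key. HMAC is used only so this runs offline with the
# standard library; a real pipeline signs manifests with an asymmetric key
# kept in an HSM and the ECU holds only the public key.
RELEASE_KEY = b"example-release-key-not-for-production"

# Constructed sample firmware image and the ECU's current installed state.
PAYLOAD = b"\x7fELF...constructed firmware image bytes..."
ECU_STATE = {"ecu_id": "BCM-01", "installed_version": 7}


def _canonical(body: dict) -> bytes:
    # Canonical JSON so signer and verifier hash identical bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def make_manifest(payload: bytes, ecu_id: str, version: int) -> dict:
    """Release-pipeline side: bind the payload hash to target ECU and version,
    then sign the canonical manifest body."""
    body = {
        "ecu_id": ecu_id,
        "version": version,
        "sha256": hashlib.sha256(payload).hexdigest(),
    }
    sig = hmac.new(RELEASE_KEY, _canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}


def verify_update(manifest: dict, payload: bytes, ecu_state: dict) -> tuple:
    """In-vehicle checks before installation. Authenticate the manifest first
    so every later decision reads only attested fields."""
    body = manifest.get("body", {})
    expected = hmac.new(RELEASE_KEY, _canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest.get("sig", "")):
        return False, "manifest signature invalid"
    if body.get("ecu_id") != ecu_state["ecu_id"]:
        return False, "manifest targets a different ECU"
    # Anti-rollback: never accept a version at or below what is installed.
    if body.get("version", -1) <= ecu_state["installed_version"]:
        return False, "rollback or replay rejected"
    # Bind the bytes actually downloaded to the signed hash; this is what
    # catches tampering in cloud distribution or on the delivery path.
    if hashlib.sha256(payload).hexdigest() != body.get("sha256"):
        return False, "payload hash mismatch"
    return True, "ok"
```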
Impact Assessment
The business impact of ignoring these evolving threats is significant. A single cyber incident can now cascade across an entire organization, causing not just vehicle recalls but also factory shutdowns, data breaches, and massive brand damage. The report notes that 33% of observed risks now directly affect driver-facing systems, making incidents more visible and damaging to consumer trust. The financial and legal penalties for non-compliance with regulations like UN R155 can include being barred from selling vehicles in key markets.
Compliance Guidance
- Establish Centralized Cybersecurity Governance: Create a cross-functional cybersecurity management team with authority over vehicle engineering, IT, cloud operations, and supply chain management to break down internal silos.
- Invest in Proactive Vulnerability Discovery: Do not wait for CVEs. Establish a Vehicle Security Operations Center (VSOC) and partner with security researchers to proactively identify and remediate vulnerabilities in your products and infrastructure.
- Secure the Software Supply Chain: Implement rigorous security checks for all third-party software, including open-source libraries and AI models. Use Software Bill of Materials (SBOM) to maintain visibility into all software components.
- Adopt a "Security by Design" Approach for AI: Integrate security into the entire lifecycle of AI development. This includes securing data pipelines, testing models for adversarial attacks, and implementing monitoring to detect anomalous AI behavior in deployed vehicles.