Driving Digital: What Vehicle Manufacturers Need to Know About Europe’s Telecom Regulations

Digital services are becoming a core part of the vehicle offering. Screens and applications are now standard in modern vehicles, and passengers increasingly expect access to digital content for entertainment, communication, and productivity.

These in-car services rely on stable mobile data, typically provided through a SIM card installed in the vehicle. This connection enables streaming, browsing, and app use, often through the vehicle’s built-in infotainment system.

For vehicle manufacturers, the opportunity is clear. But the regulatory reality is complex. Across Europe, national telecom rules and related legal frameworks can affect how In-Car Connectivity Services are designed, launched, and operated.

This white paper explains why digital services offered in the car may trigger obligations under the European Electronic Communications Code, and how national differences around SIM registration, lawful interception, data retention, and consumer rights can affect connected vehicle services.

Automotive Regulatory White Paper

The white paper draws on Telenor IoT’s operational experience across more than 30 jurisdictions and includes practical examples of how legal requirements affect service design, compliance responsibilities, and time to market.

Why In-Car Connectivity Services Create Regulatory Complexity

Connected services are reshaping the car industry. Features like in-car Wi-Fi, streaming, real-time navigation, and remote software updates are no longer just optional. They influence how cars are built, marketed, and experienced.

For vehicle manufacturers, these services create new revenue opportunities, enhance brand loyalty, and extend the customer relationship beyond the initial sale.

All of this depends on In-Car Connectivity Services. These are digital services for drivers and passengers that rely on mobile data, stable connectivity, and legal compliance in every country in which a vehicle is sold or used.

Although Europe promotes cross-border digital services, national rules still vary widely. Mobile network operators and car makers face inconsistent requirements around SIM registration, permanent roaming, lawful access, and user consent. These differences make it difficult to scale connected services across the continent.

What Are In-Car Connectivity Services?

In-Car Connectivity Services are digital services accessed by drivers or passengers during private use of a passenger car, which require mobile data to function.

These services may include streaming, browsing, and app use through the vehicle’s built-in infotainment system. They rely on a stable mobile data connection, typically provided via a SIM card installed in the vehicle.

The technical setup may look straightforward. But when services are offered across European markets, the regulatory requirements can differ from country to country.

The Connectivity Vision vs Regulatory Reality

Consumers expect consistent and high-quality digital experiences wherever they drive. Vehicle manufacturers have the ambition to deliver such services at scale.

The challenge is that Europe’s legal frameworks make this difficult. Many offerings fall within the scope of national telecoms legislation, where inconsistent interpretations and obligations can create barriers to scale.

These rules do not only affect legal compliance. They can also influence product design, data flow management, platform architecture, service onboarding, and business models.

Expert View

For vehicle manufacturers, regulatory requirements are not only legal details. They can affect service design, launch timelines, data handling, and the user experience. Addressing compliance early helps create a stronger foundation for scalable in-car connectivity services.

Marie Högberg Head of Automotive at Telenor IoT

When Digital Services in the Car May Trigger EECC Obligations

Europe’s telecom rules were not designed with connected cars in mind. The current legal framework still draws a line between traditional human-to-human communications and machine-to-machine connections.

Modern vehicle services often fall somewhere in between. They can combine automated systems with direct user interaction, creating a regulatory grey zone.

Most connected vehicles today come with embedded SIM cards that support services such as internet access, over-the-air updates, and in-car entertainment. Some functions, such as remote diagnostics, may qualify as machine-to-machine communication. Others clearly involve the user.

If a driver streams music or browses the web using the car’s interface, this is no longer an automated data exchange with no or only limited human involvement. Instead, it actively engages the driver or passengers.

As a result, such use cases may no longer qualify as typical machine-to-machine communications. Due to their availability to a broad group of end users, they are more likely to fall under the definition of a publicly available electronic communications service under EU law.

That classification can bring enhanced and broader legal obligations for providers of these services, especially where they target consumers.

Human-to-Human Communications, M2M, and Connected Vehicle Services

The distinction between machine-to-machine communication and publicly available services is not always clear-cut.

Some regulators focus on whether the end user actively interacts with the service. Others assess who technically enables the connection, how the service is activated, or what kind of content is being offered.

As a result, identical technical setups may be treated very differently depending on where the car is sold or used.

Streaming, Browsing, App Use, and In-Car Wi-Fi

Services such as streaming, browsing, app use, and in-car Wi-Fi can move connected vehicle services beyond traditional automated data exchange.

If the provision involves services such as in-car Wi-Fi, BEREC has made clear that these services must be treated as Internet Access Services under the Open Internet Regulation. They must therefore comply with an extended range of requirements, such as net neutrality and transparency obligations.

Publicly Available Electronic Communications Services

The European Electronic Communications Code provides the core legal framework, but as a directive, it must be implemented into national law by each Member State.

Each country has taken its own approach. This creates inconsistency for companies building cross-border connectivity solutions and can lead to delays, compliance complexity, and additional cost.

One Vehicle, Many Rules: The Layers of Telecom Laws

If In-Car Connectivity Services fall into a specific regulatory category, they may be subject to rules on SIM card registration, user identification, lawful interception, data retention, and consumer protection.

As BEREC, the body of European telecom regulators, has observed, there is no unified approach to how these rules are applied across markets.

What appears to be a harmonized EU framework is, in practice, applied very differently. This affects not just legal compliance, but also product design, data flow management, and business models.

Until more legal certainty is achieved, companies operating in this space must navigate a complex and fragmented regulatory landscape, one country at a time.

General Authorization and Notification Rules

One of the first regulatory hurdles for providers is the general authorization framework under the European Electronic Communications Code.

This framework is intended to simplify market entry by replacing individual licenses with a lighter, notification-based regime. However, notification is not mandatory across all Member States. Each country decides whether notification is required, as well as the requirements for a valid notification.

For example, France and Denmark do not require notification to the national telecom authority. Others, such as Germany, Spain, and Austria, mandate it before service provision begins.

This distinction is often misunderstood. If no notification is required, that does not mean no other telecom obligations apply. The European Electronic Communications Code applies to all providers of electronic communications services, regardless of notification. Consumer protection, data security, and cooperation with public authorities remain binding obligations.

Even where notification is required, the process is rarely simple. Requirements can include registration on national telecom portals, official company documents, identification of authorized representatives, tax registration or local fiscal identifiers, police clearance or criminal record certificates, inconsistent formats and guidance, and payment for the notification of services.

For car makers, these regulatory nuances can affect how quickly and reliably digital services are launched in new markets.

Data Retention for In-Car Connectivity Services

Data retention refers to the requirement to store certain metadata about users and their communication sessions so that it can be accessed by law enforcement when legally requested.

While the European Court of Justice has ruled that general and untargeted data retention is not permitted, Member States may still impose national retention obligations under specific conditions. The result is a fragmented and fast-moving regulatory landscape.

The complexity begins with the types of data that may need to be retained. This often includes subscriber data, traffic data, and location data.

Each country defines these categories differently and sets its own rules for how long data must be stored. In some Member States, there is no legal obligation to retain any data. In other Member States, providers are required to store specific datasets with retention periods that vary by type.

These differences have a direct impact on system design, requiring providers to adapt storage, security, and access control processes for each jurisdiction.

Subscriber Data, Traffic Data, and Location Data

The white paper identifies three categories that are often relevant to data retention.

Subscriber data identifies who is using the service. Traffic data can include IP addresses, source and destination of communication, and timestamps. Location data indicates where a device was at a given time.

Different countries define and apply these categories differently. This can require providers to configure separate retention windows, maintain country-specific consent procedures, or make it possible to access data locally.

Traffic Data: The Most Divergent Category

Among all categories, traffic data is one of the most inconsistently regulated.

A central question is whether a provider must retain information about the destination of communication, for example websites accessed.

Some countries, such as Germany and Belgium, prohibit storing destination data unless certain legal criteria are met. Others, including Poland and Romania, mandate that such data be retained.

Even within a single country, retention periods can differ depending on the type of traffic data.

Subscriber Verification and SIM Registration

Data retention is often confused with subscriber verification, but the two are distinct legal obligations.

Some Member States require SIM card registration. This means the provider must collect and verify the user’s identity using a valid passport or national ID.

Austria goes further by requiring that every SIM card, including prepaid or machine-to-machine subscriptions, be linked to a verified user identity.

Most of these verification laws were designed for traditional mobile phone subscriptions. They are not well suited to connected vehicle use cases, where the user is not always the account holder.

In many cases, the mobile subscription is held by the car manufacturer, leasing provider, or a dealership.

Why Traditional SIM Registration Rules Are Challenging for Connected Vehicles

Subscriber verification affects how useful retained data is for law enforcement. If anonymous or pseudonymous use is permitted, it becomes harder to connect a communication session to a specific person.

Connected vehicles create a challenge because the account holder and the user may not be the same. This makes traditional subscriber verification harder to apply to In-Car Connectivity Services.

Linking SIM Cards to a Vehicle Identification Number

Recognizing this gap, some regulators have proposed alternative mechanisms.

The Belgian regulator BIPT and the UK’s Ofcom have pointed out that linking SIM cards to a vehicle identification number offers an effective traceability method. This allows law enforcement to cross-reference SIM use with national vehicle databases.

The white paper describes this as a practical solution, particularly in scenarios where the vehicle’s end user may change frequently.

Lawful Access and Interception: What Car Makers Must Prepare For

If vehicles integrate services such as streaming, gaming, or voice assistants, these offerings might be classified as publicly available electronic communications services.

As a result, they may be subject to telecom obligations, including requirements to support lawful access.

Lawful access means providing law enforcement with information about users or their sessions when legally requested. While the connectivity partner typically handles this, the responsibility and reputational risk can still impact the vehicle manufacturer’s brand.

Subscriber verification and data retention both serve the same purpose: enabling lawful access. Often referred to as lawful interception, this allows police or intelligence agencies to request data as part of an investigation.

Although EU law provides a general framework, the rules are applied very differently across Member States.

Some countries require real-time interception systems. Others accept secure handovers upon request.

From August 2026, the EU e-Evidence Regulation will allow law enforcement in one country to send binding orders directly to service providers in another, without involving local authorities.

For pan-European services, the lack of a harmonized framework can create legal uncertainty and delays. Even basic terms like “valid request” or “required data” are interpreted differently from one country to another.

Many providers underestimate the scale of the issue. Between 2020 and 2022, EU law enforcement issued over 172,000 cross-border data access requests. In 2022 alone, there were more than 4,500 emergency requests, often with less than 24 hours to respond.

To manage this, providers need clear internal procedures for receiving and verifying requests, retrieving the correct data, documenting what is shared, and transmitting information securely.

Consumer Protection Obligations for In-Car Connectivity

Beyond registration and data rules, In-Car Connectivity Services also include a wide set of consumer protection obligations under the European Electronic Communications Code.

These rules are well established for traditional telecom services, but they are often challenging to match for in-car connectivity, especially when the connectivity is embedded, seamless, and offered at no visible cost to the user.

If a car maker or its partner is classified as a regulated provider, requirements generally apply around clear and accessible contracts, standardized contract summaries, transparency on speeds and quality, complaint handling, switching operator, bundled services, and contract duration rules.

These rules are not abstract. If a car manufacturer is classified as the provider, it may become subject to the full range of consumer protection obligations under the European Electronic Communications Code.

Each country interprets and enforces these rules differently. A service launched in five Member States could require five sets of documents, five languages, and five processes.

Contracts, Contract Summaries, and Transparency

Customers must receive clear and accessible contracts in a durable format, including terms in a comprehensible way.

A concise, EU-wide contract summary is mandatory before agreement.

Providers must also disclose typical upload and download speeds and how deviations are handled.

Complaint Handling, Switching, Bundled Services, and Contract Duration

Providers must offer user-friendly complaint procedures with set timeframes for responses.

If the car allows SIM changes or switching between connectivity providers, user rights around continuity and number portability may apply.

Limitations on lock-in periods and contract extensions may also apply if the connectivity is part of a broader vehicle offering.

Connectivity at Scale Requires Clarity at the Core

The ambition is clear: create seamless, branded, and scalable digital experiences in connected vehicles across Europe.

But the regulatory path is anything but simple. Every feature, from Wi-Fi hotspots to streaming, brings a web of legal obligations that differ by country, evolve over time, and often reflect outdated assumptions about how internet services are delivered.

This white paper touches on authorization regimes, data retention, subscriber verification, lawful access, and consumer protection. Questions around numbering resources, VAT treatment, emergency call compliance, and spectrum use remain equally complex and are under active discussion in many Member States.

These challenges can be addressed by integrating legal compliance into the service design from the beginning.

Becoming a Service Provider or Partnering With a Regulated Connectivity Provider

Vehicle manufacturers can manage regulatory complexity by becoming a service provider themselves or by partnering with a regulated connectivity provider.

Where vehicle manufacturers consider becoming a registered service provider themselves, they should be prepared for a more complex and time-consuming process than it may appear on paper. Each notification must be tailored to national requirements, and the initial setup often involves coordination across legal, technical, and compliance teams.

By working with a regulated connectivity provider, vehicle manufacturers can retain control over the user experience while relying on the provider’s regulatory expertise and compliance infrastructure.

Where Telenor IoT is the regulated provider, Telenor IoT takes ownership of consumer protection compliance, including documentation, national implementation differences, and regulatory interaction.

How IoT Drive and Consumer Connect Support In-Car Connectivity

Telenor IoT has been shaping connected mobility for over 20 years, powering millions of connected cars worldwide.

Consumer Connect, part of the IoT Drive solution, is built on Telenor IoT’s Managed Connectivity service. It helps automakers deliver seamless user experiences while meeting regulatory requirements and supporting new business models.

Modern cars are now software-defined devices on wheels. From telematics and eCall to over-the-air updates, ADAS, infotainment, and energy management, every function relies on secure, always-on connectivity.

Consumer Connect supports:

Dual data plan support, including OEM-sponsored and end user-paid options
API-based integration for a fully branded OEM user experience
Local IP allocation aligned with the driver’s home country for localized services
End-user KYC and consent management
Telenor IoT acting as the ISP toward end users to support regulatory alignment

With global scale and decades of expertise, Telenor IoT helps automakers accelerate launches, remain compliant across markets, and deliver the reliable digital services today’s drivers expect.

Frequently Asked Questions

What Are In-Car Connectivity Services?

In-Car Connectivity Services are digital services accessed by drivers or passengers during private use of a passenger car, which require mobile data to function.

They may include services such as streaming, browsing, and app use, often through the vehicle’s built-in infotainment system.

Why May Digital Services Offered in the Car Trigger EECC Obligations?

Digital services offered in the car may trigger obligations under the European Electronic Communications Code when they move beyond automated machine-to-machine communication and actively involve drivers or passengers.

If a driver streams music or browses the web using the car’s interface, the service may no longer qualify as typical machine-to-machine communication. It may instead fall under the definition of a publicly available electronic communications service under EU law.

How Do M2M Communications Differ From Consumer-Facing In-Car Services?

Machine-to-machine communications usually involve automated data exchange with no or only limited human involvement.

Consumer-facing in-car services involve drivers or passengers actively using the connection, for example to stream music or browse the web through the car’s interface.

This distinction matters because consumer-facing services may bring enhanced and broader legal obligations for providers, especially where they target consumers.

What Authorization or Notification Rules May Apply?

The European Electronic Communications Code includes a general authorization framework intended to simplify market entry. However, notification is not mandatory across all Member States.

Some countries do not require notification to the national telecom authority. Others mandate it before service provision begins.

Even when no notification is required, other telecom obligations may still apply, including consumer protection, data security, and cooperation with public authorities.

What Is the Difference Between Data Retention and Subscriber Verification?

Data retention refers to storing certain metadata about users and communication sessions so that it can be accessed by law enforcement when legally requested.

Subscriber verification is a separate obligation. Some Member States require SIM card registration, which means the provider must collect and verify the user’s identity using a valid passport or national ID.

What Lawful Access Obligations Should Car Makers Prepare For?

Lawful access means providing law enforcement with information about users or their sessions when legally requested.

The connectivity partner typically handles this, but responsibility and reputational risk can still impact the vehicle manufacturer’s brand.

Providers need clear internal procedures for receiving and verifying requests, retrieving the correct data, documenting what is shared, and transmitting information securely.

What Consumer Protection Obligations May Apply to In-Car Connectivity?

If a car maker or its partner is classified as a regulated provider, consumer protection requirements generally apply.

These may include clear and accessible contracts, standardized contract summaries, transparency on speeds and quality, complaint handling, switching operator, bundled services, and contract duration rules.

How Can Vehicle Manufacturers Manage Regulatory Complexity?

Vehicle manufacturers can manage regulatory complexity by becoming a service provider themselves or by partnering with a regulated connectivity provider.

If they consider becoming a registered service provider themselves, they should be prepared for a more complex and time-consuming process than it may appear on paper.

By partnering with a regulated connectivity provider, vehicle manufacturers can retain control over the user experience while relying on the provider’s regulatory expertise and compliance infrastructure.

Download the Automotive Regulatory White Paper

Connected vehicle services can create new opportunities for vehicle manufacturers, but they also bring regulatory complexity across European markets.

Download the white paper Driving Digital: What Vehicle Manufacturers Need to Know About Europe’s Telecom Regulations to explore the telecom rules, national differences, and operational implications affecting In-Car Connectivity Services.

Telenor IoT's Automotive Offering

IoT Drive

Global vehicle connectivity with built-in compliance and support for software-defined vehicles, helping car manufacturers deliver connected services at scale.

Consumer Connect: In-Car Service Platform for OEMs

Consumer Connect is part of Telenor IoT Drive, giving automakers full control of in-car services. OEMs can create new revenue streams, keep every touchpoint inside their brand, and rely on Telenor IoT to handle compliance and connectivity complexity across markets.