Gerhard Menzel:
We cannot relax, things are changing very fast in cybersecurity

Published November 9, 2023

One hundred years ago this year, radio communication between cars, the ancestor of V2X, was patented for the first time. To mark the occasion, we asked industry experts how they see the present and what they expect from the future of V2X. In this episode, Gerhard Menzel answers our questions, who has been responsible for building up the European security framework of C-ITS at the European Commission and now the Head of Intelligent Transport Systems at the Federal Ministry for Climate Action, Environment, Energy, Mobility, Innovation and Technology in Austria.

Europe is very much at the forefront of C-ITS. How did the EU get here?

When I was first involved with C-ITS it wasn’t even called C-ITS yet. That was in 2007, when the first EU funded research projects in Europe, CVIS and COOPERS aimed to develop safety services based on on-board units that would enable communication with the infrastructure and between vehicles. The use cases that we developed back then were very similar to what we have now. A lot of research activity was going on, and by 2013-2014, when the terms like C-ITS, V2X, V2I and V2V and other similar acronyms were created, we had very good results. The industry wanted to start deploying, but the European Commission saw that a couple of things were not quite ready yet, a lot of things were missing.

The department for mobility and transport (DG MOVE) wanted to create a new form of cooperation between private and public stakeholders to sort out and lay down what needs to be done to make C-ITS a reality.

You’ve been working on the development of security. Were you building on existing solutions?

I had a bit of an idea what the security system was about, how it should work. We didn’t invent anything, the ingredients were already there: the ETSI standards, the communication stack, the PKI concept of having trusted messages, and how it would be done. But it wasn’t the part we focused on. Although the technology was available, it became clear quite quickly that nowhere in the world had a trust model been defined for how to make this really work from an organizational and governance point of view. Any car brand in any country should have been able to communicate with each other and the infrastructure, but there wasn’t any agreement between the car manufacturers and between the member states on how to make C-ITS interoperable.


It turned out that this wasn’t a task that took one or two months, but more than six years to bring this forward.

What was the most difficult challenge?

Defining a commonly agreed policy on certificates was one of the most difficult tasks. The Commission took on the role of leading the process, but some stakeholders came in with very strong and diverging positions, for instance on security algorithm requirements. In every PKI, the certificate policy must be clearly defined and agreed by all: how many roots there are, who is responsible for them, what the terms are. It didn’t exist yet. We needed a public-private cooperation on this, because otherwise we would have had separate systems in country A and country B, at one car manufacturer and another and so on. This alone took us two years to agree on the certificate policy and write the first version.

This was published by the Commission as results of an expert group and then also in its famous Delegated Regulation on C-ITS, which did not enter into force, but was a very important signal for anyone who would use C-ITS. Regardless of the communications technology debates, it gave certainty on how security works, what the central roles are and that there will be a European PKI maintained. It became clear that we will have more than one root Certificate Authority (CA) in Europe. As a consequence of that, we designed a trust system that ensures that there’s guaranteed interoperability by design between those multiple root CAs. Other regions of the world still don’t have this commitment on how different root CAs will work together.


This certainty was one of the big drivers for the first real C-Roads deployments, and for VW to start using V2X.

These six years also include the scaleup phase, the implementation of these rules. The ECTL, the European Certificate Trust List is published, and more and more stakeholders join. We’re on a consistent path: designing the policy, implementing it, and now scaling it up. Everybody wants to be on the list, be trusted and communicate with the fleet of already V2X equipped cars and deployed road infrastructure units, and hopefully soon with even more other V2X entities.

What challenges still lie ahead for Europe?

Although certainty was there in the trust model, legal certainty was not, but this is about to change. Now the big news is that at the end of October the Council adopted the new ITS Directive, which will come into force in a few weeks. It’s all in there: a very clear legal definition of what C-ITS really is, namely a service based on exchanging secured and trusted messages, who’s the C-ITS certificate policy authority, who’s the trust list manager, who’s the C-ITS point of contact, in fact laying it all down in legislation how trust, interoperability and backward compatibility is guaranteed for all C-ITS deployment in the EU.

As for the challenges: we need to stay up to date, we need to keep reviewing the C-ITS certificate and security policy. We cannot relax, because things are changing very fast in cybersecurity. So, the challenge is not to think that everything is already done, but to keep on maintaining and shaping this now established trusted V2X eco-system.