Several European countries are investigating potential cybersecurity vulnerabilities in electric buses manufactured by China’s Yutong Group, commonly referred to as Chinese electric buses, following concerns that the vehicles could be remotely disabled. The probes, led by Norway, Denmark, and the United Kingdom, aim to determine whether the buses’ networked systems pose operational or security risks to public transport infrastructure.
Yutong, based in Zhengzhou, is one of the world’s largest electric bus manufacturers and a major supplier of Chinese electric buses to European transit networks. The investigations reflect growing scrutiny over connected transportation systems and their reliance on foreign-built software and telematics.
Concerns Over Remote Access and System Control
The cybersecurity concern surfaced when Ruter, a Norwegian public transport operator, tested one of Yutong’s new electric buses alongside a model from Dutch manufacturer VDL. During the test, conducted in a controlled underground facility, Ruter discovered that Yutong retained direct digital access to its vehicles for software updates and diagnostics, something that raised additional questions about Chinese electric buses connectivity.
The VDL bus, in contrast, did not provide its manufacturer with the same level of remote connectivity. According to Ruter’s internal report cited by NBC News, this capability theoretically allows the manufacturer to “stop or render the bus inoperable” remotely.
While no evidence of malicious activity or unauthorized control was found, the discovery prompted immediate reviews by transport authorities in neighboring countries. The Norwegian findings have since been shared with officials across Europe to assess potential implications for critical public transport systems that include Chinese electric buses.
Broader European Review Underway
In Denmark, the transit operator Movia has launched its own inquiry into the Yutong vehicles currently operating in its fleet. Chief operating officer Jeppe Gaard said the concern is not limited to Chinese-built buses but applies to all connected electric vehicles that rely on online software systems, including Chinese electric buses.
“Electric buses, like electric cars, in principle can be remotely deactivated if their software systems have online access,” Gaard explained, noting that such functionality is common across the industry for maintenance and monitoring purposes.
The United Kingdom has also opened an investigation, working with the National Cyber Security Centre (NCSC) to understand the technical findings from Norway and Denmark. A spokesperson for the Department for Transport confirmed that the government is coordinating with cybersecurity experts to evaluate whether Yutong’s system architecture presents any operational risks, especially as many cities operate Chinese electric buses as part of their fleets.
These investigations come amid wider European efforts to strengthen cybersecurity standards for connected infrastructure, particularly in transport, where digital systems are increasingly critical for safety, communication, and fleet management.
Yutong Responds to Security Questions
Yutong issued a statement acknowledging public concern and reaffirming its commitment to data privacy and vehicle safety. The company said that all customer data is securely stored in Amazon Web Services (AWS) data centers, protected by encryption, and cannot be accessed without authorization. This assurance also applies to all Chinese electric buses operating in Europe.
“Yutong understands and highly values the public’s concerns regarding vehicle safety and data privacy protection,” the company stated. “We strictly comply with applicable laws, regulations, and industry standards.”
Industry experts note that remote connectivity is a standard feature in most modern electric and autonomous vehicles, allowing for over-the-air updates, predictive maintenance, and diagnostic monitoring. However, the same technology introduces potential cybersecurity risks if not properly safeguarded.
A Push for Stronger Cyber Oversight
The investigations by Norway, Denmark, and the U.K. highlight a growing trend among European authorities to scrutinize digital access controls in foreign-built technologies used in public infrastructure. The reviews are not limited to a single manufacturer but part of a broader effort to ensure that networked transportation systems, including Chinese electric buses, cannot be manipulated or disrupted from afar.
While no countries have suspended operations of the Yutong buses, officials continue to analyze whether remote access permissions should be reconfigured to enhance cybersecurity resilience. The findings are expected to inform future policy discussions on data transparency, system access, and operational control in connected mobility platforms.
As electric and autonomous transport expands across Europe, ensuring secure connectivity will remain a top priority for both public operators and manufacturers. The ongoing Yutong investigations mark one of the first major cross-border cybersecurity reviews in the electric vehicle sector, setting a precedent for how governments approach digital safety in critical transportation systems.
Also Read: Manassas City Public Schools Cyberattack Forces Temporary Closure
