Rust in the VehicleWhy the Language Issue Has Become A Regulatory Issue
From
Daniel Frassinelli * | Translated by AI
6 min Reading Time
The choice of programming language for vehicle control units was long considered to be purely a question of development. Since a UN regulation has become mandatory for all newly registered vehicles in the EU and European manufacturers are delivering the first Rust-based ECU software in series vehicles, this has become a decision that affects architecture, approval and purchasing.
Which programming language is used to write vehicle software? This question is now moving into areas where decisions are made about architecture, risk and approval.
(Image: freely licensed at Pexels)
As a co-founder of a company that develops and delivers software for vehicle control units, I am observing a shift that is now also affecting product liability and strategy. The question of which programming language is used to write vehicle software is leaving the development offices and moving into areas where decisions are made about architecture, risk and approval. In 2026, European manufacturers will deliver Rust-based software in production vehicles for the first time. This is not an experiment, but a reaction to requirements that have been in force since mid-2024.
What the UN Regulation Has Triggered
UNECE R155 is the UN regulation on vehicle cyber safety. It has been mandatory for all new vehicles registered in the EU since July 2024. Since then, manufacturers and suppliers have had to prove that their vehicle software can be monitored for cyberattacks, evaluated and updated if necessary. The focus is on cryptographic functions, update mechanisms for wireless software updates and all components that process external data. This is precisely where the most dangerous software errors are located.
What is changing as a result of the regulation is not so much a new feature, but the obligation to provide evidence. Anyone who wants to register a new vehicle today must demonstrate how the software is monitored and safeguarded over the entire life cycle. This changes the evaluation of programming languages. What was purely a development decision yesterday is now part of a dossier that has to stand up to the authorities and certification bodies.
Why Memory Errors Are Becoming A Key Issue
A study by the Microsoft Security Response Center and the Google Chrome Security Program shows that 60 to 70 percent of security vulnerabilities in embedded systems can be traced back to memory problems. This refers to errors in which software accesses memory that it should not access or memory that has already been released. The problem with this error class is that it is often not visible in the vehicle.
On a desktop operating system, a protection mechanism usually intercepts a memory corruption and generates a visible crash. On a microcontroller in a vehicle, this protection is missing in many cases. A corrupted state can go unnoticed and lead to unreliable sensor data or malfunctions in safety-critical systems. In production, this is the class of error that is the most difficult to reproduce and the most expensive to rectify.
Rust addresses this problem at language level. The ownership model, the language's core mechanism for memory management, determines at the time of compilation which program parts may access which memory area and when. Illegal accesses are not intercepted at runtime, but rejected by the compiler. Code that cannot be built cannot cause any damage in the field.
What European Manufacturers Deliver Today
Anyone who has so far rejected Rust in the automotive sector with the argument that it lacks series references will have fewer arguments in 2026. Every Volvo EX90 and Polestar 3 that rolls off the production line today has a low-power control unit whose firmware is written entirely in Rust. Ampere, the electric mobility brand of the Renault Group, has trained over 200 developers in Rust and uses the language specifically in safety-relevant components. This includes cryptographic operations and the processes for firmware updates. Ampere is planning to use Rust at ASIL B level for the next generation of driver assistance systems. In order to be able to use Rust at level B in series production today, qualified compilers and certified parts of the standard library are required. This infrastructure has visibly grown since Embedded World 2026.
Not A Language Debate, But An Architectural Issue
Rust does not replace C. Anyone who claims this does not know the reality of industrial embedded development with product life cycles of 15 years. The question that development management and purchasing must answer today is different. Where does the change reduce the overall risk, and where does it increase it?
AUTOSAR Classic is implemented in C and has been validated in the field for decades. Rewriting hardware-related drivers that have already been certified at the highest safety level under existing tool chains makes no economic sense. The C ecosystem for these layers is mature, audited and its error behavior is well understood. The pragmatic answer is provided by the AUTOSAR runtime environment, i.e. the interface between the application and basic software. A number of automotive software providers now enable Rust components on this layer. Existing C code and new Rust code coexist in the same ECU project. This is not a compromise, but an engineering reality.
Date: 08.12.2025
Naturally, we always handle your personal data responsibly. Any personal data we receive from you is processed in accordance with applicable data protection legislation. For detailed information please see our privacy policy.
Consent to the use of data for promotional purposes
I hereby consent to Vogel Communications Group GmbH & Co. KG, Max-Planck-Str. 7-9, 97082 Würzburg including any affiliated companies according to §§ 15 et seq. AktG (hereafter: Vogel Communications Group) using my e-mail address to send editorial newsletters. A list of all affiliated companies can be found here
Newsletter content may include all products and services of any companies mentioned above, including for example specialist journals and books, events and fairs as well as event-related products and services, print and digital media offers and services such as additional (editorial) newsletters, raffles, lead campaigns, market research both online and offline, specialist webportals and e-learning offers. In case my personal telephone number has also been collected, it may be used for offers of aforementioned products, for services of the companies mentioned above, and market research purposes.
Additionally, my consent also includes the processing of my email address and telephone number for data matching for marketing purposes with select advertising partners such as LinkedIn, Google, and Meta. For this, Vogel Communications Group may transmit said data in hashed form to the advertising partners who then use said data to determine whether I am also a member of the mentioned advertising partner portals. Vogel Communications Group uses this feature for the purposes of re-targeting (up-selling, cross-selling, and customer loyalty), generating so-called look-alike audiences for acquisition of new customers, and as basis for exclusion for on-going advertising campaigns. Further information can be found in section “data matching for marketing purposes”.
In case I access protected data on Internet portals of Vogel Communications Group including any affiliated companies according to §§ 15 et seq. AktG, I need to provide further data in order to register for the access to such content. In return for this free access to editorial content, my data may be used in accordance with this consent for the purposes stated here. This does not apply to data matching for marketing purposes.
Right of revocation
I understand that I can revoke my consent at will. My revocation does not change the lawfulness of data processing that was conducted based on my consent leading up to my revocation. One option to declare my revocation is to use the contact form found at https://contact.vogel.de. In case I no longer wish to receive certain newsletters, I have subscribed to, I can also click on the unsubscribe link included at the end of a newsletter. Further information regarding my right of revocation and the implementation of it as well as the consequences of my revocation can be found in the data protection declaration, section editorial newsletter.
Even within the Rust ecosystem, safety certification is not a binary switch. Ferrocene, the certified Rust tool chain for safety-critical applications, is qualified to ASIL D for the compiler and currently to ASIL B for parts of the core library. The ecosystem is continuously closing these gaps, but anyone working at the highest safety levels today must factor this into the architecture decision.
Where Rust Has the Greatest Leverage in the Vehicle Today
From the perspective of a company that develops and supplies Rust-based software for control units ranging from the Infineon Aurix TriCore to Linux-based high-performance systems, three fields of application have crystallized.
The software layer between hardware abstraction and the actual vehicle function is growing in complexity the most. Parallel processes, asynchronous communication between components and a state model that can be corrupted globally if the memory management is faulty. The mechanism that Rust uses to prevent parallel write accesses at compile time is the most direct way of dealing with this and eliminates an error class that is one of the most complex debugging cases in C code bases.
The second group comprises components with an attack surface. Cryptographic functions, update handlers and parsers for external messages are the places where memory errors do not lead to malfunctions, but to exploitable security vulnerabilities. Here, structural memory security is not a technical virtue, but a regulatory expectation. If you want to demonstrably fulfill UNECE R155, you will have to justify for these components why you are foregoing the security guarantees that Rust provides at language level.
The third group are new platforms without old stock. Anyone developing a new control unit from scratch today does not have any
There is no longer any objective reason to insist exclusively on C. In greenfield projects, migration costs are completely eliminated, the choice of tools is free, and the team can work with the language's security guarantees from the outset instead of having to create them later using external analysis tools.
The List of Excuses is Getting Shorter
For technical decision-makers, the more productive question is no longer "Rust or C?", but rather: Which components carry the least overall risk, technically, regulatory and economically, with which language? This is an architectural decision, not a language debate.
What has changed in 2026 is concrete. Vehicle manufacturers deliver series vehicles with Rust components. Regulatory requirements are becoming more concrete. Certification infrastructure is growing. Anyone setting up a new ECU platform today will have to justify why they are not using Rust, and no longer the other way around.
So the question is no longer whether Rust belongs in the vehicle. Rather, which components should be migrated first and with what technical and regulatory justification. (se)
Daniel Frassinelli is co-founder and CTO at Veecle GmbH.
:quality(80)/p7i.vogel.de/wcms/d8/f3/d8f30db5600432833565a4677c6f31be/screenshot-202026-03-03-20151742v1.png "Bridge components require the highest quality: The Easy Grinder fulfills this requirement. (Source: Teqram)")
:quality(80)/p7i.vogel.de/wcms/aa/fe/aafed03faf2d2a8643fbe2fa7d53a299/0130883828v1.jpeg "Stable material flow: OHT systems automatically transport sensitive wafers through production in protected FOUP containers. (Image:ALEX_GRETTER)")
:quality(80)/p7i.vogel.de/wcms/5e/73/5e73f5bc660738c0baeb8190cf894590/0130898283v1.jpeg "React immediately! Monometals already have useful properties, but alloys are even more useful. Researchers at KIT therefore want to use metallic nanopowders (symbolic image) to try and develop alloys that were previously impossible. (Image:Metal Heart)")
:quality(80)/p7i.vogel.de/wcms/57/f1/57f19b159f5491725e59c114ddd16331/0113143253v1.jpeg "In our China Market Insider, we regularly provide you with relevant information directly from China. (Image:© Eisenhans - stock.adobe.com)")
:quality(80)/p7i.vogel.de/wcms/66/b6/66b68f3adb3fa100b4338e0d6c83b9ba/0130920321v1.jpeg "Trumpf has found a more productive way of welding copper conductors to busbars very quickly and reliably using a laser. This makes the time-consuming screw connection obsolete ... (Picture:Trump)")
:quality(80)/p7i.vogel.de/wcms/87/b4/87b4eee1466def5499e8147f19744016/0130876930v1.jpeg "The market for cobots is set to grow rapidly over the next few years. ABB is taking advantage of this prospect and is launching the ultra-fast-acting cobot family called Powa ... (Image:ABB)")
:quality(80)/p7i.vogel.de/wcms/c3/8a/c38a10479e5bc6748f5be24a5fb46890/0130879174v1.jpeg "According to Savills' calculations, Europe's growing market for data centers will increase demand for logistics space by a whopping 8.5 million square feet. (Picture: ©DKPhoto - stock.adobe.com)")
:quality(80)/p7i.vogel.de/wcms/1f/46/1f46342b2f0dd64f7e8a1d1c6190948c/0130857572v1.jpeg "Hexagon, the Swiss expert for humanoid robot systems, such as the Aeon here, has know-how that Schaeffler now also wants to use as part of a cooperation. Read here what this is all about ... (Image:Hexagon Robotics)")
:quality(80)/p7i.vogel.de/wcms/42/f0/42f05894fe2f2c56ed34ab84fa3e7e4f/pm1826-1-3500x1968v1v1.jpeg "With the material Iglidur A351, Igus has developed a new bisphenol-free and FDA-compliant material that is approved for contact with food and is particularly resistant to cleaning chemicals and high temperatures of up to 356°F. (Image:Igus)")
:quality(80)/p7i.vogel.de/wcms/64/f6/64f6843ae30267c5c3f8e930d9b4d28a/iap-teaser-gross-1000px-x-800px-1000x563v1v1.jpeg "The newly developed biomimetic tissue substitute opens up new approaches for high-performance implants - demonstrated here on a printed pericardium. (Image:Fraunhofer IAP)")
:quality(80)/p7i.vogel.de/wcms/78/4e/784e2e52da701049408ebf90a497198f/0130734639v1.jpeg "The combination of smart sensors and intuitive software such as the Baumer Sensor Suite makes it extremely easy for users to use IO-Link. (Image:Baumer)")
:quality(80)/p7i.vogel.de/wcms/fd/25/fd2542c4abb445427a3044120703e917/0130799156v1.jpeg "Supply chains: Not only external, but also internal company weaknesses have a negative impact on the ability to deliver. (Image:freely licensed)")
:quality(80)/p7i.vogel.de/wcms/63/65/63658d1f2e2f6d9d82c4d748b76089b9/0130919056v1.jpeg "Which programming language is used to write vehicle software? This question is now moving into areas where decisions are made about architecture, risk and approval. (Image:freely licensed at Pexels)")
:quality(80)/p7i.vogel.de/wcms/8e/c9/8ec975064f4a4cbe027aa15166acb9bf/0130922769v1.jpeg "The OM M-Series marks a structural change in the architecture of charging infrastructure. (Image:ABB E-Mobility)")
:quality(80)/p7i.vogel.de/wcms/93/41/93413edb6f97cb435bad8da22f4f7d8a/0130816946v1.jpeg "The yoke steering wheel in the Lexus not only ensures comfortable steering, but also a better view (Image:Lexus)")
:quality(80)/p7i.vogel.de/wcms/2a/ac/2aac0d28ac5cb0a1c7bee37ce4b9576f/0130910559v1.jpeg "Porsche sells its shares in Bugatti Rimac and the Rimac Group. (Image:Porsche)")
:quality(80)/p7i.vogel.de/wcms/15/3f/153fa58cfd3e8238f0975376fbd4b64f/0130834955v1.jpeg "A gap between two material layers of molybdenum sulphide (MoS₂) and hafnium oxide (HfO₂), which are only bound together by van der Waal forces. As studies by TU Wien show, this tiny gap can have drastic effects for semiconductors based on such 2D materials. (Image:TU Vienna)")
:quality(80)/p7i.vogel.de/wcms/e9/51/e9519f6f6e2aedcf896e1306e37d7642/0130872105v1.jpeg "Figure 1: Principle of a sidecar solution for supplying power to AI data centers. (Image:TI)")
:quality(80)/p7i.vogel.de/wcms/4b/97/4b974b018c76a1e54ed5a624a213ce2f/0130907348v1.jpeg "During material and surface inspection, sources of error in the nm range must be reliably detected. Accordingly, the interaction between the positioning system and 3D measurement technology must be perfect. Even highly reflective or transparent surfaces must not lead to errors. (Picture:LMI and PEAK Metrology)")
:quality(80)/p7i.vogel.de/wcms/d7/dc/d7dcb6a8e3fbefbf1db738f128108aa6/0130804280v1.jpeg "Zone trigger: When conventional edge or pattern triggers reach their limits, the time has come for the zone trigger. By simply drawing zones on the oscilloscope display, rare anomalies can be isolated with pinpoint accuracy. (Picture:Rohde & Schwarz)")
:quality(80):fill(efefef,0)/p7i.vogel.de/wcms/68/a7/68a7075266a4a/shining-wp-titelbild-396054.png "Shining WP Titelbild 396054")
:quality(80)/p7i.vogel.de/wcms/05/5c/055c523a3be81da64c15c017bbd25348/0129529705v1.jpeg "Memory errors such as buffer overflows or use-after-free jeopardize the stability of vehicle software. Formal verification helps to turn tested software into verifiably safe systems. (Image:Dall-E / AI-generated)")
:quality(80)/p7i.vogel.de/wcms/88/c0/88c0efef674e9a92a9438c4ca87232b4/0127890201v1.jpeg "A large number of different programming languages are used in the development of software for the automotive sector. But which language is best suited to meet the stringent requirements of cybersecurity? (Image:freely licensed)")