Chinese Buses, European Fears, and the Truth About Connected Fleets

Support CleanTechnica’s work through a Substack subscription or on Stripe.

A small test in Norway triggered a European debate about connected vehicles and national security. Engineers at Ruter, Oslo’s public transit agency, ran an inspection on new Chinese-made Yutong electric buses before accepting them into service. During controlled testing, they found that the buses’ remote diagnostics system allowed the manufacturer to connect directly for maintenance and software updates. The engineers concluded that this same pathway, in theory, could be used to stop a bus. No one suggested that it had been.

No data had been stolen, no bus had been disabled, and the connection appeared to be used only for legitimate updates. Still, the finding moved quickly through the press and across borders. Danish authorities launched an investigation into Yutong buses operating in Copenhagen. The UK Department for Transport and the National Cyber Security Centre began similar reviews. Yutong responded that the data were encrypted, stored on servers in Frankfurt, and compliant with European privacy and cybersecurity rules.

What the Norwegian engineers found was not an isolated design feature. It was a normal element of how modern vehicles are built. Buses, trucks, and cars from almost every manufacturer now carry telematics modules that record and transmit data for diagnostics, predictive maintenance, and energy management. These systems send operational data like speed, power demand, and battery health to cloud servers. They also allow over-the-air software updates, which replace manual servicing with wireless patches and performance improvements. This architecture is common to Volvo, Daimler, MAN, BYD, and others. It is a result of the global shift from mechanical vehicles to what the industry calls software-defined vehicles.

Europe has already written regulations that assume remote connectivity is part of the baseline. Two United Nations standards, UN R155 and R156, set cybersecurity and software-update requirements for all new vehicle types. These became mandatory for new models in 2022 and for all new registrations in 2024. They require manufacturers to document access pathways, authentication methods, and the processes used to control updates. In other words, Europe expected vehicles to be online and built a framework to manage the risk. What Ruter’s engineers demonstrated was not a loophole unique to Chinese manufacturers, but the natural result of connected design before those standards fully took hold.

There is a real technical risk embedded in this evolution. Any remote access channel can become a vulnerability if not properly governed. If a manufacturer or contractor retains control over live systems, a compromised account or server could in theory interrupt service or safety-critical functions. The same applies to weak encryption or poor network segmentation. These are the kinds of weaknesses that regulators are now addressing through certification and third-party testing. They are problems of engineering and governance, not nationality. It was responsible for Ruter to raise the issue, and for other operators to verify their own fleets. What followed in public discourse, however, drifted away from that technical focus.

When the story reached international media, the framing changed. Headlines warned that Chinese-made electric buses could be stopped remotely, or that Chinese manufacturers had access to data across European cities. The distinction between potential and actual risk disappeared. The details that Yutong’s data were hosted in the European Union, or that remote updates are common practice across the industry, appeared deep in the articles or not at all. The story followed a pattern that has become familiar: a narrow technical finding turned into a geopolitical warning. The coverage encouraged readers to view this as an example of Chinese technology posing a hidden national-security threat.

This is not to say that those concerns are groundless. Governments have every reason to protect critical infrastructure. Yet the framing of this story reveals how easily a security review becomes a proxy for economic competition. China produces the vast majority of the world’s electric buses and has been expanding its share of European markets. European manufacturers have been slower to electrify heavy vehicles and face cost disadvantages. A story that singles out a Chinese manufacturer for practices that are in fact industry standard fits neatly into an industrial policy narrative. Security and competition can coexist, but when they blur, it is easy to overstate one in service of the other.

The communications pattern behind the story followed predictable biases. The availability bias made the image of a remote-controlled bus more vivid than the reality of routine diagnostics. Confirmation bias reinforced existing suspicion of Chinese digital systems. The national attribution bias made one example representative of an entire category. These are the same patterns that shaped early debates about telecommunications networks and surveillance equipment. The consequence is that the public perceives the technology itself as dangerous, when the real issue lies in its governance.

Fleet operators across Europe now face a practical question. How do they maintain connected vehicles securely without cutting off the features that make them efficient? The responsible approach is to manage risk through design and contract, not nationality. Operators can require disclosure of all remote-access points, retain control over update schedules, and keep local copies of firmware. They can specify European data residency, require independent penetration testing, and insist on logs and audits that track every remote connection. None of these measures single out a particular supplier. They are standard security hygiene for any connected system.

The communications challenge is different but just as important. When stories like this are framed as foreign-influence risks, they can harden public attitudes against technologies that are essential to decarbonization. Europe’s shift to electric fleets depends on competition, scale, and supply diversity. Overstating a vendor’s nationality risk can slow fleet renewal and raise costs, without actually improving security. The better narrative is one of transparency and control: connected vehicles are a new class of infrastructure, and their security should be measured by standards, not flags.

Electric buses are part of a broader transformation where vehicles, grids, and data networks intersect. Each layer introduces digital dependencies that must be managed carefully. The Norwegian test should be remembered as a useful early warning, not as evidence of malign intent. It highlighted the need for clearer oversight and contractual control of connected fleets. It also exposed how easily legitimate engineering concerns can be amplified into geopolitical drama. The task now is to build trustable systems, not to turn technology into another arena for suspicion.

The bus episode is only one instance of a broader pattern. Similar narratives have surfaced around power transformers, solar inverters, and wind turbines whenever foreign-made equipment connects to monitoring or update networks. In each case, normal remote-access systems that allow manufacturers to track performance or push firmware updates are described as potential control risks. Large transformers from South Korea or China have been accused of containing “backdoors,” and offshore wind systems have faced warnings about foreign data collection. Yet investigations repeatedly find the same thing: these devices operate under long-established cybersecurity and grid-protection protocols, with vendor access logged, segmented, and audited by operators and regulators, and operations centers hosted locally in the country or region, not in China. The messaging often ignores that managed connectivity is essential to reliability and maintenance across every OEM. The problem is not that remote access exists, but that it is easy to cast a routine engineering feature as a geopolitical threat.

I dealt with this in Europe in October, pointing out to an energy minister I was sharing the stage with that from my background of engineering major technical solutions that included extensive cybersecurity components Chinese wind turbine SCADA controls weren’t a threat and any concerns were easily managed. I recommended they speak to an expert on the subject.

Every modern bus, truck, and car now carries both energy and information. Treating one as a national security issue and the other as a commercial feature is inconsistent. Europe’s energy and transport transition will depend on reconciling these dimensions. The focus should be on resilient design, independent testing, and open standards that apply to all manufacturers equally. The story that began in a Norwegian garage should end not with bans or fear, but with better engineering and better communication about what connected transportation really means.