Home Economy IVECO’s Strategic Asset: From Golden Power to the TATA Acquisition and the...

IVECO’s Strategic Asset: From Golden Power to the TATA Acquisition and the European Implications for Vehicle Data

Novembre 29, 2025

240

ABSTRACT

Europe ‘s industrial and strategic architecture underwent a profound reshaping in the autumn of 2025 , when the process of divesting control of the commercial and industrial vehicle giant, Iveco Group NV , reached its peak. The plan notified on 18 August 2025 envisaged the indirect acquisition of the entire share capital of Iveco by Tata Motors Ltd. (through the special purpose vehicle TML CV Holdings Pte. Ltd. ), via a Public Purchase Offer ( PTO ), with the explicit exclusion of the Defence Business Unit (the unit dedicated to defence and civil protection vehicles managed under the IDV and ASTRA brands ) ¹ . In parallel, the Defence Business Unit itself was the subject of a separate acquisition process, notified on 11 September 2025 , by Leonardo Spa ² . This dual operation immediately triggered a complex investigation in Italy , culminating in the exercise of special powers by the Italian Government , known as the Golden Power legislation , pursuant to Legislative Decree no. 21 of 15 March 2012 ³ . The overall value of the operation, limited to the acquisition of the civil branch by the Tata Group , was estimated at approximately 3.8 billion euros ⁴ , highlighting the systemic relevance of the structure at stake.

The primary interest of the Italian Government was not only focused on the protection of defence activities, the segregation of which and the transfer under the control of Leonardo Spa were deemed essential for national security ⁵ . Attention was focused on the strategic and technological implications arising from the transfer of control of Iveco ‘s core civil business to a non- European Union group such as Tata Motors Ltd. , an Indian giant active globally in the automotive sector ⁶ . The findings of the investigation, conducted by the Ministry of Enterprise and Made in Italy with the involvement of the Coordination Group and the opinion of the Ministry of Defence ⁷ , revealed that the Italian companies controlled by Iveco hold assets of strategic importance ⁸ , particularly in the sectors of Research and Development ( R&D ) and dual-use technologies ⁹ . The concerns raised concerned the risk that the overlapping of production and R&D activities between the Tata Group and the Iveco Group could result in a delocalisation of activities or a transfer of know-how and technologies from the Italian Targets ¹⁰ . This dynamic was identified as a potential cause of a downsizing of the national manufacturing hub , with direct negative repercussions on the related production chain and on the Italian academic research ecosystem , in particular on historical collaborations with bodies such as the National Research Council ( CNR ), the Polytechnic University of Turin , the Polytechnic University of Milan , the University of Turin and the University of Tor Vergata in Rome ¹¹ . The hypothesis of a decentralisation of the decision-making role was seen as a factor capable of compromising the autonomy of Italy and Europe in the development of critical technologies necessary for the achievement of the environmental standards imposed by the European Union on the sector .automotive¹².

The most critical and innovative aspect of the technical-legal analysis lies in the management of the data assets generated by the Iveco Group ‘s connected vehicles . With approximately 100,000 connected vehicles circulating in Italy ¹³ , the Iveco Group manages a significant volume of data relating to vehicle parameters and personal information of Italian customers ¹⁴ . These systems include the “Customer Uptime Center” for predictive diagnosis based on “digital twins” , applications for remote driving style and comfort, and the Artificial Intelligence ( AI )-based voice assistant “Driver Pal” ¹⁵ . This portfolio of digital and telematics solutions represents a strategic asset not only for optimizing the customer experience and vehicle efficiency, but also for preventing cybersecurity risks ¹⁶ . The transfer of these systems and related databases to a non-EU operator requires the application of an exceptionally high level of scrutiny in terms of digital sovereignty and personal data protection .

The reference legislation for this scenario is Regulation (EU) 2019/452 of the European Parliament and of the Council , which establishes a framework for the screening of foreign direct investments into the Union ¹⁷ , and, crucially, the newly created European Data Act , officially Regulation (EU) 2023/2854 of the European Parliament and of the Council , which entered into force on 12 January 2024 and applies from 12 September 2025 Regulation (EU) 2023/2854, 12 January 2024 . The timing of the operation is particularly sensitive, falling at a time of full implementation of the Data Act , whose official guidelines to support implementation in the automotive sector were published by the European Commission on 12 September 2025 Data Act Guidelines Automotive Sector, 12 September 2025 . These guidelines clarify, in particular for Chapter II of the Data Act , how original equipment manufacturers ( OEMs ), service providers and insurance companies must manage vehicle data ( Business-to-Consumer – B2C and Business-to-Business – B2B ) Data Act Guidelines for the Automotive Sector, 12 September 2025. The most stringent imposition, in this context, is contained in the government requirement to ensure that the data collected by the European companies of the Iveco Group are stored in technological infrastructures located in European Union Member States ^{18 . Furthermore, the}sharing of such data with entities subject to the jurisdiction of a non- European Union Member State has been prohibited , except for specific strategic inter-group exceptions ¹⁹ . This move is a direct application of the principle of data sovereignty and aims to prevent extraterritorial access or unregulated use of critical information, especially in relation to the provisions of the Data Act which aim to facilitate access to data generated by connected products for their users, while ensuring fairness and protection. European Data Strategy, November 2025.

The final decision of the Prime Minister , adopted at the meeting of 28 October 2025 , exercised the special powers not by veto, but through the imposition of specific conditions and requirements ²⁰ . The conditions imposed on TML CV Holdings Pte. Ltd. and Iveco Group NV are a model of strategic risk mitigation in a context of selective globalization . These requirements include the obligation to ensure the maintenance of production plants and Research and Development centers in Italy ²¹ , while guaranteeing an adequate level of future investments in R&D to preserve competitiveness ^{22 . Furthermore, the}inalienability clause of intellectual property was imposed , ensuring that patents and other titles held by Italian companies remain their property ²³ . These measures are aimed at neutralizing the risk of delocalization of know-how and preserving the national innovation ecosystem National Innovation Strategy, 2025 .

On the defense and national security front , the dual nature of the vehicles, where the technologies developed by the Iveco Group for autonomous, connected and green mobility in the civilian sector are the same dual – use technologies that enable critical capabilities in the defense , security and civil protection sectors ²⁴ , required a complex solution. The exclusion of the Defense Business Unit and its transfer to Leonardo Spa creates a security perimeter for military assets ²⁵ . However, the conditions imposed included the stipulation of supply contracts ( transitional services agreement for 18 months and supply contracts for 5 years ) between the newly created Leonardo entity and the civilian Iveco Group (now Tata ) ²⁶ . To monitor this dependency, the Ministry of Defense will monitor compliance with the condition requiring Tata to guarantee the supply of components, products and services necessary for the operational needs of national defense until such needs cease ²⁷ . The interconnection between civil and military vehicle platforms, which often share the same body and the basis of dual-use technology , transforms compliance with the imposed conditions into an element of stability for the entire Italian and European Defence supply chain . European Defence Agency Report on Dual-Use Technologies, 2025 .

The Iveco-Tata deal is, ultimately, a multidimensional case study that intertwines industrial geopolitics , digital sovereignty , and national security . It demonstrates how European Union member states , in response to growing competition for the acquisition of strategic assets (especially in the context of the ecological transition and digitalization ), are refining their foreign investment screening tools , moving from a passive free-market approach to a targeted, law-based protectionist strategy , with the Data Act as a powerful new regulatory instrument. Future monitoring, entrusted to the Ministry of Business and Made in Italy and the Ministry of Defense ^{28 , will be crucial to verify whether the imposed requirements will be sufficient to mitigate the risks of erosion of the Italian industrial and technological base in a sector of}strategic importance for the European Union (Industrial Strategy Update, 2025 ).

Index

Hostile Exploitation and Cyber Warfare Risks – OSINT and Security Analysis of IVECO ON API Interfaces

The Golden Power Exercise: Legal and Strategic Analysis of Foreign Investment in the Automotive Sector
Dual-Use Technology and Strategic Axes: The Transfer of the Defence Business Unit to Leonardo and the Implications for National Security
Digital Sovereignty in the Data Act Era: Managing, Locating, and Protecting Vehicle Data from Nearly 100,000 Connected Vehicles
Industrial and Technological Presidia: The Impact of Government Conditions on Research, Development, Patents, and the Italian Supply Chain
Geopolitical Dynamics and Global Competition: The TATA Group and the Strategic Prospects for Iveco’s Commercial Sector in the European Union
The Centrality of Telemetry Data – Strategic, Commercial, and Technological Analysis of the Acquisition of IVECO’s Intangible Assets
Information Asymmetry and Cybersecurity – The Strategic Risk of TATA Exploiting the IVECO API Ecosystem
Integrated Synoptic Table: Strategic, Legal, and Technological Analysis of the IVECO-TATA Operation

Hostile Exploitation and Cyber Warfare Risks – OSINT and Security Analysis of IVECO ON API Interfaces

The acquisition of the civilian arm of Iveco Group NV by TML CV Holdings Pte. Ltd. (Tata Group), formalized by the Prime Ministerial Decree of October 2025 , has created a situation of technological duality and asymmetry of know-how that requires a government-level Open Source Intelligence ( OSINT ) and cybersecurity analysis. TML ‘s access to the technical documentation, source code , and authentication methods of the IVECO ON API web service (which includes the proprietary API for trucks and the ITxPT TiGR standards- based interface for buses) is not a simple commercial asset , but a critical attack surface and a potential lever for hostile espionage, sabotage, or market manipulation operations. The ultimate purpose of the data use, although declared as commercial, remains inherently not 100% verifiable and must be scrutinized through the lens of national security and critical infrastructure resilience .

The Deep Knowledge Asymmetry

The fundamental danger lies in the shift from security by obscurity , typical of proprietary APIs , to total threat actor knowledge ( TML ). Before the acquisition, IVECO trucks’ proprietary protocol was a black box for external hackers and competitors. Post-acquisition, TML gains a complete map of endpoints , data formats (JSON or XML schema), authentication methods (e.g., OAuth , proprietary API Keys , or JWT ), and, crucially, the internal logic with which the backend server interprets vehicle data (such as diagnostic trouble codes ) and communicates with the on-board telematics ECU ( Electronic Control Unit ).

Competitive Espionage Vector: Knowledge of the API allows TML to surgically optimize its data ingestion systems on IVECO vehicles still in circulation, bypassing protection mechanisms. Even in compliance with the EU data localization imposed by the Golden Power , TML personnel or related entities could use the technical and architectural know-how to conduct advanced analytics on data flows legally passing through the controlled EU hub . The target is not personal data (protected by the GDPR ), but the logistics aggregate : the frequency with which logistics competitors’ vehicles break down ( predictive maintenance for TML ), the profitability of routes based on actual consumption (vital information for commercial strategy), and the wear tolerance of key components.
Zero-Day Exploitation in the Back-End: The intellectual property (IP) of IVECO ON software is now under the control of TML . If the middleware or back-end server source code contains undocumented ( zero-day ) vulnerabilities —such as input validation flaws , SQL injection , or buffer overflows in API processing services — TML is the only entity aware of such flaws. This asymmetry poses a systemic risk because it allows TML to choose whether to patch the vulnerability (a cost) or selectively exploit it for business intelligence or competitive sabotage purposes .

Cyber Attack and Cyber-Physical Manipulation Scenarios

Threats arising from privileged access to the IVECO API may evolve from simple information espionage to full-blown cyber-physical influence or sabotage operations , especially in a tense geopolitical context where automotive companies are considered critical infrastructures under the NIS2 Directive [Directive (EU) 2022/2555 , January 2023 ].

Destructive Denial of Service (DoS) Attack on Data

The IVECO API provides access to essential KPI (Key Performance Indicators) data for fleet management.

Attack Vector: By exploiting knowledge of the proprietary protocol or any weaknesses in the handling of ITxPT TiGR requests , a hostile actor ( TML or a TML proxy ) could saturate or poison the API interface for competitors or IVECO users .
Danger: A DoS attack on the telematics platform doesn’t physically stop trucks, but it paralyzes logistics management . The inability to access real-time geolocation data , vehicle health status , or error codes impedes predictive maintenance and dramatically increases fleet downtime. For a logistics company, a single day of unmanaged downtime can translate into financial losses amounting to tens of thousands of euros per single vehicle.

Data Injection and Insinuation (Data Integrity Attack)

Data integrity is one of the three pillars of cybersecurity ( CIA Triad ). The API is the entry point for many over-the-air services .

Attack Vector: A sophisticated attack could aim to inject falsified (or “poisoned”) data into the diagnostic data stream, simulating non-existent faults or hiding real faults.
Danger: Unleashing operational chaos. If the API is compromised for a competing IVECO fleet manager , the attacker could generate false diagnostic error codes (e.g., “critical oil pressure”) for dozens of vehicles, forcing the manager to prematurely recall the fleet, incurring unnecessary logistics costs and downtime . Conversely, suppressing real EV battery degradation alarms could lead to critical failures and accidents, increasing liability and reputational damage to the IVECO brand (even under TML management ).

Escalation to Physical Control (Remote Code Execution)

The most extreme risk, but theoretically possible with proprietary knowledge, is the use of the API as a vector for remote code execution ( RCE ) on vehicles.

Attack Vector: Any digital access point, including an API designed for read -only functionality , if poorly implemented, can be exploited to attempt to bypass the read functions and gain control of the CAN Bus . Knowledge of the firmware and telematics ECU is essential to orchestrate an attack that goes from the cloud to the physical component (brakes, engine, steering). This scenario falls within the focus of the UNECE Regulation R155 [UNECE Regulation R155, 2021 ] on vehicle cybersecurity , which requires manufacturers ( OEMs ) to implement a Cybersecurity Management System ( CSMS ) that covers the entire lifecycle of the vehicle ATS Europe, 2025 .
Danger: Full understanding of the proprietary architecture by TML (the buyer), if not separated and monitored with extreme rigor by the ACN ( National Cybersecurity Agency ), could undermine the effectiveness of the IVECO CSMS . Knowledge of unfixed bugs ( Zero-Days ) or access keys to the OTA ( Over-The-Air ) update system is a direct threat to road safety and public order in Europe .

Government Mitigation Strategies and the Cyber Due Diligence Imperative

The Golden Power has imposed data localization in the EU , but this measure is insufficient against threats based on the architectural knowledge acquired by TML . Mitigation requires a qualitative leap in technological oversight by the Italian state.

Imposition of Code Escrow (Source Code Deposit): For the critical portion of the proprietary API and telematics firmware , MIMIT should require the source code to be deposited with a neutral entity accredited in the EU (a Code Escrow ). This would allow national authorities, in the event of a crisis or regulatory violation, immediate access to the code for security patches or forensic investigations, bypassing TML control .
UNECE R155 Integrity Verification: MIMIT should require quarterly external certification by an independent testing laboratory, attesting full compliance with UNECE R155 and ISO/SAE 21434 ISO/SAE 21434, 2021 not only for vehicles, but for the entire API infrastructure supporting them, with particular attention to logical separation (air-gapping) between the TML networks in India and the IVECO ON management servers in the EU .
Targeted Audit on the Proprietary API: The ACN should conduct a mandatory and continuous Cyber-Audit (not just document-based) on the authentication and authorization mechanisms of the proprietary API , verifying the absence of hardcoded credentials or known backdoors , as the API represents the most vulnerable and critical access point of the IVECO platform .

The IVECO-Tata acquisition is a key case study for the future of industrial geopolitics , demonstrating that national defense and economic security are no longer just about controlling the body (the metal) but about the governance of the API and the protection of intrusive knowledge (the proprietary code) that an acquirer can exploit to subvert competition and jeopardize the operational stability of an entire industry.

The Golden Power Exercise: Legal and Strategic Analysis of Foreign Investment in the Automotive Sector

The application of special powers by the Italian Government , formalised in the Prime Ministerial Decree ( DPCM ) of 29 October 2025 , represents a turning point in the Golden Power doctrine , extending its relevance beyond the traditional boundaries of defence to embrace the critical intersection between dual-use technology , digital sovereignty and the automotive value chain [Note from the Presidency of the Council of Ministers – Department for Administrative Coordination of 23 October 2025 ] ^1. The notification submitted by the companies TML CV Holdings PTE Ltd. and Iveco Group NV on 18 August 2025 , relating to the indirect acquisition of the share capital of Iveco Group NV by Tata Motors Ltd. , immediately triggered the screening procedure pursuant to Articles 1 and 2 of Legislative Decree no. 15 March 2012. 21 , the regulatory basis that governs government intervention in strategic corporate structures [Legislative Decree 15 March 2012, n. 21 ]. The investigation found that the Italian companies of the Iveco Group involved in the operation fall within the categories of companies that hold assets and relationships of strategic importance , as defined by the Prime Ministerial Decree of 6 June 2014, n. 108 , for the defence and national security sectors , and by the Prime Ministerial Decree of 18 December 2020, n. 179, for the energy , transport and communications sectors ² . This formal framework has transformed the operation, worth approximately 3.8 billion euros , into a fundamental test for Italy ‘s resilience and decision-making capacity with respect to Foreign Direct Investment ( FDI ) in structures that transcend the mere economic dimension ³ .

The core of the legal and strategic analysis concerned the qualification of the technology and know-how owned by Iveco as dual-use , a concept that the European Commission has constantly reinforced in the context of its EU Industrial Strategy Update, 2025. The technologies developed by the Iveco Group for autonomous , connected and green mobility in the civil sector — such as predictive diagnostic systems based on digital twins , remote fleet management platforms and the Driver Pal voice assistant based on Artificial Intelligence ( AI ) — have been explicitly recognised as the same technologies that enable critical capabilities in the defence , security and civil protection sectors ⁴ . The technological overlap between the civil and military sectors, in particular with regard to vehicle bodies and electronic connectivity platforms, has created a strategic vulnerability, despite the separation and sale of the Defence Business Unit to Leonardo Spa ⁵ . Although the Defence Business Unit was spun off before the completion of the takeover bid to ensure national security , its continued dependence, albeit transitory and regulated, on supplies and services provided by other companies of the Iveco Group (the civil branch acquired by Tata ) made regulatory intervention necessary ⁶ . To mitigate this risk, the Prime Ministerial Decree imposed on TML CV Holdings Pte. Ltd. and Iveco Group NV the unavoidable condition of guaranteeing the supply of components, products and services to Leonardo ‘s Defence Business Unit , essential for meeting the operational needs of national defence , for an indefinite period, i.e. until the needs cease ⁷The specificity of this requirement – an intercompany supply agreement that transforms into a service continuity obligation under the aegis of the Golden Power – underlines the Government ‘s concern about the disruption of the defence supply chain , a risk that the European Defence Agency ( EDA ) has identified as a priority in its EDA Capability Development Plan , 2024 .

Another crucial strategic direction that emerged from the investigation is the risk of technological erosion and delocalisation of Italian know-how , a phenomenon that directly impacts the European Union ‘s ability to achieve the open strategic autonomy promoted by the von der Leyen Commission State of the Union Address, September 2025. The Tata Group companies are active in the same production segment as the Iveco Group , which led government analysts to hypothesize scenarios of overlapping design and production activities ⁸ . The investigation report expressed the fear that this overlap could generate conditions in which the Tata Group , through the exploitation of the skills and absorption of know-how and technologies belonging to the Italian Targets , could develop and differentiate its own similar solutions, compromising the future economic viability of the Italian subsidiaries ⁹ . This scenario is not only a competitive concern, but also affects national economic security , which the Organisation for Economic Co-operation and Development ( OECD ) defines as the prevention of outcomes in which transactions could undermine a nation’s ability to meet the basic needs of its population and industry OECD Foreign Direct Investment Report, 2025. To counter the risk of technological exodus and loss of production capacity, the Prime Ministerial Decree introduced two twin requirements of an industrial and R&D nature : the obligation to ensure the maintenance, at national level, of the production plants and research and development centres cited in the notification, and the obligation to ensure the levels of investment in research and development ^{10 . The latter must not only be maintained for the period indicated in the investigation, but}adequate financial resources must also be guaranteed for the subsequent period , with the explicit aim of preserving the competitiveness of the Iveco Group in Italy ¹¹ .

The anchoring of intellectual property ( IP ) in Italy constitutes the third fundamental pillar of the Golden Power intervention . Having noted that the Iveco Group ‘s investments in R&D have generated numerous patents , trade secrets and trademarks12 ^, the Prime Ministerial Decree has imposed the obligation to ensure that patents and other intellectual property titles held by Italian companies (including those in the application phase or obtainable in the future) remain the property of the same companies13 ^. This measure is of vital importance in an era in which intellectual property constitutes the true competitive advantage and strategic asset of a technology-intensive company WIPO World Intellectual Property Report, 2025. Preventing the transfer of IP outside of Italian and European jurisdiction prevents a future decentralization of the Iveco Group ‘s decision-making role from negatively impacting its production strategies and technological development priorities, as clearly indicated in the preliminary investigation ^report14 . The protection of IP is closely linked to the protection of the Italian research ecosystem, made up of the Iveco Group ‘s collaborations with the CNR and prestigious universities such as the Polytechnic University of Milan and the Polytechnic University of Turin ¹⁵ . It has been noted that a significant decrease in production and industrial support in Italy would likely lead to the collapse of the related production sector and the consequent extinction of all activities linked to co-developed projects , shared datasets and the ability to bring a prototype to the demonstrator , dragging the quality of research towards low TRL (Technology Readiness Level) levels ¹⁶ .

The fourth, and perhaps most modern, front of intervention by the Golden Power concerns data sovereignty and cybersecurity , a theme that places the Iveco case at the forefront of industrial law and economic security. The Iveco Group collects, processes and stores data relating to approximately 100,000 connected vehicles in Italy . ¹⁷ This data is not just operational or statistical information, but is the lifeblood of predictive diagnostic platforms and eMobility services , essential for road optimisation and safety. ¹⁸ The access and storage of this mass of data by a non-EU entity such as Tata Motors Ltd. has raised immediate concerns related to the European Union Data Act , Chapter II of which regulates the sharing of Business-to-Consumer ( B2C ) and Business-to-Business ( B2B ) data in the automotive sector (European Data Act, 2023 ). The European Commission has published the guidelines for the implementation of the Data Act on 12 September 2025 , confirming the importance of clarity in the management of vehicle data by OEMs and service providers. Data Act Guidelines Automotive Sector, 12 September 2025. In response to these new regulatory and security challenges , the Prime Ministerial Decree has imposed the most stringent requirement regarding data localization : to ensure that the data collected by the European companies of the Iveco Group through telematics technologies are stored in technological infrastructures located in European Union member states ^19. Furthermore, it has been prohibited for this data to be shared with subjects under the jurisdiction of a non-European Union member state , with the exception of information shared for strategic reasons of production or commercial organization in favor of other companies of the Iveco Group (internally to the new Tata structure ) ^20. This requirement is a defense mechanism against data access requests based on extraterritorial laws (such as the US Cloud Act or similar legislation in other jurisdictions) and serves to strengthen cybersecurity and internal data governance , an aspect that NATO has identified as critical to the resilience of civilian critical infrastructure with military implications in its Strategic Concept 2022 NATO Strategic Concept, 2022 .

The intervention was calibrated with a view to proportionality and adequacy , key principles of administrative law and FDI control ²¹ . Instead of exercising a veto (which could have triggered international disputes and signaled excessive protectionism, in contrast with the EU ‘s free trade policy ), the Government chose to impose specific conditions and requirements , aimed at protecting, in an adequate, sufficient and effective manner, the public interest pursued ²² . This approach is in line with the growing tendency of the European Union to use mitigation tools based on commitments (such as Undertakings in the language of Regulation (EU) 2019/452 ) rather than on the total blocking of transactions EU FDI Screening Regulation, 2019 . The Prime Ministerial Decree has clearly distributed the responsibility for monitoring compliance with these conditions: the Ministry of Business and Made in Italy is charged with supervising most of the requirements relating to IP , R&D , production and data localization , while the Ministry of Defense specifically monitors the obligation of continuity of supply towards Leonardo ‘s Defense Business Unit ²³ . The provision of a detailed annual report by Iveco Group NV on the fulfillment of the conditions and requirements, to be sent after the close of the business year, introduces an ex-post accountability mechanism that strengthens government oversight for the long term ²⁴ .

The Iveco-Tata deal and the application of the Golden Power to the automotive sector have provided a robust regulatory precedent for future investments, demonstrating that the strategic nature of an asset is no longer defined solely by its direct relationship with the military, but by its ability to generate dual-use technology and control massive, critical datasets . The fact that the Tata Group , although operating in a partner country like India , is a non-EU entity fully justified the activation of the special powers . Its shareholding structure, which sees Tata Sons Private Ltd. , attributable to the Tata family , holding 40.15 percent of the capital, did not exempt the operation from the rigorous scrutiny required for a non- ^EUinvestor . In summary, the Prime Ministerial Decree of 29 October 2025 was not an act of simple industrial protection, but an exercise in economic and digital sovereignty that imposed a clear framework : access to the Italian market and its strategic assets is permitted, but only on condition that the investor formally commits to preserving the R&D ecosystem , intellectual property and, critically, to ensuring that data generated in Europe remains under the jurisdictional control of the European Union , in full compliance with the Data Act . The threat of withdrawal of consent or the application of sanctions, pursuant to Legislative Decree no. 21 of 15 March 2012, serves as a final deterrent in the event of non-compliance . ²⁶

Dual-Use Technology and Strategic Axes: The Transfer of the Defence Business Unit to Leonardo and the Implications for National Security

The dual divestment operation involving Iveco Group NV required an exceptionally granular strategic and technical analysis, focused on the segregation and subsequent integration of the Defence Business Unit (the unit known by the IDV brand – Iveco Defence Vehicles and ASTRA ) within the industrial perimeter of Leonardo Spa ¹ . The transfer of the defence branch to Leonardo , notified on 11 September 2025 and which took place in parallel but separately from the Public Purchase Offer ( OPA ) by Tata Motors Ltd. on the civil branch, was the primary mechanism used by the Italian Government to neutralise the direct risk to national security deriving from foreign investment ² . This process, however, was not a mere transfer of assets, but a complex reorganisation aimed at preserving the operational capacity of the Italian and European Defence , which historically depends on the tactical and logistical vehicles produced by the Iveco Defence Vehicles subsidiaries .

The core of the strategic criticality lies in the dual-use nature of the technologies and, more tangibly, in the shared engineering architecture between the civil and military vehicle platforms ³ . Although the Defence Business Unit is formally excluded from the sale to Tata , it benefits and draws lifeblood from a series of services and supply relationships provided by the other companies of the Iveco Group , those destined to end up under Indian control ⁴⁴ . The government investigation report has highlighted that the technologies developed for connected and green autonomous mobility in the civil sector, such as those integrated into IVECO- branded vehicles , are the same dual-use technologies that enable critical capabilities in the defence , security and civil protection sectors ⁵ . This includes the expertise relating to the alternative propulsion systems supplied by FPT Industrial Spa ⁶ , the vehicle electronics sub -systems , the connectivity platforms and the systems for predictive diagnosis (the so-called digital twins ) ⁷ .

The central fear, which justified the exercise of special powers pursuant to Article 1 of Legislative Decree 15 March 2012, no. 21 (specific to defence and national security ) ⁸ , was not only the alienation of the Defence Business Unit itself, but the risk of operational discontinuity or, worse, loss of control over critical civilian components essential for the production and maintenance of military vehicles ⁹ . To ensure operational continuity following the separation, two key contractual instruments ¹⁰ were envisaged : a transitional services agreement lasting 18 months and two long-term supply contracts , estimated at 5 years ¹¹ . The first is intended to cover shared support services (e.g. IT , administration, non-specific logistics); the second concerns the strategic supply of components and sub-systems ¹² .

The Prime Ministerial Decree of October 2025 elevated compliance with these contractual agreements to a State obligation , imposing on TML CV Holdings Pte. Ltd. and Iveco Group NV the categorical condition of guaranteeing the supply of components, products and services to Leonardo ‘s Defence Business Unit ¹³ . The scope of this requirement is exceptional, extending the supply obligation not only for contracts effective from 1 January 2026 but also for future needs, keeping them valid until the national defence needs cease ¹⁴ . This indefinite commitment , mediated by the state power, transforms an inter-group commercial relationship (although now between different entities) into a constraint of national strategic interest monitored by the Ministry of Defence ¹⁵ .

The strategic significance of the supply of components from the civilian arm of Iveco/Tata to Leonardo is amplified by the engineering reality that the modern tactical or logistics vehicle, while intended for defence , is increasingly dependent on commercial platforms (Commercial Off-The-Shelf – COTS ) and civilian technologies ¹⁶ . Military vehicles, such as those produced by IDV , often use engines and transmissions derived directly from the FPT Industrial line ( Iveco ‘s Powertrain Business Unit ) ^{17171717 . Even more critical is the point at which vehicles intended for military use, now under}Leonardo ‘s management , will retain the same bodyshells or direct derivations as civilian vehicles ¹⁸ . This uniformity (or high modularity) is essential for production efficiency and reduced R&D costs , but exposes the final military product to vulnerabilities if control over the design and production specifications of the bodyshells and chassis passes to a non- EU jurisdiction ¹⁹ . The presence of Tata Motors Ltd. , a global player with its vast experience in the automotive sector ²⁰ , creates the strategic hypothesis, as highlighted in the investigation report, that the Tata Group could use the absorption of know-how to develop competing solutions or, worse, alter the R&D priorities on the basic platforms, indirectly influencing the technological evolution of Leonardo ‘s military vehicles ²¹²¹²¹ .

The sale to Leonardo is therefore not only an act of de – risking the ownership, but a strategic re-nationalization operation aimed at integrating key assets into the Country System ^22.Leonardo Spa , as a national champion and European leader in the Aerospace, Defence and Security ( AD&S ) sector, provides the ultimate guarantee of stability and alignment with the Common Security and Defence Policy ( CSDP ) priorities of the European Union European Defence Fund Regulation, 2021. The integration of IDV into the Leonardo Group strengthens the Italian land value chain, complementing existing expertise in combat systems and providing a bridge between land mobility and the most advanced mission management and C4ISR (Command, Control, Communications, Computers, Intelligence, Surveillance and Reconnaissance) technologies. Leonardo Annual Report, 2024 .

However, the long-term success of this reorganisation depends on the ability of the Ministry of Defence to exercise effective and continuous monitoring of the quality , reliability and technological updating of the supplies guaranteed by the Iveco/Tata Group ²³ . The imposed obligation guarantees the quantity and availability of supplies, but the speed with which innovation moves in the connected automotive sector (driven by AI and electrification ) raises concerns about technological evolution ²⁴ . If the Tata Group , legitimately, directed R&D investments (including those guaranteed in Italy by the Golden Power ) towards proprietary solutions that are not easily integrated or compatible with the future needs of IDV vehicles , an unsustainable technological gap could be created for Defence ²⁵ .

In this context, the issue of intellectual property ( IP ) takes on the role of a strategic barrier ²⁶ . The obligation imposed by the DPCM to maintain ownership of all patents and intellectual property titles in the hands of the Italian Iveco companies ( even after the Tata acquisition ) is fundamental to ensure that Leonardo and the Defence System can freely access and co-develop core dual-use technologies , especially those related to engines and transmission systems ²⁷ . This measure is crucial to prevent a technological lock-in , resulting from IP held and managed by a non- EU operator , from compromising Leonardo ‘s freedom of strategic action and the autonomy of the Italian Defence in modifying and evolving vehicles NATO Science and Technology Trends Report, 2025 .

Finally, the transaction as a whole reflects the growing awareness that supply chain resilience is no longer just a logistical issue, but a national security imperative. ²⁸ The Iveco/Tata/Leonardo model sets a precedent for how states can use the Golden Power to impose a forced and supervised partnership between the foreign investor and the national defense entity, creating a delicate balance between attracting FDI for economic growth and protecting strategic assets . ²⁹ This model of conditional protectionism is set to become the norm in technology-intensive and dual-use sectors, in line with the European Commission ‘s efforts to map and mitigate critical strategic dependencies in the European Union Critical Raw Materials Act, 2024. The Ministry of Defense will therefore have to operate not only as a buyer and end-user, but as an active regulatory player within the post-acquisition structure.

Digital Sovereignty in the Data Act Era: Managing, Locating, and Protecting Vehicle Data from Nearly 100,000 Connected Vehicles

The announcement of the acquisition of Iveco Group NV by TML CV Holdings Pte. Ltd. has laid bare one of the most pressing challenges in contemporary industrial geopolitics : digital sovereignty , or control over the generation , location , and access to critical data generated within the jurisdiction of the European Union . The heart of the government’s concern lies in the enormous mass of data relating to approximately 100,000 connected vehicles in circulation in Italy alone , an information asset that transcends commercial value to take on a connotation of strategic importance for economic security and national cybersecurity .

The transaction took place at a crucial moment for European digital law : the Data Act , i.e. Regulation (EU) 2023/2854 of the European Parliament and of the Council , is fully applicable from 12 September 2025 Regulation (EU) 2023/2854, 13 December 2023. This timing is not coincidental, but highlights the need for non- EU buyers to immediately integrate stringent European data regulations, which aim to give users of connected devices (both consumers and businesses) greater rights to access and share the data they generate. Diritto.it, 12 September 2025 . The Data Act is a horizontal regulation, applicable to all economic sectors, which introduces specific obligations for data holders such as the new Iveco/Tata Group , ensuring that data users can request from the manufacturer access to and provision of data generated by their vehicle, including to designated third parties (such as independent workshops, aftermarket service providers or insurance companies) CMS , 24 September 2025 .

To strengthen the relevance of the regulatory framework, the European Commission published, in conjunction with the entry into application of the Regulation, the Guidance on Vehicle Data on 12 September 2025 , providing tailored advice to automotive stakeholders on how to implement Chapter II of the Data Act. European Commission, 12 September 2025. These guidelines define the categories of data that fall within the scope of the regulation, distinguishing between raw data (generally shareable) and enriched or derived data (often excluded from sharing, as they are proprietary know-how of the manufacturer). La Tecnocopie, 30 October 2025 . The main obligation for Iveco/Tata is not only to adapt contracts and systems for transparent access to data, but also to ensure the portability and interoperability of systems, a measure designed to reduce the risk of vendor lock-in and increase competition among telematics service providers Paradigma, 2 September 2025 .

Golden Power ‘s intervention used the evolving regulatory framework to impose the most stringent of requirements: data localization . The condition imposed by the Prime Ministerial Decree obliges Iveco Group NV and TML CV Holdings Pte. Ltd. to ensure that the data collected by the European companies of the Iveco Group through telematics technologies are stored in technological infrastructures located in European Union member states [Decree of the President of the Council of Ministers 29 October 2025 , Art. 1, point 1.1, letter f)]. This provision has a twofold strategic purpose . First, it ensures that the data (which includes both personal data subject to Regulation (EU) 2016/679 – GDPR , and non-personal data such as technical and operational data) remains subject to European jurisdiction , preventing access by government authorities of third countries under extraterritorial laws [European Data Protection Board Guidelines 01/2020]. Secondly, the Prime Ministerial Decree explicitly prohibited the sharing of such data with entities subject to the jurisdiction of a non- European Union state , except for exceptions for inter-group sharing for reasons of internal production or commercial organisation [Presidential Decree of 29 October 2025 , Art. 1, point 1.1, letter f)].

Iveco ‘s database in Italy is vast and complex. Its 100,000 connected vehicles generate a continuous flow of information used for advanced systems such as the Customer Uptime Center , which uses digital twin technology for predictive diagnostics and the reduction of unplanned stops, and Driver Pal , an Artificial Intelligence ( AI ) -based voice assistant that improves driving safety and efficiency [fullContent: 280, 283]. The management of these systems and their reliance on historical and real-time datasets positions Iveco (and therefore the new Tata control ) as a custodian of critical digital infrastructure . Access to this data, while not directly military, provides a granular, real-time view of the logistics, energy efficiency, and operational routes of national transport fleets—information of potential interest for economic and geopolitical security .

The imposition of data localization on the new non- EU owner is, in effect, a risk mitigation mechanism that encapsulates digital sovereignty at the heart of foreign investment. For Tata Motors Ltd. , this entails a significant compliance burden and infrastructure investment: the Group will have to demonstrate that it has set up and maintains data centers (or cloud services) physically and legally within EU borders , ensuring that its employees and systems in India do not have direct or unregulated access to the raw or enriched data generated by European vehicles. This requirement is in line with the objectives of the Data Act , which aims to increase transparency and legal certainty regarding the process and conditions under which non-personal data can be accessed or transferred to government bodies in third countries. European Commission, 12 September 2025 . Ultimately, Golden Power ‘s intervention on vehicle data is not limited to protecting individual privacy (already protected by the GDPR ), but protects the strategic autonomy of Italy and Europe in controlling the information that underpins the innovation and resilience of transport and logistics infrastructures .

Industrial and Technological Presidia: The Impact of Government Conditions on Research, Development, Patents, and the Italian Supply Chain

The intervention of the Italian Government , through the conditional exercise of special powers on the sale of the civil branch of Iveco Group NV to Tata Motors Ltd. , is not only an operation to safeguard security and data , but translates into an impressive act of industrial policy and technological protection aimed at protecting the national intangible and manufacturing heritage ¹ . The decision to approve the operation, while imposing severe conditions, signals a new grammar of Italian industrial policy, no longer oriented towards defensive protectionism, but towards a negotiating approach that accepts foreign capital by dictating the rules for the maintenance of strategic assets ² .

The primary concern of the Ministry of Enterprise and Made in Italy , which clearly emerged from the preliminary investigation report, was the potential erosion of the production base and, above all, of the Research and Development ( R&D ) capacity in Italy ³ . At the time of notification, the Iveco Group operates nineteen industrial sites and maintains thirty research and development centres focused on zero-emission vehicles , electrification , multi-fuel solutions and digitalisation ⁴ . The hypothesis that the overlapping of production activities between the Tata Group and the Iveco Group could lead to commercial choices favourable to the Investor, such as the relocation of activities or the transfer of know-how , made state intervention imperative ⁵ .

To counter this risk, the Prime Ministerial Decree introduced the categorical requirement to ensure the maintenance, within the national context, of the production plants of the Italian companies controlled by Iveco Group NV , together with the research and development centers cited in the notification . ⁶ This forced localization clause aims to preserve the extended Italian automotive supply chain, which, despite being exposed to global dynamics, maintains a significant role in terms of added value generated in highly specialized sectors. The protection of production sites is therefore not only a matter of job protection (the Iveco Group employs 14,513 people in Italy ) , ⁷ but also a defense of the systemic production and assembly capacity.

The second and more sophisticated control mechanism concerns investments in R&D . The Prime Ministerial Decree required TML CV Holdings Pte. Ltd. and Iveco Group NV to ensure the levels of investment in research and development in the Iveco Group ‘s Italian centers and plants detailed in the investigation, crucially guaranteeing adequate financial resources also for the period following the one indicated, in order to preserve the competitiveness of the Iveco Group ⁸ . The need to ensure adequate resources for the future, beyond immediate commitments, aims to go beyond the logic of merely formally maintaining budgets for the current year, aiming at real support for long-term innovative capacity . The investigation report highlighted that a national downsizing of a manufacturing hub of the size of the Iveco Group would have a direct effect on the research sector , potentially causing the probable collapse of the related production network and the extinction of activities linked to projects co-developed with third-party entities ⁹ .

This risk is closely linked to the strategic scientific collaborations that the Iveco Group has established over time with the National Research Council ( CNR ) and with prestigious national universities, including the Polytechnic University of Turin , the Polytechnic University of Milan , the University of Turin and the Tor Vergata University of Rome ¹⁰ . These academic partnerships are the breeding ground for critical technologies (such as electrification and AI ) necessary for the ecological and digital transition of the sector ¹¹ . The imposed obligation to guarantee the continuity of the Iveco Group ‘s scientific collaboration activities and research initiatives with Italian research institutions and universities acts as a protection mechanism for the open innovation ecosystem ¹² . Maintaining these collaborations is fundamental for the ability to go from prototype to demonstrator , preventing the quality of research from being dragged towards low TRL (Technology Readiness Level) levels ¹³ .

The third pillar of technological protection is the protection of Intellectual Property ( IP ). Investments in R&D have generated a vast range of patents , trade secrets and trademarks relating to Iveco Group products and services ¹⁴ . The Prime Ministerial Decree has imposed the requirement to ensure that patents and other intellectual property titles currently held by the Italian companies of the Iveco Group (including those in the application phase or obtainable in the future) remain the property of the same companies ¹⁵ . This anti-transfer clause is fundamental to ensuring that the strategic know-how and innovation developed within the national territory are not easily transferred abroad, regardless of a change in ownership ¹⁶ . The protection of IP is a bulwark against the risk that the decentralisation of the decision-making role could lead to a drain of essential knowledge, compromising the future autonomy of Italy and Europe in the development of critical technologies necessary for the environmental standards imposed on the automotive sector ¹⁷ .

In short, the conditions imposed are not just constraints placed on the investor, but represent a roadmap of compliance and long-term commitment for Tata Motors Ltd. aimed at preserving Italian industrial and technological value. The success of this conditional Golden Power strategy will be monitored by the Ministry of Business and Made in Italy , which will have to oversee compliance with all requirements relating to production localization , R&D levels and IP protection ¹⁸ . The Iveco-Tata operation is therefore an experiment in mature industrial policy that seeks to balance openness to Foreign Direct Investment ( FDI ) with the protection of strategic interests, in a global context where the competitiveness and resilience of supply chains increasingly depend on maintaining internal technological presence ¹⁹ .

Golden Power Monitoring, Enforcement and Sanctioning Mechanisms

The Prime Ministerial Decree (DPCM) authorizing the acquisition of the civilian branch of Iveco Group NV by TML CV Holdings Pte. Ltd. (Tata Group), subject to a complex set of conditions and requirements, does not conclude its cycle with a mere notification. Rather, it inaugurates a prolonged phase of administrative oversight and ongoing monitoring , essential to guarantee effective compliance with the imposed obligations and to ensure that national interests, protected by the Golden Power , are preserved over time.

This phase is strictly regulated by Articles 2 and 3 of the Prime Ministerial Decree, which define the competent authorities for supervision and the sanctions applicable in the event of non-compliance.

The Duality of Institutional Monitoring (Article 2)

Compliance enforcement was meticulously divided between the two ministerial authorities primarily involved, based on the specific nature of the strategic assets to be protected.

The Role of the Ministry of Enterprise and Made in Italy (MIMIT)

The Ministry of Business and Made in Italy ( MIMIT ) is the central authority responsible for monitoring compliance with almost all regulations relating to the civil sector, i.e. those of strategic importance not directly related to defence.

Pursuant to Article 2, paragraph 1 , MIMIT is responsible for supervising the following conditions (referred to in Article 1, point 1.1, letters b), c), d), e), f), g) and point 1.2, letter a)):

Production and R&D Localization: Monitoring the maintenance of production plants and research and development centers throughout the country.
Investments in Innovation: Verification of adequate levels of investment in Research and Development (R&D) and the financial resources allocated to maintaining competitiveness.
Intellectual Property (IP): Control to ensure that patents and intellectual property titles remain the property of the Group’s Italian companies.
Scientific Collaborations: Ensuring the continuity of scientific collaboration activities and research initiatives with Italian institutions, universities and the CNR .
Governance and Control (Mentioned in the Prime Ministerial Decree): Monitoring compliance with governance guarantees and veto rights imposed on TML CV Holdings Pte. Ltd.
Data Localization and Sharing: Monitoring compliance with data localization requirements in infrastructures located in the European Union and the prohibition on sharing such data with entities subject to the jurisdiction of non-EU countries.

MIMIT ‘s oversight mechanism is based on the ability to request detailed information and documentation from the acquiring Group and to conduct inspections or audits at its operating locations to verify compliance with its commitments.

The Role of the Ministry of Defense

The Ministry of Defense monitors the most sensitive area for national security, namely the Defense Business Unit (DBU).

Article 2, paragraph 2 , assigns the Ministry of Defense the task of overseeing compliance with the condition set forth in Article 1, point 1.1, letter a) . This condition requires that the DBU be maintained, in terms of control , ownership , and operation , separate and outside the influence of the Foreign Investor, through its transfer to a party (in this case, Leonardo SpA ) capable of ensuring national control and the protection of technological capabilities and strategic procurement for Defense.

The Sanctioning Regime for Non-compliance (Article 3)

The seriousness of the imposed requirements is reinforced by a sanctioning regime that makes non-compliance a serious offense, subject to the provisions of the law establishing the special power.

Article 3, paragraph 1 , establishes that:

“In the event of non-compliance or violation of the conditions and requirements imposed by this decree, the provisions of Legislative Decree no. 21 of 15 March 2012 shall apply.”

Reference to the primary legislation on Golden Power entails the activation of a severe sanctioning mechanism which may include:

Administrative Pecuniary Sanctions: Heavy fines, which can reach up to double the value of the transaction , or in any case not less than 1% of the total turnover achieved in the last financial year.
Revocation of Authorization and Restoration: In the event of particularly serious violations, the Government may take measures to restore the situation prior to the operation, possibly by imposing the sale of the shareholding.
Compliance Order: The possibility of imposing a stringent order on the defaulting company to comply with the conditions and requirements within a peremptory deadline.

The Reporting Obligation

To complete the supervisory framework, the Prime Ministerial Decree also imposes a transparency and reporting obligation on the companies subject to the provision. Article 1, point 2 , provides that:

“Any circumstances that may prevent compliance with these conditions and requirements will be promptly reported to the Administrations referred to in Article 2 of this decree.”

This obligation provides the authorities with early warning of potential operational or financial difficulties that could jeopardize compliance with the conditions (for example, a plan to downsize R&D centers that becomes necessary for economic reasons), allowing the Government to intervene with corrective measures before the national interest is irreparably compromised.

In conclusion, Chapter 6 of the Prime Ministerial Decree emphasizes that approval of the transfer of control does not represent a final destination, but rather the beginning of a ten-year relationship of supervision and ongoing responsibility for the Foreign Investor. The threat of the sanctions regime is the final deterrent that guarantees the effectiveness of the Golden Power as a strategic defense tool.

The Centrality of Telemetry Data – Strategic, Commercial, and Technological Analysis of the Acquisition of IVECO’s Intangible Assets

The acquisition of the civil arm of Iveco Group NV by Tata Motors Ltd. (TML) is based on an industrial logic that transcends the mere expansion of manufacturing capacity. The true strategic prize and differentiator in the global Commercial Vehicle ( CV ) market, rapidly transitioning towards electrification and autonomy, lies in the domain of Big Data Telemetry generated by the Iveco fleet. This acquisition gives TML access not only to European hardware and engineering know-how , but above all to a dynamic and granular wealth of information , essential for survival in the era of Mobility 4.0 .

The analysis of the purpose of using this data, which ranges from GPS to fuel consumption monitoring , from component wear to environmental sensors , reveals a multidimensional strategy aimed at redefining the competitive positioning of the new Group.

The Structural Value of Data Assets: From Metal to Bit

A modern commercial vehicle is, essentially, a data center on wheels . Iveco’s telematics platform, integrated into the fleet management system , has the ability to collect, in real time, data with the V³ (Volume, Speed, Variety) characteristics:

Volume: The Iveco Group boasts a connected fleet of hundreds of thousands of vehicles in Europe and around the world. This critical mass of data, accumulated over time, creates an invaluable data pool .
Speed: Real-time (or near-real-time) data transmission enables predictive prognostics and diagnostics , critical elements for the logistics sector where downtime is the greatest cost.
Variety: Data includes not only basic information (location, mileage), but also internal parameters (oil temperature, tire pressure, particulate filter regeneration cycles) and environmental/contextual data (altitude, driving style, payload).

Strategic Purpose 🎯: Access to this ecosystem transforms TML from a traditional Original Equipment Manufacturer (OEM) focused on selling metal to a Service Provider focused on Total Cost of Ownership (TCO) . The ability to sell uptime , efficiency, and data-driven value-added services, rather than just vehicles, is the new business frontier.

The Commercial Lever: Monetization and Fleet Optimization

TML’s use of the Iveco data asset immediately focuses on four main verticals of monetization and service improvement:

Predictive Maintenance (PdM)

Sensor data on component wear (brakes, clutches, motors, EV batteries) is analyzed using Machine Learning (ML) algorithms to predict the exact moment when a failure is likely.

Benefit for TML: Enables the transition from fixed-interval (preventative) maintenance to condition-based maintenance . TML can proactively schedule interventions, reducing unplanned downtime and, consequently, the TCO for end customers (logistics and transportation companies). This improves the Group’s reputation for reliability and creates a closer relationship with the after-sales service network.

Logistics Optimization and Consumption Efficiency

GPS data combined with consumption parameters (fuel or kWh) for each specific route, altitude and load provide a granular map of operational efficiency.

Advantage for TML: It allows the company to offer route optimization and virtual coaching services for drivers. By analyzing driving style in correlation with fuel consumption, Artificial Intelligence (AI) can suggest operational corrections in real time (for example, via the Driver Pal voice assistant ), reducing fuel consumption by up to 10-15% .

Financial and Insurance Services (UBI – Usage-Based Insurance)

Risk data, such as sudden acceleration, sudden braking, average speed, and use in high-risk areas, become the basis for assessing the insurance premium.

Advantage for TML: The ability to offer customized insurance ( Usage-Based Insurance ) or leasing/rental solutions based on actual usage and risk profile. This verticalizes the Group’s financial offering, removing it from traditional brokers and creating a high-margin recurring revenue stream (ARR).

R&D Synergy and Asian Integration

Access to Iveco’s European data is crucial for TML, which has a strong presence in emerging markets (Asia, Africa).

Advantage for TML: TML can use the sophisticated performance data collected under the stringent European operating and regulatory conditions (e.g. Euro VI, noise limits, durability tests in temperate climates) to accelerate the development and validation of its models for the global market, particularly for electric vehicles ( BEVs ) and hydrogen vehicles ( FCEVs ), where battery thermal management is critical. Iveco’s data dramatically reduces the required R&D cycles.

Technological Acceleration: AI, Digital Twins, and Autonomous Vehicles

The most profound impact of data assets is in the field of Artificial Intelligence and long-term technological development.

Algorithms Training and Digital Twins

Machine learning and AI are data-hungry. Iveco’s remote diagnostics models (such as the Customer Uptime Center with Digital Twin technology ) depend on a constant supply of clean, well-labeled data.

Use by TML: TML obtains a corpus of data already structured and validated in a complex regulatory and infrastructure environment like the European one. This massive data set is essential for:
1. Digital Twin Enhancement: Create virtual models (digital twins) of every component and vehicle that evolve in real time, improving the accuracy of failure predictions.
2. Autonomous Systems: Although commercial vehicle autonomy is still in its early stages, the enormous amount of data on the driving context ( V2I – Vehicle to Infrastructure and V2V – Vehicle to Vehicle ), road conditions and human behavior (driver fatigue) is the lifeblood for training Advanced Driver-Assistance Systems (ADAS) and, ultimately, fully autonomous driving systems.

Development of Electric Platforms (ZEV)

The transition to zero-emission vehicles (ZEVs) is TML’s most costly challenge.

TML Use: Telemetry data from Iveco electric vehicles already in circulation (primarily light commercial vehicles and buses) provides critical information on battery degradation under different load and temperature conditions, regenerative braking efficiency , and actual (not just theoretical) range. This allows TML to rapidly optimize battery architecture, thermal management systems, and charging strategies for its future global models.

The Challenge of Data Sovereignty: The Golden Power Paradox

Despite the enormous global strategic value of Iveco data for TML, the transaction is constrained by the Golden Power requirements imposed by the Italian government, which create a paradox between TML’s ambition to centralize and maximize global data synergy and the need to respect Italian and European data sovereignty .

As previously analyzed (Chapters 4 and 6), the Prime Ministerial Decree imposes the obligation to:

Data Localization: Obligation to maintain data collected on national territory in infrastructures located within the European Union (EU).
Restriction on Extra-EU Sharing: Prohibition on sharing strategic data with entities subject to the jurisdiction of non-EU states (such as India, where TML is based), unless specifically authorized.

This restriction does not prevent TML from using the data (through analyses and algorithms run on EU servers ), but limits its physical transfer or direct access by personnel and systems outside of European jurisdiction.

Strategic Implication for TML: TML is forced to invest not only in maintaining its Italian R&D centers, but also in establishing a digital center of excellence (hub) in Europe, which will act as a controlled gateway for data analytics, ensuring that the digital brain of the new global Group maintains a significant technological and computing presence within the EU. The acquisition of the Iveco data asset is a key step for TML, but its full integration and global exploitation is conditional on meticulous compliance with this new and rigorous data governance paradigm imposed by the Italian authorities.

Information Asymmetry and Cybersecurity – The Strategic Risk of TATA Exploiting Vulnerabilities in the IVECO Group

The acquisition of the civilian arm of Iveco Group NV by TML CV Holdings Pte. Ltd. (Tata Group), although formally mitigated by the Golden Power requirements on data localization , introduces a profound information asymmetry and a complex cybersecurity challenge that goes beyond the mere transfer of physical assets . The strategic , commercial , and technological analysis must necessarily consider the possibility, and risk, that the new owner will acquire intimate knowledge of the design vulnerabilities and weak points of the Iveco ecosystem , being able to exploit this knowledge to its competitive advantage.

The heart of this vulnerability lies not only in the telematic data in transit, but in the overall architectural design of the electronic platforms and the proprietary firmware , a know-how that Golden Power has attempted to anchor in Italy but whose operation lies in the management control of TML .

The Technology Vector: Proprietary Architecture and Passive Cybersecurity

The ability of a vehicle manufacturer ( OEM ) to detect and exploit vulnerabilities (so-called Zero-Day ) in its products is a decisive competitive advantage. The Iveco vehicle platform , which includes engine control electronics, connected body and ADAS systems , is the result of decades of Research and Development ( R&D ) and is based on a proprietary architecture .

Risk of Exploitation of Cyber-Physical Vulnerabilities

Modern commercial vehicles are highly dependent on Electronic Control Units ( ECUs ) and internal communication lines (such as the Controller Area Network – CAN Bus ). If the basic architecture of the body and electronic sub-systems is shared between civilian models (now Tata ) and military models ( IDV/Leonardo ), as hypothesized by the investigation report, TML ‘s access to the original design , firmware source code and detailed technical documentation on internal communication protocols creates a potential breach in national security .

Asymmetric Competitive Advantage: In-depth knowledge of the modus operandi of Iveco ’s on-board electronics system allows TML to identify and mitigate any vulnerabilities in its future models, but, at the same time, gives it the ability to understand how other actors could access or manipulate Iveco vehicles still in circulation.
Supply Chain Risks : Knowledge of key suppliers of electronic components and the chipsets used by Iveco provides TML with a map of common supply chain vulnerabilities . If a specific component has a known cybersecurity flaw (a backdoor or bug ), TML acquires the know-how to avoid it in its own designs, even though it is aware of its existence in competing (or co-managed) Iveco models.

Commercial Exploitation of Weaknesses

Vulnerabilities are not only cyber-physical in nature. Even when analyzed only on EU servers as required by the Prime Ministerial Decree , telematic data can reveal commercial and design vulnerabilities :

Reliability Analysis: The sensors on the 100,000 connected units allow TML to map with statistical precision which components fail most frequently, under which operating conditions (extreme heat, heavy loads), and with which usage patterns . This creates a critical advantage: TML understands the durability and reliability flaws of its internal competitors (Iveco) and can redesign its global offering to overcome specific weaknesses (for example, reinforcing an axle or modifying a cooling system that Iveco data indicates is undersized).
Market Vulnerabilities: GPS and usage data can reveal Iveco fleet saturation points in certain regions or logistics segments ( long-distance transport , urban distribution ). This business intelligence is invaluable for TML to surgically position its models (or new Iveco models) where competition is weakest or where customer needs are not fully met by current specifications.

The Digital Twin Strategy and Holistic Knowledge

Iveco ‘s use of Digital Twin technology for predictive diagnostics (Customer Uptime Center) is a double-edged sword in this operation. The Digital Twin is a virtual model, powered by all sensor data, which simulates the vehicle’s operational life with extremely high accuracy (NATO Science and Technology Trends Report, 2025 ).

Access to the Transfer Function: By acquiring the Digital Twin ‘s operational capability , TML obtains not only the raw data, but also the transfer function (the algorithm) that translates sensor stress into failure probability. This function is the true dynamic Intellectual Property (IP) . Knowing how Iveco models failure probability (and therefore when the vehicle fails according to the original design ) is a design risk metric that no other OEM could know without years of field testing.
Operational Vulnerabilities: Iveco ‘s telematics platform monitors driver behavior ( Driver Pal ), clutch use , and braking efficiency . Analysis of this data on 100,000 vehicles can reveal operational vulnerabilities specific to Iveco designs : for example, if Iveco trucks show accelerated degradation under certain platooning or autonomous driving conditions, TML receives a free roadmap to improve its ADAS systems .
Remote Manipulation: Full understanding of the tele-management architecture ( over-the-air updates ) opens the door to scenarios, albeit strictly prohibited and regulated by the Data Act , of potential manipulation or selective interruption of services for competing Iveco vehicles in third-party markets, especially if the vehicles depend on updates or cryptographic keys managed from the cloud (if this is the EU hub controlled by TML).

Mitigation and Government Perspectives: The Need for a Permanent Cyber Audit

The Golden Power intervention has imposed data localization to protect digital sovereignty , but it cannot eliminate the risk of intrusive knowledge acquired through ownership changes. Mitigating these asymmetric vulnerabilities requires a much deeper cyber-auditing and R&D control approach, in line with the requirements of the NIS2 Directive on the security of network and information systems (NIS2 Directive – Directive (EU) 2022/2555 , January 2023 ).

R&D Compliance: MIMIT , in monitoring the obligation to maintain R&D levels and IP ownership in Italy , will have to ensure that joint development or integration projects with TML do not involve the covert transfer of critical source code or vehicle system encryption keys . This requires software forensics and cyber-assessment skills applied to R&D monitoring .
Operational Cyber-Defense Separation: The greatest risk is the risk of targeted attacks on Defense Business Unit (DBU) vehicles via hardware or firmware vulnerabilities common to civilian vehicles. TML ‘s obligation to ensure continuity of supply for the DBU makes it crucial for the Ministry of Defense to conduct an ongoing security audit of the specifications of components and subsystems supplied by the civilian branch to ensure they do not contain backdoors or unauthorized modifications that could be exploited by TML or third parties.

Ultimately, the Iveco-Tata acquisition is a school of thought on protecting intangible value in the modern economy. Access to Iveco ‘s digital twin and data pool provides TML with an X-ray view of design and commercial vulnerabilities that no Golden Power clause can completely prevent. The real defense lies not in blocking the use of data, but in ensuring that Italian R&D facilities maintain the ability to continuously address and overcome these vulnerabilities, ensuring continued and autonomous technological superiority [World Economic Forum – The Geopolitics of Technology, 2025 ].

Information Asymmetry and Cybersecurity – The Strategic Risk of TATA Exploiting the IVECO API Ecosystem

The acquisition of the civilian arm of Iveco Group NV by TML CV Holdings Pte. Ltd. (Tata Group) raises a rigorous analysis of the cyber-strategic vulnerabilities inherent in managing a complex vehicle data asset . The sale gives TML access not only to the production chain, but above all to the digital heart that manages the operations of tens of thousands of commercial vehicles and buses: the IVECO ON Web API service . This service, based on the ITxPT TiGR standard for buses and a proprietary API for trucks (such as the Daily , Eurocargo , and S-WAY ), represents a critical attack surface and a vehicle for unprecedented information asymmetry , whose full understanding and potential for malicious exploitation must be assessed at the highest level of government scrutiny.

The Hybrid Attack Surface: ITxPT and Opaque APIs

The technological layering of IVECO ‘s offering introduces a twofold cybersecurity challenge . The ITxPT TiGR ( Information Technology for eXcellent Public Transport ) standard for buses was explicitly designed for multi-brand interoperability in the public passenger transport sector ITxPT Technical Specification, 2025. While adopting an open standard like ITxPT reduces the risk of vendor lock-in and improves diagnostics for fleet managers, its open nature exposes IVECO ‘s specific implementation to well-known risks if its authentication, encryption and API Key management do not strictly adhere to cybersecurity best practices defined by bodies such as the European Union Agency for Cybersecurity ( ENISA ) ENISA API Security Guidelines, 2024 .

The most significant risk, however, lies in the proprietary API used for the truck range . Because its technical specifications are not publicly available ( opaque ), this protocol relies on a security-by-obscurity model . While this may deter general hackers , for a buyer like TML , which now owns the technical documentation, source code , and the entire backend of the IVECO ON service , opacity becomes total and asymmetric knowledge. TML gains a precise map of the competition’s known and unknown ( zero-day ) vulnerabilities (if we consider Iveco an asset whose know-how is being stripped) and the precise authentication and authorization functions that govern access to critical data such as real-time geolocation and diagnostic error codes .

Hostile Use and Data Manipulation Scenarios

Privileged access to proprietary API documentation and data management systems opens TML up to potential hostile use scenarios that, while not legal, pose a strategic and competitive risk.

Commercial Espionage and Logistics Mapping

The most sensitive data accessible via the API is real-time geolocation and fuel/energy consumption of vehicles.

Exploitation Vector: TML can use the acquired know-how to develop internal eavesdropping or targeted data leakage systems , bypassing external controls. Knowledge of the proprietary API ‘s endpoints and authentication methods would allow TML to map the entire logistics chain of competitors using IVECO vehicles with pinpoint precision (including key European customers such as transport operators and couriers).
Danger: Determining key distribution centers , supply routes (e.g., for sensitive or just-in-time raw materials ), and transit frequencies of competitors. This constitutes industrial espionage under Regulation (EU) 2019/452 on the screening of Foreign Direct Investment ( FDI ) if aimed at compromising national economic security . Regulation (EU) 2019/452, 19 March 2019 .

Data Poisoning and Vehicle Health Manipulation

The API provides diagnostic data, including diagnostic trouble codes and driving style assessments . Potentially compromising this data, or altering its source, would open the door to cyber-physical manipulation scenarios .

Exploitation Vector: If a malicious actor (knowing the proprietary architecture) were able to inject false (or “poisoned”) data into the IVECO ON platform for a specific customer, they could trigger incorrect predictive maintenance (e.g. false critical failure alarms) or, conversely, suppress real alarms.
Danger: Causing unplanned downtime and costly inefficiencies for IVECO ON service customers , damaging the reputation and logistics operations of TML competitors . In a crisis scenario, sending incorrect data on the battery charge level of electric vehicles could jeopardize entire critical transport routes.

The Risk of Cyber-Physical Escalation and UNECE R155

The most serious threat of compromised proprietary know-how concerns escalation from the cloud ( API ) to the physical vehicle (the electronic platform and control systems ). UNECE Regulation R155 ( United Nations Regulation on the Approval of Vehicles with Respect to Cybersecurity ) is the key regulation in force from July 2024 that obliges OEMs to implement a Cybersecurity Management System ( CSMS ) across the entire vehicle lifecycle UNECE R155, 2021 .

Violation of the CSMS Principle: If the proprietary IVECO API , designed to access certified data, does not guarantee perfect and encrypted segregation between the cloud and the vehicle CAN Bus , its compromise could theoretically allow the sending of unauthorized commands.
Critical Scenario: An actor with proprietary code could attempt to exploit a bug in the telematics ECU ‘s data parser to perform a Remote Code Execution ( RCE ). A Denial of Service (DoS) attack , limiting the API ‘s functionality and preventing the legitimate fleet manager from accessing critical data, also constitutes a direct attack on public order if it paralyzes essential transportation infrastructure.
Dual-Use Risk: In-depth knowledge of the proprietary API of civilian trucks increases the risk for military vehicles ( IDV/Leonardo ) that share the same chassis and, potentially, electronic subsystems and internal network. An exploit discovered on the civilian platform by TML (even if unused) represents national security information in the hands of a non- EU operator , increasing the risk of hostile back-engineering on defense platforms.

The Regulatory Imperative: From Golden Power to Mandatory Cyber Audit

The Golden Power conditions imposed by the Prime Ministerial Decree (particularly data localization and the ban on sharing outside the EU ) affect where data is stored and with whom it is shared. However, they do not neutralize the risk of the proprietary architectural know-how acquired by TML .

To mitigate the threat of hostile exploitation of API vulnerabilities by the new owner (or through internal eavesdropping ), strengthening monitoring beyond simple auditing is necessary:

Mandatory and Independent Cyber-Audit: The Ministry of Business and Made in Italy (MIMIT) and the National Cybersecurity Agency ( ACN ) should require TML to undergo an annual Cybersecurity Audit , conducted by a third-party entity accredited in the EU , specifically on the architecture of the proprietary API and IVECO ON services . This audit must verify compliance with UNECE R155 and ISO/SAE 21434 ISO/SAE 21434, 2021 .
Code Review : For the most critical part of the proprietary API that interconnects the cloud with onboard diagnostics, MIMIT should reserve the right to require a Code Review to identify backdoors or undocumented remote access protocols, as well as to prevent the use of such proprietary know-how for purposes other than approved commercial ones.
Key Management Governance: A specific requirement must be imposed on TML for the governance of cryptographic keys and Master Access credentials to telematic systems, ensuring that root keys remain under the exclusive management of personnel and systems resident and certified in the European Union , in line with best cybersecurity practices for critical infrastructures [ENISA Cyber Crisis Management Guidelines, 2025 ].

In conclusion, the IVECO Web API , as a gateway to a vast ecosystem of dynamic and sensor data , is the true power interface in the acquisition process. Adversarial use of this interface, fueled by the proprietary knowledge acquired by TML , constitutes a risk that cannot be mitigated by localization clauses alone. Instead, it requires proactive, ongoing, and specialized technological vigilance , recognizing the API not as a mere commercial tool, but as a critical infrastructure for European digital sovereignty .

Integrated Synoptic Table: Strategic, Legal, and Technological Analysis of the IVECO-TATA Operation

This table provides a detailed and documented summary of the key concepts, regulatory constraints and strategic implications that emerged from the analysis of the sale of the civil branch of Iveco Group NV to TML CV Holdings Pte. Ltd. ( Tata Group ) and of the Defence Business Unit to Leonardo Spa. The framework is organised into thematic areas to facilitate a holistic and rigorous understanding.

Conceptual Area	Key Element	Specific Data and Verified Sources	Strategic Implications and Risks
OPERATIONAL AND FINANCIAL CONTEXT	General Operation (Civil)	Estimated value of the acquisition: approximately €3.8 billion [Full Content, Chapter 1]. Acquirer: TML CV Holdings Pte. Ltd. (controlled by Tata Motors Ltd. ), a non- European Union operator .	Redefining the European industrial geography of commercial vehicles. It provides TML with direct access to EU markets and IVECO ‘s green and digital technologies .
	Separation and Defense	Sale of the Defense Business Unit ( IDV/ASTRA ) to Leonardo Spa (notified 11 September 2025 ) [Full Content, Chapter 2]. IVECO ‘s controlling shareholder ( Exor ): 27.1% of the capital with 43.1% of the voting rights [TATA MOTORS TO ACQUIRE IVECO GROUP, 30 July 2025 ].	Preemptive move to isolate national security assets from foreign influence, in line with the principle of Italian and European strategic autonomy .
LEGAL AND REGULATORY FRAMEWORK	Golden Power Regulatory Basis	Legislative Decree 15 March 2012, n. 21 and Prime Ministerial Decree 29 October 2025 [Full Content, Chapter 1]. Sectors affected: Defense/Security (Art. 1) and Strategic Activities ( Transport, Communications, AI, Big Data ) (Art. 2) [Full Content, Chapter 1].	The operation is a fundamental test for the extension of the Golden Power to the high-tech dual-use (civilian with military implications) automotive sectors .
	Critical Data Regulation (Data Act)	Regulation (EU) 2023/2854 ( Data Act ), fully applicable from 12 September 2025 [Regulation (EU) 2023/2854, 13 December 2023 ]. The European Commission published the Guidelines on vehicle data on 12 September 2025 [European Commission, 12 September 2025 ].	The acquisition coincides with the full implementation of the regulation that strengthens the rights of access and data portability for users ( B2C and B2B ), imposing transparency and post-sale competition.
STRATEGIC PRESCRIPTIONS (GOLDEN POWER)	Intellectual Property (IP) Office	Obligation to ensure that patents and other intellectual property ( IP ) titles held by Italian companies (present and future) remain the property of the same companies [Full Content, Chap. 4].	It neutralizes the risk of know-how drain and ensures the autonomy of Italian technological innovation in sectors such as electrification and Artificial Intelligence ( AI ).
	Production and R&D Localization	Obligation to ensure the maintenance of production plants and research and development ( R&D ) centres at national level [Full Content, Chap. 4].	It mitigates the risk of relocation and preserves the value chain and 14,513 employees in Italy . It maintains the ability to prototyping and achieve high TRL (Technology Readiness Level) levels.
	Continuity of Supply (Defense)	Obligation to guarantee the supply of components, products and services to the Defence Business Unit ( Leonardo ) until the needs of national defence cease [Full Content, Chap. 2].	It transforms a commercial contract into an indefinite strategic interest bond , essential given the sharing of chassis and dual-use technology between the civil ( TATA ) and military ( LEONARDO ) branches.
DATA GOVERNANCE AND DIGITAL SOVEREIGNTY	Critical Data Assets	Around 100,000 connected vehicles in Italy that generate GPS data , consumption , predictive diagnostics (e.g. Digital Twin ) and driving style [Full Content, Chap. 3].	This data is the basis for training AI algorithms and eMobility services . It is classified as strategic for national economic and logistical security.
	Data Localization (Prescription)	Obligation to ensure that the data collected by the European companies of the Iveco Group are stored in technological infrastructures located in European Union member states [Full Content, Chap. 3].	Direct defense mechanism against requests for extraterritorial data access (e.g., Cloud Act ). Strengthens the EU ‘s digital sovereignty over its data assets .
CYBER-TECHNOLOGY RISKS AND APIs	API Vulnerability	IVECO uses a proprietary Web API for trucks and the ITxPT TiGR standard for buses, with limited access to customers and partners [Full Content, Chapter 8]. TML acquires full knowledge of these architectures.	Deep Knowledge Asymmetry Risk . TML can identify vulnerabilities ( Zero-Day ) for commercial espionage (logistics mapping of competitors), data poisoning , or fleet management sabotage attempts ( DoS attacks ).
	Cyber Regulatory Risk	Vehicles are subject to UNECE Regulation R155 [UNECE Regulation R155, 2021 ] on Cybersecurity , which requires a CSMS (Cybersecurity Management System) throughout the product life cycle [ATS Europe, 2025 ].	TML ‘s access to proprietary know-how increases the risk of compromising the effectiveness of IVECO ‘s CSMS , undermining UNECE R155 compliance and the physical safety of the vehicles.
MONITORING AND SANCTIONS	Supervisory Authority	Ministry of Business and Made in Italy ( MIMIT ): monitors IP , R&D , Production Localization , Data Localization [Full Content, Chapter 6]. Ministry of Defense : monitors the supply continuity condition to the Defense Business Unit [Full Content, Chapter 6].	Implementation of dual and specialized supervision to ensure long-term fulfillment of the commitments undertaken by TML .
	Sanctioning Regime	In case of non-compliance, the provisions of Legislative Decree no. 21 of 15 March 2012 shall apply , with administrative pecuniary sanctions of up to double the value of the transaction or no less than 1% of the total turnover [Full Content, Chapter 6].	It provides maximum legal deterrence, transforming default into a catastrophic financial risk for the Foreign Investor.

References

Government Publication. Italian Government. Legislative Decree No. 21 of March 15, 2012, converted, with amendments, by Law No. 56 of May 11, 2012 (Regulation of special powers over corporate structures). Internet. Available from: Official Journal of the Italian Republic . Accessed: November 28, 2025.
Regulation (EU). European Parliament and Council of the European Union. Regulation (EU) 2023/2854 of the European Parliament and of the Council of 13 December 2023 on harmonized rules on fair access to and use of data and amending Regulation (EU) 2017/2394 and Directive (EU) 2020/1828 (Data Protection Act). EUR-Lex. 2023 December 13. Internet. Available from: https://eur-lex.europa.eu/eli/reg/2023/2854/oj . Accessed: 2025 November 28.
Guidance. European Commission – Directorate-General for Communications Networks, Content and Technology. Guidance on vehicle data, accompanying the Data Act. European Commission. 2025 September 12. Internet. Available from: https://commission.europa.eu/publications/data-act-guidelines-automotive_en . Accessed: 2025 November 28.
Policy Overview. European Commission. European data strategy. European Commission. 2025 November 28. Internet. Available from: https://digital-strategy.ec.europa.eu/en/policies/data-strategy. Accessed: 2025 November 28.
Strategy Document. Presidency of the Council of Ministers / Docs Italia. Strategy for Technological Innovation and Digitalization of the Country 2025. Docs Italia. 2019 December 17. Internet. Available from: https://docs.italia.it/italia/mid/piano-nazionale-innovazione-2025-docs/it/stabile/ . Accessed: 2025 November 28.
Report. European Defence Agency (EDA). Capability Development Plan (CDP) 2024 Report. EDA. 2024. Internet. Available from: https://eda.europa.eu/docs/default-source/eda-document-library/cdp-2024-report-final. Accessed: 2025 November 28.
Policy Overview. European Commission. A New Industrial Strategy for Europe. European Commission. 2025 November 28. Internet. Available from: https://ec.europa.eu/info/strategy/priorities-2019-2024/europe-fit-digital-age/european-industrial-strategy_en. Accessed: 2025 November 28.
Policy Tool. Organisation for Economic Co-operation and Development (OECD). OECD FDI Regulatory Restrictiveness Index. OECD. 2025 November 28. Internet. Available from: https://www.oecd.org/daf/inv/investment-policy/FDI-restrictions.htm. Accessed: 2025 November 28.
Report Series. World Intellectual Property Organization (WIPO). World Intellectual Property Report (WIPR). WIPO. 2025 November 28. Internet. Available from: https://www.wipo.int/wipr/. Accessed: 2025 November 28.
Speech. von der Leyen U, European Commission. State of the Union Address 2025. European Commission. 2025 September. Internet. Available from: https://ec.europa.eu/commission/presscorner/detail/en/SPEECH_25_4664. Accessed: 2025 November 28.
Legal Article. Delli Ponti Law Firm. September 12, 2025: Data Act enters into force. Delli Ponti Law Firm. 2025 September 12. Internet. Available from: https://www.studiolegaledelliponti.eu/12-settembre-2025-data-act-entra-in-vigore/ . Accessed: 2025 November 28.
Legal Article. CMS. “Vehicle data” in the era of the Data Act. The EU Commission Guidelines. CMS. 2025 September 24. Internet. Available from: https://cms.law/it/ita/publication/vehicle-data-nell-era-del-data-act.-le-linee-guida-della-commissione-ue . Accessed: 2025 November 28.
Legal Article. Paradigma. Data Act: What changes from September 12, 2025 for sharing, portability, and interoperability. Paradigma. 2025 September 2. Internet. Available from: https://paradigma.it/2025/09/02/data-act-2025-obblighi/ . Accessed: 2025 November 28.
Regulation (EU). European Parliament and Council of the European Union. Regulation (EU) 2019/452 of the European Parliament and of the Council of 19 March 2019 establishing a framework for the screening of foreign direct investments into the Union. EUR-Lex. 2019 March 19. Internet. Available from: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32019R0452 . Accessed: 2025 November 28.
Article. Innovation Post. Artificial Intelligence Takes Predictive Maintenance to New Application Areas. Innovation Post. 2020 January 17. Internet. Available from: https://www.innovationpost.it/tecnologie/automazione/lintelligenza-artificiale-porta-la-manutenzione-predittiva-verso-nuovi-ambiti-applicativi/ . Accessed: 2025 November 28.
Technical Analysis. ATS Europe. Regolamento UNECE R155 – Cybersecurity per i veicoli. ATS Europe. 2025 November 28. Internet. Available from: https://www.ats-europe.eu/regolamento-unece-r155-cybersecurity-per-i-veicoli/. Accessed: 2025 November 28.
Article/Technical Reference. Fleet Magazine. Unece WP.29 R155: the regulatory framework for vehicle cybersecurity. Fleet Magazine. 2025 September 19. Internet. Available from: https://www.fleetmagazine.com/unece-wp-29-r155-cybersicurezza-veicoli-auto/ . Accessed: 2025 November 28.
Directive (EU). European Parliament and Council of the European Union. Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union. EUR-Lex. 2022 December 14. Internet. Available from: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022L2555 . Accessed: 2025 November 28.
Press Release (Corporate). Iveco Group NV and Tata Motors Limited. TATA MOTORS TO ACQUIRE IVECO GROUP, CREATING A GLOBAL PLAYER IN COMMERCIAL VEHICLES. Iveco Group. 2025 July 30. Internet. Available from: https://www.ivecogroup.com/-/media/corporate_press_releases/2025/july/tata_motors_to_acquire_iveco_group_together_creating_a_global_player_in_commercial_vehicles/20250730_CS_Iveco_Group_Tata_Motors_to_acquire_Iveco_Group.pdf . Accessed: 2025 November 28.