Norwegian public transport operator Ruter announced plans to tighten cybersecurity measures after discovering that Chinese-made Yutong electric buses in its fleet could be remotely accessed and potentially deactivated by the manufacturer. The findings came following a technical test that showed Yutong retained the ability to connect to the buses’ control systems for software updates and diagnostics.

According to Ruter, this kind of access could, in theory, be misused to interfere with the buses’ operation. The tests were carried out in underground facilities designed to block external signals, using both new Yutong vehicles and older models from Dutch manufacturer VDL. While the Dutch-made buses were found to lack remote update capabilities, the Yutong buses demonstrated full over-the-air connectivity.

Yutong did not immediately comment, but in a statement cited by The Guardian, the company said it strictly adheres to local laws where its vehicles operate and that all data related to the buses is stored in Germany. A company spokesperson added that the data is encrypted and used exclusively for maintenance, optimization, and customer service purposes.

The results have intensified ongoing debates in Europe about cybersecurity risks and potential foreign influence in key infrastructure systems. Ruter, which operates about half of Norway’s public transport network, including routes in Oslo and the Akershus region, said the test confirmed the manufacturer’s direct digital access to its buses. The company stated it is now moving from “concern to concrete action,” introducing new security systems to guard against hacking or unauthorized interference.

Concerns about remote vehicle control are not unique to Norway. Earlier this year, US regulators opened an investigation into Tesla’s remote movement features after several reported accidents, underscoring broader fears about vulnerabilities in connected electric vehicles.

In Denmark, transport company Movia said it is also reassessing cybersecurity and data protection measures following the Norwegian findings. The Danish operator stressed that, according to Norwegian researchers, the issue is not limited to Chinese-made vehicles but affects any modern vehicle or device equipped with similar electronics and network access.

Ruter confirmed that onboard cameras are not connected to the internet, meaning no visual data can be transmitted externally. However, the company noted that the manufacturer can still access systems linked to the battery and power supply via the mobile network, which theoretically could allow a remote shutdown.

In response, Ruter is introducing stricter procurement standards that include specific cybersecurity requirements, developing firewalls to ensure local control, and collaborating with Norwegian authorities to establish clearer rules for data protection in public transport systems. The company also plans to delay incoming data transmissions to inspect updates before they reach the buses, aiming to eliminate any possibility of external manipulation.