Recommendations for a European Framework for Autonomous Vehicle Testing on Public Roads
The EC-funded project FAME has established a European coordination framework including a harmonized regulatory baseline for testing Connected, Cooperative, and Automated Mobility (CCAM) solutions on public roads across EU. Primarily targeting SAE Level 3 and Level 4 Automated Driving Systems (ADS), the framework aims to eliminate regulatory fragmentation, streamline cross-border testing, and ensure rigorous safety and ethical standards prior to commercial deployment.
By providing a comprehensive overview of the autonomous vehicle (AV) testing and approval process, the following recommendations aims to foster collaboration and understanding among all parties involved in bringing automates driving technology to public roads, including policymakers and legislators, automotive manufacturers, research and development centres, technical services, safety assessors, national and regional authorities, and transportation and mobility sector stakeholders. FAME recommendations establish a legal framework and provide vehicle safety through type approval.
The framework is subdivided into the following sections:
- Safety Operator: FAME broader and define the role of the safety operator, compared with the definition in EU 2022/1426.
- Test Permit Procedure: This section defines the procedures or actions necessary to obtain the permit for testing.
- Mutual Recognitions and Cross-Broder Testing: To facilitate the deployment of prototypes with testing aims, FAME proposes a European mutual recognition process for AV testing on public roads by incorporating a Safety Validators Group (SVG) and a European platform.
- Cybersecurity Management Plan: This section describes recommendations to detail how cybersecurity risks are assessed throughout the vehicle’s development.
- Monitoring Process and Reporting: In this section, different types of occurrences are described, and the reporting process is detailed.
- Data Governance: FAME analyses data requirements during and after AV testing, and proposes some recommendations on data handling and transfer, and data elements.
- Coordinated Ethical Public Involvement: In this section, personal data, user content, and the AI Act are discussed, and proposes documenting safe and ethical operation concepts.
Safety Operator
FAME explicitly distinguishes the safety operator required during the testing phase from the standard operator defined under EU Regulation 2022/1426 for commercial deployment. Because testing involves vehicles still under development that cannot be guaranteed to operate robustly under all conditions, the safety operator acts as the ultimate safety fallback.
The safety operator must always be engaged and supervise the vehicle’s system to detect potential issues the vehicle itself might not identify, order the ADS to start the Minimum Risk Manoeuvre (MRM), and to take the control of the Dynamic Driving Task (DDT) partially or fully when necessary.

Test Permit Procedure
To mitigate the risks associated with deploying developmental ADS on public roads, the FAME framework establishes a highly structured, multi-stage authorization protocol. The procedure mandates the formal designation of a Safety Validation Responsible entity, which Member States may define as the national type-approval authority, an accredited independent Technical Service, or the applicant acting through self-assessment.
The authorization process is delineated into the following stages:
- First Documental Submission Stage: The applicant must submit an exhaustive initial documentation package that allows the safety validator to construct a baseline risk profile. This stage encompasses three primary components:
- Application: For testing campaigns involving multiple vehicles with identical hardware, software configurations, and Operational Design Domains (ODDs), the framework reduces administrative friction by allowing a single, comprehensive application that covers the entire fleet, provided each vehicle is uniquely identified.
- Testing Activity Description: The applicant must rigorously define the testing objectives, the specific ADS features to be evaluated, and the exact Physical and Digital Infrastructure (PDI) prerequisites. Crucially, this section must also document the comprehensive training programs and certification protocols established for the designated safety operators.
- System Documentation Package: The core engineering submission must detail the foundational system architecture. It legally necessitates a formal Hazard Analysis and Risk Assessment (HARA) and a Threat Analysis and Risk Assessment (TARA) demonstrating cybersecurity compliance with principles derived from UN Regulation No. 155.
- Risk Assessment: Following the initial review, the safety validator conducts a test-specific risk assessment. If the proposed testing activity presents elevated risks, such as the deployment of custom-built prototypes lacking standard manual controls (steering wheels or brake pedals) or significant modifications to the base vehicle’s braking and steering architectures, the validator will compel a second documental submission.
- Second Documental Submission Stage:
- Proving Gound Pre-Tests: Mandatory closed-track dynamic testing must be executed to validate fundamental safety parameters before any public road exposure. These tests must empirically prove the system’s ability to execute emergency overrides, maintain longitudinal and lateral control, and autonomously achieve a Minimal Risk Condition (MRC) during simulated failure scenarios (e.g., communication loss).
- Data Logger Integration: The applicant must verify the implementation of high-frequency data recording systems (such as the Data Storage System for Automated Driving (DSSAD) or the Event Data Recorder (EDR)) capable of logging kinematic data, ADS actuations, and external object perception to facilitate post-incident forensic analysis.
- Remote Operation Validation: If the testing relies exclusively on a remote safety operator, the applicant must submit specific documentation proving the robustness of the communication latency, redundancy protocols, and remote intervention capabilities.
- Inspection of Test Vehicles: Before the final issuance of the test permit, the safety validator must conduct a strict physical, on-site verification to ensure the actual test vehicles perfectly correspond to the submitted technical dossiers.

Mutual Recognition and Cross-Border Testing
The mutual recognition of testing permits is a foundational regulatory mechanism designed to facilitate the deployment of ADS across European jurisdictions without subjecting applicants to redundant, ground-up homologation efforts in every Member State.
To operationalize technical approvals, each participating Member State must statutorily designate cross-border safety validators, which may be integrated within the national type-approval authority or delegated to accredited third-party Technical Services. Collectively, these designated national representatives form the Safety Validators Group (SVG). The SVG bears the technical responsibility for auditing and verifying multi-national Automated Vehicle (AV) testing applications.
This coordination is facilitated by a centralized European platform for public road testing, acting as an online application exchange space where Member States agree to adopt a harmonized evaluation framework. When a testing campaign spans multiple countries, the platform automatically notifies the respective SVG members and securely distributes the technical documentation.
Mutual Recognition Process
The technical assessment for a multi-national testing route follows a strict, multi-step review process to ensure comprehensive safety validation while minimizing administrative friction:
- Designation of the Lead Member State: Rather than conducting simultaneous independent evaluations, a single Lead Member State is designated to execute the primary technical safety review. The selection of the lead state is determined by objective Key Performance Indicators (KPIs), including the authority’s prior technical expertise with AV tests, the availability of dedicated administrative resources, and the Cooperative & Connected Mobility Readiness (PDI) of the proposed route.
- Primary Safety Assessment and Reporting. The Lead Member State conducts an exhaustive engineering review, evaluating the vehicle’s ODD against the physical realities of the route. Upon conclusion, the lead authority issues a formal evaluation report, which explicitly affirms compliance with harmonized guidelines, details the safety checklist utilized, and justifies any operational exemptions granted.
- Targeted Gap Analysis by Secondary Jurisdiction: The primary safety report is distributed via the European platform to the SVG representatives of the secondary countries. Crucially, these secondary authorities do not duplicate the initial homologation. Instead, they execute a targeted technical gap analysis to evaluate the Lead Member State’s assessment against their localized requirements, such as distinct national traffic laws, unique highway configurations, or specific environmental conditions.
- Proportional System Adaptations and Consensus. During the gap analysis, secondary jurisdictions may compel the applicant to adapt specific ADS operational parameters to safely navigate local infrastructure. A universally recognized testing permit is formally granted only after all participating SVG members complete their review and achieve technical consensus.

Partial Mutual Recognition
In operational scenarios where absolute technical harmonization is legally or structurally unfeasible, due to conflicting national traffic laws or fundamental infrastructural incompatibilities, the framework incorporates the mechanism of partial mutual recognition. Under this provision, a secondary SVG member authority may conditionally accept the test permit by imposing explicit, localized restrictions on the vehicle’s operation. This ensures that cross-border testing can proceed in a controlled manner without compromising the localized safety standards of the respective jurisdiction.
Pre-Certified AV Test Corridors
To significantly accelerate the mutual recognition procedure, the framework strongly advocates for the utilization of established cross-border AV test corridors. These corridors, such as the digital testbed connecting France, Germany, and Luxembourg, offer predefined operational conditions where the PDI, Cooperative Intelligent Transport Systems (C-ITS), and safety protocols are harmonized in advance. Because these environments are pre-verified, SVG member states can issue mutual recognition permits relying on highly accelerated secondary safety evaluations, thereby bypassing standard regulatory delays and facilitating seamless cross-border testing.
Cybersecurity Management Plan
The regulatory framework shall recognize that the vehicle’s electronic architecture and its protection against cyber threats are rigorously certified prior to market entry under UN Regulation No. 155 for Cybersecurity Management Systems (CSMS). The manufacturer’s CSMS, which includes a comprehensive Threat Analysis and Risk Assessment (TARA) covering vulnerabilities from external connectivity, unauthorized access, and malicious software injection, is legally assumed to be validated at the homologation stage. Consequently, local deployment authorities do not need to reassess vehicle-level network security, access management, or cryptographic controls.
Furthermore, the infrastructure and protocols for modifying the vehicle’s software are legally certified through compliance with UN Regulation No. 156 for Software Update Management Systems (SUMS). The manufacturer’s procedures for securely delivering, executing, and verifying over-the-air software updates are therefore legally established prior to deployment. National deployment regulations should not attempt to regulate the technical delivery mechanisms of these updates. However, they must mandate an administrative notification or re-authorization process if a software update fundamentally alters the authorized ODD boundaries or impacts system safety.
Monitoring Process and Reporting
To ensure continuous operational safety and facilitate regulatory oversight, FAME proposes to establish strict, harmonized reporting protocols derived from the EU Regulation 2022/1426 baseline. Legislation shall distinguish between two primary tiers of driving events:
- Non-critical occurrences: Events involving an operational interruption, defect, fault, or safety degradation that does not prevent normal operation, as well as emergency or complex manoeuvres executed successfully to prevent a collision.
- Critical occurrences: Severe collisions resulting in an injury requiring medical assistance, significant physical damage to vehicles or stationary objects exceeding a certain threshold, or any event triggering an airbag deployment.
Statutorily, the manufacturer or fleet operator shall notify the competent type-approval and market surveillance authorities of any safety-critical occurrences without delay. For experimental or pre-deployment operations, activities must be halted immediately, an initial safety assessment report must be submitted within 3 days, and a fully elaborated technical report must be provided within 30 days before authorities may authorize the resumption of operations.
Additionally, operators are legally required to submit periodic safety reports (annually for commercial deployment, or semi-annually during specific testing phases) to provide aggregated data on the ADS performance and occurrences related to ODD exits.
Data Governance
The operational data logging architecture of an automated vehicle relies fundamentally on the Event Data Recorder (EDR) mandated by UN Regulation No. 160 and the Data Storage System for Automated Driving (DSSAD) mandated by UN Regulation No. 157, both of which overarching the EU Regulation 2022/1426.
Because the physical integration and hardware survivability of these systems are structurally validated during the European whole-vehicle type-approval process to ensure data retrievability after significant mechanical impacts, national authorities are statutorily prohibited from imposing new or divergent hardware capability requirements during the deployment phase. To guarantee data integrity for potential use as digital evidence in legal or safety investigations, the framework must mandate the implementation of cryptographic checksums and timestamped traceability for all data processing stages.
Data governance must strictly enforce Privacy by Design in accordance with the General Data Protection Regulation (GDPR). The technical mechanisms for anonymizing or pseudonymizing highly intrusive vehicle telemetry, particularly location data that could reveal user lifestyle habits, are evaluated at the homologation level. The deployment legislation must ensure that access to this sensitive data is strictly governed by proportionate legal mechanisms, limiting disclosure exclusively to authorized entities for the express purposes of incident investigation and law enforcement.
Coordinated Ethical Public Involvement
The commercial deployment of automated mobility introduces complex societal dimensions that necessitate transparent ethical oversight and proactive public engagement. Fleet operators and testing organizations must ensure algorithmic fairness by demonstrating that their systems are trained on diverse datasets to minimize discriminatory patterns, while also ensuring that services meet accessibility targets for diverse populations, including individuals with disabilities.
Furthermore, the regulatory framework should compel applicants to conduct wide and transparent socio-economic impact assessments, utilizing established European methodologies such as the FESTA and EU-CEM handbooks, to evaluate the technology’s effect on traffic flow, environmental sustainability, and workforce dynamics.
To foster societal trust and satisfy public transparency requirements, the legislation must enforce localized public engagement mandates. Specifically, operators should be required to publish a Safe and Ethical Operational Concept (SEOC). This publicly accessible document must clearly articulate, in non-technical terms, how the automated vehicle protects vulnerable road users, executes passenger evacuation procedures without a human driver, handles emergency situations, and enforces data privacy protections, thereby bridging the transparency gap between technological developers and the general public.
For detailed operational requirements discussed in this page, the complete report is available for download:
- Other related references: Recommendations for a European Framework for Testing on Public Roads