In a nutshell: Frosty relations between the US and China might have thawed slightly over the last few days, but Europe is investigating a new concern related to the Asian nation: whether electric buses made in the country and being used on EU roads can be remotely shut down by their maker.
The issue began when an investigation in Norway concluded that Yutong electric buses could be "stopped or rendered inoperable" by the Zhengzhou-based company – the world's largest manufacturer of buses by sales volume. Yutong has exported nearly 110,000 buses to more than 100 countries, and holds more than 10% of the global market.
Ruter, which operates around half of Norway's public transportation network, said the government-owned Yutong had "direct digital access to each individual bus" to carry out software updates and diagnostics. "In theory, this could be exploited to affect the bus," it said.
The tests, which were carried out in a mountain tunnel to block external signals, involved a brand-new Yutong bus and a three-year-old bus from Dutch manufacturer VDL. It was found that the Dutch vehicle didn't have the capability to carry out over-the-air updates, while the Chinese-manufactured buses did.
"There is access to the control system for battery and power supply via mobile network through a Romanian SIM card. In theory, therefore, this bus can be stopped or rendered inoperable by the manufacturer," Ruter said.
‼️ Yutong could remotely detonate its buses.
Norwegian public transport company Ruter found that buses can be disabled and a thermal runaway could potentially be initiated remotely. Yutong buses drive all around Europe.
All SIM cards were removed to block over-the-air updates.…
– International Cyber Digest (@IntCyberDigest) November 10, 2025
Ruter did not say there was any evidence that Yutong had tried to control the buses. It added that the bus cameras were not connected to the internet and there was no risk of image or video transmission. The agency said it would impose "even stricter security requirements in future procurements," and that firewalls were being developed to ensure local control and protection against hacking.
Denmark opened its own investigation following the Norwegian findings. Movia, the nation's largest public transport company, said it was investigating the risks but emphasized that they were not specific to Chinese buses. It said OTA updates were common in many electric vehicles, including those made in Western countries.
"Electric buses, like electric cars, in principle can be remotely deactivated if their software systems have online access," Movia chief operating officer Jeppe Gaard told NBC News.
The UK is also examining the Chinese buses. The Department for Transport and the National Cyber Security Centre said they wanted to understand and mitigate potential risks.
Yutong said in a statement to NBC News that it "understands and highly values the public's concerns regarding vehicle safety and data privacy protection," and that it "strictly complies with applicable laws, regulations, and industry standards."
The company also explained that the vehicle data is encrypted, stored in an Amazon Web Services data center, and cannot be accessed without customer authorization. Yutong added that the data is "used solely for vehicle-related maintenance, optimization and improvement to meet customers' after-sales service needs."
Fears that Chinese-made products pose security and surveillance risks are nothing new. It's what landed Huawei on the US Entity List, and it's one reason why TP-Link's routers could be banned in the United States.
Europe fears Chinese EV buses on its roads could be shut down remotely


