What is SERMI?

According to regulation (EU) no. 2018/858, which came into effect in 2020, vehicle manufacturers are obliged to grant independent operators, such as independent shops or editors of technical information unlimited and standardized access to repair and service information (RMI).

Specific provisions were established for accessing theft- and security-related repair and maintenance information (RMI) of a vehicle. In accordance with article 13 paragraph 9 of the Regulation (EG) no. 692/2008 and article 66 of the Regulation (EU) no. 2018/858 the "EU forum for the access to vehicle information" has been founded. Its aim was to develop a harmonized accreditation system and process architecture across Europe to help independent operators maintain and repair vehicles securely, even when this involves the vehicle's security features (e.g., software updates). As a result, the SERMI certification was created, which implements the requirements of the EU Regulation.

The UK will launch on April 1, 2026, with a select group of brands, including Ford, Jaguar, Land Rover, Nissan, and Toyota. More brands are expected to follow once the system is established.

The general rollout of SERMI began on October 1, 2023, with Sweden as the first country. Since a single start date was not feasible for all EU countries, they will begin at staggered intervals. Like Norway, the UK is voluntarily joining the SERMI regulation.

The SERMI scheme defines the situations in which, in practice, you can access theft- and security-relevant vehicle information in manufacturer portals or via original manufacturer diagnostic tools. Key coding is undoubtedly included.

However, there are pieces of information and activities that manufacturers will define differently. This means that information may be considered SERMI-relevant by one manufacturer but not by another. It is therefore virtually impossible to create a comprehensive catalogue of all information and activities that fall under the SERMI scheme.

You can identify information and activities subject to the SERMI scheme in a manufacturer portal or an original manufacturer diagnostic tool by a message indicating that you can only access the desired information after verifying your identity via the SERMI app and thus providing proof of your certificate.

Hella Gutmann is also affected by the SERMI regulation and has obtained SERMI certification for itself and its relevant technical staff, as we also require information from manufacturers for our Technical Help Line and macsRemote Services.

Unlike independent workshops, however, we are bound by chain authorization because we provide our services on behalf of workshops. This means that not only must we be SERMI-authorized, but so must the workshop if it receives a SERMI-relevant service through Hella Gutmann. Therefore, both the Hella Gutmann employee and the workshop employee must have a valid SERMI certificate when accessing information or performing a task.

For example, coding a key or replacing the immobilizer's access authentication module may require SERMI verification for remote services.

If you contact our Technical Help Line, wiring diagrams for immobilizers or removal instructions for radar units may be classified as SERMI-relevant by the manufacturers.

A message with the appropriate QR-code appears if SERMI-relevant contents are retrieved directly by a shop in the manufacturer portal. The customer scans this code with the SERMI app, and it is hence verified. The request is activated in the manufacturer portal afterwards.

When a workshop queries data via Hella Gutmann, both parties must authorize each other. In this case, the workshop employee first creates an authorization link in the SERMI app and sends it to the Hella Gutmann employee. The Hella Gutmann employee scans the QR code from the authorization link and then the QR code displayed in the manufacturer's portal or diagnostic device. Access to the manufacturer's data is then granted.

The conformity assessment bodies of every country will inform you about the specific documents and information that you require to get the certification as company and as employee of this company.

In general, a country requires a certificate that confirms that the company is part of the automotive sector and that it a has a certain insurance coverage. If necessary, the employees shall submit a certificate of good conduct. Furthermore, you will require a device on which the SERMI app is installed with your profile.

Normally, the certification process is realized via online form of the conformity assessment body. Then the shop can use the account to access its certification data and e.g. it can add new authorized employees.

A list of all conformity assessment bodies (CAB) of your country as well as of all EU countries can be found here: https://www.vehiclesermi.eu/req.html#req

Costs vary from provider to provider. Generally, however, there are fees for registering the workshop and individual employees. Additional costs include unscheduled visits to the workshop during the 5-year validity period and certificate renewal upon expiry.

The Cyber ​​Security access restriction and the SERMI directive have little in common. SERMI does not replace Cyber ​​Security, as has been speculated in some quarters; rather, they are separate regulations that govern access to vehicles by independent workshops.

SERMI originates from an EU regulation and applies to access to theft- and security-related information of a vehicle via a manufacturer's portal or an original manufacturer's diagnostic tool. It only affects workshops within the EU. Furthermore, it applies to all manufacturers with vehicles in the EU.

Cyber ​​Security, on the other hand, regulates access to a vehicle via a diagnostic tool. Its aim is to protect general access to a vehicle via diagnostic tools and to make it traceable for the manufacturer. Cyber ​​Security applies in principle worldwide and only to certain manufacturers on a voluntary basis. Each manufacturer also defines for itself which access to a vehicle it defines as subject to the Cyber ​​Security restriction.

For both types of access, personalized access or certificates are required. Authorized personnel were verified via identity verification procedures. In contrast, SERMI's entire certification process for workshops and employees is more complex, and certificates are only valid for five years. After that, they must be renewed. Cybersecurity access, on the other hand, remains valid for up to ten years after the last active use.