ediverse Explore the platform

Spotlight PEPPOL BIS Billing 3.0 The EU e-invoicing mandate is here — France Sept 2026, Belgium Jan 2026, Germany 2025.

— May 18, 2026 · 8 min read

OFTP2 in 2026: the automotive sector quiet TLS upgrade

While the general industry still debates PEPPOL and e-invoicing, the European automotive sector — Stellantis, BMW, VW Group, Mercedes, Volvo, Bosch, ZF, Continental — is wrapping up a major cryptographic overhaul of OFTP2 in 2026, the historic transport protocol of the sector. Media noise is zero; technical effort is considerable.

Recap: what is OFTP2 and why does it still exist?

OFTP2 (Odette File Transfer Protocol version 2) is defined by RFC 5024 published in November 2007. It is the successor of OFTP1 (RFC 2204, 1997). It carries EDIFACT files (often DELFOR, DELJIT, AVIEXP, INVOIC, sectorial automotive ORDERS) between OEMs and Tier-N suppliers in the European automotive supply chain, on dedicated buses.

OFTP2 combines three properties its competitors (AS2, AS4, SFTP) do not jointly offer: (1) native point-to-point over TCP/IP (port 6619) or X.25 legacy; (2) protocol-level compression; (3) signed EERP (End-to-End Response) acknowledgements at individual file level with SHA-256 hash. Security has historically been provided by CMS (RFC 5652) for application-level signature and encryption, on top of TLS transport.

According to Odette International (the standard maintainer since 1985), over 40 000 active OFTP2 connections existed in Europe at end-2025, mainly automotive but also aerospace (Airbus, Safran), rail (Alstom, Siemens Mobility) and defence.

What is changing in 2026

Three concurrent technical updates, coordinated by Odette and VDA (Verband der Automobilindustrie) under the label OFTP2 v2.4 Profile 2026:

1. TLS 1.3 mandatory

Until 2024, many OFTP2 pairs still accepted TLS 1.0 or 1.1 for legacy compatibility. Starting with the Odette Profile Specification 2.4 published in June 2025 (revised March 2026), TLS 1.3 (RFC 8446) is mandatory from 1 January 2027. Suppliers have been notified since 2024 and many have already switched. Residual exceptions (very small Tier-3) are managed via intermediate gateways operated by Tier-1 suppliers.

2. Strengthened signature and encryption algorithms

At the CMS application layer, accepted algorithms in 2026 are: signature RSASSA-PSS with SHA-256/384/512 (RFC 8017), or ECDSA P-256/P-384 (RFC 5753). Legacy RSASSA-PKCS1-v1_5 and SHA-1 are deprecated and rejected. For encryption, AES-128/192/256 in GCM (RFC 5084) or ChaCha20-Poly1305 (RFC 8439).

3. Post-quantum stack preparation

Profile 2026 introduces cryptographic agility: the ability to negotiate in handshake a hybrid suite combining classical ECDH and ML-KEM (NIST FIPS 203, August 2024). For signatures, ML-DSA (FIPS 204) will be supported in hybrid suites from 2027 in Profile 2.5. This is direct alignment on the NIST PQC roadmap, with full migration horizon in 2030. See our article EDI PQC roadmap 2026-2030.

Why this migration is silent

Unlike the ViDA e-invoicing mandates, the OFTP2 upgrade gets no press release. Three reasons:

  • Closed B2B industry: OFTP2 actors are contractually bound by OEMs; no tax authority, no public to inform.
  • Timeline driven by Tier-1s: Bosch, ZF, Continental, Magna, Forvia push their Tier-2/3s without announcements but with precise contractual deadlines.
  • Expert technical community: Odette publishes in private working groups; updates communicated via the Odette Web portal to ~200 members.

What is the impact on a supplier?

Concretely, a typical Tier-2 supplier with 3-5 OFTP2 partners (Stellantis, BMW, VW, Bosch) must:

  • Upgrade OFTP2 software to a version supporting TLS 1.3 AND modern CMS algorithms: Mendelson OFTP2 (pro edition), IBM Sterling B2B Integrator, OpenText Trading Grid, SEEBURGER BIS, iSoft Peer, Cleo Harmony, or the open source Mendelson Community Edition (limited) have all released Profile 2026 compliant versions between Q3 2025 and Q1 2026.
  • Regenerate X.509 certificates: OEM-accepted CAs are strictly whitelisted (DigiCert, T-Systems, SwissSign, Telekom Security, IdenTrust). Maximum validity 1 year or 13 months for newly issued.
  • Configure compliant TLS 1.3 cipher set: TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256.
  • Update SSP (Send Signature Policy) and SRP (Send Receipt Policy) to exclude SHA-1 and RSASSA-PKCS1-v1_5.
  • Test with the Odette Conformance Tool before production (free for Odette members, SaaS version since 2025).

Edge cases: X.25 and ENX

A few historical OFTP1 over X.25 links (with dial-up or ISDN bearer) still exist in 2026 at very small Tier-3 suppliers. They are dying out: no OEM accepts new X.25 links, and carriers (Orange Wholesale, Deutsche Telekom) stopped commercialisation. Definitive extinction expected 2028.

The other historical channel ENX (European Network Exchange, operated by ENX Association) — a private multi-tenant VPN between European automotive actors — remains widely used. ENX has published its own 2026 security update (ENX Spec 5.0) which aligns TLS and certificates on VDA doctrine, and serves as transport substrate under OFTP2 in most Tier-1 ↔ OEM relations. See enx.com.

Technical references

For global EDI context, see our foundation "EDI protocols" and the article "Modern AS2, AS4, OFTP2".