AI route optimization in logistics: regulatory map

The system computes vehicle routes that minimise distance, time, fuel or carbon while respecting constraints: delivery windows, vehicle capacity, driver hours, road restrictions, customer priority. Inputs are orders, fleet status, real-time traffic, weather and historical patterns. Outputs are sequences of stops with estimated arrival times, fed to driver applications and dispatch consoles.

The system is computational, not safety-critical. It does not control the vehicle; the driver does. That distinction is what keeps the deployment outside the AI Act high-risk regime in normal fleet operations.

Annex III 2 covers AI systems intended to be used as safety components in the management and operation of critical infrastructure including road traffic and the supply of water, gas, heating and electricity. Pure routing for a private fleet does not manage road traffic at the network level. It plans the operator's own vehicles. Supervisors have not extended Annex III 2 to fleet routing in any published guidance to date [1].

Annex III 4 covers AI in employment, worker management and access to self-employment. A routing tool that assigns drivers to routes touches employment if it materially determines work allocation, performance evaluation or termination. The boundary is whether the tool drives HR decisions or merely informs operational planning. Most fleet routing falls on the operational-planning side.

Three patterns push it across the line. First, integration with autonomous-driving features that make the AI a safety component of the vehicle (Annex III 2 plus UNECE WP.29). Second, integration with worker-management systems where the routing score determines pay, performance review or contract continuation (Annex III 4). Third, deployment in critical-infrastructure logistics (energy, water, hospital supply) where operational disruption has societal consequences (potential Annex III 2 reach).

For each, the conformity-assessment, data-governance and oversight obligations of Chapter III engage.

UNECE Regulation No. 155 (Cyber Security Management System) and No. 156 (Software Update Management System) apply to type approval of new vehicle classes from 2024 onwards. Routing AI that runs on the vehicle (in-cab system) becomes part of the vehicle's software stack and falls inside the scope of UNECE R156 update management [2].

For routing AI that runs in the cloud and is consumed by drivers via a phone or dispatch terminal, the vehicle-cybersecurity regulations do not engage directly. The supply-chain cybersecurity reach comes from NIS2 instead.

Directive (EU) 2022/2555 (NIS2) covers transport (including road) as an essential sector and postal and courier services as important. Article 21 requires risk-management measures including supply-chain security, business-continuity, incident handling and basic cyber hygiene. AI vendors providing routing services to in-scope operators inherit those expectations through contractual flow-down and direct supply-chain assessment [3].

The Cyber Resilience Act (Regulation (EU) 2024/2847) adds product-level cybersecurity requirements for connected products. Cloud-routing-as-a-service is not a product under the CRA, but on-premise routing software with digital elements is.

Five elements. Narrow intended-purpose statement (operational route planning, not driver evaluation, not autonomous control). Segregation of routing data from worker-performance systems where employment risk would otherwise engage. NIS2-aligned supplier security including breach-notification cooperation and supply-chain risk management. UNECE R156 alignment if the AI runs on the vehicle. Driver-facing transparency on automated assignment under Article 50 if the AI directly communicates with workers.