The Human Environment and Transport Inspectorate (ILT) imposes strict requirements on ICT service providers that supply taxi transport data to the Central Taxi Transport Database (CDT).
An important requirement is that these service providers must be ISO 27001 certified, a certification that guarantees the highest standards in the field of information security. Our research across several companies shows that this requirement, while understandable given the sensitivity of the data, places significant pressure on smaller software companies in the market.
ISO 27001 is a comprehensive standard that goes beyond the usual technical security measures required by platforms such as Apple and Google. The certificate means that an organization must implement a complete information security management system. This includes risk management, continuous monitoring and detailed documentation of processes. This can be a heavy burden for small software companies, which are often not used to such extensive compliance frameworks.
The ILT also states that ICT service providers must submit a self-assessment annually, or with every functional renewal of their systems. These self-assessments must demonstrate that the service provider still meets the required requirements, including those of ISO 27001. This ensures that the data sent to the CDT is correct, complete and secure, protected against unauthorized access, loss or manipulation .
disproportionate impact
Although the ILT's intention is clear, to ensure the security of sensitive taxi data, this requirement has a disproportionate impact on smaller companies. Obtaining ISO 27001 certification is a costly and time-consuming process. Small businesses are often forced to hire external consultants to help them implement the standard, which can result in costs ranging from $10.000 to $50.000 depending on the complexity of the organization. In addition, there are internal costs, such as setting up and maintaining an information security system, and the actual audit and certification, which can also cost thousands of euros.
By introducing the requirement for ISO 27001 certification, the ILT can delegate the responsibility for much of this complex technical auditing to external certification bodies, which specialize in assessing information security systems.
In addition to the initial investment, there are also ongoing costs associated with maintaining certification, such as annual reassessments and system updates. These recurring costs can amount to thousands of euros per year, which represents a significant financial burden, especially for smaller companies.
competitive position
As a result, many smaller software companies struggle to recoup the costs of certification, especially if their customer base is limited to smaller taxi companies who may not be willing to pay extra for a certified solution. This creates an unfair competitive position in which larger companies, who have the resources to meet these demands, have a clear advantage.
De strict requirements of the ILT can be seen as a way to largely place the responsibility for information security with the service providers. This potentially helps the ILT to reduce their own monitoring and auditing costs as they can rely on the certifications granted by recognized audit bodies. If the ILT had to check the security and compliance of every software solution itself, this would require a lot of time, expertise and money.
Nevertheless, the requirement for ISO 27001 certification raises questions about its proportionality, especially in light of the impact on smaller software companies. There is an argument to be made that the ILT could consider less stringent, but still effective, security standards that better suit the scale and resources of smaller companies in the taxi sector. This could, for example, involve accepting other forms of certification or security standards, or taking a phased approach where smaller companies can gradually scale up to ISO 27001.
The current situation limits innovation and competition as smaller companies are excluded from the market due to the high cost and complexity of ISO 27001 certification. This not only undermines the diversity and dynamism in the sector, but can also hinder the development of affordable and innovative solutions for the taxi market.
The taxi market is struggling with rising costs, competition from new mobility services such as Uber, and economic challenges. This makes it difficult for many taxi companies to absorb additional costs, which is an important consideration when determining the feasibility of new software solutions.
Many taxi companies operate on small margins, especially in the current market conditions. The introduction of additional costs for software that meets strict security requirements may be met with resistance, especially if these costs are not immediately seen as necessary or if they do not directly improve service. Furthermore, many small to medium taxi companies may not be willing to pay significantly more for a solution, especially if they are currently using cheaper alternatives or even the existing, expensive taxi on-board computer (BCT).
profitability
Suppose a software company offers its solution for a license fee of €20 per month per driver. This amount has been chosen to remain competitive in the market, while being aware of the price sensitivity of the taxi companies. If we assume that the monthly operating costs for the software company including the costs of ISO 27001 certification, maintenance, and support are, for example, €10.000 per month, we can calculate the minimum number of drivers needed to be profitable.
The number of drivers needed to cover the costs can be calculated using the formula:
This means that the software company must have at least 500 drivers as customers to cover costs and break even. Each additional driver above this number would contribute to the company's profitability.
data plan
In addition to the costs for the software license, taxi drivers must also take into account the additional costs for their mandatory data subscription, as the solution requires data to be supplied in real time to the ILT's Central Database for Taxi Transport (CDT). This means that drivers must be constantly connected to the internet via their mobile network, which incurs additional costs.
The cost of a data plan can vary depending on the amount of data used and the mobile provider's rates. If we assume an average data plan that is sufficient to have a continuous connection for sending real-time data, this could cost an additional €10 to €20 per month for a driver, for example.
The total additional costs per month for a taxi driver or self-employed person would then vary between:
For a taxi company with multiple drivers, these costs can quickly add up. For example, for a small taxi company with 10 drivers, the total additional monthly costs would be between €300 and €400. This amount is in addition to other fixed costs the company already has to bear, such as vehicle maintenance, fuel, insurance, and existing licensing or leasing costs for other necessary equipment.
Given the current financial pressures in the taxi market, many drivers and taxi companies will likely be reluctant to accept these additional costs unless the new solution offers significant benefits. Especially if the profitability of taxi rides is already under pressure, even relatively small additional costs can further reduce the margin.
conclusion
The need to be continuously connected to the internet for real-time data delivery to the ILT introduces an additional cost element that significantly increases the total monthly costs for drivers. For small taxi companies and self-employed drivers, these additional costs can be an important consideration when deciding whether to switch to a new solution that meets the requirements of the ILT.
For smaller software companies, this means they need to attract a significant number of drivers to justify the costs of ISO 27001 certification and other operational expenses. In an industry where many taxi companies are already under financial pressure, achieving this scale quickly can be difficult, especially if the cost of the license is seen as an additional burden.
It is likely that many taxi companies will be reluctant to bear these additional costs unless the new solution offers significant advantages over existing alternatives. For software companies, this can be a challenge, and it requires a carefully crafted strategy to build a large enough customer base. This underlines the importance of offering added value and possibly looking for ways to reduce costs, for example by collaborating with larger companies or achieving economies of scale.