In the current realities, automotive cybersecurity is mostly driven by compliance need, however, we are used to view compliance as some form of just ticking a box without considering the real implication of cyber security. But is it really everything that compliance stands for? Automotive cybersecurity is a good example that shows how vehicle manufacturers are required to take cyber security into account not only in the cars themselves but also integrate into all existing manufacturing processes. Regulators require from automotive industry to develop appropriate cyber security management system, perform threat and risk assessment, take control over their suppliers and of course perform penetration testing. In this talk we are going to focus on the study case of performing threat and risk assessment of the door system of a bus that seemed like a trivial task without any obvious cyber security threats. In reality we have identified around 50 potential cyber security threats some of them having direct impact on safety of the passengers. Those risks would have been missed and not addressed without the regulators requirements.