CRA Scope and Automotive Overlap
The EU Cyber Resilience Act (CRA), effective December 2024 with main obligations starting December 2027, introduces horizontal cybersecurity requirements for any hardware or software with digital elements sold in the EU. For the automotive sector, this regulation targets components that fall outside existing vehicle specific frameworks like UN R155 and ISO/SAE 21434. Key areas of impact include telematics units, infotainment systems, aftermarket diagnostic dongles, cloud connected APIs, V2X components, and EV charging infrastructure. Products already covered by equivalent sector specific EU rules may be excluded, but the burden rests on manufacturers to prove that equivalence.
What OEMs and Suppliers Must Address
The CRA shifts cybersecurity from a vehicle approval issue to a broader product compliance matter. OEMs and suppliers must now demonstrate risk assessment, vulnerability handling, software update capability, and technical documentation for each digital component. This creates a significant supplier management challenge because many connected vehicle risks originate outside the core vehicle platform. The regulation requires manufacturers to exercise due diligence over third party components and to maintain support periods for products with digital elements, with clear end dates communicated at purchase.
Closing the SBOM and OTA Gaps
A Software Bill of Materials (SBOM) becomes critical under the CRA, because connected vehicles contain a complex mix of proprietary code, open source libraries, supplier firmware, and cloud services. Without accurate software composition data, OEMs cannot quickly answer which vehicles contain a vulnerable component or whether a patch can be deployed OTA. Secure over the air updates move from a UN R156 best practice to compliance evidence, as the CRA expects manufacturers to identify vulnerabilities, map affected components, and deploy patches rapidly. Automotive businesses should map CRA scope across their connected vehicle ecosystem, build SBOM maturity, align vulnerability management with CRA reporting timelines, and connect evidence across UN R155, R156, and ISO/SAE 21434 to create a single cybersecurity assurance model.
Source: Automotive IQ

