Key Steps Automotive Manufacturers Should Take Now to Meet EU CRA Mandatory Requirements
TL;DR
Automotive manufacturers selling in the European Union (EU) stand at the precipice of a major regulatory shift. With the adoption of the Cyber Resilience Act (CRA), the EU has moved beyond voluntary guidelines to mandatory cybersecurity requirements for “Products with Digital Elements” (PDE). This legislation fundamentally alters the EU market access landscape. Without CRA compliance, those vehicles and their components that fall under the scope of the CRA cannot be sold in EU member countries.
This blog post is aimed at helping OEMs and their Tier 1-2 suppliers better understand what the CRA requirements are, when they become mandatory, and who is affected. In addition, we'll discuss the financial consequences of non-compliance with CRA, as well as outlining some of the new tools and capabilities, specifically Unified Vehicle Detection & Response (VDR) and Automated Security Design, that can assist automotive manufacturers in navigating the technical challenges related to compliance.
How Does CRA Affect the Automotive Sector?
The CRA represents the first EU-wide legislation imposing mandatory cybersecurity requirements across the lifecycle of hardware and software products. Its scope is vast, covering any product with digital elements that connect to a device or network.
For the automotive sector, however, application of the CRA is nuanced and depends on the specific vehicle category and its existing regulatory coverage:
- The UNR 155 Exclusion: It's important to note that vehicles already covered by the specific type-approval requirements of UN Regulation No. 155 (Cyber Security Management System) are generally excluded from the CRA. This primarily applies to vehicle categories M (passenger vehicles), N (used vehicles with non-structural damage), L (two/three-wheelers & quads), and O (trailers).
- The CRA Mandate (T, C, R, S): Conversely, vehicle categories that fall outside the mandatory scope of UNR 155 are fully regulated by the CRA. This includes Category T (Wheeled tractors), Category C (Track-laying tractors), and Categories R & S (Agricultural Trailers and Interchangeable Towed Equipment). For manufacturers of these vehicle types, the CRA is now the governing cybersecurity standard.
Compliance Timelines Kick in Soon
Compliance is not a distant target. While the full application deadline is set for late 2027 (36 months after entry into force), critical operational deadlines kick in much sooner. Beginning in September 2026, for example, manufacturers must be fully capable of reporting actively exploited vulnerabilities and severe incidents impacting the security of products with PDEs to ENISA/CSIRTs within strictly defined windows, often as short as 24 hours.
Financial Consequences of Non-Compliance with CRA
The most significant shift introduced by the CRA is the transition from “best practice” to “financial liability.” The regulation empowers authorities to levy substantial administrative fines for non-compliance, according to the following tiers:
- High Tier (non-compliance with essentials): Failure to meet the essential cybersecurity requirements can result in fines up to €15 Million or 2.5% of total global turnover, whichever is higher.
- Mid Tier (reporting failures): Failure to comply with reporting obligations carries penalties up to €10 Million or 2% of global turnover, whichever is higher.
- Lower Tier (inaccuracy): Providing inaccurate or misleading information to market surveillance authorities can trigger fines up to €5 Million or 1% of global turnover, whichever is higher.
The Technical Challenge: Meeting Essential CRA Requirements
To avoid these penalties, OEMs must prove their products meet the essential requirements set out in Annex 1 of the CRA. These requirements are categorized into three critical pillars:
- Cybersecurity Risk Assessment: Before a product is even placed on the market, manufacturers are required to perform and document a comprehensive cybersecurity risk assessment. This foundation allows the organization to identify critical assets, analyze risks, and determine the precise security measures required.
- Secure by Design: Security must be integrated from the conception phase based on the risk assessment. Products must be delivered with a “secure by default” configuration, possess no known exploitable vulnerabilities, and limit attack surfaces.
- Vulnerability Handling & SBOM: Manufacturers must establish policies for coordinated vulnerability disclosure. A key component of this requirement is the maintenance of a Software Bill of Materials (SBOM). Manufacturers must maintain a comprehensive record of all software components (including third-party and open-source libraries) to rapidly identify and remediate flaws throughout the product’s support period (minimum five years).
The Solution: An Intelligent and Unified Cybersecurity Architecture
Meeting the CRA’s rigorous standards requires more than disjointed tools; it demands a holistic cybersecurity architecture. To ensure compliance, automotive manufacturers must adopt advanced strategies that embed cybersecurity at every stage of the product lifecycle.
1. Ensure reporting accuracy with intelligent edge processing and detection
The CRA's strict reporting obligations create a serious operational challenge for manufacturers. On one hand, they must report quickly (24-hour notification), but reporting inaccurate information (i.e., false positives) is punishable.
A robust and intelligent Vehicle Detection & Response (VDR) platform solves this by focusing on:
- Noise Suppression: Filter “alert noise” and run detection logic at the vehicle edge, ensuring that only verified, high-fidelity incidents are reported.
- End-to-End Visibility: Ingest and correlate data from multiple layers (CAN, Ethernet, Host) to provide a single, unified view of a security incident.
- Forensic Readiness: Retrieve high-fidelity evidence (e.g., pcap logs) on demand for the root cause analysis required by regulators.
2. Secure by Design & Automated Risk Assessment
The CRA mandates that products be designed securely from the outset. This shift-left security approach means embedding robust cybersecurity tools and automated processes from the early development stages:
- Automated Risk Assessment: Solutions must automate the Threat Analysis and Risk Assessment (TARA) process. By identifying assets and potential attack paths during the design phase, manufacturers ensure appropriate control mechanisms are baked into the product.
- SW Supply Chain Security (SSCS): With the obligation to manage vulnerabilities in third-party components, manufacturers need automated tools to generate and monitor the SBOM. This ensures that when a new vulnerability is discovered in a sub-component, the impact on the vehicle fleet is instantly visible and actionable.
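The SBOM-to-fleet impact check described above, as an added example that is not PlaxidityX code or part of the original post. Each platform's SBOM is reduced to the fields the check needs, and all platform names, ECU names, component versions and the advisory are constructed sample data.

```python
"""Map a newly published component vulnerability onto a vehicle fleet
using per-platform SBOMs (added example; all data below is constructed)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    name: str     # library name as recorded in the SBOM
    version: str  # installed version string, e.g. "2.28.3"
    ecu: str      # ECU whose firmware ships this component


# Constructed SBOMs: platform -> components present in that platform's firmware.
# A real pipeline would load CycloneDX/SPDX documents produced by the build.
FLEET_SBOMS = {
    "TractorT-A": [Component("mbedtls", "2.28.3", "Telematics"),
                   Component("lwip", "2.1.3", "Telematics"),
                   Component("zlib", "1.2.11", "Display")],
    "TractorT-B": [Component("mbedtls", "3.4.0", "Telematics"),
                   Component("zlib", "1.3.1", "Display")],
    "TrailerR-1": [Component("lwip", "2.0.0", "Brake Controller")],
}

# Constructed advisory. Each range is [introduced, fixed): one entry per
# maintained branch, since a fix on 2.28.x says nothing about the 3.x branch.
ADVISORY = {"id": "EXAMPLE-ADVISORY-0001", "component": "mbedtls",
            "affected": [("2.28.0", "2.28.5"), ("3.0.0", "3.5.0")]}


def parse_version(v: str) -> tuple:
    # Dotted numeric versions only; production matching should use PURL/CPE
    # identifiers rather than bare name/version strings.
    return tuple(int(part) for part in v.split("."))


def is_affected(version: str, ranges) -> bool:
    """True if version falls inside any [introduced, fixed) range."""
    v = parse_version(version)
    return any(parse_version(lo) <= v < parse_version(hi) for lo, hi in ranges)


def affected_units(advisory, sboms):
    """Return {platform: [ecu, ...]} for every ECU carrying a vulnerable build."""
    hits = {}
    for platform, components in sboms.items():
        for c in components:
            if c.name == advisory["component"] and is_affected(c.version, advisory["affected"]):
                hits.setdefault(platform, []).append(c.ecu)
    return hits


if __name__ == "__main__":
    print(affected_units(ADVISORY, FLEET_SBOMS))
```

The result names the exact platforms and ECUs that need a patch, which is the artefact a manufacturer needs both for remediation planning and for the CRA reporting window.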
Now Is the Time to Take Action
The CRA expands the breadth of automotive manufacturers and suppliers that must treat cybersecurity as a fundamental market requirement. For manufacturers of agricultural and specialized vehicles (Types T, C, R, S) not covered by UNR 155, this represents an immediate and significant change – with severe business implications for those who fail to comply.
To prepare for this shift, OEMs and Tier 1 suppliers must move beyond manual internal compliance processes. Adopting integrated and AI-driven technologies like intelligent Vehicle Detection & Response (VDR) for precise incident reporting and automated security design for lifecycle vulnerability and SBOM management is an effective path for meeting the new European market cybersecurity requirements.
Need help navigating the CRA compliance maze? At PlaxidityX, we work closely with leading automotive manufacturers to translate complex regulations like the CRA into actionable strategies. If you'd like more guidance on compliance, risk assessments, or secure development practices, contact us.
Published: May 6th, 2026