
The Cyber Resilience Act (CRA) in the automotive industry: What carmakers and suppliers need to know

While the entire automotive industry is currently trying to predict how protectionist economic practices will develop, those responsible for vehicle cybersecurity remain very busy: they must keep monitoring the constantly evolving landscape of legally binding cybersecurity requirements. For the European Union market, it is essential to understand to what extent, and how, the Cyber Resilience Act (CRA), an EU-wide legal framework of mandatory cybersecurity requirements for all products with digital elements, affects the automotive value chain. This is the subject of the following article.

Jan-Peter von Hunnius

First of all, one might think that UN Regulation No 155, with its Cyber Security Management System (CSMS) and the associated application of the ISO/SAE 21434 industry standard for automotive cybersecurity, already provides a sufficiently binding legal framework.

This brings us to the first key difference.

Market access vs. type-approval: two different regulatory perspectives on cybersecurity

Let us first consider two different but complementary regulatory approaches: market-based and type-approval-based requirements. Both the Cyber Resilience Act (CRA) and UN Regulation No 155 (UN R155) are broadly aimed at protecting against cyber threats and reducing cyber risks, but they differ significantly in their purpose, application and legal enforcement.

What is the Cyber Resilience Act?

The Cyber Resilience Act is a market regulation that aims to set new standards of cybersecurity for all products with digital components in the European Union. The focus is on the security of the product throughout its lifecycle – from development and updates to decommissioning. In essence, manufacturers will be required to demonstrate that their products are “cybersecure by design”, i.e. that they have properly considered cybersecurity from the outset, that they will always maintain it, and that there are specific responsibilities for defects.

How does UN Regulation No 155 differ from the CRA?

While the CRA applies to products across all industries, quality-conscious industries such as the automotive industry already have their own industry-specific regulations, such as UN Regulation No 155 on cybersecurity. UN R155 essentially regulates the cybersecurity requirements that a vehicle manufacturer must demonstrate in order to obtain road approval for a vehicle type. A certified (!) Cyber Security Management System (CSMS) is a prerequisite for type approval. Put simply, the focus is on processes rather than primarily on the product itself, although processes that include cybersecurity naturally have cybersecure products as their objective. For the vehicle type itself, it must additionally be proven that these processes have actually been followed, e.g. in the form of a vehicle risk analysis.

How do CRA requirements affect automotive manufacturers and suppliers?

With this distinction in mind, it becomes clearer which requirements apply where, and how.

It should also be noted that the CRA does not apply to products that are already covered by sector-specific EU legislation with equivalent cybersecurity requirements. For vehicles this is the EU type-approval framework, within which UN R155 (implemented using ISO/SAE 21434) applies; the vehicle-specific rules therefore take precedence over the CRA.

However, the Cyber Resilience Act is a horizontal regulation that applies to all industries.

So if vehicles as a product category continue to be covered by the type approval regulations under UN R155 as described, and as such are exempt from the CRA, can you stop reading here, close the browser and call it a day?

Not necessarily.

Even if the vehicle as a whole does not fall within the direct scope of the CRA, the regulation affects numerous products and components that are installed in or connected to the vehicle – and thus numerous OEM-related functions and, in particular, numerous suppliers along the diverse automotive supply chain.

Examples of automotive products and components with digital functions that may not be covered by vehicle type approval, but will still need to meet CRA requirements, include

  • Electronic control units (ECUs), telematics and infotainment systems (e.g. retrofit solutions)
  • Aftermarket components with internet access (e.g. diagnostic devices, dongles)
  • Firmware and software placed on the market as products in their own right
  • Connected charging infrastructure (V2G communication)
  • Cloud and back-end components that communicate with vehicle functions via APIs
  • Non-road vehicles, such as agricultural machinery, construction equipment and industrial transport vehicles

All of these “products with digital elements” are likely to fall within the scope of the CRA according to their product classification – regardless of whether they are integrated into a vehicle or not.

Challenges posed by the CRA for automotive suppliers and OEMs

As a result, suppliers, especially those at the Tier 1 and Tier 2 levels, are required to demonstrate that their products and processes meet the cybersecurity requirements defined in the CRA – including security by design, vulnerability management, and updateability.

In particular, suppliers of complex electronic and digital systems that operate across multiple industries will need to prepare for independent CRA compliance.

Meanwhile, automotive OEMs face a new challenge in addition to the established procedures for UN R155/CSMS compliance: they must ensure that purchased components and systems are CRA compliant, even though the vehicle as a product is not itself regulated by the CRA. This means that procurement and quality management must introduce new criteria and contractual provisions.

At the same time, non-compliance with the CRA can lead to delivery delays, liability risks or digital service approval problems for critical components.

The good news: ISO/SAE 21434 paves the way for CRA compliance

The challenges posed by the Cyber Resilience Act (CRA) for manufacturers of digital products may seem intimidating at first glance – especially given the multitude of technical, organisational and documentation requirements.

But the automotive industry, which has always been quality-conscious and has been several years ahead of the curve in implementing cybersecurity, has a key advantage: the current ISO/SAE 21434:2021 standard already provides a proven, structured and internationally applied industry standard that systematically covers many of the CRA’s key requirements.

ISO/SAE 21434 provides a methodological framework for organising, implementing and demonstrating cybersecurity throughout the lifecycle of electrical/electronic components in vehicles.

Many of these measures can be directly mapped to the requirements formulated in the CRA Regulation – for example, risk management, vulnerability management, incident response, security updates and secure-by-design principles.

Organisations and development projects that already have ISO/SAE 21434 processes and procedures in place are therefore in an excellent position.

A mapping between ISO/SAE 21434 and the Cyber Resilience Act

This raises the question of the extent to which ISO/SAE 21434 and the requirements of the CRA will overlap. This is particularly relevant for Tier 1 and Tier 2 suppliers whose components fall under the CRA but are also within the scope of UN R155 and ISO/SAE 21434. Smart integration of both requirement catalogs into the development process saves effort, reduces redundancies, and supports a consistent compliance strategy.

However, it is important to understand that ISO/SAE 21434 generally describes the “how” – in other words, what processes, methods and structures should look like. The CRA, on the other hand, attempts to formulate the “what”, i.e. to specify the minimum cybersecurity requirements for products with digital elements.

At the same time, the specific obligations of the CRA that go beyond ISO/SAE 21434 must of course also be taken into account, for example the reporting obligations for actively exploited vulnerabilities and severe incidents, and the documentation required for the conformity assessment (technical documentation and the EU declaration of conformity).

A look at the bigger picture: summary and recommendations for action

We can see that the regulatory requirements for cybersecurity are growing rapidly, and not just for the automotive industry. The European Union is taking this seriously: for example, cybersecurity is also addressed in the revised EU Product Liability Directive.

For those responsible for cybersecurity management in the automotive and vehicle industry, this results in a need for action, which we will try to present here in the form of recommendations:

1. Facilitate harmonization and mapping

A systematic mapping between the requirements of the vertical industry regulations and standards and the horizontal cross-industry regulations is essential in order to overlay the existing practices, processes and requirements and thus make the synergies and differences visible. As outlined above, those who already apply ISO/SAE 21434 have an advantage in terms of CRA compliance. The key is to maintain an overview.

2. Identifying gaps

At the same time, this mapping is part of the systematic gap analysis that is becoming indispensable. The aim is to accurately assess products and ensure that they are correctly classified. It is then a matter of systematically identifying regulatory gaps, deficiencies and weaknesses in processes and products.

3. Integration of partners and suppliers

What automotive manufacturers already know from CSMS compliance, namely that they are responsible for the cybersecurity risks introduced by their suppliers, also applies to CRA compliance. Suppliers must provide CRA-compliant components. Clear interface agreements (such as the cybersecurity interface agreements already used under ISO/SAE 21434) and contractual safeguards will become increasingly important, especially over the entire product lifecycle.

4. Awareness and competence building

Almost every one of our technical articles ends with this recommendation for action: it is essential to raise awareness of the new cybersecurity requirements among the responsible employees and to develop and expand the necessary practical skills. The CRA, which also underpins conformity assessments, explicitly mentions the need for expertise, including for internal audits and reviews. Sustained training of staff in all aspects of cybersecurity engineering and testing is becoming essential, whether horizontal or vertical cybersecurity requirements are being addressed.
