Understanding the Cyber Resilience Act and Its Impact on the Automotive Industry

28.03.2025

Jitendra Palepu

Cyber Resilience Act

As cars become more like computers on wheels, cybersecurity is becoming a major concern. With vehicles now connected to the internet and relying heavily on software, protecting them from cyber threats is essential.

The Cyber Resilience Act (CRA) is a new European law designed to improve cybersecurity for digital products. While it does not directly apply to cars themselves (since they are already covered by other regulations), it still affects many digital systems within the vehicles.

This article explains what the CRA is and how it impacts the automotive industry in simple terms.


How Is Cybersecurity Already Regulated in the Automotive Industry?

As the automotive industry evolves with advancements like autonomous vehicles and enhanced connectivity, cybersecurity has become a critical concern. Car manufacturers must already follow strict cybersecurity regulations to ensure vehicle safety. Some of the key regulations include:

  • UNECE Regulations R155 and R156: These require vehicle manufacturers to implement Cybersecurity Management Systems (CSMS) and secure over-the-air (OTA) updates. R155 mandates risk management throughout the vehicle lifecycle and ensures cars are protected against hacking, unauthorized access, and other cyber risks. R156 focuses on securing software updates.
  • Vehicle General Safety Regulation (EU 2019/2144): This EU law ensures that cars meet certain cybersecurity standards. It references the UN Regulation R155, which requires automakers to implement cybersecurity management systems.
  • ISO/SAE 21434: An international cybersecurity standard for car manufacturers. This standard provides guidelines for managing cybersecurity risks during vehicle development. It emphasizes a structured risk assessment process (TARA) and ensures cybersecurity is integrated throughout the vehicle lifecycle, from design to decommissioning.

Together, these regulations form the backbone of automotive cybersecurity for connected vehicles. Their focus, however, is mainly on safety-critical systems, such as braking and steering. They do not fully cover other digital components in vehicles, such as infotainment systems, apps, and third-party software, which is where the CRA comes in.

What Is the Cyber Resilience Act (CRA)?

The Cyber Resilience Act (CRA) is a new EU regulation designed to improve cybersecurity for all digital products. It requires companies to ensure their software and hardware are secure, regularly updated, and protected against cyber threats.

But aren’t vehicles already covered by cybersecurity regulations?

Yes. The CRA does not apply to cars themselves, because they are already regulated under EU 2019/2144 and UN R155. However, it does apply to many digital systems and software within vehicles.

Which Automotive Systems Are Affected by the CRA?

While critical vehicle functions like braking and steering fall under existing regulations, other digital components and software may be subject to the CRA, including:

  1. Infotainment and Navigation Systems – Car dashboards that include web browsers, streaming services, and navigation software.
  2. Remote Access and Fleet Management Software – Tools that allow remote monitoring or control of vehicles.
  3. Over-the-Air (OTA) Update Systems – Software that updates infotainment systems, apps, or other non-critical vehicle functions.
  4. Connected Devices and Network Interfaces – Wireless and Ethernet connections that allow external access to the vehicle.
  5. Third-Party Apps and Software – Any external apps (e.g., music streaming, navigation) that integrate with the vehicle.
  6. Aftermarket IoT Devices – Devices like GPS trackers, telematics systems, or smart car accessories that interact with vehicle software.

These components are not part of the vehicle’s safety systems, so they may not be covered by existing automotive regulations. The CRA ensures that they still meet high cybersecurity standards.

What Does This Mean for Car Manufacturers and Suppliers?

Even though the CRA does not apply to vehicles themselves, it still affects the automotive industry. Manufacturers and suppliers must ensure that:

  • All digital components comply with CRA cybersecurity standards (including third-party software and aftermarket devices).
  • Cybersecurity is considered from the beginning of product development.
  • Regular security updates and patches are provided for digital products.
  • Proper security testing is conducted before selling digital products in the EU.

Any company that provides software, connected devices, or digital services for vehicles must ensure compliance with the CRA to continue operating in the EU market.

Conclusion: How the CRA Complements Existing Automotive Cybersecurity Laws

The Cyber Resilience Act does not replace existing automotive cybersecurity regulations — it complements them. While safety-critical systems (like braking and steering) are already covered under laws like EU 2019/2144 and UN R155, the CRA ensures that all other digital components and software meet strict cybersecurity standards.

As vehicles become more connected and software-driven, the CRA will play a key role in securing the entire automotive ecosystem, covering areas that traditional car regulations do not fully address.

For automakers, suppliers, and third-party software providers, this means adapting to new cybersecurity requirements to ensure their digital products comply with EU regulations.