
The EU Cyber Resilience Act (CRA), which officially came into force on December 10, 2024, sets unified and stringent cybersecurity requirements for all Products with Digital Elements (PDE). These requirements cover the entire product lifecycle—from design and development to deployment and end-of-life. While the regulation has already taken effect, the primary compliance obligations will become fully enforceable starting November 10, 2027, leaving a limited window for the automotive industry to prepare.
Why CRA matters for the automotive ecosystem
Although automakers are already subject to regulations such as UN R156 (Software Update Management System), which partially align with CRA requirements, many PDEs within their supply chain will need to meet CRA obligations independently.
These include, for example:
- Third-party in-vehicle applications and aftermarket software
- Wireless connectivity devices (e.g., keyless entry systems)
- Electric vehicle charging equipment (EVSE)
- Digital control modules in agricultural and construction machinery
Under the CRA, manufacturers must continuously monitor vulnerabilities and threats. If an actively exploited vulnerability is discovered, they are required to report it to the EU Agency for Cybersecurity (ENISA) within 24 hours and promptly provide remediation or mitigation. Failure to comply may result in fines of up to €15 million or 2.5% of global annual revenue, whichever is higher. Sanctions apply to violations such as failure to report vulnerabilities, to submit a Software Bill of Materials (SBOM), or to implement secure design practices.
Top 3 CRA compliance roadblocks
For suppliers and developers, CRA introduces several significant challenges:
- Identifying actively exploited vulnerabilities within 24 hours
In reality, this is extremely difficult because of limited visibility into whether vulnerabilities are being actively exploited, a lack of contextual threat intelligence specific to automotive systems, and incomplete PSIRT processes or manual incident workflows. Without novel threat intelligence and automated detection, it is difficult to meet CRA's 24-hour early warning notification requirement.
- Vulnerability, patch management, and incident response
Continuously detecting, disclosing, and remediating vulnerabilities across the full product lifecycle takes substantial effort and resources. Could there be a more cost-effective approach to meeting these requirements?
- Limited supply chain cybersecurity visibility
Responsibility for compliance is difficult to clarify without clear visibility into third-party cybersecurity practices. A lack of transparency in the supply chain leaves manufacturers exposed to compliance risks originating from external suppliers.
One platform to simplify CRA compliance
To meet CRA requirements, companies need a Vulnerability and SBOM Management System capable of handling continuous vulnerability identification, assessment, and remediation.
Key capabilities include:
- Automated vulnerability detection and prioritization
Automatically detect known and unknown vulnerabilities, and classify them based on severity, exploitability, and relevance to the system context.
- Automated SBOM generation and management
Automatically generate and continuously update SBOMs, and cross-reference them against known CVEs and potential vulnerabilities.
- Automotive threat intelligence for early warning
Built on a continuously updated automotive threat intelligence platform, the system instantly identifies vulnerabilities linked to real-world exploits. It even maps out the full attack path, so you know exactly where threats begin and where they are headed.
- Uncover hidden software risks in supplier components
Automatically identify zero-day and undisclosed vulnerabilities within third-party components included in the PDE.
Introducing VicOne xZETA—a platform that integrates Vulnerability Management, SBOM Management, and Automotive Threat Intelligence, offering a comprehensive solution designed for CRA compliance. Let us help you accelerate your path to compliance—reducing risk, speeding up time-to-market, and earning the trust of the European market.