Skip to main content

EU Cyber Resilience Act: Implications for the Automotive Industry

Janine Funke
Janine Funke
Lead Strategic Area Cybersecurity Senior Consultant, Software Intensive Systems
November 21, 2024 | 3:09 pm CST
Janine Funke
Janine Funke
Lead Strategic Area Cybersecurity Senior Consultant, Software Intensive Systems

In today’s digital era, industries across the board are navigating an increasingly complex landscape of cybersecurity regulations, with frameworks such as Network and Information Security (NIS) 2 Directive, the EU Cybersecurity Act, and now the Cyber Resilience Act (CRA) shaping the future of cybersecurity practices in the European Union (EU). While each regulation plays a role in building a more resilient digital ecosystem, today we’ll focus on the CRA.

On Oct. 10, 2024, the EU officially adopted the Cyber Resilience Act (CRA), which will come into force in 36 months. This landmark legislation sets out to address cybersecurity risks in products with digital elements, creating a framework to enhance the EU's resilience to cyber threats. If products are in scope but not compliant with the CRA, fines of up to 15 million euros are possible. Automotive cybersecurity and the automotive industry are already highly regulated. Therefore, the question arises: what is the impact on automotive products?

Before diving into the specific challenges for the automotive industry, let´s first understand the basics of the Cyber Resilience Act.

The Cyber Resilience Act is part of the EU’s broader agenda to tighten cybersecurity measures across all sectors. It introduces new requirements for manufacturers, developers and distributors of products that contain digital components, requiring them to demonstrate these products meet stringent cybersecurity standards. The act mandates that cybersecurity must be embedded into the design, production and lifecycle management of all products, including software updates and patching, so that digital security remains a constant priority.

Current cybersecurity standards in the automotive industry

Generally, the automotive industry has already made strides in cybersecurity through regulations such as UN Regulation No. 155 which mandates a Cybersecurity Management System (CSMS), and the respective ISO/SAE 21434 industry standard. These frameworks set out specific requirements for managing cybersecurity risks throughout the vehicle’s lifecycle, from design through to decommissioning.

However, with an expanding regulatory landscape, the industry faces overlapping regulations with varying scopes.

Supply chain implications

A significant aspect of the CRA is how it will impact the entire automotive supply chain, including component manufacturers. Under the principle of lex specialis, the CRA excludes products already regulated by sector-specific regulations, e.g., Regulation (EU) 2019/2144, also known as General Safety Regulation (GSR), which implements the UN Regulation No. 155 in Europe. However, automotive components with digital elements, particularly those produced by suppliers not regulated under GSR, fall under the CRA.

Until now, only original equipment manufacturers (OEMs) — and no suppliers — were in scope of Regulation (EU) 2019/2144.

As OEMs need to manage their supply chain, having a CSMS in place according to the industry standard ISO/SAE 21434 is already required by most OEMs for their suppliers. Therefore, most automotive suppliers are already compliant with ISO/SAE 21434, which is not mandatory.

The CRA introduces another framework for automotive suppliers, compelling them to demonstrate that their components meet cybersecurity standards before being integrated into vehicles. That would mean that for any automotive components that fall within the CRA’s scope, CE marking would be required, which signifies that the product meets EU standards for cybersecurity, along with other relevant health, safety and environmental protection standards.

CRA and ISO/SAE 21434: Complementary frameworks?

Between the basic frameworks from CRA and ISO/SAE 21434, there are a lot of similarities. Both the CRA and ISO/SAE 21434 share similar objectives in terms of enhancing cybersecurity throughout the lifecycle of products with digital elements. At their core, both frameworks emphasize the importance of risk management, updates, vulnerability management, incident response and continuous monitoring to mitigate potential cybersecurity threats.

Similarly, the CRA mandates that manufacturers demonstrate cybersecurity due diligence across the product lifecycle. This includes establishing that products are secure by design, managing vulnerabilities and being prepared to respond to incidents in real time. Companies must also provide regular software updates and patches to address emerging risks so that products remain resilient over time.

Given the overlap in requirements between ISO/SAE 21434 and the CRA, automotive companies that have already implemented the processes and controls required by the ISO standard are well positioned to meet CRA compliance, if needed. However, the CE marking process will add some compliance burdens.

The role of free and open-source software in automotive cybersecurity

Another aspect is the industry's use of free and open-source software (FOSS). FOSS is a key area where collaboration between the automotive sector and the FOSS community drives efficiency, flexibility and cost savings.

While CRA explicitly excludes FOSS developed and distributed outside a commercial context, uncertainty remains as the boundary between noncommercial and commercial use of FOSS is not easy to distinguish. A "commercial activity" in software does not just mean selling the software directly. It can also include charging for technical support, monetizing through a platform or using personal data collected by the for commercial reasons. Furthermore, the CRA introduces the role of the “open-source software steward,” placing new obligations on FOSS organizations, such as fostering secure product development and cooperating with market surveillance. An open-source steward will be required for specific FOSS products intended for commercial use, potentially affecting the role of FOSS organizations within the industry.

Vehicle categories and regulatory scope

Another challenge deals with the scope of vehicle categories. Not all the vehicle categories are regulated by the same regulation. In the context of the CRA and existing regulations, there is an unclear scope for vehicle category O (trailers).. Although the UN Regulation No. 155 mentions vehicle category O in its scope, Annex II of EU 2019/2144 (GSR) does not explicitly apply cybersecurity protections (D4) to these vehicles. This creates ambiguity about whether trailers are covered by the CRA, potentially subjecting them to two sets of regulations at different times.

The big picture: A cross-industry approach to CRA compliance

The CRA will raise the bar for cybersecurity across digital components and systems, protecting against evolving threats — a step forward for the EU’s cybersecurity strategy. For the automotive industry, however, challenges remain in managing this complex regulatory landscape and establishing compliance across a deep, interconnected supply chain.

However, automotive suppliers often operate across industries, supplying components for consumer electronics, medical devices and industrial machinery, each of which faces similar requirements under the CRA. Aligning cybersecurity strategies across different sectors can simplify compliance efforts and enhance security across the supply chain.

With extensive experience in navigating regulatory landscapes, we understand the complexities of aligning cybersecurity practices with evolving standards like the CRA. From risk assessments and secure design principles to lifecycle management, we provide support to meet cybersecurity requirements and mitigate potential risks.

As the CRA unfolds, we can help you integrate and sustain cybersecurity practices that drive resilience across all the industries you serve.

THE ARTICLE IS FOR GENERAL INFORMATION PURPOSES ONLY AND IS NOT INTENDED TO CONVEY LEGAL OR OTHER PROFESSIONAL ADVICE.

 

About the author

Janine Funke

Janine Funke

Janine Funke is a consultant, trainer and assessor dedicated to helping OEMs and suppliers achieve their security goals while contributing to industry standards and supporting women in cybersecurity. Read more

 

Within UL Solutions we provide a broad portfolio of offerings to many industries. This includes certification, testing, inspection, assessment, verification and consulting services. In order to protect and prevent any conflict of interest, perception of conflict of interest and protection of both our brand and our customers brands, UL Solutions has processes in place to identify and manage any potential conflicts of interest and maintain the impartiality of our conformity assessment services.