The EU Cyber Resilience Act and Automotive: What Is Actually in Scope
By Shreyansh, Founder & CTO, Agnile Technologies
By Shreyansh, Founder & CTO, Agnile Technologies
TL;DR — Type-approved vehicles are outside the EU Cyber Resilience Act — but not because of an ‘R155 exemption’. Article 2(2)(c) of the CRA excludes products covered by Regulation (EU) 2019/2144, the General Safety Regulation that implements UN R155/R156 in EU Type Approval. Everything automotive that sits outside that framework — aftermarket devices, EV charging equipment, engineering tools sold as products, standalone components, L-category and agricultural vehicles, fleet hardware — remains in CRA scope, with reporting obligations from 11 September 2026 and full application from 11 December 2027.
Editorial Process: Written and reviewed by Agnile engineers working day-to-day in automotive cybersecurity and safety. AI tooling is used to assist with drafting, outlining, and copy-editing; every claim, standards reference, and technical statement is verified by a human engineer before publication.
Since the Cyber Resilience Act entered into force on 10 December 2024, one question has circulated through every automotive compliance meeting: does this apply to us? The short answer repeated in most webinars — “vehicles are exempt because of UNECE R155” — is wrong in a way that matters. Vehicles are exempt, but the legal mechanism is different, and that difference decides which products in an automotive portfolio carry CE-marking obligations from 11 December 2027 and reporting obligations from 11 September 2026.
This post walks through the actual exclusion in Article 2(2)(c), the six automotive product groups that remain in CRA scope, the awkward fact that the same component can be exempt in one sales channel and regulated in another, and how an existing ISO/SAE 21434 process shortens the path to CRA readiness.
The Cyber Resilience Act is Regulation (EU) 2024/2847 — the EU's first horizontal cybersecurity regulation for products. It covers “products with digital elements”: hardware and software placed on the EU market that can connect to a device or network. Manufacturers of in-scope products must meet the essential cybersecurity requirements of Annex I, run a documented Vulnerability Management process, undergo conformity assessment, affix CE marking, and report actively exploited vulnerabilities and severe incidents to ENISA and their national CSIRT.
Three dates define the timeline. The regulation entered into force on 10 December 2024. The Article 14 reporting obligations — a 24-hour early warning, a 72-hour notification, and a 14-day final report — apply from 11 September 2026. The regulation applies in full, CE marking included, from 11 December 2027. Note the sequencing: reporting duties arrive fifteen months before the rest of the regulation, so incident-handling readiness cannot wait for the CE-marking programme.
Structurally, the CRA is a different animal from UNECE R155. R155 is a Type Approval regulation addressed to vehicle manufacturers; it certifies an organisation's Cybersecurity Management System and approves vehicle types. The CRA is a product regulation addressed to whoever places a product on the EU market — manufacturers, importers, and distributors alike. The two regimes were never meant to stack on the same product, which is exactly what the exclusion in Article 2(2)(c) prevents.
Article 2(2)(c) of the CRA excludes products with digital elements to which Regulation (EU) 2019/2144 applies. That regulation — the General Safety Regulation — is the EU instrument that makes UN R155 and UN R156 binding inside EU Whole Vehicle Type Approval for vehicles of categories M, N, and O: passenger cars, buses, goods vehicles, and trailers, together with the systems, components, and separate technical units approved within that framework. Recital 27 states the rationale: where sectoral Union law already imposes cybersecurity requirements that achieve an equivalent level of protection, the CRA steps back rather than duplicating them.
Notice what the text does not say. The CRA never names UNECE R155. The pointer runs to the type-approval framework, and that has three practical consequences that a loose “R155 exemption” reading gets wrong.
First, coverage drives the exemption — not compliance. A product leaves CRA scope because Regulation (EU) 2019/2144 applies to it, full stop. A manufacturer of an aftermarket telematics unit cannot argue itself out of the CRA by voluntarily following R155 practices, because the General Safety Regulation does not apply to its product. Second, the exemption's edge follows the edge of the type-approval framework. Anything the General Safety Regulation does not reach — L-category motorcycles, agricultural tractors, aftermarket electronics, charging infrastructure — falls back into the CRA by default. Third, Article 2(6) adds a separate, narrower exemption: spare parts manufactured to identical specifications as the part they replace are out of scope, which keeps long-tail service parts from acquiring new obligations decades into a vehicle's life.
For the vehicles themselves, the cybersecurity regime remains the one described in our UNECE R155 compliance roadmap: mandatory for new vehicle types in the EU since 6 July 2022 and for all new vehicles since 7 July 2024, enforced by type-approval authorities such as KBA, RDW, and UTAC.
The decision is mechanical once the legal test is clear: is the product covered by Regulation (EU) 2019/2144, or by the identical-specification spare-part exemption? If neither, and it is a product with digital elements placed on the EU market, the CRA applies. The table below classifies the cases that come up in practice.
| Product Placed on the EU Market | CRA Status | Why |
|---|---|---|
| Vehicle of category M, N, or O with EU Type Approval | Exempt | Article 2(2)(c) — Regulation (EU) 2019/2144 applies; cybersecurity is regulated through UN R155/R156 within Type Approval. |
| Systems and components delivered within that vehicle's Type Approval | Exempt | Covered by the same exclusion; obligations flow contractually through the OEM's CSMS and Cybersecurity Interface Agreements. |
| Spare part built to identical specifications as the part it replaces | Exempt | Article 2(6) — the identical-specification spare-part exemption. |
| Aftermarket device sold separately — OBD dongle, retrofit telematics unit, dashcam | In scope | A standalone product with digital elements, outside Type Approval coverage. |
| EV charging equipment — wallboxes, charging accessories | In scope | Not covered by Regulation (EU) 2019/2144; charging products are ordinary CRA products. |
| Development, testing, and diagnostic tools sold as products | In scope | Engineering tooling is a product with digital elements in its own right, whatever it is used to build. |
| Standalone embedded components sold to the supply chain — MCUs, connectivity modules, RTOS, middleware | In scope | Placed on the market as products, not delivered within a specific vehicle's Type Approval. |
| L-category vehicles (Reg (EU) 168/2013) and agricultural / forestry vehicles (Reg (EU) 167/2013) | In scope | Outside the scope of Regulation (EU) 2019/2144, so the Article 2(2)(c) exclusion does not reach them. |
| Fleet and telematics hardware outside Type Approval | In scope | A standalone product; fitting it to a type-approved vehicle does not extend the vehicle's exemption to it. |
The table hides a twist that catches Tier-1 suppliers and component vendors. Consider a telematics control unit. Delivered to an OEM under a development contract and integrated into a type-approved vehicle, it sits inside the Article 2(2)(c) exclusion: the CRA imposes nothing on it directly, and its cybersecurity obligations arrive contractually — through the OEM's Cybersecurity Management System, Cybersecurity Interface Agreements, and the evidence chain that feeds Type Approval.
Now take the identical hardware, box it, and sell it through distributors as a retrofit fleet-tracking product. It is suddenly a product with digital elements placed on the EU market in its own right: essential requirements, technical documentation, an SBOM, a support period, CE marking by 11 December 2027, and reporting duties from 11 September 2026. Nothing about the silicon changed. The regime follows the sales channel, not the component. The same logic applies to an RTOS, a connectivity module, or middleware licensed on the open market to the supply chain — those are CRA products even though every unit may end up inside a type-approved vehicle.
The practical instruction for product management is to map the portfolio by route to market, SKU by SKU. One engineering platform can produce both exempt deliveries and regulated products, and the compliance file for the second category has to exist on its own — an OEM's Type Approval never certifies your aftermarket channel.
For products that land in scope, the CRA's obligations cluster into four blocks. First, the Annex I essential requirements: products must be designed and delivered with an appropriate level of cybersecurity, ship without known exploitable vulnerabilities, default to secure configurations, protect the confidentiality and integrity of data, and limit their attack surface. A documented cybersecurity risk assessment must accompany the product through its life.
Second, Vulnerability Management. Manufacturers must identify and document the components contained in the product — including an SBOM in a machine-readable format — operate a coordinated vulnerability disclosure policy, and provide security updates for the product's support period. This is a continuing obligation, not a launch gate: the process has to run for as long as the product is supported. Our SBOM & Vulnerability Monitoring solution exists precisely for this continuous half of the obligation.
Third, conformity and CE marking: conformity assessment against Annex I, technical documentation, an EU declaration of conformity, and the CE mark itself — familiar machinery for hardware makers, new territory for software vendors. Fourth, the Article 14 reporting chain from 11 September 2026: an actively exploited vulnerability or severe incident triggers a 24-hour early warning, a 72-hour notification, and a 14-day final report to ENISA and the national CSIRT. Meeting a 24-hour clock is an operational capability — on-call rotations, triage criteria, and pre-agreed reporting templates — not a policy document.
L-category vehicles illustrate how the two regimes are closing in from opposite directions. Because motorcycles are type-approved under Regulation (EU) 168/2013 rather than the General Safety Regulation, they never enjoyed the Article 2(2)(c) exclusion — they are CRA products today. In parallel, Commission Delegated Regulation (EU) 2025/1455, adopted on 23 July 2025, extends UN R155 to L-category vehicles (L1e–L7e, excluding pedal-designed L1e): new vehicle types must comply from 11 December 2027, and existing types from 11 June 2029.
Look at the dates. 11 December 2027 is simultaneously the CRA's full-application date and the day new L-category types need R155 approval. A motorcycle manufacturer planning a 2028 model therefore faces both regimes converging at once, and as the texts stand today the CRA exclusion does not reach L-category vehicles, because it cites a regulation that does not cover them. Prudent programme planning treats both as applicable until the European Commission clarifies the interplay — which in practice means building one Cybersecurity Management System and one engineering process that can serve R155 Type Approval evidence and CRA technical documentation from the same source.
That last point generalises. Suppliers who built an ISO/SAE 21434 process for R155 programmes hold most of what the CRA asks for, under different headings. The Threat Analysis and Risk Assessment method of Clause 15 produces exactly the risk-based analysis the CRA expects to accompany a product. The continual activities of Clause 8 — cybersecurity monitoring, vulnerability analysis, and Vulnerability Management — map directly onto the CRA's vulnerability-handling requirements. Incident-response maturity built for R155 post-production monitoring is the same muscle the Article 14 reporting chain exercises. And the standard's Work Products give the technical documentation a conformity assessment wants to see: goals, requirements, verification evidence, and traceability rather than a box of test reports.
The deltas are real but narrow: CE-marking mechanics, the EU declaration of conformity, the support-period commitment, and the ENISA-facing reporting workflow. For a team starting from nothing, the sensible sequence is to stand up ISO/SAE 21434 processes first — they serve R155, the CRA, and customer Cybersecurity Interface Agreements at once. Our ISO/SAE 21434 guide covers that build-out clause by clause.
Does the EU Cyber Resilience Act apply to cars? No. Vehicles of categories M, N, and O under EU Type Approval are excluded by Article 2(2)(c), because Regulation (EU) 2019/2144 — the General Safety Regulation that makes UN R155 and R156 binding in EU Type Approval — applies to them. Their cybersecurity is regulated through the type-approval framework instead.
Does the CRA apply to Tier-1 ECUs and components? It depends on the sales channel. A component delivered to an OEM for integration into a type-approved vehicle sits inside the Article 2(2)(c) exclusion, with obligations flowing contractually through the OEM's CSMS. The same component sold separately — an MCU, connectivity module, RTOS, or middleware placed on the market as a standalone product — falls under the CRA.
Do EV chargers fall under the CRA? Yes. EV charging equipment is not covered by Regulation (EU) 2019/2144, so the exclusion does not reach it. Wallboxes and other charging products must meet the essential requirements, carry CE marking by 11 December 2027, and report under Article 14 from 11 September 2026.
What is the difference between the CRA and UNECE R155? R155 is a vehicle Type Approval regulation addressed to vehicle manufacturers — a certified Cybersecurity Management System plus per-type approval. The CRA is a horizontal product regulation addressed to whoever places a product with digital elements on the EU market — essential requirements, SBOM, Vulnerability Management, CE marking, and ENISA reporting. For M, N, and O vehicles they do not overlap, by design.
What are the CRA deadlines? In force since 10 December 2024; Article 14 reporting obligations from 11 September 2026; full application, including CE marking, from 11 December 2027.
Agnile supports engineering teams from architecture and requirements through implementation, validation, release, and evidence preparation.