Skip to main content
← Back to Blog
CybersecurityJuly 17, 2026 • 10 min read

The EU Cyber Resilience Act and Automotive: What Is Actually in Scope

By Shreyansh, Founder & CTO, Agnile Technologies

Key Takeaways

TL;DR — Type-approved vehicles are outside the EU Cyber Resilience Act — but not because of an ‘R155 exemption’. Article 2(2)(c) of the CRA excludes products covered by Regulation (EU) 2019/2144, the General Safety Regulation that implements UN R155/R156 in EU Type Approval. Everything automotive that sits outside that framework — aftermarket devices, EV charging equipment, engineering tools sold as products, standalone components, L-category and agricultural vehicles, fleet hardware — remains in CRA scope, with reporting obligations from 11 September 2026 and full application from 11 December 2027.

  1. 1.The Cyber Resilience Act (Regulation (EU) 2024/2847) entered into force on 10 December 2024; its Article 14 reporting obligations apply from 11 September 2026 and the regulation applies in full from 11 December 2027.
  2. 2.The automotive exemption is keyed to coverage by Regulation (EU) 2019/2144 via CRA Article 2(2)(c) — what matters is whether the type-approval framework applies to the product, not whether the product complies with UNECE R155. Identical-specification spare parts are separately exempt under Article 2(6).
  3. 3.Six automotive product groups stay in CRA scope: aftermarket devices sold separately, EV charging equipment, development / testing / diagnostic tools sold as products, standalone embedded components sold to the supply chain, L-category and agricultural / forestry vehicles, and fleet hardware outside Type Approval.
  4. 4.The same component can be exempt when delivered inside a type-approved vehicle and CRA-regulated when sold separately — the regime follows the sales channel, not the hardware.
  5. 5.Motorcycles face both regimes converging on one date: 11 December 2027 is the CRA's full-application date and the date Commission Delegated Regulation (EU) 2025/1455 starts applying UN R155 to new L-category vehicle types.
  6. 6.In-scope suppliers with an existing ISO/SAE 21434 process — TARA, Vulnerability Management, monitoring, Work Products — already hold most of the evidence the CRA's Annex I essential requirements ask for.

At a Glance

One-Sentence Answer
Type-approved M, N, and O vehicles and their systems are excluded from the EU Cyber Resilience Act via Article 2(2)(c), while aftermarket devices, EV charging equipment, engineering tools, standalone components, L-category vehicles, and fleet hardware outside Type Approval remain fully in scope.
Who This Is For
Product managers and compliance leads at Tier-1 suppliers, aftermarket and EV-charging manufacturers, embedded component vendors, and OEM regulatory teams mapping CRA exposure.
Last Reviewed
July 2026
Primary References
Regulation (EU) 2024/2847 (Cyber Resilience Act), Regulation (EU) 2019/2144, UNECE R155/R156, Commission Delegated Regulation (EU) 2025/1455, ISO/SAE 21434.
Practical Use
Use the decision table to classify each product in your portfolio as CRA-exempt or CRA-regulated by sales channel before the September 2026 reporting deadline.

Editorial Process: Written and reviewed by Agnile engineers working day-to-day in automotive cybersecurity and safety. AI tooling is used to assist with drafting, outlining, and copy-editing; every claim, standards reference, and technical statement is verified by a human engineer before publication.

Since the Cyber Resilience Act entered into force on 10 December 2024, one question has circulated through every automotive compliance meeting: does this apply to us? The short answer repeated in most webinars — “vehicles are exempt because of UNECE R155” — is wrong in a way that matters. Vehicles are exempt, but the legal mechanism is different, and that difference decides which products in an automotive portfolio carry CE-marking obligations from 11 December 2027 and reporting obligations from 11 September 2026.

This post walks through the actual exclusion in Article 2(2)(c), the six automotive product groups that remain in CRA scope, the awkward fact that the same component can be exempt in one sales channel and regulated in another, and how an existing ISO/SAE 21434 process shortens the path to CRA readiness.

What the Cyber Resilience Act Is — and When It Bites

The Cyber Resilience Act is Regulation (EU) 2024/2847 — the EU's first horizontal cybersecurity regulation for products. It covers “products with digital elements”: hardware and software placed on the EU market that can connect to a device or network. Manufacturers of in-scope products must meet the essential cybersecurity requirements of Annex I, run a documented Vulnerability Management process, undergo conformity assessment, affix CE marking, and report actively exploited vulnerabilities and severe incidents to ENISA and their national CSIRT.

Three dates define the timeline. The regulation entered into force on 10 December 2024. The Article 14 reporting obligations — a 24-hour early warning, a 72-hour notification, and a 14-day final report — apply from 11 September 2026. The regulation applies in full, CE marking included, from 11 December 2027. Note the sequencing: reporting duties arrive fifteen months before the rest of the regulation, so incident-handling readiness cannot wait for the CE-marking programme.

Structurally, the CRA is a different animal from UNECE R155. R155 is a Type Approval regulation addressed to vehicle manufacturers; it certifies an organisation's Cybersecurity Management System and approves vehicle types. The CRA is a product regulation addressed to whoever places a product on the EU market — manufacturers, importers, and distributors alike. The two regimes were never meant to stack on the same product, which is exactly what the exclusion in Article 2(2)(c) prevents.

The Exemption, Read Precisely: Article 2(2)(c), Not “R155”

Article 2(2)(c) of the CRA excludes products with digital elements to which Regulation (EU) 2019/2144 applies. That regulation — the General Safety Regulation — is the EU instrument that makes UN R155 and UN R156 binding inside EU Whole Vehicle Type Approval for vehicles of categories M, N, and O: passenger cars, buses, goods vehicles, and trailers, together with the systems, components, and separate technical units approved within that framework. Recital 27 states the rationale: where sectoral Union law already imposes cybersecurity requirements that achieve an equivalent level of protection, the CRA steps back rather than duplicating them.

Notice what the text does not say. The CRA never names UNECE R155. The pointer runs to the type-approval framework, and that has three practical consequences that a loose “R155 exemption” reading gets wrong.

First, coverage drives the exemption — not compliance. A product leaves CRA scope because Regulation (EU) 2019/2144 applies to it, full stop. A manufacturer of an aftermarket telematics unit cannot argue itself out of the CRA by voluntarily following R155 practices, because the General Safety Regulation does not apply to its product. Second, the exemption's edge follows the edge of the type-approval framework. Anything the General Safety Regulation does not reach — L-category motorcycles, agricultural tractors, aftermarket electronics, charging infrastructure — falls back into the CRA by default. Third, Article 2(6) adds a separate, narrower exemption: spare parts manufactured to identical specifications as the part they replace are out of scope, which keeps long-tail service parts from acquiring new obligations decades into a vehicle's life.

For the vehicles themselves, the cybersecurity regime remains the one described in our UNECE R155 compliance roadmap: mandatory for new vehicle types in the EU since 6 July 2022 and for all new vehicles since 7 July 2024, enforced by type-approval authorities such as KBA, RDW, and UTAC.

Product by Product: CRA or Not?

The decision is mechanical once the legal test is clear: is the product covered by Regulation (EU) 2019/2144, or by the identical-specification spare-part exemption? If neither, and it is a product with digital elements placed on the EU market, the CRA applies. The table below classifies the cases that come up in practice.

Product Placed on the EU MarketCRA StatusWhy
Vehicle of category M, N, or O with EU Type ApprovalExemptArticle 2(2)(c) — Regulation (EU) 2019/2144 applies; cybersecurity is regulated through UN R155/R156 within Type Approval.
Systems and components delivered within that vehicle's Type ApprovalExemptCovered by the same exclusion; obligations flow contractually through the OEM's CSMS and Cybersecurity Interface Agreements.
Spare part built to identical specifications as the part it replacesExemptArticle 2(6) — the identical-specification spare-part exemption.
Aftermarket device sold separately — OBD dongle, retrofit telematics unit, dashcamIn scopeA standalone product with digital elements, outside Type Approval coverage.
EV charging equipment — wallboxes, charging accessoriesIn scopeNot covered by Regulation (EU) 2019/2144; charging products are ordinary CRA products.
Development, testing, and diagnostic tools sold as productsIn scopeEngineering tooling is a product with digital elements in its own right, whatever it is used to build.
Standalone embedded components sold to the supply chain — MCUs, connectivity modules, RTOS, middlewareIn scopePlaced on the market as products, not delivered within a specific vehicle's Type Approval.
L-category vehicles (Reg (EU) 168/2013) and agricultural / forestry vehicles (Reg (EU) 167/2013)In scopeOutside the scope of Regulation (EU) 2019/2144, so the Article 2(2)(c) exclusion does not reach them.
Fleet and telematics hardware outside Type ApprovalIn scopeA standalone product; fitting it to a type-approved vehicle does not extend the vehicle's exemption to it.
CRA scope decision for automotive products — the test is coverage by Regulation (EU) 2019/2144 or the Article 2(6) spare-part exemption, never “R155 compliance”.

The Same Component, Two Regimes

The table hides a twist that catches Tier-1 suppliers and component vendors. Consider a telematics control unit. Delivered to an OEM under a development contract and integrated into a type-approved vehicle, it sits inside the Article 2(2)(c) exclusion: the CRA imposes nothing on it directly, and its cybersecurity obligations arrive contractually — through the OEM's Cybersecurity Management System, Cybersecurity Interface Agreements, and the evidence chain that feeds Type Approval.

Now take the identical hardware, box it, and sell it through distributors as a retrofit fleet-tracking product. It is suddenly a product with digital elements placed on the EU market in its own right: essential requirements, technical documentation, an SBOM, a support period, CE marking by 11 December 2027, and reporting duties from 11 September 2026. Nothing about the silicon changed. The regime follows the sales channel, not the component. The same logic applies to an RTOS, a connectivity module, or middleware licensed on the open market to the supply chain — those are CRA products even though every unit may end up inside a type-approved vehicle.

The practical instruction for product management is to map the portfolio by route to market, SKU by SKU. One engineering platform can produce both exempt deliveries and regulated products, and the compliance file for the second category has to exist on its own — an OEM's Type Approval never certifies your aftermarket channel.

What In-Scope Suppliers Must Actually Do

For products that land in scope, the CRA's obligations cluster into four blocks. First, the Annex I essential requirements: products must be designed and delivered with an appropriate level of cybersecurity, ship without known exploitable vulnerabilities, default to secure configurations, protect the confidentiality and integrity of data, and limit their attack surface. A documented cybersecurity risk assessment must accompany the product through its life.

Second, Vulnerability Management. Manufacturers must identify and document the components contained in the product — including an SBOM in a machine-readable format — operate a coordinated vulnerability disclosure policy, and provide security updates for the product's support period. This is a continuing obligation, not a launch gate: the process has to run for as long as the product is supported. Our SBOM & Vulnerability Monitoring solution exists precisely for this continuous half of the obligation.

Third, conformity and CE marking: conformity assessment against Annex I, technical documentation, an EU declaration of conformity, and the CE mark itself — familiar machinery for hardware makers, new territory for software vendors. Fourth, the Article 14 reporting chain from 11 September 2026: an actively exploited vulnerability or severe incident triggers a 24-hour early warning, a 72-hour notification, and a 14-day final report to ENISA and the national CSIRT. Meeting a 24-hour clock is an operational capability — on-call rotations, triage criteria, and pre-agreed reporting templates — not a policy document.

Motorcycles: Where the CRA and UN R155 Converge

L-category vehicles illustrate how the two regimes are closing in from opposite directions. Because motorcycles are type-approved under Regulation (EU) 168/2013 rather than the General Safety Regulation, they never enjoyed the Article 2(2)(c) exclusion — they are CRA products today. In parallel, Commission Delegated Regulation (EU) 2025/1455, adopted on 23 July 2025, extends UN R155 to L-category vehicles (L1e–L7e, excluding pedal-designed L1e): new vehicle types must comply from 11 December 2027, and existing types from 11 June 2029.

Look at the dates. 11 December 2027 is simultaneously the CRA's full-application date and the day new L-category types need R155 approval. A motorcycle manufacturer planning a 2028 model therefore faces both regimes converging at once, and as the texts stand today the CRA exclusion does not reach L-category vehicles, because it cites a regulation that does not cover them. Prudent programme planning treats both as applicable until the European Commission clarifies the interplay — which in practice means building one Cybersecurity Management System and one engineering process that can serve R155 Type Approval evidence and CRA technical documentation from the same source.

The ISO/SAE 21434 Head Start on CRA Annex I

That last point generalises. Suppliers who built an ISO/SAE 21434 process for R155 programmes hold most of what the CRA asks for, under different headings. The Threat Analysis and Risk Assessment method of Clause 15 produces exactly the risk-based analysis the CRA expects to accompany a product. The continual activities of Clause 8 — cybersecurity monitoring, vulnerability analysis, and Vulnerability Management — map directly onto the CRA's vulnerability-handling requirements. Incident-response maturity built for R155 post-production monitoring is the same muscle the Article 14 reporting chain exercises. And the standard's Work Products give the technical documentation a conformity assessment wants to see: goals, requirements, verification evidence, and traceability rather than a box of test reports.

The deltas are real but narrow: CE-marking mechanics, the EU declaration of conformity, the support-period commitment, and the ENISA-facing reporting workflow. For a team starting from nothing, the sensible sequence is to stand up ISO/SAE 21434 processes first — they serve R155, the CRA, and customer Cybersecurity Interface Agreements at once. Our ISO/SAE 21434 guide covers that build-out clause by clause.

Frequently Asked Questions

Does the EU Cyber Resilience Act apply to cars? No. Vehicles of categories M, N, and O under EU Type Approval are excluded by Article 2(2)(c), because Regulation (EU) 2019/2144 — the General Safety Regulation that makes UN R155 and R156 binding in EU Type Approval — applies to them. Their cybersecurity is regulated through the type-approval framework instead.

Does the CRA apply to Tier-1 ECUs and components? It depends on the sales channel. A component delivered to an OEM for integration into a type-approved vehicle sits inside the Article 2(2)(c) exclusion, with obligations flowing contractually through the OEM's CSMS. The same component sold separately — an MCU, connectivity module, RTOS, or middleware placed on the market as a standalone product — falls under the CRA.

Do EV chargers fall under the CRA? Yes. EV charging equipment is not covered by Regulation (EU) 2019/2144, so the exclusion does not reach it. Wallboxes and other charging products must meet the essential requirements, carry CE marking by 11 December 2027, and report under Article 14 from 11 September 2026.

What is the difference between the CRA and UNECE R155? R155 is a vehicle Type Approval regulation addressed to vehicle manufacturers — a certified Cybersecurity Management System plus per-type approval. The CRA is a horizontal product regulation addressed to whoever places a product with digital elements on the EU market — essential requirements, SBOM, Vulnerability Management, CE marking, and ENISA reporting. For M, N, and O vehicles they do not overlap, by design.

What are the CRA deadlines? In force since 10 December 2024; Article 14 reporting obligations from 11 September 2026; full application, including CE marking, from 11 December 2027.

Need Help Applying This to a Real Programme?

Agnile supports engineering teams from architecture and requirements through implementation, validation, release, and evidence preparation.