OEMs in the automotive industry face a persistent threat to the security of their supply chains. Attacks against Tier-1 automotive suppliers and continued regulatory pressure from various governing bodies have made a comprehensive cybersecurity strategy a virtual necessity.

Further Reading:

  • Download your complimentary CRA 1-pager (PDF)
  • Pocket Guide: CRA’s Impact on the Industrial Sector (blog post)
  • CRA for MDMs and Healthcare Security Leaders (blog post)
  • Cyber Resilience Act and Trailer Bodybuilders (blog post)
  • Navigating UN Regulation No. 155 (blog post)

OEMs must meet Cyber Resilience Act (CRA) requirements by demonstrating that vulnerability management programs have been established, that access controls have been strengthened, and that all software supply chain components are properly documented and regularly updated in a Bill of Materials (BOM) assessment.

Research from Upstream’s 2025 Global Automotive Cybersecurity Report found that thousands of vehicle owners in the UK became eligible to join a lawsuit against a Japanese OEM over a rise in vehicle thefts. The suit claimed that a specific component on the CAN bus enabled thieves to bypass security and steal vehicles without causing damage. Over 120,000 vehicles are allegedly at risk, and the claim seeks compensatory damages for breach of contract and consumer rights violations.

The threats extend beyond legal and reputational damage: they directly compromise consumer safety and critical asset security, and they jeopardize a manufacturer’s ability to obtain the CE marking needed to ship automotive components or vehicles to market. A single component deemed hazardous to consumers can result in massive recalls, regulatory penalties, and headline-worthy security breaches.

OEMs, Tier-1 suppliers, and security vendors can all benefit from following the Automotive Threat Matrix (ATM) established by the Automotive Information Sharing and Analysis Center (Auto-ISAC). Heavily modeled after the MITRE ATT&CK framework and designed specifically for automotive security, the ATM helps ensure that all stakeholders adopt consistent cybersecurity best practices. 

The Auto-ISAC framework serves as a foundational blueprint for securing every phase of the vehicle lifecycle, from initial design to post-production. Threat Analysis and Risk Assessment (TARA) provides detailed insights that OEMs and Tier-1 suppliers can leverage to protect the security and integrity of vehicles during the pre-market phase of development.

The CRA mandates real-time vulnerability monitoring for all software and embedded systems in vehicles. OEMs and Tier-1 suppliers must consider these requirements alongside other automotive cybersecurity regulations and standards, such as ISO/SAE 21434, and must implement secure-by-design principles to ensure vehicle safety before integrating components into the assembly line.

Upstream’s annual report revealed that in March 2024 a Chinese Tier-2 supplier was hit by a ransomware attack that led to a major breach of 1.2TB of data, impacting both Chinese and global OEMs. A comprehensive BOM assessment could have prevented this incident by accurately identifying and addressing critical vulnerabilities in every component of the supply chain, starting from the earliest phases of design and development.

Compliance with UN R155 is the OEM’s responsibility. OEMs are required to maintain UN R155 compliance and hold a Cybersecurity Management System (CSMS) certification. Tier-1 suppliers must align their cybersecurity efforts across the interconnected automotive supply chain to meet the OEM’s requirements.

UN R155 establishes binding requirements for automotive manufacturers to obtain a CE marking, allowing them to sell new vehicles. Threat Analysis and Risk Assessment (TARA) accelerates this process by identifying and mitigating critical vulnerabilities early in the product development lifecycle and supply chain, reducing compliance audit delays, and ensuring proactive risk management.

[Figure: a diagram of a car]

Security researchers at Colorado State University successfully recovered Wi-Fi passwords and compromised an electronic logging device (ELD), using it to distribute malicious firmware and send messages that manipulated the truck’s speed. This example highlights the many security risks embedded inside an ELD and its unsecured wireless connectivity.

A threat actor could effectively disable an entire fleet and disrupt operations through diagnostic protocol flaws, open ports, ELDs, OTA update mechanisms protected by weak passwords, or proximity-based wireless attacks.

Threat actors can also flood the CAN network with messages in a targeted Denial of Service (DoS) attack, or inject malicious commands to disable the brake system entirely. These are frightening, almost surreal scenarios that OEMs must proactively address to prevent catastrophic failures and safety risks on open roads. Cybersecurity must be built in from the beginning to prevent such disasters and to meet CRA requirements.

Obtaining the CE marking is an incentive, but OEMs and Tier-1 suppliers must look beyond the coveted seal and focus on the bigger picture: minimizing the threat landscape in the automotive supply chain throughout the product lifecycle to ensure end-to-end vehicle security.

This is where C2A Security can steer you in the right direction and help you achieve CRA readiness in several ways:

Comprehensive Cybersecurity Management

  • End-to-end premarket and postmarket security: EVSec provides a holistic solution from development to deployment, offering postmarket monitoring to ensure continuous compliance. This includes full visibility into open-source and third-party software components.
  • Automated security processes: EVSec automates vulnerability scanning, patch management, and compliance audits, significantly reducing manual workload and maintaining continuous security without disrupting operations. This includes automated BOM validation for internal teams and external suppliers.
  • Seamless regulatory compliance with ISO 21434, UN R155, and more.

Risk Management and Collaboration

  • Context-driven prioritization: EVSec evaluates cybersecurity risks based on business context, ensuring that critical threats are prioritized effectively.
  • Risk mitigation throughout the entire product lifecycle.
  • Collaboration and delegation: The platform enhances real-time collaboration, task delegation, and workflow tracking while automating critical security tasks.

C2A Security’s EVSec Platform helps automotive manufacturers and Tier-1 suppliers meet CRA requirements while strengthening cyber resilience across the supply chain.

As the only context-driven product security platform for Premarket Approval and Postmarket Surveillance, our leading DevSecOps Product Security platform leverages dynamic risk, BOM, and Vulnerability management, as well as attack path triage, to ensure targeted protection and seamless compliance for the development and operations of medical devices.

Schedule a demo to learn how C2A Security can help you prepare for CRA readiness.