" " indicates required fields
The recent endorsement of the Cyber Resilience Act (CRA) by the European Union Parliament marks a significant advancement in cybersecurity legislation. Primarily focused on strengthening Products with Digital Elements (PDEs) within the EU, the CRA sets up a framework to guarantee the cyber resilience of products that have digital components. This article discusses the implications of the CRA for the automotive industry, specifically Trailer Bodybuilders. As the automotive industry evolves with increasing digitalization, various segments must adapt to new cybersecurity standards. One such segment is Trailer Bodybuilders – understanding their role and how the CRA impacts their operations is crucial for comprehending the broader scope of this legislation.
A Primer on Trailer Bodybuilders
A trailer bodybuilder is a company or workshop specializing in designing, constructing, and assembling the bodies or trailers attached to the chassis of commercial vehicles, usually trucks and pickup trucks (US). These bodies or trailers are customized to suit various applications, such as:
Trailer bodybuilders often work closely with truck manufacturers to ensure the bodies they create are compatible with the chassis and meet regulatory standards and requirements.

**
A Primer on the Cyber Resilience Act (CRA)
The European Union Parliament has recently approved the Cyber Resilience Act (CRA), a comprehensive cybersecurity legislation to improve the security of PDEs (both Hardware and Software) within the European Union (EU). The regulation aims to address two main problems with PDEs:
The CRA categorizes products into Class I, Class II, and Unclassified, imposing different levels of cybersecurity requirements based on the associated risk. It mandates security-by-design principles and establishes essential cybersecurity requirements for manufacturers, importers, and distributors of digital products. Once the CRA is entered into effect, PDEs must bear the CE marking to indicate they comply with the new standards
The CRA has four specific objectives:
The CRA is set to enter into force in the 2nd half of 2024, with the majority of its provisions applying three years after publication. However, vulnerability reporting obligations will apply 21 months after this date.
There are six primary obligations for manufacturers:
**
The CRA and the Automotive Industry
While the CRA exempts automotive products covered under the Vehicle General Safety Regulation (Regulation (EU) 2019/2144), the industry is not entirely isolated from its implications. Automotive manufacturers should consider the impact on digitalized components and services, ensure supply chain compliance, and recognize the CRA’s importance for accessing the EU market.
To prepare for the CRA, car makers and Tier 1 suppliers should:
Additionally, note that Annex 1 of the CRA covers essential cybersecurity requirements such as endpoint detection, privilege management, data minimization, and vulnerability and patch management.

Three Reasons Why Trailer Bodybuilders Aren’t Covered under UN Regulation No. 155
Trailer bodybuilders are covered under the Cyber Resilience Act (CRA) and not under UN Regulation No. 155 primarily because of the scope and focus of each regulation. With the increasing integration of digital systems in trailer design and functionality – for advanced monitoring, control, and communication technologies, Trailer Bodybuilders need to ensure that their products meet various cybersecurity standards and regulations. UN Regulation No. 155 targets the cybersecurity and cyber-resilience of complete vehicles and motorcycles, and applies to the Type Approval of vehicles, particularly concerning Cybersecurity Management Systems (CSMS). Trailer bodybuilders are covered under the Cyber Resilience Act (CRA) for three reasons:
**
Fines and Violations of the Cyber Resilience Act (CRA)
The CRA will require manufacturers to ensure their PDEs are free from “known exploitable vulnerabilities” before market release. Vulnerabilities must be addressed and remediated “without delay” through security updates and disclosed publicly once an update is available. Exploited vulnerabilities must be reported even if there is no related cyber incident.
Violations of the CRA will be subject to different fines (PDF):
Fines are from the company’s total worldwide annual turnover for the preceding financial year, whichever is higher.
The new CRA underscores the critical importance of robust cybersecurity measures for organizations across Europe. It emphasizes the need for proactive vulnerability management to identify and mitigate potential threats effectively. A comprehensive cybersecurity platform, such as C2A’s EVSec, plays a vital role in ensuring compliance with CRA and other regulatory frameworks.
Simplifying CRA Compliance with EVSec Platform
EVSec is a product security DevSecOps risk management and automation platform designed to help companies tackle the challenges posed by software-defined products, particularly in regulated industries. EVSec platform leverages a proprietary risk-based approach to product security, enabling organizations to achieve compliance in minimum time and cost while enhancing their overall cybersecurity posture:
• Security by Design with Dynamic TARA, ensuring the highest level of Cybersecurity through the entire product lifecycle.
• EVSec’s binary analysis and BOM Management capabilities for automated BOM validation, ensuring coherence and up-to-date information.
• EVSec’s Centralized platform- enabling correct work and authorization processes for coordinated vulnerability disclosure & mitigation.
Transition to a proactive security posture leveraging EVSec’s comprehensive capabilities for cybersecurity management systems, risk assessment, detection and response, software updates, data protection, and continuous compliance.
CRO
C2A Security
VP and GM, Medical Technology
C2A Security
Ken Zalevsky brings over 20 years of medical device cybersecurity experience to his role at C2A Security, where he serves as VP and GM, Medical Technology, following the acquisition of Vigilant Ops in October 2025. A former Bayer executive, Ken founded Vigilant Ops in 2019 after witnessing the consequences of inadequate technical preparation in the healthcare industry. He is an active contributor to CISA’s SBOM working groups and a frequent speaker on software supply chain security. Ken’s mission: transform SBOM from a compliance checkbox into operational intelligence that keeps patients safe while streamlining regulatory processes.