CRA Compliance for Automotive Suppliers: UN R155/R156 Alignment and Aftermarket Guide

How the CRA applies to automotive suppliers and aftermarket products. Covers the vehicle type-approval exemption, ISO/SAE 21434 alignment, and which automotive components need CRA compliance.

CRA Evidence Team
January 11, 2026 (updated February 25, 2026)

The automotive industry has its own cybersecurity regulations, specifically UN R155 (CSMS) and R156 (SUMS) for vehicle type approval. However, many automotive-related products still fall under CRA. Understanding which regulation applies is essential for OEMs, tier suppliers, and aftermarket product manufacturers.

This guide clarifies CRA applicability for automotive products.

Summary

  • Vehicles covered by type-approval (UN R155/R156) are exempt from CRA
  • Components integrated into type-approved vehicles at production are exempt
  • Aftermarket products (dash cams, OBD dongles, charging equipment) typically need CRA compliance
  • Spare parts may be exempt if they're replacement parts for original components
  • ISO/SAE 21434 provides a strong foundation for CRA compliance where the CRA applies

The Automotive Exemption in CRA

What the CRA Says

CRA Article 2(2) exempts certain motor vehicle products:

"This Regulation shall not apply to products with digital elements that are [...] motor vehicles and their trailers, and systems, components and separate technical units designed and constructed for such vehicles, which are regulated by [type-approval regulations]..."

Key exemption: Products covered by UN Regulation No. 155 (cybersecurity) and No. 156 (software updates) under the EU type-approval framework are exempt from CRA.

Why the Exemption Exists

UN R155 and R156 already require:

  • Cybersecurity management system (CSMS)
  • Software update management system (SUMS)
  • Type-approval cybersecurity assessment
  • Ongoing cybersecurity monitoring

The EU avoided double regulation by exempting type-approved automotive products from CRA.

Understanding What's Exempt

Type-Approved Vehicles and Components

EXEMPT from CRA:

TYPE-APPROVAL EXEMPT PRODUCTS

COMPLETE VEHICLES:
- Passenger cars (M1)
- Buses and coaches (M2, M3)
- Trucks (N1, N2, N3)
- Trailers (O categories)
- Two/three-wheelers (L category, from 2024)

OEM COMPONENTS (as fitted to new vehicles):
- Engine control units (ECUs)
- Infotainment systems (OEM-fitted)
- ADAS components
- Connected car telematics units
- OEM navigation systems
- Body control modules
- Gateway ECUs

SPARE PARTS (replacing original):
- Replacement ECUs (same specification)
- Original equipment replacement parts

Products NOT Exempt (CRA Applies)

PRODUCTS REQUIRING CRA COMPLIANCE

AFTERMARKET PRODUCTS:
- Aftermarket dash cameras
- OBD-II diagnostic dongles
- Aftermarket GPS trackers
- Third-party infotainment systems
- Smartphone integration devices
- Aftermarket alarm systems
- Performance tuning devices

CHARGING INFRASTRUCTURE:
- EV charging stations
- Home charging equipment
- Charging management software
- Smart charging controllers

FLEET MANAGEMENT:
- Telematics devices (retrofit)
- Fleet tracking systems
- Driver behavior monitoring
- Asset tracking equipment

ACCESSORIES:
- Connected tire pressure monitors (aftermarket)
- Diagnostic tools
- Automotive WiFi hotspots
- Aftermarket connected features

The Tier Supplier Question

Are Tier 1/2/3 Suppliers Exempt?

It depends on how the component is sold:

TIER SUPPLIER ANALYSIS

SCENARIO 1: Selling to OEM for New Vehicle Production

  Component → OEM → Type-Approved Vehicle

  Result: The component is covered by the vehicle's type approval.
  UN R155/R156 apply via the OEM.
  CRA does NOT apply directly to the supplier.

  BUT: the OEM will require CSMS evidence from you.

SCENARIO 2: Selling Directly to End Users/Repair Market

  Component → Distribution → End User/Shop

  Result: The component is not part of the type-approval process.
  CRA applies to you as the manufacturer.

SCENARIO 3: Dual-Use Components

  The same component is sold to both OEM and aftermarket channels.

  Result: Complex situation.
  - To OEM: covered by type-approval
  - To aftermarket: CRA applies
  - Consider separate product variants

OEM Requirements Flow Down

Even if CRA doesn't apply directly, OEMs will require cybersecurity evidence:

OEM REQUIREMENTS FOR TIER SUPPLIERS

UN R155 REQUIRES OEMs TO:
- Identify and manage supplier risks
- Ensure supplier cybersecurity capabilities
- Verify supplier processes

THIS TYPICALLY MEANS:
- CSMS evidence requirements
- ISO/SAE 21434 compliance requests
- Security assessments and audits
- Vulnerability handling agreements
- SBOM requirements (increasingly)

PRACTICAL OUTCOME:
Even without direct CRA obligation, you'll need
similar capabilities to supply automotive OEMs

ISO/SAE 21434 and CRA Alignment

What Is ISO/SAE 21434?

ISO/SAE 21434 "Road vehicles: Cybersecurity engineering" is the automotive cybersecurity standard covering:

  • Cybersecurity management
  • Risk assessment methodology
  • Product development
  • Production and operations
  • Incident response

ISO/SAE 21434 ↔ CRA Mapping

For aftermarket products where CRA applies:

CRA Requirement            ISO/SAE 21434 Coverage           Alignment
Security by design         Clause 10-11 (development)       Strong
Risk assessment            Clause 8 (TARA)                  Strong
Vulnerability handling     Clause 13 (incident response)    Strong
Security updates           Clause 12 (production/ops)       Partial
No known vulnerabilities   Clause 13                        Process aligned
Access control             Covered in TARA outcomes         Strong
SBOM                       Not explicitly required          Gap
ENISA reporting            Not covered                      Gap
CE marking                 Not covered                      Gap
5-year support             Not specified                    Gap

Using ISO/SAE 21434 for CRA

ISO/SAE 21434 → CRA COMPLIANCE

IF you have an ISO/SAE 21434 implementation:
- Strong technical security foundation
- Reuse threat analysis and risk assessment
- Leverage development process evidence
- Use incident response capabilities

ADDITIONAL FOR CRA:
[ ] SBOM generation (not in ISO 21434)
[ ] ENISA reporting capability
[ ] CE marking process
[ ] 5-year support commitment
[ ] Consumer documentation (if applicable)

Aftermarket Products Deep Dive

Dash Cameras and DVRs

DASH CAMERA CRA COMPLIANCE

CLASSIFICATION: Typically Default category

APPLIES BECAUSE:
- Not part of type-approved vehicle
- Sold directly to consumers/fleet operators
- Aftermarket installation

KEY REQUIREMENTS:
- Secure by default (WiFi, Bluetooth)
- Privacy protection (video data)
- Update mechanism
- No default passwords
- SBOM for firmware
- 5-year support

ADDITIONAL CONSIDERATIONS:
- Video privacy (GDPR alignment)
- Cloud storage security (if applicable)
- App security (companion apps)

OBD-II Devices

OBD-II DONGLE CRA COMPLIANCE

CLASSIFICATION: Potentially Important Class I
(interface with vehicle systems)

APPLIES BECAUSE:
- Aftermarket product
- Connects to vehicle but not type-approved
- Consumer/fleet market

KEY REQUIREMENTS:
- Vehicle network security (critical!)
- Data protection (vehicle data is sensitive)
- Secure communication
- No unauthorized vehicle commands
- Firmware security
- SBOM

SPECIAL CONSIDERATIONS:
- Access to safety-critical networks
- Potential vehicle immobilization risks
- Insurance and liability implications
- Consider industry guidelines (SAE J3061)

EV Charging Equipment

EV CHARGING STATION CRA COMPLIANCE

CLASSIFICATION: Potentially Important Class I or II
(energy infrastructure)

APPLIES BECAUSE:
- Not part of vehicle type-approval
- Separate infrastructure product
- Digital connectivity

KEY REQUIREMENTS:
- Grid security (energy infrastructure)
- Payment security (if applicable)
- Communication protocol security (OCPP)
- Physical security
- Update mechanism
- SBOM

STANDARDS ALIGNMENT:
- IEC 61851 (EV charging)
- OCPP security guidelines
- Smart grid standards
- CRA essential requirements

Fleet Telematics

FLEET TELEMATICS CRA COMPLIANCE

CLASSIFICATION: Default or Important Class I

APPLIES BECAUSE:
- Retrofit/aftermarket installation
- Not type-approved with vehicle
- Separate product

KEY REQUIREMENTS:
- Vehicle data protection
- Location privacy
- Communication security
- Management platform security
- Device firmware security
- SBOM

COMMERCIAL CONSIDERATIONS:
- B2B product (may affect documentation)
- Fleet customer requirements
- Integration with fleet management platforms

Spare Parts Considerations

When Are Spare Parts Exempt?

SPARE PARTS ANALYSIS

EXEMPT (Likely):
- Direct replacement for OEM part
- Same specification as original
- Sold as replacement for type-approved vehicle
- Maintains vehicle's type-approval status

NOT EXEMPT:
- Upgraded/enhanced versions
- Different specifications
- Not matching original approval
- Performance modifications

GRAY AREA:
- Remanufactured parts
- Third-party equivalent parts
- Parts with software changes

RECOMMENDATION:
Document the exemption basis clearly.
If in doubt, consider CRA compliance.

Practical Compliance Paths

For Aftermarket Product Manufacturers

AFTERMARKET PRODUCT CRA PATH

ASSESSMENT:
[ ] Confirm not covered by type-approval
[ ] Classify per CRA categories
[ ] Identify applicable standards

COMPLIANCE APPROACH:
[ ] Leverage ISO/SAE 21434 if already implemented
[ ] Implement CRA essential requirements
[ ] Generate SBOM
[ ] Establish vulnerability handling
[ ] Prepare ENISA reporting

DOCUMENTATION:
[ ] Technical file
[ ] Risk assessment
[ ] User documentation
[ ] Declaration of Conformity
[ ] CE marking

For Tier Suppliers with Dual Channels

TIER SUPPLIER WITH OEM + AFTERMARKET

STRATEGY 1: Separate Products
- OEM variant: supply under type-approval flow
- Aftermarket variant: CRA compliant
- Clear product differentiation

STRATEGY 2: CRA Compliance for All
- Apply CRA to all variants
- Exceeds OEM requirements anyway
- Simplified compliance management
- Single product documentation

STRATEGY 3: Tiered Approach
- Base security for all (ISO 21434)
- Additional CRA elements for aftermarket
- Shared core documentation

For OEMs Managing Supplier Requirements

OEM SUPPLIER MANAGEMENT

UN R155 REQUIREMENTS:
- Verify supplier cybersecurity capabilities
- Assess supplier processes
- Monitor supplier risks

PRACTICAL APPROACH:
- Require ISO/SAE 21434 compliance
- Request security assessment evidence
- Include SBOM requirements in contracts
- Establish vulnerability sharing agreements
- Define incident notification requirements

ALIGNMENT WITH CRA:
Even though CRA doesn't apply to type-approved
components, requiring CRA-like evidence from
suppliers strengthens your UN R155 compliance

Industry Standards and Resources

Relevant Standards

AUTOMOTIVE CYBERSECURITY STANDARDS

ISO/SAE 21434: Road vehicles - Cybersecurity engineering
UN Regulation 155: Cybersecurity (CSMS)
UN Regulation 156: Software Update (SUMS)

SUPPORTING STANDARDS:
ISO/SAE 8000: CSMS auditing
ISO 24089: Software Update Engineering
AUTOSAR cybersecurity specifications
SAE J3061: Cybersecurity Guidebook

CHARGING-SPECIFIC:
IEC 61851: EV charging
OCPP (Open Charge Point Protocol)
ISO 15118: V2G communication

Industry Organizations

Organization   Focus                                Website
Auto-ISAC      Threat intelligence sharing          automotiveisac.com
CLEPA          European automotive suppliers        clepa.eu
VDA            German automotive industry           vda.de
ACEA           European automobile manufacturers    acea.auto
ChargePoint    EV charging industry                 chargepoint.com

Checklist for Automotive Products

AUTOMOTIVE PRODUCT CRA CHECKLIST

CLASSIFICATION:
[ ] Is product covered by type-approval? (Exempt if yes)
[ ] Is it an aftermarket product? (CRA applies)
[ ] Is it a spare part? (Assess exemption basis)
[ ] Is it charging infrastructure? (Usually CRA)

IF CRA APPLIES:
[ ] CRA classification determined
[ ] Conformity assessment path selected
[ ] Technical documentation prepared

TECHNICAL COMPLIANCE:
[ ] ISO/SAE 21434 alignment leveraged
[ ] Security-by-default implementation
[ ] Vehicle network security (if applicable)
[ ] Update mechanism
[ ] SBOM generation
[ ] Vulnerability handling

DOCUMENTATION:
[ ] Risk assessment (TARA methodology works)
[ ] Security architecture
[ ] User documentation
[ ] Declaration of Conformity
[ ] CE marking

SPECIAL CONSIDERATIONS:
[ ] Vehicle data privacy (GDPR)
[ ] Safety implications assessed
[ ] OEM requirements (if supplying)

Key Resources

AUTOMOTIVE CYBERSECURITY RESOURCES

REGULATIONS:
UN Regulation 155 (CSMS)
UN Regulation 156 (SUMS)
https://unece.org/transport/vehicle-regulations

EU Type-Approval:
Regulation (EU) 2018/858
https://eur-lex.europa.eu

STANDARDS:
ISO/SAE 21434:2021
Available from ISO or SAE

GUIDANCE:
ENISA Good Practices for Security of Smart Cars
Auto-ISAC Best Practices

INDUSTRY:
CLEPA Position Papers
VDA Automotive Cybersecurity

Important: Vehicles are exempt from CRA (covered by UN R155/R156). However, aftermarket accessories, diagnostic tools, and connected services ARE in scope.

Tip: If you supply components to automotive OEMs AND sell aftermarket products, you may need CRA compliance only for the aftermarket line.


How CRA Evidence Helps

For aftermarket automotive products requiring CRA compliance:

  • ISO/SAE 21434 mapping: Leverage existing automotive security work
  • SBOM for embedded: Support for automotive firmware components
  • Vulnerability tracking: Automotive supply chain coordination
  • Multi-product management: Handle product families across channels
  • Technical file generation: Automotive-appropriate templates

Start your CRA compliance at app.craevidence.com.


This article is for informational purposes only and does not constitute legal advice. For specific compliance guidance, particularly regarding type-approval boundaries, consult with qualified regulatory counsel.
