Sector: Automotive. Deadline: September 2026 (Article 14 reporting obligations apply from 11 September 2026; the remaining CRA obligations apply from 11 December 2027).

CRA Compliance Checklist: Fleet Management & Telematics

Default to Annex III Class I where the telematics unit embodies a function listed in Annex III (for example a cellular modem or router that provides the vehicle's internet connection); telematics units as such are not listed, so a unit with no listed function follows the default self-assessment route. Tachographs and other legally mandated devices may have additional regulatory intersections.

Fleet management and telematics systems — including GPS trackers, OBD-connected devices, electronic logging devices (ELDs), tachograph systems, and fleet management platforms — are products with digital elements fully in scope for the CRA. They collect sensitive location and operational data at scale, often operate in remote or unattended environments, and some are legally mandated safety and compliance devices. Security is both a CRA obligation and a competitive differentiator.

14 checklist items, 12 high priority.

1. Scope & Classification

Confirm all fleet telematics hardware (GPS trackers, OBD devices, tachograph systems) are products with digital elements in CRA scope

Priority: high. Reference: Article 3(1).

Any telematics hardware with a direct or indirect logical or physical data connection (cellular, Bluetooth, Wi-Fi, or a wired CAN/OBD-II link) is in scope, and so is the fleet management software platform, including its locally installed components. The cloud backend the units depend on to function is remote data processing within the CRA's meaning and is treated as part of the product.

Assess whether digital tachographs and ELDs under transport regulations are subject to additional sectoral requirements, and whether any of them are covered by the vehicle's type-approval

Priority: medium. Reference: Article 2 (scope), CRA.

Smart tachographs are specified by Commission Implementing Regulation (EU) 2016/799 under Regulation (EU) No 165/2014, which imposes its own security requirements but does not take the device out of CRA scope by itself. The CRA does exclude products covered by Regulation (EU) 2019/2144 (vehicle type-approval, which applies UN Regulation No 155 on vehicle cybersecurity), so check for each device whether it is type-approved as part of the vehicle; an aftermarket telematics unit normally is not and stays in CRA scope. Consult legal counsel for current Commission guidance.

Compile an SBOM covering telematics unit firmware, cellular modem software, GPS engine, and cloud platform SDK

Priority: high. Reference: Annex I, Part II(1).

Telematics units combine multiple vendor components: cellular modem firmware, GPS/GNSS engine firmware, application firmware, and the cloud connectivity SDK. Record every component with supplier and version in a machine-readable SBOM (SPDX or CycloneDX) covering at least the top-level dependencies. Modem and GNSS firmware are usually opaque binaries, so record them by vendor, part number and firmware version even when no source is available, and keep the SBOM per firmware release so that a vulnerability in a modem stack can be mapped to the units that actually run it.

2. Product Security (Annex I Part I)

Implement unique per-device credentials and certificate-based identity for all telematics devices; no shared fleet credentials

Priority: high. Reference: Annex I, Part I(3)(c) (access control and identity management).

Fleet-wide shared credentials mean a single compromised credential affects all vehicles and cannot be revoked without touching the whole fleet. Each telematics unit must have a unique cryptographic identity (a device certificate issued by a private fleet CA, or a unique symmetric key), provisioned at manufacture or at first boot and stored in a secure element or TPM where the hardware has one, so that one unit can be revoked individually and cannot impersonate another. The backend should derive the unit's identity from the verified credential, never from an identifier the unit reports in its own messages.

Encrypt all telematics data (location, speed, driver behaviour, vehicle diagnostics) in transit and at rest

Priority: high. Reference: Annex I, Part I(3)(d) (confidentiality of stored and transmitted data).

Fleet telematics data reveals sensitive operational and personal (driver) data. Encrypt all transmissions with TLS 1.3, mutually authenticated with the per-device certificate and pinned to the private fleet CA rather than the public root store, and protect data stored on the unit (flash, SD card) and in the platform with AES-256 in an authenticated mode such as AES-GCM, with keys held outside the encrypted storage (secure element, OS keystore, or a cloud KMS).
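The two items above (unique per-device identity, TLS 1.3 in transit) in working form, as an added example that is not code from this page or from any telematics vendor: a private fleet CA issues one P-256 certificate per unit, the backend accepts only TLS 1.3 with a client certificate chained to that CA, and the unit's identity for the session is whatever the verified certificate says, not anything the unit reports. The CA name, the unit serial format `TU-000123` and the host `fleet.example` are assumptions; only Go's standard library is used.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// CA is the private fleet CA; it signs exactly one certificate per telematics unit.
type CA struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// sign generates a fresh P-256 key and signs tmpl with parent (nil = self-signed).
func sign(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // no entropy at provisioning time is a hard failure
	}
	tmpl.SerialNumber, _ = rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	tmpl.NotBefore = time.Now().Add(-time.Hour)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// NewCA creates the fleet CA (the 10-year validity is an assumption of this example).
func NewCA(name string) *CA {
	cert, key := sign(&x509.Certificate{Subject: pkix.Name{CommonName: name}, IsCA: true,
		BasicConstraintsValid: true, NotAfter: time.Now().AddDate(10, 0, 0),
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature}, nil, nil)
	return &CA{Cert: cert, Key: key}
}

// Pool is a trust store holding only the fleet CA: no public roots.
func (ca *CA) Pool() *x509.CertPool {
	pool := x509.NewCertPool()
	pool.AddCert(ca.Cert)
	return pool
}

// Issue creates a leaf for one identity: the unit serial (or backend host name)
// goes in CommonName; eku is ClientAuth for units, ServerAuth for the backend.
func (ca *CA) Issue(cn string, eku x509.ExtKeyUsage, dnsNames ...string) tls.Certificate {
	cert, key := sign(&x509.Certificate{Subject: pkix.Name{CommonName: cn}, DNSNames: dnsNames,
		NotAfter: time.Now().AddDate(5, 0, 0), KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{eku}}, ca.Cert, ca.Key)
	return tls.Certificate{Certificate: [][]byte{cert.Raw}, PrivateKey: key, Leaf: cert}
}

// BackendConfig: TLS 1.3 only, client certificate mandatory and chained to the
// fleet CA; session tickets off so each connection re-proves the device identity.
func BackendConfig(ca *CA, server tls.Certificate) *tls.Config {
	return &tls.Config{MinVersion: tls.VersionTLS13, ClientAuth: tls.RequireAndVerifyClientCert,
		ClientCAs: ca.Pool(), Certificates: []tls.Certificate{server}, SessionTicketsDisabled: true}
}

// DeviceConfig: the unit pins the fleet CA and presents its own certificate
// (fleet.example is an assumed host); maxVersion models a unit whose TLS stack stops at 1.2.
func DeviceConfig(ca *CA, device tls.Certificate, maxVersion uint16) *tls.Config {
	return &tls.Config{RootCAs: ca.Pool(), ServerName: "fleet.example", MinVersion: tls.VersionTLS12,
		MaxVersion: maxVersion, Certificates: []tls.Certificate{device}}
}

// Handshake runs both sides over an in-memory pipe and returns the serial the backend
// authenticated, read from the verified certificate rather than from anything the unit claims.
func Handshake(server, client *tls.Config) (string, error) {
	a, b := net.Pipe()
	defer a.Close()
	a.SetDeadline(time.Now().Add(2 * time.Second))
	b.SetDeadline(time.Now().Add(2 * time.Second))
	srv, cli := tls.Server(a, server), tls.Client(b, client)
	done := make(chan error, 1)
	go func() { done <- srv.Handshake() }()
	cerr := cli.Handshake()
	b.Close() // the unit's side is finished; a pending server-side alert now fails fast
	if serr := <-done; serr != nil || cerr != nil {
		return "", fmt.Errorf("refused: server=%v client=%v", serr, cerr)
	}
	return srv.ConnectionState().PeerCertificates[0].Subject.CommonName, nil
}

func main() {
	fleet := NewCA("Fleet Device CA")
	backend := fleet.Issue("fleet.example", x509.ExtKeyUsageServerAuth, "fleet.example")
	fmt.Println(Handshake(BackendConfig(fleet, backend), DeviceConfig(fleet, fleet.Issue("TU-000123", x509.ExtKeyUsageClientAuth), tls.VersionTLS13)))
}
```

`go run` prints `TU-000123 <nil>`. Capping the device config at `tls.VersionTLS12`, presenting a certificate issued by another CA, or presenting none at all makes `Handshake` return an error, which is the fleet-wide property the checklist asks for: a leaked certificate identifies exactly one unit and can be revoked on its own. Revocation itself (a CRL, or a backend allow-list keyed by certificate serial) is outside this snippet.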

Implement tamper detection for physical telematics hardware; log and alert on physical tampering attempts

Priority: high. Reference: Annex I, Part I(3)(e) and (k) (integrity; recording and monitoring of relevant internal activity).

Fleet telematics units are physically accessible in vehicles. Implement tamper detection (enclosure breach, power manipulation) that raises an alert over the telemetry channel while the unit still has power, and records the event locally in a form a forensic analyst can later trust: timestamped, sequence-numbered and integrity-protected with a per-unit key, so that entries cannot be silently edited or deleted by whoever opened the unit.
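A tamper-evident form of the local log described above, as an added example (not the page's or any vendor's code): every entry carries a sequence number and an HMAC-SHA256 that also covers the previous entry's MAC, keyed with a per-unit secret. Editing, reordering or deleting an entry breaks the chain; cutting entries off the end does not, which is why the verifier also takes the entry count the backend last received in a heartbeat. Event kinds, field names and the demo key are assumptions.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"time"
)

// Event is one tamper-log entry. Field names and the event kinds used below are
// assumptions of this example, not a vendor's format.
type Event struct {
	Seq  uint64 `json:"seq"`
	Time int64  `json:"t"`    // unix seconds from the unit's clock
	Kind string `json:"kind"` // e.g. "enclosure_open", "power_loss"
	Data string `json:"data"`
	MAC  string `json:"mac"` // hex HMAC-SHA256 over this entry and the previous MAC
}

// TamperLog is an append-only chain: each MAC covers the entry and the MAC before it,
// so editing, reordering or deleting an entry breaks every MAC after it.
type TamperLog struct {
	key     []byte // per-unit secret; on a real unit it stays in the secure element
	entries []Event
	lastMAC []byte
}

func NewTamperLog(key []byte) *TamperLog {
	return &TamperLog{key: key, lastMAC: make([]byte, sha256.Size)} // genesis link is all zeros
}

// chainMAC computes HMAC(key, prevMAC || json(entry without MAC)). JSON with a fixed
// struct field order gives an unambiguous encoding, unlike ad hoc delimiters.
func chainMAC(key, prev []byte, e Event) []byte {
	e.MAC = ""
	body, _ := json.Marshal(e)
	m := hmac.New(sha256.New, key)
	m.Write(prev)
	m.Write(body)
	return m.Sum(nil)
}

// Append records an event and returns it; an alert for kinds such as
// "enclosure_open" would be sent from here while the unit still has power.
func (l *TamperLog) Append(kind, data string, at time.Time) Event {
	e := Event{Seq: uint64(len(l.entries)) + 1, Time: at.Unix(), Kind: kind, Data: data}
	l.lastMAC = chainMAC(l.key, l.lastMAC, e)
	e.MAC = hex.EncodeToString(l.lastMAC)
	l.entries = append(l.entries, e)
	return e
}

// Entries returns a copy of the log, as it would be exported for analysis.
func (l *TamperLog) Entries() []Event { return append([]Event(nil), l.entries...) }

// Verify replays the chain over an exported log. The chain alone cannot detect
// entries cut off the end, so the caller passes the entry count the backend last
// saw in a heartbeat (expectedCount) to catch tail truncation as well.
func Verify(key []byte, entries []Event, expectedCount int) error {
	prev := make([]byte, sha256.Size)
	for i, e := range entries {
		if e.Seq != uint64(i)+1 {
			return fmt.Errorf("entry %d: sequence %d out of order or missing", i, e.Seq)
		}
		got, err := hex.DecodeString(e.MAC)
		if err != nil {
			return fmt.Errorf("entry %d: bad MAC encoding", i)
		}
		if !hmac.Equal(got, chainMAC(key, prev, e)) {
			return fmt.Errorf("entry %d (%s): MAC mismatch, content altered", i, e.Kind)
		}
		prev = got
	}
	if len(entries) < expectedCount {
		return fmt.Errorf("log truncated: %d entries present, backend last saw %d", len(entries), expectedCount)
	}
	return nil
}

func main() {
	key := []byte("per-unit-secret") // constructed demo key
	l := NewTamperLog(key)
	t0 := time.Unix(1700000000, 0)
	l.Append("enclosure_open", "lid switch", t0)
	l.Append("power_loss", "main supply cut", t0.Add(2*time.Second))
	exported := l.Entries()
	fmt.Println(Verify(key, exported, 2)) // <nil>
	exported[0].Kind = "heartbeat"
	fmt.Println(Verify(key, exported, 2)) // entry 0 (heartbeat): MAC mismatch, content altered
}
```

The backend-anchored count is the important caveat: an attacker who opens the unit and wipes the most recent entries leaves a chain that still verifies, so the unit should report its latest sequence number (or MAC) in every heartbeat and the verifier should compare against that.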

Implement cryptographically signed OTA firmware updates with anti-rollback protection and a fail-safe fallback image

Priority: high. Reference: Annex I, Part I(3)(b) and (e); Annex I, Part II(7) (secure update distribution).

Fleet telematics devices in the field must receive secure OTA updates. Sign every update (a manifest covering at least the version and the image hash) with an offline release key and verify it on the device before anything is written to flash. Two distinct mechanisms are needed and are often confused: anti-rollback, where the device refuses any image whose version is not above the version it has already committed, so that an attacker cannot reinstall an older, validly signed but vulnerable firmware; and fail-safe fallback, where A/B image slots let a unit whose new image fails its first boot return to the previous working image instead of being bricked in a vehicle hundreds of kilometres away. The anti-rollback counter is raised only once the new image has booted successfully.
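The update path described above as an added example (not the page's or any vendor's code), with the two mechanisms kept distinct: an Ed25519-signed manifest over (version, image hash) checked before anything is written, an anti-rollback floor that refuses any manifest not newer than the committed version, and two image slots so that a failed first boot falls back to the previous image while the floor stays where it was. The manifest layout, the slot count and the `firmware-x.y` image contents are assumptions; a real bootloader would keep the floor in write-protected storage.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest is what the vendor signs: the version counter and the image digest.
// The layout (4-byte big-endian version || 32-byte SHA-256) is an assumption of this example.
type Manifest struct {
	Version uint32
	Hash    [32]byte
}

func (m Manifest) bytes() []byte {
	b := make([]byte, 4, 36)
	binary.BigEndian.PutUint32(b, m.Version)
	return append(b, m.Hash[:]...)
}

// SignManifest runs on the release system with the offline vendor key.
func SignManifest(priv ed25519.PrivateKey, m Manifest) []byte {
	return ed25519.Sign(priv, m.bytes())
}

// Unit models the device side: two image slots, the active one, an update
// staged for its first boot, and a monotonic floor below which nothing installs.
type Unit struct {
	pub        ed25519.PublicKey // vendor public key burned in at manufacture
	slots      [2][]byte
	versions   [2]uint32
	active     int
	pending    int    // slot awaiting its first boot, or -1
	minVersion uint32 // anti-rollback floor; raised only when a boot is confirmed
}

func NewUnit(pub ed25519.PublicKey, image []byte, version uint32) *Unit {
	u := &Unit{pub: pub, pending: -1, minVersion: version}
	u.slots[0], u.versions[0] = image, version
	return u
}

var (
	ErrSignature = errors.New("manifest signature invalid")
	ErrHash      = errors.New("image digest does not match manifest")
	ErrRollback  = errors.New("version not above the committed floor: downgrade refused")
)

// Install verifies the manifest signature, then the image digest, then the
// version floor, and only then writes the image into the inactive slot.
func (u *Unit) Install(m Manifest, sig, image []byte) error {
	if !ed25519.Verify(u.pub, m.bytes(), sig) {
		return ErrSignature
	}
	if sha256.Sum256(image) != m.Hash {
		return ErrHash
	}
	if m.Version <= u.minVersion {
		return ErrRollback // a validly signed but older image is still refused
	}
	inactive := 1 - u.active
	u.slots[inactive], u.versions[inactive] = image, m.Version
	u.pending = inactive
	return nil
}

// Boot models the bootloader trying the pending slot once. A healthy boot
// commits it and raises the floor; a failed one falls back to the previous
// image, which is still in place, and leaves the floor unchanged so the same
// update (or a newer one) can be retried.
func (u *Unit) Boot(healthy bool) (version uint32, fellBack bool) {
	if u.pending < 0 {
		return u.versions[u.active], false
	}
	slot := u.pending
	u.pending = -1
	if !healthy {
		u.slots[slot] = nil
		return u.versions[u.active], true
	}
	u.active = slot
	u.minVersion = u.versions[slot]
	return u.minVersion, false
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	v1, v2 := []byte("firmware-1.0"), []byte("firmware-2.0") // constructed demo images
	unit := NewUnit(pub, v1, 1)
	m2 := Manifest{Version: 2, Hash: sha256.Sum256(v2)}
	sig2 := SignManifest(priv, m2)
	fmt.Println(unit.Install(m2, sig2, v2)) // <nil>
	fmt.Println(unit.Boot(false))           // 1 true  (failed boot: back on v1, floor still 1)
	fmt.Println(unit.Install(m2, sig2, v2)) // <nil>   (retry allowed)
	fmt.Println(unit.Boot(true))            // 2 false (committed, floor now 2)
	m1 := Manifest{Version: 1, Hash: sha256.Sum256(v1)}
	fmt.Println(unit.Install(m1, SignManifest(priv, m1), v1)) // downgrade refused
}
```

Note the order of checks in `Install`: signature first, so nothing downstream (digest, version parsing) runs on unauthenticated data; and the floor is compared against the committed version, not the staged one, so a failed update never leaves the unit unable to retry.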

3. CVD Policy & Vulnerability Handling

Publish a CVD policy with a dedicated security contact for fleet telematics vulnerabilities

Priority: high. Reference: Annex I, Part II(5) and (6).

Fleet telematics vulnerabilities can expose location data for thousands of vehicles. Publish the policy and a dedicated contact address (for example in a security.txt file per RFC 9116 on the platform's domain), state expected acknowledgement and remediation timelines, and route the contact straight into the vulnerability handling process so that a report can be triaged and, where it meets the threshold, reported under Article 14 without delay.

Provide security patches deployable via OTA to entire fleets; automate patch delivery for critical vulnerabilities

Priority: high. Reference: Annex I, Part II(2), (7) and (8).

Fleet operators cannot manually patch thousands of remote telematics units. Automate security patch delivery, ship security updates separately from feature updates where technically feasible and free of charge, accompany them with an advisory that tells operators what changed and what they must do, and provide a fleet management console that shows per-unit firmware version and patch status so that unpatched or unreachable units can be found and followed up.

Define the security support period: at least 5 years, and matching the expected time in use of fleet telematics hardware

Priority: medium. Reference: Article 13(8).

Fleet vehicles are operated for 5 to 10 years. The support period must reflect the time the product is expected to be in use and be at least 5 years, so telematics units installed at vehicle purchase should receive security support for the vehicle's operational life. State the end of the support period in the product information supplied with the unit (Annex II) so that operators can plan replacement.

4. Article 14 Incident Reporting

Define Article 14 triggers for fleet management incidents; focus on mass location tracking exposure, fleet-wide device compromise, and driver data exfiltration

Priority: high. Reference: Article 14(1) and (3).

An actively exploited vulnerability enabling access to the real-time location of an entire fleet is an Article 14(1) trigger; a severe incident affecting the security of the product (fleet-wide device compromise, driver data exfiltration) is an Article 14(3) trigger. Both are reported through the single reporting platform to the CSIRT designated as coordinator and to ENISA: early warning within 24 hours of becoming aware, full notification within 72 hours, and a final report within 14 days for an exploited vulnerability or one month for an incident. The obligation does not depend on who the customer is, but high-risk cargo carriers raise the severity and the urgency of the operator notification.

Coordinate Article 14 and GDPR breach notifications for driver personal data; location data of employees is personal data

Priority: high. Reference: Article 14, CRA / GDPR Articles 33 and 34.

Fleet location and driver behaviour data constitutes personal data under GDPR. A breach triggers both CRA Article 14 and GDPR Article 33 obligations, on different clocks and to different recipients: the CRA notification goes from the manufacturer to the CSIRT and ENISA, while under GDPR the fleet operator is normally the controller, so a telematics provider acting as processor must notify the operator without undue delay (Article 33(2)) and the operator notifies the supervisory authority within 72 hours and, where the risk to drivers is high, the drivers themselves (Article 34). Run both notifications from one incident record so the facts and timeline stay consistent.

5. CE Marking & Technical Documentation

Prepare the CRA technical file including device security architecture, credential provisioning process, SBOM, and OTA update mechanism documentation

Priority: high. Reference: Article 31, Annex VII.

Technical documentation for fleet devices should demonstrate fleet-scale security management, not just single-device security: the cybersecurity risk assessment, the fleet CA with its credential provisioning and revocation process, the OTA architecture including signing and anti-rollback, the SBOM, and the vulnerability handling process that will run for the whole support period.

Issue an EU Declaration of Conformity referencing the CRA for all fleet telematics hardware and software

Priority: high. Reference: Article 28, Annex V (EU declaration of conformity); Articles 29 and 30 (CE marking).

Cellular-connected telematics units are also radio equipment under the Radio Equipment Directive 2014/53/EU, whose cybersecurity requirements (Article 3(3)(d), (e) and (f), activated by Delegated Regulation (EU) 2022/30) apply from 1 August 2025. Reference both the CRA and the RED in the DoC.

Track your Fleet Management & Telematics compliance progress in CVD Portal.

Public CVD submission portal, Article 14 deadline alerts, SBOM tracking, and CSAF advisory generation. Free forever for manufacturers.

Start your free portal

Frequently asked

Our telematics units are installed by vehicle dealers, not by us. Does this affect our CRA obligations?

No. Your CRA obligations as manufacturer apply regardless of who installs the product; the installer is not the manufacturer. You must ensure the product meets CRA requirements as supplied, and you should provide installation guidelines that specify the required security configuration (for example how device enrolment is completed and which interfaces must be left disabled) for the installer to follow. The underlying product compliance remains your responsibility. The one exception is a dealer that substantially modifies the product, for instance by reflashing it with its own firmware, who then takes on the manufacturer obligations for the modified product (Article 22).

We process telematics data on behalf of fleet operators. Are we a manufacturer or a processor under the CRA?

The CRA regulates the product (the hardware and its software, including any remote data processing the product needs in order to perform its functions, Article 3(2)), not data processing roles. If you supply the telematics hardware and software, you are the manufacturer for CRA purposes regardless of your role under GDPR, and the cloud backend the units depend on is part of the product you are responsible for. Your CRA obligations relate to the security of the product; your GDPR obligations relate to your role in processing personal data (normally processor, with the fleet operator as controller). Both apply independently.

Do fleet management mobile apps need to comply with the CRA?

Yes. A fleet management app that connects to telematics devices or the fleet management platform is a software product with digital elements in scope for the CRA. If you publish the app as part of your fleet management solution, it requires its own CRA compliance: CVD policy, SBOM, security updates, and DoC. Consumer mobile apps for fleet drivers are similarly in scope.

Need a CVD policy for Fleet Management & Telematics?

Download a free CRA-compliant disclosure policy template and deploy it in minutes.

Browse templates →