EU Cyber Resilience Act Guide for Connected Vehicle Platform & V2X Vendors

The CRA's relationship with automotive cybersecurity regulation requires careful scoping. Automotive systems incorporated into vehicles as part of type approval under UNECE Regulation 155 are addressed through the automotive type approval process, with cybersecurity managed under Regulation 155 CSMS (Cybersecurity Management System) requirements. However, aftermarket connected devices — OBD-II dongles, fleet telematics units, aftermarket infotainment systems, and V2X retrofit units — are products with digital elements placed on the EU market and fully subject to the CRA. Software platforms sold to vehicle manufacturers for integration into new vehicles may be exempt where they are incorporated into a type-approved system, but standalone commercial software and hardware products sold through distribution channels are in scope. Vendors of connected vehicle platforms must map each product line against this boundary to determine CRA applicability.

Connected vehicle telematics and V2X products operate in a unique threat environment: they are mobile, physically accessible to vehicle occupants and third parties, and connected to both vehicle CAN bus networks and public cellular or DSRC networks simultaneously. Annex I requirements include: authenticating all V2X messages using the ETSI ITS PKI certificate framework; encrypting all telematics data transmissions to cloud backends; implementing tamper-resistant hardware design for physical access risks; ensuring firmware updates are authenticated and cannot be triggered remotely without authorisation; implementing network separation between vehicle network interfaces and external connectivity interfaces; and providing telematics platform operators with access controls preventing unauthorised access to vehicle location and diagnostic data. The SBOM must cover the device firmware, cellular modem firmware, and any V2X protocol stack components.

Article 13 mandates a published CVD policy. Connected vehicle vendors face active security research from automotive cybersecurity specialists — vulnerabilities in vehicle telematics and V2X systems are regularly presented at automotive security conferences including escar and the Billington Cybersecurity Summit. The CVD policy must: maintain a dedicated security reporting channel; address researcher notification timelines compatible with automotive industry responsible disclosure norms (typically 90 days); specify how vehicle owners, fleet operators, and automotive OEM customers are notified of security updates; and coordinate with the relevant national transport CSIRT for vulnerabilities in V2X infrastructure with public road safety implications. For vendors who supply telematics platforms to fleet management companies, the CVD policy must address how fleet operators are notified when a vulnerability affects the security of their managed vehicles.

Article 14 requires CSIRT notification within 24 hours of confirmed active exploitation. For connected vehicle products, exploitation scenarios range from fleet data exfiltration to vehicle tracking by unauthorised parties, to — in the most severe cases — remote vehicle system manipulation through the telematics interface. For V2X roadside units, exploitation could affect traffic signal communications with implications for road safety. Vendors must have incident response procedures that can assess exploitation scope across the deployed fleet within the 24-hour window and generate the regulatory notification with the required information. For V2X vulnerabilities with road safety implications, simultaneous notification to relevant transport authorities and road safety agencies is appropriate alongside the CSIRT notification.

CRA conformity assessment for in-scope connected vehicle products should leverage the cybersecurity evidence developed for UNECE Regulation 155 compliance where available, even though the two frameworks are distinct. CSMS documentation, threat analysis and risk assessment (TARA) reports, and security testing evidence from the WP.29 process all provide relevant inputs to the CRA technical file. V2X roadside units qualifying as Class II Important Products require notified body assessment. Aftermarket telematics units classified as Important Class I may self-declare using harmonised standards — ISO/SAE 21434 (automotive cybersecurity engineering) is the primary applicable standard, supplemented by ETSI ITS security standards for V2X components. The CE marking for CRA purposes must be affixed to the product before EU market placement.