EU Cyber Resilience Act Guide for Fleet Management & Telematics Vendors

Fleet management hardware — OBD-II dongles, CAN bus gateways, satellite tracking units, tachograph remote download devices, and trailer telematics units — are products with digital elements within CRA scope. Software platforms for fleet management that include an installed hardware component (gateway, dongle) are similarly in scope for the hardware element.

Telematics hardware that connects directly to a vehicle's diagnostic port or CAN bus presents elevated risk: a compromised telematics device could potentially inject commands into vehicle systems or exfiltrate sensitive operational data. Such products are classified as Important Class I under Annex III. OBD-connected devices are specifically relevant given the growing use of telematics for commercial vehicle compliance (digital tachograph, emissions monitoring, ADAS data collection) and insurance telematics. Vendors must assess each product's vehicle integration depth to determine classification.

Telematics hardware vendors must address Annex I requirements that account for the vehicle-network interface and cellular connectivity of their products:

• Authenticated CAN/OBD access: Where a telematics device reads from or writes to vehicle CAN bus systems, access must be authenticated and the device must not accept commands from unauthorised sources that could be passed to the vehicle network.
• Cellular communication security: All data transmitted over cellular networks (MQTT, HTTPS, proprietary protocols) must be encrypted with current TLS standards. Certificate pinning should be considered for high-security applications.
• Firmware update authentication: OTA firmware updates to telematics hardware must be cryptographically signed. Update delivery over cellular must verify integrity before installation.
• Data minimisation: Telematics devices must not collect or transmit data beyond what is necessary for the declared fleet management function.
• Remote wipe/disable: If the telematics device processes sensitive fleet or driver data, a mechanism for remote data wipe upon device loss or end-of-service must be provided.

Fleet management vendors serve commercial vehicle operators — logistics companies, bus operators, construction fleets — whose operations depend on the integrity and confidentiality of telematics data. Security vulnerabilities in telematics hardware or platforms can expose route planning data, driver behaviour records, and vehicle location information that has significant commercial sensitivity.

• Define the scope of covered products (hardware and software)
• Provide a submission channel for fleet operator security teams and independent researchers
• Commit to customer notification for vulnerabilities that could expose fleet operational data
• Address vehicle security implications — vulnerabilities that could affect vehicle systems (via OBD interface) must be treated with elevated urgency and coordinated with vehicle OEMs where relevant

CVD Portal enables telematics vendors without dedicated security teams to establish a standards-compliant CVD programme through the intake, triage, and advisory publication workflow.

Article 14 applies when a telematics vulnerability is being actively exploited. For fleet management vendors, exploitation scenarios include mass location data exfiltration, fleet route manipulation, and in rare cases, vehicle system interference via the OBD interface. The 24-hour ENISA notification requirement must be built into incident response procedures.

Fleet operators who are themselves NIS2-obligated entities (e.g., transport operators designated as essential services) have independent incident reporting obligations. Telematics vendors should be prepared to provide fleet operator customers with the technical information they need to fulfil their own NIS2 reporting obligations, in addition to filing the Article 14 CRA report. The coordination between vendor CRA reporting and operator NIS2 reporting should be pre-agreed as part of commercial contracts and security incident response plans.

Class I telematics products require third-party conformity assessment. Vendors should leverage alignment with UNECE WP.29 R155 (which applies to the vehicles themselves) and ISO/SAE 21434 (automotive cybersecurity engineering) as evidence supporting CRA conformity assessment.

1. The vehicle interface security design (CAN bus access controls, OBD communication security)
2. Cellular communication security architecture
3. OTA update security mechanism
4. SBOM for firmware and software components
5. CVD policy and operational status

Vendors with products subject to tachograph regulations (EU 165/2014 and amendments) should ensure that CRA conformity assessment covers tachograph interface components — these have additional security requirements under tachograph-specific regulations.