Need CRA Compliance Help? Here's What to Look for in a Consultant
Your automotive products need EU Cyber Resilience Act compliance by December 2027. The clock is ticking. You need someone who can actually deliver, not just explain the regulations.
I've spent 17 years in cybersecurity. The last several focused on automotive — ECUs, TARA methodology, ISO 21434, UN R155. I've done this work at Scania and InMotion AVS. I know what it takes to get products compliant.
This article explains what you should look for when hiring a CRA consultant. And yes, I'm making a case for why I might be the right fit.
The Problem You're Facing
Your engineering team is busy building products. They don't have time to become regulatory experts. But CRA requires:
Risk assessments that satisfy auditors
SBOM generation for every release
Vulnerability reporting processes that meet 24-hour deadlines
Technical documentation that holds up to notified body scrutiny
Miss the deadline, and you can't sell in the EU.
What a Good CRA Consultant Actually Does
1. Gap Analysis That's Specific to Your Products
Generic CRA checklists won't help. You need someone who understands your specific ECU architecture, your development process, and your existing compliance work.
I start every engagement by mapping what you already have. If you've done ISO 21434 work, you're not starting from zero. I'll show you exactly what transfers and what's missing.
2. Practical Remediation Plans
Some consultants deliver reports. I deliver working processes.
SBOM generation? I'll help you integrate it into your build pipeline. Vulnerability reporting? I'll set up the workflow and train your team. Technical documentation? I'll compile it in the format notified bodies expect.
3. Hands-On Implementation Support
I don't disappear after the assessment. I stay involved until you have:
Working SBOM generation
Tested incident response processes
Complete conformity assessment documentation
A clear path to CE marking
Why Automotive Experience Matters
CRA applies to all products with digital elements. But automotive has specific constraints:
Long product lifecycles (10-15 years of support commitments)
Safety-critical systems (your security can't break safety)
Complex supply chains (Tier-1, Tier-2, component suppliers)
Existing regulations to integrate with (UN R155, ISO 21434)
A general cybersecurity consultant will miss these nuances. You need someone who has worked inside automotive programs.
My Background
InMotion AVS — I manage cybersecurity for power electronics ECUs. DC-DC converters, inverters, products that go into heavy vehicles. I've built TARA processes, defined security requirements, and prepared products for compliance.
Scania — I worked on TARA methodology for ECU systems. Heavy-duty trucks. UN R155 compliance work. Cross-functional teams in China and Sweden.
17+ years in cybersecurity — Before automotive, I worked across multiple industries. I've seen what works and what doesn't when implementing security in real products.
What I Can Do for You
CRA Gap Assessment
I'll analyze your current state against CRA requirements. You'll get a clear picture of what's missing and what it takes to close the gaps.
Deliverable: Gap report with prioritized remediation plan
Timeline: 2-3 weeks
SBOM Implementation
I'll set up SBOM generation in your build process. CycloneDX or SPDX format. Integrated with your CI/CD pipeline.
Deliverable: Working SBOM tooling, documented process
Timeline: 4-6 weeks
Full CRA Compliance Program
End-to-end support from gap analysis to conformity assessment. I'll manage the entire compliance journey.
Deliverable: CE marking readiness
Timeline: 6-12 months depending on starting point
Availability
I'm based in Stockholm. I'm available for new engagements starting Q1 2026.
I work with automotive suppliers across Europe. Remote work for most activities, on-site when needed for workshops and assessments.
Next Step
Book a 30-minute call. I'll listen to your situation and tell you honestly whether I can help.
No sales pitch. No pressure. Just a straight conversation about what you need and whether I'm the right fit.
Leon Kalema
Cybersecurity Manager at InMotion AVS with 17+ years of experience. Specializing in automotive cybersecurity and AI security.