The CRA Deadline Is Closer Than You Think: What Automotive Suppliers Need to Do Now

January 26, 2026
5 min read

August 2026. That's when vulnerability reporting obligations kick in.

December 2027. That's full compliance.

If you're an automotive supplier selling ECUs in Europe, these dates matter. Miss them and you lose market access.

I work with automotive suppliers on exactly this problem. Here's what I'm seeing and what you should do about it.

The Reality Check

Most automotive suppliers I talk to are in one of three situations:

Situation 1: "We have ISO 21434, so we're fine"

You're ahead of many, but you're not done. CRA adds requirements that ISO 21434 doesn't cover:

  • Software Bill of Materials (SBOM) — mandatory

  • ENISA reporting within 24 hours — mandatory

  • Public support period declarations — mandatory

  • Conformity assessment by notified body — mandatory for Class II products

Your ISO 21434 work covers maybe 60% of CRA. The remaining 40% is new work.

Situation 2: "We're waiting for guidance"

The regulation is final. It entered into force in December 2024. Yes, implementing guidance is still coming, but the requirements are clear enough to start work now.

Companies waiting for perfect clarity will run out of time. The ones acting now will have margin for course corrections.

Situation 3: "Our OEM customer will handle it"

Your OEM customer handles UN R155 type approval. CRA is different. It applies directly to you as the product manufacturer. Your component needs its own CE marking.

Even if your customer eventually takes on some compliance burden, you'll still need to provide evidence, SBOMs, and vulnerability data. Start building that capability now.

What Needs to Happen

Before August 2026 (Vulnerability Reporting Deadline)

1. Set up SBOM generation

You can't monitor vulnerabilities effectively without knowing what's in your product. Get SBOM tooling integrated into your build process.

Timeline: 2-3 months to implement properly.

2. Establish ENISA reporting process

When you discover an actively exploited vulnerability, you have 24 hours to report to ENISA. That's not enough time to figure out the process. Build it now.

Timeline: 1-2 months to design and test.

3. Publish vulnerability disclosure policy

Put a security contact on your website. Create a process to receive and triage vulnerability reports. This is low effort and shows good faith.

Timeline: 2-4 weeks.

Before December 2027 (Full Compliance Deadline)

4. Complete conformity assessment

For Class II products (most automotive ECUs), you need a notified body to certify your compliance. These organizations have limited capacity. Book early.

Timeline: Start engagement by Q2 2026.

5. Compile technical documentation

Your technical file needs to satisfy auditors. That means risk assessments, security design descriptions, test evidence, SBOM, and vulnerability handling procedures.

Timeline: Ongoing, complete by Q3 2027.

6. Update CE marking

After conformity assessment, update your Declaration of Conformity and product documentation.

Timeline: Q4 2027.

The Cost of Waiting

Every month you delay:

  • Reduces your buffer for unexpected problems

  • Increases competition for notified body slots

  • Risks your ability to sell in Europe after the deadline

I've seen companies scramble to meet regulatory deadlines. It's expensive, stressful, and often results in shortcuts that create problems later.

The companies that start early spend less money and get better outcomes.

How I Can Help

I help automotive suppliers get CRA-ready. My approach:

Week 1-2: Gap assessment. I'll map your current state against CRA requirements and identify exactly what's missing.

Week 3-4: Remediation planning. We'll prioritize the gaps and create a realistic timeline.

Month 2+: Implementation support. I'll help you build the processes, documentation, and tooling you need.

I've done this work at Scania and InMotion AVS. I know what automotive programs require and how to fit compliance work into real engineering schedules.

Your Next Move

If you're an automotive supplier with products in the EU market, you need a plan for CRA.

Book a 30-minute call with me. I'll give you an honest assessment of where you stand and what it will take to get compliant.

No obligation. No hard sell. Just clarity on your situation.

Schedule a Call →

Leon Kalema

Cybersecurity Manager at InMotion AVS with 17+ years of experience. Specializing in automotive cybersecurity and AI security.
