The regulatory landscape for automotive cybersecurity is undergoing significant transformation. On one hand, emerging domain-specific standards such as ISO/SAE PAS 8477 and ISO/SAE TR 8475 are contributing to the harmonization of automotive-specific cybersecurity concepts. On the other hand, new horizontal regulations are being introduced that are particularly relevant for automotive-related products and services that fall outside the scope of traditional type approval processes. As automotive companies increasingly offer digital services that extend beyond the vehicle, and as suppliers and OEMs operate in different roles and across multiple industries (or vehicle categories), a broader understanding of cybersecurity obligations is essential.
The presentation will focus on the European Union’s Cyber Resilience Act (CRA), highlighting its implications and the opportunities it presents for the automotive industry. We will explore the conditions under which the CRA becomes applicable and examine its intersection with established standards such as ISO/SAE 21434. By comparing CRA requirements with existing automotive cybersecurity practices, we aim to clarify compliance pathways and identify areas of alignment. Additionally, we will offer a forward-looking perspective on how organizations can leverage the CRA as a catalyst for strengthening their overall product security posture. This includes developing tailored cybersecurity capabilities within a robust framework, which is also applicable for dual- or multi-use items.
About the Speaker:
Stefan is part of the Deloitte Cyber team, specializing in Secure Product Engineering and regulatory frameworks such as ISO/SAE 21434 and the Cyber Resilience Act. He has supported automotive companies and software subsidiaries in building effective Product Security Offices and Management Systems, and brings extensive experience from projects with OEMs, suppliers, and connected product manufacturers, including certification and type approval processes.