Automotive development involves multiple tiers of suppliers. A Tier 1 supplier delivers your ECU. That supplier uses a software stack from a Tier 2 supplier. That stack includes libraries from Tier 3 suppliers, and sometimes Tier 4. The CRA requires seamless traceability across all these tiers. When a vulnerability is discovered in a third-party library, you must identify all affected products across your entire portfolio in under 24 hours. Not days or weeks but hours.
Here's what happens today: An auditor asks, "Show me all products affected by the Log4Shell vulnerability." Your honest answer? "That will take two weeks. I need to contact all our suppliers and aggregate their responses." Under the CRA, that's not compliant.
This isn't about better processes or more diligent engineers. Your teams are already working hard on cybersecurity. The problem is that your current tool landscape, designed for ISO 21434 compliance, can't answer CRA questions at the speed and granularity required. You need automated SBOM generation that works across supplier boundaries, continuous vulnerability scanning at the component level, integrated supplier systems providing real-time visibility, and searchable audit trails connecting vulnerabilities to products instantly. This is new infrastructure, not process improvement.
Test your readiness with three questions:
- Can you generate a machine-readable SBOM for any product on demand? If you need more than an hour, there's a gap.
- Do you know which products contain which specific third-party library versions? If this requires calling suppliers, there's a gap.
- Can you trace a supplier's component to all affected products in under 24 hours? If this takes days or weeks, there's a gap.
These aren't theoretical questions. They're what CRA compliance audits will ask.