Automotive & the CRA: Why ISO 21434 isn't enough

You're ahead of most industries, but three critical gaps will catch you off guard.

want to explore your CRA readiness?

You're already ahead

If you're developing automotive systems, you have a significant advantage. ISO 21434 and ASPICE have already taught you cybersecurity-by-design, threat analysis, requirements traceability, and structured verification processes. You're used to rigorous documentation and change management.

This puts you miles ahead of most industries facing the Cyber Resilience Act.

But here's the problem: the CRA builds on these foundations in ways that expose gaps in how automotive companies currently work, especially across the supply chain.

 

Three gaps between ISO 21434 and CRA Compliance

  1. The SBOM Format Gap
    ISO 21434 requires you to maintain a component inventory. You probably have this in spreadsheets or internal databases. The CRA requires machine-readable formats like SPDX or CycloneDX that can be automatically generated, continuously updated, and shared across organizational boundaries.

    Your Excel sheet isn't compliant, not because it lacks information, but because it can't integrate into automated supply chain processes.

  2. The Audit Trail Gap
    ISO 21434 requires traceability of design decisions. Most automotive teams document this in Confluence, Word documents, or similar tools. The CRA requires structured, searchable, machine-readable audit trails with timestamps and decision rationales.

    Manual documentation doesn't provide the automated verification capabilities regulators will demand.

  3. The Component Granularity Gap
    This is the most challenging difference. ISO 21434 focuses on system-level security traceability, you can prove your ECU meets security requirements. The CRA requires traceability down to individual third-party libraries and their specific versions.

    Can you prove that OpenSSL 1.1.1 in your firmware has no critical CVEs? Not just that your system is secure, but that this specific library version is safe?

Why This Matters: The Supply Chain Reality

Automotive development involves multiple tiers of suppliers. A Tier 1 supplier delivers your ECU. That supplier uses a software stack from a Tier 2 supplier. That stack includes libraries from Tier 3 suppliers, and sometimes Tier 4. The CRA requires seamless traceability across all these tiers. When a vulnerability is discovered in a third-party library, you must identify all affected products across your entire portfolio in under 24 hours. Not days or weeks but hours.

Here's what happens today: An auditor asks, "Show me all products affected by the Log4Shell vulnerability." Your honest answer? "That will take two weeks. I need to contact all our suppliers and aggregate their responses." Under the CRA, that's not compliant.

This isn't about better processes or more diligent engineers. Your teams are already working hard on cybersecurity. The problem is that your current tool landscape, designed for ISO 21434 compliance, can't answer CRA questions at the speed and granularity required. You need automated SBOM generation that works across supplier boundaries, continuous vulnerability scanning at the component level, integrated supplier systems providing real-time visibility, and searchable audit trails connecting vulnerabilities to products instantly. This is new infrastructure, not process improvement.

Test your readiness with three questions:

  1. Can you generate a machine-readable SBOM for any product on demand? If you need more than an hour, there's a gap.
  2. Do you know which products contain which specific third-party library versions? If this requires calling suppliers, there's a gap.
  3. Can you trace a supplier's component to all affected products in under 24 hours? If this takes days or weeks, there's a gap.

These aren't theoretical questions. They're what CRA compliance audits will ask.

What you should do now

The gap between ISO 21434 and CRA compliance is real, but you can bridge it by building on the strong foundations you already have. The key is understanding where your current infrastructure falls short and addressing those specific gaps before 2027.

Start by assessing your current SBOM capabilities, supplier integration, and component-level traceability. The earlier you identify gaps, the more time you have to close them without disrupting ongoing development.

want to explore your CRA readiness?

Fields with * are required