Cyber Resilience Act for Automotive & Mobility Tech in France

A practical country and industry compliance guide — obligations, evidence, and next steps.

What are the CRA obligations for Automotive & Mobility Tech in France?

Automotive & Mobility Tech manufacturers in France must classify their products by CRA category, apply Annex I essential cybersecurity requirements, establish a vulnerability handling process, prepare technical documentation and CE marking, and report actively exploited vulnerabilities to ENISA. Full obligations apply from 11 December 2027; vulnerability reporting starts 11 September 2027.

Country: France
Industry: Automotive & Mobility Tech
Regulation: Regulation (EU) 2024/2847
Supervision: ANSSI will act as the French CRA market-surveillance authority and is expected to produce sector guides building on its existing CSPN (Certification de Sécurité de Premier Niveau) and Common Criteria certification schemes

Cyber Resilience Act for product manufacturers and software developers
Regulation (EU) 2024/2847, Articles 3, 6, 13, 14 and Annex I

The CRA applies to manufacturers and importers of products with digital elements (hardware and software) sold or made available in the EU market. It requires essential cybersecurity requirements, CE marking, vulnerability handling throughout the product lifetime, and incident reporting to ENISA. Critical and important product categories face conformity assessment by notified bodies.

2027-12-11: Full CRA obligations for all products

All essential cybersecurity requirements, secure-by-design obligations, CE marking, and vulnerability management obligations apply from 11 December 2027.

Source: Regulation (EU) 2024/2847, Articles 3, 6, 13, 14 and Annex I

Automotive & Mobility Tech CRA checklist

Action checklist
Classify your product by CRA category

Determine whether your product is Default (most products), Important Class I (e.g. browsers, password managers, VPNs, network monitoring tools), Important Class II (firewalls, IDS/IPS, microprocessors), or Critical (HSMs, smart cards). Category determines conformity assessment route.

Articles 6, 7, Annex III, Annex IV

Apply Annex I essential cybersecurity requirements

Implement secure-by-default and secure-by-design: minimal attack surface, no default passwords, access control, encrypted communications, data minimisation, integrity protection, vulnerability remediation capability, and security update mechanism.

Article 13, Annex I Part I

Establish a vulnerability handling process

Document a coordinated vulnerability disclosure policy, a process to receive and assess security reports, a remediation and update release workflow, and a communication channel for security researchers.

Article 13, Annex I Part II

Prepare technical documentation and Declaration of Conformity

Compile technical documentation covering product design, risk assessment, essential requirements compliance evidence, test results, and instructions for users. Issue an EU Declaration of Conformity before affixing the CE mark.

Articles 26, 28, 32

Report actively exploited vulnerabilities and severe incidents

Notify ENISA (via national CSIRT) within 24 hours of becoming aware of an actively exploited vulnerability or severe incident. Provide early warning, followed by a full notification within 72 hours and a final report within 14 days.

Article 14

Plan security support lifecycle

Commit to a support period during which security updates will be released — minimum 5 years or the expected product lifetime, whichever is longer. Communicate the end-of-support date to users.

Articles 13(8), 13(9)

What is specific to France

ANSSI will act as the French CRA market-surveillance authority and is expected to produce sector guides building on its existing CSPN (Certification de Sécurité de Premier Niveau) and Common Criteria certification schemes. French manufacturers of Important Class I and II products may be able to leverage existing ANSSI certifications as CRA conformity assessment evidence. ANSSI has been active in ENISA's CRA working groups.

Priority actions for Automotive & Mobility Tech

  • Map connected vehicle components and charging hardware against CRA and WP.29 requirements
  • Leverage ISO/SAE 21434 (automotive cybersecurity engineering) as CRA compliance evidence
  • Define OTA software update capability and document it in the technical file
  • Establish a vulnerability disclosure policy aligned with ENISA and the automotive-sector CSIRT
  • Confirm type-approval scope: WP.29 R155/R156 compliance provides partial CRA equivalence for type-approved vehicles

Informational only. This page is not legal advice — consult qualified counsel for your specific situation. Last reviewed: .