
EU Cyber Act: Nordic Car OEMs Face 2027 Deadline

By Leon Kalema

The CRA adds new cybersecurity requirements on top of UN R155. Nordic automotive suppliers have until late 2027 to comply or face fines up to 15 million euros.


This opinion piece represents the views of the author(s) only and does not necessarily reflect the editorial position of Nordics Today.


The EU Cyber Resilience Act enters force in late 2024. Full compliance is required by late 2027. For Nordic automotive OEMs and suppliers, this law creates new obligations that go beyond existing UN R155 and ISO 21434 requirements.

Many automotive companies believe UN R155 covers their cybersecurity needs. It does not. The CRA targets products with digital elements sold in the EU market. Vehicles contain dozens of such products. ECUs, telematics units, infotainment systems, and sensors all fall under CRA scope.

What the CRA Requires

The law mandates security throughout the product lifecycle. Manufacturers must document vulnerabilities, provide security updates, and report incidents within 24 hours. Products must carry CE marking that confirms compliance.

For automotive suppliers, three requirements stand out:

  1. Software Bill of Materials (SBOM) for every product
  2. Vulnerability handling and disclosure processes
  3. Security updates for the expected product lifetime

A Tier 1 supplier selling an ECU to Volvo or Scania must now prove CRA compliance. The OEM cannot simply absorb this responsibility.

The Timeline Problem

Vehicle development cycles run 3 to 5 years. A program starting today will launch products in 2028 or 2029. The CRA compliance deadline is December 2027. This means current development programs must already include CRA requirements.

Volvo Cars has stated publicly that suppliers must demonstrate CRA readiness. Scania and other commercial vehicle makers follow similar policies. Contracts signed in 2025 will reference CRA obligations.

Where UN R155 Falls Short

UN R155 requires a Cybersecurity Management System at the organizational level. The CRA requires product-level compliance. A company can hold UN R155 type approval and still fail CRA requirements.

Consider an example. A Swedish supplier makes brake control units. It achieved UN R155 compliance through its OEM customer. The CRA now requires the supplier to maintain its own vulnerability database, issue security patches, and report exploits to authorities. These are new obligations.

The Cost of Non-Compliance

CRA fines reach 15 million euros or 2.5 percent of global turnover, whichever is higher. For a medium-sized Nordic supplier with 200 million euros in revenue, the maximum fine is 5 million euros. Product recalls add further costs.

Market access is the larger risk. Non-compliant products cannot carry CE marking. Without CE marking, products cannot be sold in the EU. An ECU supplier that misses the deadline loses access to every European OEM.

Practical Steps for 2025

Nordic suppliers should take four actions this year:

  1. Audit current products against CRA requirements
  2. Establish vulnerability handling procedures if none exist
  3. Create SBOM generation capabilities in the development process
  4. Review supplier contracts for CRA flow-down clauses

The gap between UN R155 compliance and CRA compliance is smaller for companies with mature security programs. Those starting from scratch face 18 to 24 months of work.

The AI Complication

The CRA includes specific provisions for AI systems. Vehicles increasingly use AI for perception, prediction, and control. An AI-based parking system or driver monitoring camera falls under both the CRA and the EU AI Act.

Nordic OEMs building AI into vehicles must address both regulations. The compliance burden multiplies. Security testing, documentation, and update procedures become more complex.

What Happens Next

The European Commission will publish implementing acts throughout 2025. These acts clarify technical requirements and conformity assessment procedures. Automotive-specific guidance may follow.

Companies waiting for perfect clarity will run out of time. The core requirements are set. Product security by design, vulnerability management, and incident reporting are not negotiable.

Nordic automotive suppliers built strong positions in electric vehicles and autonomous driving. Maintaining that position requires CRA compliance. The December 2027 deadline is closer than most product roadmaps suggest.


About the Author

Leon Kalema

Automotive Cybersecurity Consultant, Leon Secure

Leon Kalema secures vehicles for Nordic OEMs. He helps automotive companies achieve ISO 21434 compliance, UN R155 certification, and EU Cyber Resilience Act compliance. Based in Stockholm, he works at InMotion and has experience with Scania and Nordic suppliers.

Published: December 10, 2025

Tags: EU Cyber Resilience Act, CRA, UN R155, Nordic automotive, cybersecurity, Volvo, Scania, automotive compliance