CRA & ISO 21434:Cybersecurity Is Already a Regulatory Reality
For vehicle manufacturers and suppliers, cybersecurity is already a regulatory reality — not a future concern. Cyberattacks on connected vehicles rose 225% between 2018 and 2021. Since July 2024, UNECE R155 is mandatory for new vehicle homologation across Europe. And starting in 2026, incident response and vulnerability analysis processes must already be documented. The CRA is not optional: it impacts both type approval and day-to-day business operations right now.
On 26 February 2026, OTC Engineering delivered the first session of a new training cycle organised by Light Mobility Cluster, bringing together cluster members to address the growing regulatory pressure around product cybersecurity. The core message was clear: ISO 21434 is not only a technical standard — it involves management, processes, roles, and documentation across the entire project lifecycle. And OTC Engineering's methodology bridges it directly with CRA requirements.
Why cybersecurity is already a regulatory reality for your products
The session was structured around the complementary expertise of three organisations, each addressing a distinct phase of the compliance journey. Together, OTC Engineering, DEKRA, and Applus+ IDIADA covered the full arc — from design and methodology, through testing and validation, to certification and conformity.
OTC Engineering's contribution centred on mapping the CRA's requirements across the product lifecycle and presenting a methodological approach to integrating cybersecurity from the earliest stages of design — well before a product reaches market.
CRA, ISO 21434 & UNECE R155: aligning your compliance strategy
A central theme of the session was the relationship between the CRA and international standards already familiar to the automotive sector. The training explored how the CRA's obligations can be aligned — and in many cases, integrated — with ISO 21434, the standard governing cybersecurity engineering in road vehicles, and with UNECE Regulation No. 155, which establishes type-approval requirements for cybersecurity management systems.
The numbers are unambiguous
Over 90% of OEMs already require suppliers to comply with ISO 21434 and demonstrate a documented TARA before SOP. Non-compliance with UNECE R155 can result in fines exceeding €30 million. And the automotive cybersecurity market is projected to grow from $2.4B in 2021 to over $10B by 2030 — making this both a regulatory and a business imperative. As PwC's Global Automotive Survey found, 65% of automotive companies now treat cybersecurity as a strategic priority, not a technical one.
How the session was structured
OTC Engineering — Regulatory framework & ISO 21434 methodology
Presentation of the CRA and UNECE R155 regulatory landscape, and how OTC Engineering applies ISO 21434 frameworks to implement CRA requirements — enabling them to serve both clients that need CRA compliance and clients in the broader mobility sector.
DEKRA — Testing & validation
An overview of the technical evaluation processes required to demonstrate security properties in digital products, including test methodologies aligned with CRA requirements.
Applus+ IDIADA — Certification & conformity
The role of conformity assessment bodies, certification pathways, and the practical steps manufacturers must take to demonstrate regulatory compliance before placing products on the European market.
Three sessions to turn regulatory reality into readiness
This session is the first in a cycle of three training workshops that will progressively deepen the sector's understanding of cybersecurity applied to light mobility. Each session will build on the previous one, taking companies from regulatory awareness through to technical implementation and conformity readiness.
The goal is to help companies anticipate the incoming requirements — not react to them — and strengthen the security of their products for the benefit of end users and the long-term resilience of the sector as a whole.
