Autonomous trucks and the systems they are a part of depend on secure software throughout their lifecycle. As the EU raises its expectations on cybersecurity, the industry must take greater responsibility for how connected products are built, maintained, and protected. At Volvo Autonomous Solutions, we welcome this shift, as it is essential to safe, reliable, and trusted autonomous transport.
The Cyber Resilience Act (CRA) is the EU’s new framework for improving the cybersecurity of connected products. It entered into force in December 2024 and will be phased in over the coming years. Reporting obligations for actively exploited vulnerabilities and serious security incidents will apply from September 2026, while the main product requirements apply from December 2027. Compliance will be linked to CE marking, and national market surveillance authorities will be responsible for enforcing the rules.
The CRA was introduced to address the fact that products that rely on software, connectivity, and continuous updates can create cybersecurity risks long after they have entered the market. It therefore places clearer responsibilities on manufacturers to design products securely, manage vulnerabilities, provide security updates, and respond quickly when serious issues are discovered.
In practice, this means that cybersecurity becomes part of how connected products are designed, released, maintained, and eventually phased out. Manufacturers need to understand what software is included in their products, manage risks in third-party components, provide users with clear support information, and be able to show that vulnerabilities are handled in a structured way.
For companies working with autonomous transport, this is highly relevant. Autonomous operations depend on more than the vehicle itself. They rely on a wider system of software, sensors, connectivity, control functions, and update processes that must work together safely and reliably in demanding environments. Even when the base vehicle falls under existing automotive type-approval rules, the autonomous system around it brings additional cybersecurity responsibilities into focus.
Cybersecurity in autonomous transport is not only about protecting data or preventing digital disruption. Weaknesses in software, configuration, or update processes can affect operations, equipment, and the safety of people working around the system. As these systems become more capable and more widely deployed, customers will expect clear assurance that they are secure by design, properly maintained, and supported throughout their lifecycle.
At Volvo Autonomous Solutions, we see the CRA as a step in the right direction. It promotes a more consistent approach and a stronger baseline for cybersecurity across the industry.
The CRA introduces cybersecurity requirements for products with digital elements placed on the EU market. In practice, it raises expectations for how these products are designed, developed, monitored, and maintained once they are in use. Manufacturers will need to build security into their products from the start, manage vulnerabilities throughout the product lifecycle, and report serious incidents and exploited vulnerabilities within defined timeframes.
This represents a broader shift in how cybersecurity is treated. It is no longer enough to address security mainly during development. Manufacturers must continue to understand product risks, monitor vulnerabilities, and provide support after the product has entered the market.
For customers and consumers, this means greater clarity and stronger long-term protection. For manufacturers, it raises the standard for product governance, lifecycle management, and technical supervision, meaning that they cannot treat cybersecurity as a one-off development point. Poor readiness can lead to compliance gaps, delayed product updates, and reduced customer confidence. It can also carry regulatory consequences, including administrative fines and, in serious cases, restrictions on whether products can remain available in the EU market.
Autonomous transport systems combine hardware, software, sensors, and connectivity in environments where reliability is critical. They are data-driven, continuously updated, and expected to perform safely over long periods of time.
When a type-approved truck is combined with an autonomous driving system, the regulatory picture becomes more complex. Type approval is the framework used to confirm that a vehicle meets the applicable road-vehicle requirements before it can be put into service. It is the regulatory route for the base truck as a vehicle.
CE marking serves a different purpose. It is used for many types of products, ranging from laptops to machines, to show that they meet applicable EU requirements, including requirements related to safety, health, and cybersecurity. Under the CRA, CE marking will also be used to show that products with digital elements meet the CRA’s cybersecurity requirements.
This distinction matters for autonomous transport because the base truck and the virtual driver do not follow the same regulatory route. The base truck remains regulated through the automotive type-approval framework, while the autonomous driving capability may fall within the CE-marking framework and therefore bring CRA requirements into focus.
Even though this creates a hybrid regulatory landscape for autonomous operations, cybersecurity has always been closely tied to operational performance in autonomous transport. A well-protected system supports uptime, reliability, and confidence in daily operations. Above all, it supports safety.
That responsibility does not end when the system is deployed. Autonomous transport systems need to be monitored, updated, and supported throughout their lifecycle so that vulnerabilities can be identified and addressed as threats evolve. For customers and consumers, this provides greater confidence that the system will remain secure and reliable over time. For people working around autonomous vehicles, it helps support a safer working environment, as weaknesses in software can affect not only digital security but also equipment, operations, and the safety of people working around the system.
One of the most important practical effects of the CRA is the need for better visibility into the software used in connected products. Modern software is rarely built from scratch. Instead, it often relies on third-party libraries, open-source components, and reused code that helps speed up development. But these dependencies can also introduce vulnerabilities that are difficult to detect without a clear view of what is included in the product.
For autonomous transport systems, this visibility is especially important because software supports functions that are directly tied to vehicle behavior and operational performance.
A more disciplined approach starts with knowing what software is installed, which external components it relies on, and where vulnerabilities may exist. Under the CRA, this becomes more than good practice. Manufacturers will need to show that they understand the software in their products, can identify and assess vulnerabilities, and have processes in place to address them throughout the product’s lifecycle. Without that visibility, it becomes much harder to prioritize risk, provide timely updates, and demonstrate that the product is being maintained in line with regulatory expectations.
The main CRA obligations apply from December 2027, but the work required to meet them cannot be left until then. Building software traceability, vulnerability management, documentation, and update processes takes time, especially for complex systems with long development cycles and lifetimes.
The CRA is not only a technical regulation. It also tests how well an organization can manage cybersecurity as a lifecycle responsibility. Meeting the requirements will depend on more than secure code or individual security controls. Companies will need clear ownership, repeatable processes, and close collaboration between teams.
For autonomous transport, this is especially important. Deploying type-approved trucks together with autonomous driving technology creates a regulatory and operational environment where engineering, safety, security, and compliance teams must work closely together. Cybersecurity decisions need to be connected to product development, safety assessments, and long-term customer support.
This is where many companies may feel the real impact of the CRA. The challenge is not simply to demonstrate compliance at a single point in time, but to build ways of working that make cybersecurity traceable, repeatable, and embedded throughout the product lifecycle.
For customers, the long-term value is clear. The CRA supports more secure products and more structured maintenance over time.
That includes stronger attention to vulnerabilities, clearer support expectations, and an industry-wide move toward better lifecycle management. There is also value in the broader market effect. When expectations rise across the industry, suppliers and manufacturers alike will have to strengthen their cybersecurity practices, helping to create a more resilient ecosystem for everyone.
The CRA will require effort across the market and will ask more from manufacturers and suppliers. At the same time, it supports an important shift in how connected products are built and maintained.
For Volvo Autonomous Solutions, the CRA reinforces an approach that is already central to how we develop autonomous transport systems: responsibly, systematically, and with long-term support in mind. As regulation develops, customers will need partners who understand not only the technology, but also the complex patchwork of safety, cybersecurity, vehicle, machinery, and product regulations that apply across Europe.
Autonomous transport is a long-term commitment, and choosing a partner with the ability to manage cybersecurity, regulatory requirements, and product support over time will become increasingly important as connected and autonomous systems scale.