Cyber Resilience Act: what must I require from my suppliers?
Require suppliers of trackers, telematics and IoT to provide proof of CE marking, conformity assessment, secure-by-default configuration and update guarantees. Fix reporting duties and liability in your contracts before full application on 11 December 2027.
Short answer: Require suppliers of products with digital elements (trackers, telematics, IoT) to comply with the Cyber Resilience Act: CE marking, a completed conformity assessment, secure-by-default configuration and update guarantees. Put this in your contracts.
The Cyber Resilience Act (Regulation (EU) 2024/2847) entered into force on 12 November 2024 and sets security requirements for products with digital elements. For transport and logistics companies this concerns the hardware and software you purchase: trackers, on-board computers, telematics units and other IoT equipment. The obligations rest with manufacturers, importers and distributors, but as a buyer you carry the risk if you deploy non-compliant products in your chain.
What to fix in your contracts
For every purchase of connected equipment, request proof of CE marking and a completed conformity assessment. Require a secure-by-default configuration: the product must be set up securely without manual intervention on your part. Stipulate that the supplier delivers security updates throughout the product's lifetime and remediates vulnerabilities in good time. Ask for technical documentation and, where applicable, an overview of software components.
Reporting duties and deadlines
From 11 September 2026 suppliers face a reporting duty for actively exploited vulnerabilities and severe incidents, which must be reported to ENISA and the CSIRT. Agree with your suppliers that they inform you without delay when a reported incident affects your equipment. Notification of conformity assessment bodies applies from 11 June 2026; the regulation applies in full from 11 December 2027.
A practical approach
Map which connected products you use and who supplies them. Build CRA requirements into your procurement terms and renewals. Start now, so your contracts are in order well before full application in 2027.
Sources
- https://eur-lex.europa.eu/eli/reg/2024/2847/oj
Regulation (EU) 2024/2847 (Cyber Resilience Act); full application 11 December 2027.