Trusq

factual analysis · traceable to primary sources

Explainer

Cyber Resilience Act: what must I require from my suppliers?

Adopted 2026-06-14 · ≈ 1 min read · Dirk Baaijen

Require suppliers of trackers, telematics and IoT to provide proof of CE marking, conformity assessment, secure-by-default configuration and update guarantees. Fix reporting duties and liability in your contracts before full application on 11 December 2027.

Short answer: Require suppliers of products with digital elements (trackers, telematics, IoT) to comply with the Cyber Resilience Act: CE marking, a completed conformity assessment, secure-by-default configuration and update guarantees. Put this in your contracts.

The Cyber Resilience Act (Regulation (EU) 2024/2847) entered into force on 12 November 2024 and sets security requirements for products with digital elements. For transport and logistics companies this concerns the hardware and software you purchase: trackers, on-board computers, telematics units and other IoT equipment. The obligations rest with manufacturers, importers and distributors, but as a buyer you carry the risk if you deploy non-compliant products in your chain.

What to fix in your contracts

For every purchase of connected equipment, request proof of CE marking and a completed conformity assessment. Require a secure-by-default configuration: the product must be set up securely without manual intervention on your part. Stipulate that the supplier delivers security updates throughout the product's lifetime and remediates vulnerabilities in good time. Ask for technical documentation and, where applicable, an overview of software components.

Reporting duties and deadlines

From 11 September 2026 suppliers face a reporting duty for actively exploited vulnerabilities and severe incidents, to be reported to ENISA and the CSIRT. Agree with your suppliers that they inform you without delay when a reported incident affects your equipment. The notification of conformity assessment bodies runs from 11 June 2026; the regulation applies in full from 11 December 2027.

A practical approach

Map which connected products you use and who supplies them. Build CRA requirements into your procurement terms and renewals. Start now, so your contracts are in order well before full application in 2027.


Sources

  1. https://eur-lex.europa.eu/eli/reg/2024/2847/oj
    Regulation (EU) 2024/2847 (Cyber Resilience Act); full application 11 December 2027.


About this knowledge base

Compiled and maintained by YRproject (programme and project direction at the intersection of digital transformation, AI and regulation). Every factual claim is traceable to its primary source. YRproject is led by Dirk Baaijen.
