Does my telematics hardware fall under the Cyber Resilience Act?
Adopted 2026-06-14 ยท ≈ 1 min read ยท 
edited by Dirk Baaijen
Yes. Telematics, trackers and IoT devices are products with digital elements and fall under the Cyber Resilience Act (Regulation (EU) 2024/2847). Full application applies from 11 December 2027.
Short answer: Yes. Telematics hardware qualifies as a product with digital elements and therefore falls under the Cyber Resilience Act (CRA), Regulation (EU) 2024/2847, which entered into force on 12 November 2024.
Why your hardware is covered
The CRA sets cybersecurity requirements for products with digital elements made available on the European market. This expressly includes devices such as telematics units, trackers and other IoT equipment. This type of hardware collects, processes or transmits data and is connected to a network or another device. As a result, nearly all modern telematics equipment in transport and logistics falls within scope. Whether you supply vehicle tracking, cargo monitoring or remote diagnostics, the regulation applies to the product itself.
What obligations apply
The CRA imposes obligations on manufacturers, importers and distributors. Manufacturers carry the heaviest burden. In concrete terms this includes:
- Secure-by-default: products are delivered in a secure configuration.
- Updates: security updates and vulnerability management throughout the support period.
- CE marking: the product demonstrates conformity with the requirements.
- Conformity assessment: depending on the product category, either self-assessed or via a notified body.
Importers and distributors must verify that manufacturers have met their obligations before placing the product on the market or reselling it.
Key dates
The obligations take effect in phases. Notification of conformity assessment bodies is possible from 11 June 2026. The reporting duty for actively exploited vulnerabilities and severe incidents, to be reported to ENISA and the CSIRT, applies from 11 September 2026. Full application of the regulation follows on 11 December 2027. From that point, all new telematics hardware you place on the EU market must comply with the CRA. Start mapping your product portfolio and chosen conformity route in good time.
Read the main file: Cyber Resilience Act and connected products. Or take the Transport & Logistics scan.
Sources
- https://eur-lex.europa.eu/eli/reg/2024/2847/oj
Regulation (EU) 2024/2847 (Cyber Resilience Act); full application 11 December 2027.
Read next
Cyber Resilience Act: what must I require from my suppliers?
Require suppliers of trackers, telematics and IoT to provide proof of CE marking, conformity assessment, secure-by-default configuration and update guarantees. Fix reporting duties and liability in your contracts before full application on 11 December 2027.
Cyber Resilience Act: which deadline applies when?
The CRA (Regulation (EU) 2024/2847) entered into force on 12 November 2024. Key dates: notification of conformity bodies 11 June 2026, reporting obligation 11 September 2026, full application 11 December 2027.
Cyber Resilience Act: security requirements for connected products
The Cyber Resilience Act (Regulation (EU) 2024/2847) sets EU-wide security requirements for products with digital elements โ from telematics to IoT sensors. Full application on 11 December 2027, reporting duties already from September 2026. What it means for transport and logistics.