
Go Beyond CRA: Why Forward-Thinking OEMs Aim Higher

CRA is the baseline—but many forward-looking manufacturers aren’t stopping there. In this clip, Dario Lobozzo, GM of EMEA at Finite State, explains why OEMs in industries like automotive and medical devices are choosing to align with more stringent cybersecurity standards like UN R155 or MDR—even when not strictly required. The reasoning? Standards tend to evolve, and the effort to meet them today builds resilience for tomorrow.

October 14, 2025 • 1:58

Transcript

CRA is kind of an overarching regulation. But within it, there are carve-outs for automotive and for medical device and for radio equipment devices, et cetera. So one thing that we're seeing is folks like OEMs in the automotive industry who are not applicable to something like a 21434 or an R155, but they are still within CRA. So for them, since those automotive cybersecurity standards are actually a bit more stringent than CRA, and since they are in the automotive vertical, and since standards do tend to evolve to become more and more stringent over time, what we're seeing people do is a lot of what we saw in the OT security world where I'm an automotive manufacturer and OEM and maybe I'm in heavy machinery or trucking or something like that, that doesn't fall into the existing European automotive regulatory standards. But I'm gonna adhere to them anyway because I assume that one day they will. And it's better for me if I just meet those standards and then hand that report to CRA as opposed to just meeting the CRA standards. Because there's quite a lot of overlap already. So, I may as well just go the extra mile now while I'm hiring this compliance team, I'm getting all of these ducks in a row across all the silos in my organization. I should just aim beyond CRA and go to the standard that matches my industry. So maybe it's MDR from the medical device manufacturer, but I still fall outside of the scope for whatever reason, or one of those automotive things, or one of those automotive regulatory standards, or one of those automotive regulations.