CAN Networks Can Meet EU CRA Requirements, but Security Levels Matter

Control Design, Feb 17, 2026

Why It Matters

EU CRA creates a baseline cybersecurity mandate for CAN devices, forcing manufacturers to embed risk‑based controls or face market restrictions. Early alignment with SL 2‑3 standards reduces compliance costs and protects critical industrial networks.

Key Takeaways

  • CAN devices now subject to EU CRA compliance.
  • SL2 achievable with minimal effort; SL3 needs cryptography.
  • Security monitoring can replace cryptography for limited access.
  • Firmware updates and node authentication are core CRA requirements.
  • Exemptions include open-source, medical, automotive, and defense products.

Pulse Analysis

The European Union Cyber Resilience Act marks the first continent‑wide mandate that sets a minimum cybersecurity bar for any product containing digital elements, including CAN controllers and software stacks. While the regulation officially took effect in December 2024, its enforcement timeline stretches to December 2027, giving manufacturers a window to assess risk, select an appropriate IEC 62443 security level, and prepare for third‑party conformity assessments beginning June 2025. Understanding the CRA’s scope—excluding open‑source, medical, automotive, and defense‑specific items—is essential for supply‑chain planning and market entry strategies across the EU.

Security Level 2 (SL 2) is positioned as the baseline for most CAN networks, achievable through basic hardening measures such as password‑protected object dictionaries and secure firmware update mechanisms. For higher‑risk applications, SL 3 calls for cryptographic protection at the data‑link or application layer, which can be costly to implement on legacy hardware. CiA suggests that, where physical access is tightly controlled, continuous monitoring of traffic anomalies can satisfy CRA requirements without full‑blown encryption, aligning with IEC 62443’s defense‑in‑depth philosophy. This approach balances compliance costs with operational practicality, especially for industrial automation environments where gateway firewalls already limit external exposure.
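The compensating control described above, anomaly monitoring of CAN traffic in place of link-layer cryptography where physical access is controlled, is easiest to picture as a small allowlist-and-rate monitor. The following is an added example, not code from CiA, Control Design or any CANopen stack; the CANopen-style arbitration IDs, the per-ID policy (expected DLC and maximum frame rate) and the sample frames are all constructed for illustration.

```python
"""Allowlist-based CAN traffic anomaly monitor (added example; constructed data).

Assumed policy model (not from the article): each expected arbitration ID has an
expected data length (DLC) and a maximum number of frames per sliding 1-second
window. Anything outside that profile is raised as an alert for the SOC/PLC log.
"""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class IdPolicy:
    dlc: int          # expected data length of frames with this ID
    max_per_sec: int  # maximum frames allowed within any 1-second window


# Hypothetical profile for a one-master, one-node CANopen segment (constructed).
POLICY = {
    0x000: IdPolicy(dlc=2, max_per_sec=5),    # NMT command from the master
    0x181: IdPolicy(dlc=8, max_per_sec=120),  # TPDO1 from node 1
    0x601: IdPolicy(dlc=8, max_per_sec=20),   # SDO request to node 1
    0x701: IdPolicy(dlc=1, max_per_sec=2),    # heartbeat from node 1
}


class CanMonitor:
    """Keeps a per-ID sliding window of timestamps and emits alert tuples."""

    def __init__(self, policy, window_s=1.0):
        self.policy = policy
        self.window_s = window_s
        self.history = defaultdict(deque)  # can_id -> timestamps in the window
        self.alerts = []                   # (ts, can_id, kind, detail)

    def observe(self, ts, can_id, data):
        rule = self.policy.get(can_id)
        if rule is None:
            # An ID the profile does not know: unexpected node or injected frame.
            self.alerts.append((ts, can_id, "unknown-id", "ID not in profile"))
            return
        if len(data) != rule.dlc:
            self.alerts.append((ts, can_id, "dlc-mismatch",
                                f"DLC {len(data)} != expected {rule.dlc}"))
        # Slide the window forward and drop timestamps that fell out of it.
        window = self.history[can_id]
        window.append(ts)
        while window and ts - window[0] > self.window_s:
            window.popleft()
        if len(window) > rule.max_per_sec:
            # Flooding one ID is a classic availability/priority abuse pattern.
            self.alerts.append((ts, can_id, "rate-exceeded",
                                f"{len(window)} frames/s > {rule.max_per_sec}"))


# Constructed trace: (timestamp_s, arbitration_id, data_bytes).
SAMPLE_FRAMES = [
    (0.00, 0x701, bytes([0x05])),            # heartbeat: operational
    (0.10, 0x181, bytes(range(8))),          # TPDO1, normal
    (0.30, 0x181, bytes(range(8))),
    (0.50, 0x181, bytes(range(8))),
    (0.60, 0x7FF, bytes(8)),                 # ID absent from the profile
    *[(0.70 + i / 100, 0x000, bytes([0x01, 0x01]))  # burst of 6 NMT frames
      for i in range(6)],
    (1.00, 0x701, bytes([0x05, 0x00])),      # heartbeat with wrong DLC
]


def run_demo():
    """Feed the constructed trace through the monitor and return its alerts."""
    mon = CanMonitor(POLICY)
    for ts, can_id, data in SAMPLE_FRAMES:
        mon.observe(ts, can_id, data)
    return mon.alerts


if __name__ == "__main__":
    for ts, can_id, kind, detail in run_demo():
        print(f"t={ts:.2f}s id=0x{can_id:03X} {kind}: {detail}")
```

Against the constructed trace the monitor raises three alerts: the unknown ID 0x7FF, the sixth NMT frame inside one second, and the two-byte heartbeat. The value of this kind of check is that it needs no change to existing nodes, which is why the article positions it as the SL 2 option for segments that gateway firewalls already isolate; it does not authenticate the sender, so a well-formed frame from a physically attached device still passes, and that gap is what CANsec and the planned CANopen authentication signatures are meant to close.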

Looking ahead, the industry is preparing new security extensions like CANsec (CiA 613‑2) and integrating authentication signatures into upcoming CANopen CC/FD specifications. These developments aim to embed cryptographic identity checks and secure bootloader functions directly into the protocol, simplifying future CRA compliance. Manufacturers should therefore prioritize participation in CiA’s cybersecurity special interest groups, update their product roadmaps to include secure node authentication, and establish incident‑response processes ahead of the September 2026 reporting deadline. Proactive alignment not only avoids regulatory penalties but also strengthens the overall resilience of CAN‑based control systems in an increasingly threat‑rich landscape.
