CiA BoD Issues Statement on EU CRA

By Kaija Wilkinson | Daily News | February 17, 2026

1 min to read

Image courtesy of ARC Advisory Group

The Board of Directors (BoD) of the nonprofit Nuremberg, Germany-based CAN in Automation (CiA) association on February 12 issued a statement on the EU Cyber Resilience Act (CRA) and its impact on CAN networks including CANopen, the CAN communication platform for elevator control systems. The statement said “products using CAN and placed on the EU market fall under EU CRA unless the relevant cybersecurity aspects are covered by application-specific EU legislation. In most cases, the required risk assessment may be a self-assessment, unless the product is considered critical (as defined in CRA Annex III).” The BoD said it remains to be seen which future standards best reflect EU CRA requirements. For now, suppliers of CAN-connectible devices are asked by their customers to comply with a dedicated security level (SL) as defined in the IEC 62443 series of standards (security for industrial automation and control systems). Standardized higher-layer protocols such as CANopen do not provide intrinsic cybersecurity measures, but such measures can be added depending on the required SL.

Shares