ETG: EtherCAT meets Cyber Resilience Act requirements

EtherCAT Technology Group and TÜV SÜD working on cyber assessment report
Dec. 15, 2025

EtherCAT has met the EU Cyber Resilience Act (CRA) requirements for Security Level 2 without modification, according to the EtherCAT Technology Group (ETG). Extensions are currently being prepared for particularly demanding applications and TÜV SÜD is working with the ETG on a corresponding assessment report.

Cybersecurity and cyber resilience are becoming increasingly vital: new legislation emerging around the world requires appropriate risk assessments and proof of suitable countermeasures. Manufacturers are required to provide reliable statements about the cyber resilience of their products.

EtherCAT is the Ethernet fieldbus: based on Ethernet, but with the simplicity of fieldbuses and without relying on IT technologies. Common IT cybersecurity measures from the office world are therefore not necessary.

The special functional principle of EtherCAT—the processing of Ethernet frames on the fly using special EtherCAT chips—ensures the exceptionally high performance of the technology and its resilience to cyberattacks. This is supported by the system architecture, which provides a complete separation of the EtherCAT segment from an IT network: the separation significantly reduces the attack surface. The controller itself must, of course, be protected accordingly: then EtherCAT cannot be attacked from the outside.

An attack would require physical access to the EtherCAT segment. The EtherCAT device protocol also uses the Ethernet frame directly, rather than via the Internet Protocol (IP), while virtually all malware is based on IP because it needs IP for routing.

The EtherCAT chips destroy all Ethernet frames that are not native to EtherCAT. EtherCAT devices inherently cannot manipulate data that is not intended for them—even compromised firmware cannot change this. The controller can also detect additional devices that have been inserted, even if they are not EtherCAT devices.

Martin Rostan, executive director of the EtherCAT Technology Group, added: “We are therefore convinced that EtherCAT already meets the requirements of the IEC 62443 standard and the CRA requirements for common applications without the need for changes or extensions to the protocol.”

IEC 62443 defines measures and processes for the cybersecurity of industrial control systems and forms the basis for the corresponding standards of the European Cyber Resilience Act. For applications with exceptionally high security requirements, the ETG is working on protocol extensions that can be activated as needed and do not require hardware changes. Additionally, the ETG is preparing its own certification authority (CA) so that ETG members can easily and uniformly sign and authenticate EtherCAT device description files and software.

Therefore, EtherCAT meets the requirements of the Cyber Resilience Act without any changes to the technology, with compatible extensions in preparation for special requirements. TÜV SÜD is working on a test report on the cyber resilience of EtherCAT in accordance with IEC 62443. TÜV SÜD agrees with the ETG's principal findings, although the final assessment report is still pending.
