EU Cyber Resilience Act (CRA) – Security Patch Provision Duration

Summary

Under Article 13 of the EU Cyber Resilience Act (CRA), manufacturers must provide security patches for their software products for a minimum of five years, or for the expected lifetime of the product if it is less than five years. Longer support periods may be required for products expected to be in use for more than five years.

Relevant CRA Provisions

Detailed Explanation

Article 13 of the Cyber Resilience Act mandates that manufacturers of products with digital elements must ensure the effective handling of vulnerabilities for a defined support period. This period is generally no less than five years, unless the product’s expected lifetime is shorter. For products expected to be in use beyond five years, manufacturers must ensure longer support periods. The support period should reflect reasonable user expectations, the nature of the product, and relevant Union law. Manufacturers must also identify and document vulnerabilities, provide security updates, and share information about fixed vulnerabilities. Security updates must be provided free of charge and, where technically feasible, separately from functionality updates.

Obligations for Stakeholders

Manufacturers: Must determine and adhere to a support period for security patches, provide security updates free of charge, and ensure that updates are available without delay. They should also facilitate the reporting of vulnerabilities and maintain a policy on coordinated vulnerability disclosure.