
The CRA Support Period: The Five-Year Security Update Rule Explained

The CRA obliges manufacturers to support products with security updates for a defined period — at least five years for most. Here is how the support period, update availability, and record retention interact.

CRAReady Team

Security Support Is Now a Legal Obligation

One of the most operationally significant CRA requirements is the duty to provide security updates. Manufacturers can no longer ship a product and walk away. For the length of the support period, they must handle vulnerabilities and make security updates available to users.

Getting the support period right affects engineering roadmaps, end-of-life planning, and — because it must be communicated to buyers — sales and marketing.

How Long Is the Support Period?

The manufacturer determines the support period based on how long the product is reasonably expected to be in use. But the CRA sets a floor: the support period must be at least five years, unless the product is genuinely expected to be in use for a shorter time. For products with a longer expected lifespan — much industrial and infrastructure equipment — the support period should reflect that longer life, not default to the five-year minimum.

Crucially, the support period must be stated to the buyer at the point of purchase. "How long will this receive security updates?" is now a question every purchaser can ask and every manufacturer must answer up front.

What You Must Do During the Support Period

Throughout the support period the manufacturer must:

  • Handle vulnerabilities in line with the Annex I Part II vulnerability-handling requirements
  • Provide security updates that fix or mitigate vulnerabilities, without undue delay
  • Make updates available free of charge and, where feasible, with advisory notices explaining them
  • Continue to operate the coordinated vulnerability disclosure process

Security updates should, wherever possible, be provided separately from feature updates, so users can apply a security fix without being forced to accept unrelated functional changes.

The Availability Rule: Updates Must Outlast the Support Period

A subtle but important point: fixing a vulnerability is not enough — the update has to remain available to users for long enough to actually deploy it. The manufacturer must keep security updates available for at least ten years after the update has been issued, or for the remainder of the support period, whichever is longer.

In practice this means your update distribution infrastructure — download servers, package repositories, firmware endpoints — must remain operational well beyond the point at which you stop actively developing the product.

Record Retention: Ten Years

Distinct from the support period, the CRA requires manufacturers to keep the technical documentation and the EU Declaration of Conformity for at least ten years after the product was placed on the market (or for the support period, if longer). These records are what a market surveillance authority will request to verify compliance — and an incomplete or missing file is itself non-compliance, independent of the product's actual security.

A Quick Reference

Obligation                                  | Minimum duration
--------------------------------------------|-----------------------------------------------------------------------
Support period (security updates provided)  | 5 years (or expected product life, if longer)
Update availability after issuance          | 10 years, or remainder of support period, whichever is longer
Technical file & DoC retention              | 10 years after placing on market, or support period, whichever is longer

Planning for It

The five-year floor sounds generous until you map it against a product portfolio with staggered release dates. Every version you ship starts its own clock. Practical steps:

  1. Decide and document a support period per product line, justified by expected use.
  2. Publish it to buyers — in documentation, on the product page, and in the DoC.
  3. Ensure your update-delivery infrastructure is budgeted to run for the full availability window.
  4. Track support-period expiry dates centrally so end-of-life is a planned, communicated event — not a silent lapse that leaves you non-compliant while the product is still in customers' hands.
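The three clocks described above, as an added example that is not CRAReady's own tooling: a small Python model that computes, for each shipped version, when the support period, the update-availability window and the record-retention period end, and which obligations are still live on a given day. Product names, dates and the year-arithmetic helper are constructed assumptions; the five- and ten-year figures are the minimums stated in this post.

```python
from dataclasses import dataclass, field
from datetime import date

MIN_SUPPORT_YEARS = 5     # CRA floor for the support period
AVAILABILITY_YEARS = 10   # an issued update stays available at least this long
RETENTION_YEARS = 10      # technical file and DoC retention after placing on market

def add_years(d: date, years: int) -> date:  # 29 Feb rolls back to 28 Feb
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)

@dataclass
class ProductVersion:
    name: str
    placed_on_market: date
    expected_life_years: int
    short_life_justified: bool = False  # only a documented shorter expected use undercuts the floor
    update_issue_dates: list = field(default_factory=list)

    def support_end(self) -> date:
        years = (self.expected_life_years if self.short_life_justified
                 else max(MIN_SUPPORT_YEARS, self.expected_life_years))
        return add_years(self.placed_on_market, years)

    def retention_end(self) -> date:
        # 10 years after placing on market, or the support period, whichever is longer
        return max(add_years(self.placed_on_market, RETENTION_YEARS), self.support_end())

    def availability_end(self, issued: date) -> date:
        # 10 years after issuance, or the remainder of the support period, whichever is longer
        return max(add_years(issued, AVAILABILITY_YEARS), self.support_end())

    def infrastructure_end(self) -> date:
        # distribution infrastructure must stay up until the last issued update's window closes
        ends = [self.availability_end(d) for d in self.update_issue_dates]
        return max(ends, default=self.support_end())

def obligations_on(p: ProductVersion, today: date) -> dict:
    # which obligations are still active for this version on a given day
    return {"provide_updates": today <= p.support_end(),
            "keep_updates_available": today <= p.infrastructure_end(),
            "retain_records": today <= p.retention_end()}

# Constructed sample portfolio (not real products): same release day, very different clocks
PORTFOLIO = [
    ProductVersion("gateway-v1", date(2027, 3, 1), 3, update_issue_dates=[date(2031, 12, 1)]),
    ProductVersion("plc-v2", date(2027, 3, 1), 15, update_issue_dates=[date(2028, 1, 1)]),
]
```

Note that a late security update on a short-lived product (gateway-v1) keeps the download infrastructure obligated almost a decade past the end of the support period, while for the long-lived product (plc-v2) the support period itself is the binding clock.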
