← Back to Blogtechnical

Patch Management Requirements Under the CRA

The CRA mandates security updates for at least five years and requires they be distributed without undue delay. This post covers the technical and organisational requirements for a compliant patch management programme.

CRAReady Team·

Patch Management Is a Legal Obligation

Under Annex I Part II of the CRA, manufacturers must:

  1. Address vulnerabilities without undue delay
  2. Provide security updates for at least five years (or product lifetime if shorter)
  3. Distribute updates in a timely manner — ideally through automatic mechanisms
  4. Inform users about available updates

These requirements collectively define a patch management programme that goes well beyond the informal "we'll fix it if it's serious" approach that many smaller manufacturers have historically taken.

"Without Undue Delay" — What Does It Mean?

The CRA does not define fixed remediation timelines. "Without undue delay" is a standard interpreted in light of circumstances — primarily the severity and exploitability of the vulnerability. Guidance from ENISA and national authorities is expected to define concrete timelines. Current industry best practice suggests:

  • Actively exploited vulnerabilities: patch within hours to days — Article 14 reporting triggers before the patch is ready; the patch must follow as quickly as possible
  • Critical (CVSS ≥ 9.0) / not yet exploited: 7–14 days
  • High (CVSS 7.0–8.9): 30 days
  • Medium (CVSS 4.0–6.9): 60–90 days
  • Low (CVSS < 4.0): next regular release

Automatic Update Requirements

Annex I requires updates to be delivered in a timely manner and — where technically feasible — automatically. For consumer-facing products, auto-update should be the default. For industrial and enterprise products, staged rollout with testing windows is acceptable but must still be prompt.

SBOM-Driven Patch Prioritisation

A comprehensive SBOM enables automated vulnerability detection: when a new CVE is published for a component in your SBOM, automated tooling can identify affected product versions, generate Jira tickets, and alert the responsible engineer. Without an SBOM, this process relies on manual monitoring — which is slower and less reliable.

Integrate SBOM-to-vulnerability matching into your CI/CD pipeline. Tools like Grype, OWASP Dependency-Check, and commercial alternatives can scan SBOMs against NVD, OSV, and EUVD continuously.

Supporting Multiple Product Versions

Most manufacturers have multiple product versions in active use simultaneously. A patch management programme must cover all supported versions, not just the latest. This requires:

  • Maintaining a clear product support matrix (which versions are supported, end-of-life dates)
  • A branching strategy that allows backporting security fixes to older supported versions
  • Automated testing of patches across supported versions
  • Clear communication to users about which versions receive security updates

End-of-Life Planning

The CRA requires manufacturers to communicate end-of-life dates. End-of-life planning should begin at product launch — not when you want to discontinue support. Users must have enough notice to transition to a supported product version.

Ready to assess your CRA compliance obligations?

Try the Free Applicability Checker