
Cyber Resilience Act FAQ: Support Period

Continuously updated questions and answers

Oct 7, 2025

The support period is hands-down the topic where manufacturers have the most questions. It was also one of the most controversial topics between EU member states and the EU Commission when the CRA was drafted, with opinions ranging from “5 years support” to “unlimited support” for all products. The compromise, of course, was an “it depends”. This could be one reason why the resulting support period concept as described in the CRA text is a bit complicated and leaves lots of room for interpretation. Let’s try to dissect what the facts are, what is open for interpretation, and what could be pragmatic ways to handle uncertainties.

I will continuously update this article with more questions. If you have a question, comment on this article or send it to me via LinkedIn. If you are looking for a more general primer on what the CRA is about, take a look at my 5-minute introduction.

Last updated: Oct 07, 2025

Support period definition

CRA Art. 3 (20): ‘support period’ means the period during which a manufacturer is required to ensure that vulnerabilities of a product with digital elements are handled effectively and in accordance with the essential cybersecurity requirements set out in Part II of Annex I;

Q1: What obligations do manufacturers have during the support period?

For the duration of the support period, manufacturers must make sure that vulnerabilities of the product are handled “effectively and in accordance with the essential cybersecurity requirements” (Art. 13 (8)).

More specifically, manufacturers must identify and evaluate vulnerabilities, and provide cybersecurity updates, security advisories, and updates to technical documentation including information and instructions to the user.

Cybersecurity updates must be provided

Security advisories must be provided

  • for products with digital elements (including all components)
  • for fixed vulnerabilities
  • free of charge
  • to the public (Annex I Part II (4)).

The technical documentation must be kept up to date during the support period (Art. 31 (2)). A likely candidate for an update is the risk assessment (Art. 13 (3)), which is part of the technical documentation, and can change in case new vulnerabilities become known. However, the technical documentation is not made available to customers or the public — only to notified bodies for third-party conformity assessments or market surveillance authorities upon request.

This is different for the information and instructions to the user, which are the primary source of product cybersecurity information for customers. This document must be provided

  • for products with digital elements (including all components)
  • free of charge
  • to customers.

Since the information and instructions to the user contain condensed information from the non-public technical documentation, including some information on cybersecurity risk, changes like newly known vulnerabilities can also require updates to the information and instructions to the user.

Q2: How is the length of the support period determined?

The support period is determined by manufacturers.

It must be no shorter than five years (with few exceptions) and it must realistically reflect the length of time during which the product is expected to be in use (Art. 13 (8)). This essentially leaves the decision to manufacturers, but the CRA at least provides some relevant criteria that should be taken into account:

  • reasonable user expectations
  • the nature of the product including its intended purpose and other applicable regulation
  • support periods for similar products
  • availability of the operating environment
  • support periods of integrated third-party components providing core functions
  • guidance from the dedicated administrative cooperation group (ADCO).

The challenge is that now literally every manufacturer is trying to determine reasonable support periods at the same time, eyeballing competitors. All manufacturers are torn between making too ambitious commitments and ending up with support periods strikingly shorter than everyone else, thus looking unprofessional. Especially in OT environments, where expected lifespans of 30 years or more are the norm, the span of thinkable support periods is huge.

This is where ADCO comes into play. ADCO is a group established specifically for the CRA, to ensure its uniform application (Art 52 (15)). It doesn’t take much guesswork to suspect that one challenge will be the uniform interpretation of support periods. Art 52 (16) states that ADCO will publish statistics for product categories including their average support periods as determined by manufacturers, and also guidance with “indicative support periods” for product categories.

The only remaining question is when this guidance will come out — before or after December 2027? This determines if manufacturers need to take a first shot “into the blue” on their own to estimate an appropriate support period duration for their product.

In any event, manufacturers must include relevant information taken into account to determine the support period in the technical documentation (Annex VII (4)) to ensure authorities can reproduce their line of argumentation.

Q3: When does the support period start?

The CRA always applies separately to each instance of a product placed on the market, never to types, batches, or series of products.

Consequently, the support period begins with the date each product instance is placed on the market (Art. 13 (8)). “Placing on the market” is defined in more detail in the Blue Guide, but to simplify things, one can think of placing on the market as the time the manufacturer signs a purchase contract — either directly with a customer or with a distributor.

This does raise some open questions for cases where end users buy from distributors, not the manufacturer: Suddenly, the date when the distributor has purchased the product matters for the end user because it determines how long the product is supported. In the worst case, end users could buy a product from a distributor that already is out of support.

In any event, the start (and end!) of the support period depends on when a product was purchased from the manufacturer. If I buy a product today, and you buy the same product a year later, you would get support for a year longer than me.

Q4: How can manufacturers plan end-of-support?

As we’ve learned in Q3, there is no fixed end-of-support date for a product in CRA, as the end of the support period depends on the date each product instance was placed on the market. In most cases, that means the date the product was purchased from the manufacturer.

From a manufacturer’s perspective, this means that a product must be supported (for free) for the duration of the support period after the last product instance was sold. If we assume a 5-year support period, that means that if manufacturers want to take a product out of support in 2040, they need to stop selling it in 2035.

However, there is an exception for software product versions, which I’ll address in Question Q7.

Q5: Can manufacturers set a fixed end-of-support date for their products?

As explained in Q3 and Q4, there is no fixed end-of-support date for a product in the CRA: the end of the support period depends on the date each product instance was placed on the market, which in most cases means the date the product was purchased from the manufacturer.

In reality, it probably isn’t practical for manufacturers to trace all the individual support periods for each product instance. If there is a vulnerability that requires fixing, it’s likely more economic to just make the fix available for free to all customers than to differentiate depending on the purchase date.

Also, end-of-support planning is a cornerstone of lifecycle planning for components. Continuously monitoring for vulnerabilities, assessing them, and providing free security updates consumes resources. Manufacturers want and need to plan ahead how long they invest into supporting products. For lifecycle planning, too, fixed end-of-support dates would simplify things.

One CRA-compliant way to define fixed end-of-support dates would be to voluntarily provide free “extended support” after the end of the official CRA support period until a fixed end-of-support date is reached. Products purchased earlier would get extended support for a longer timespan than products purchased later, and the last product instances wouldn’t get any extended support, just the official CRA support period. (I first saw this concept proposed by Steffen Zimmermann of VDMA.)

Q6: Can the support period for the same product vary during its lifecycle?

Another way to define a fixed end date for support periods would be to define varying support periods for the same product depending on the date it is placed on the market: If I purchase a product when it first comes out, I get 10 years of support, and if you purchase the same product 5 years later, you only get 5 years of support.

The CRA doesn’t say anything about varying support periods for the same product. In any event, manufacturers would need to argue the shorter support period in line with the criteria explained in Question Q2. If it can be reasonably argued that the product, if purchased later, is expected to be in use for a shorter timespan, one interpretation of the CRA text could be that in those cases defining a shorter support period is acceptable.

However, this is a grey area. Market surveillance authorities, and ultimately courts, will have to decide if varying support period lengths are acceptable practice.

Q7: For software, do manufacturers have to support all versions for the full duration of the support period?

Art. 13 (10) suggests that manufacturers may support only the latest version, provided that

  • they provide an option to upgrade to the latest software version at no extra cost
  • the upgrade doesn’t require adjustments to hardware or software environments.

See Recital 40 for more details and an example.

Q8: How do customers know when the support period ends?

The end of the support period (month and year) must be specified at the time of purchase on the product, its packaging, or by digital means (e.g., on a website). Also, where technically feasible, manufacturers must include a notification to users when the end of support is reached (Art. 13 (9)).

Since the end of support period depends on the date the manufacturer has placed the product on the market, the end of support could be more difficult to find in cases where customers purchase products from distributors — see Question Q3.

Q9: What if a product contains third-party / open source components with shorter support periods?

Under the CRA, manufacturers are responsible for the cybersecurity of their product as a whole, including any third-party and open source components. This includes the effective handling of vulnerabilities, including the provision of security updates for exploitable vulnerabilities, for the duration of the support period (Art. 13 (8)).

The fact that the component manufacturer probably won’t provide the necessary patch doesn’t release the product manufacturer from providing an update for their product; it shifts the responsibility fully to them (Art. 13 (6)).

How manufacturers live up to this responsibility is up to them. Options include

  • working with the component manufacturer to patch the vulnerability
  • making sure that they can patch or otherwise mitigate component vulnerabilities themselves
  • for open-source components: contributing to the open-source community to ensure a patch is being developed. In this case, manufacturers.

In addition, the CRA obliges manufacturers to share any security updates they may create for third-party components with the person or entity responsible for the component (Art. 13 (6)).

Updates to the FAQ are shared in my monthly “Security Briefing for Hard Hats”. You can subscribe here (German) or (English coming soon).

Written by Sarah Fluchs

Friction generates heat — true for writing and engineering. Fluchsfriction generates writings on security engineering. Heated debates welcome! CTO@admeritia