Annex II User Information Requirements
Annex II of the EU Cyber Resilience Act specifies the information that manufacturers must provide to users alongside their products. This includes security-relevant details such as the product's unique identifier, known vulnerabilities, the support period, and contact details for reporting security issues.
What Annex II Requires
Annex II of the Cyber Resilience Act sets out the information that manufacturers must provide with their products. Unlike Annex I (which specifies technical security requirements) or Annex VII (which specifies documentation for regulators), Annex II is consumer-facing. Required information includes: the name, registered trade name or trademark, and postal address of the manufacturer; the product's unique product identifier (typically a model number or version); any intended purpose and conditions of use that affect security; known vulnerabilities at the time of placing on the market; the expected support period; the address where security-related information can be found; instructions for secure configuration; and information on how to report vulnerabilities. This information must be clear, understandable, and accessible.
The Support Period Disclosure Requirement
One of the most commercially significant Annex II requirements is the obligation to disclose the product's support period — the duration for which the manufacturer will provide security updates. This must be stated clearly to users at or before the point of sale. The CRA does not prescribe a minimum support period but requires that manufacturers provide one commensurate with the product's expected use. Products sold with short or no stated support periods face competitive disadvantage as users increasingly demand long-term security commitments. The disclosed support period creates a legal obligation: once stated, manufacturers must actually provide security updates throughout that period or face non-compliance. For consumer IoT devices, a minimum five-year support period is widely recommended by regulators and standards bodies.
Security Contact and Vulnerability Reporting Information
Annex II requires manufacturers to provide users with a contact point for security-related issues, including vulnerability reporting. This operationalises the broader CVD requirement of Article 13(6) by making the reporting channel publicly visible and easily discoverable at the product level — not just buried in a policy document. In practice, manufacturers typically fulfil this by: including a security contact email or URL in the product's user documentation; publishing a security.txt file at the product's associated website; and referencing the vulnerability reporting channel in the product's settings interface where feasible. The contact details must remain valid and monitored throughout the entire support period.
How to Implement Annex II Compliance
Manufacturers should integrate Annex II disclosure requirements into their standard product documentation workflow. Key implementation steps:
- Pre-launch: Ensure product documentation, packaging, and the product's associated web presence include all required Annex II information before the product is placed on the market.
- Version control: The unique product identifier must allow users and regulators to identify the specific version they are assessing. This is critical for vulnerability correlation.
- Support period commitment: Define and document the support period during product planning, not as an afterthought. It affects resource planning, pricing, and legal exposure.
- Security page maintenance: Maintain a dedicated security page at a stable URL where vulnerability reporting instructions, security advisories, and update information are published throughout the product lifecycle.
Frequently asked
Where exactly must Annex II information be provided — in the box, online, or both?
The CRA requires that Annex II information accompany the product when placed on the market. For physical products, this typically means the product packaging or included documentation. For software products distributed digitally, information must be provided before the user commits to the acquisition (e.g., on the product listing page or in the download interface). Information that changes over time — such as security contact details — may be provided online, but the product documentation must reference where to find it.
What is a 'unique product identifier' for CRA purposes?
A unique product identifier enables users, market surveillance authorities, and vulnerability databases to precisely identify the specific product model and version. This typically means a model number, hardware version, and firmware or software version string. The identifier should be stable enough to be used in CVE and CSAF records — security advisories need to reference the exact affected product versions for Annex II purposes. Manufacturers should consider using established identifier schemes such as CPE (Common Platform Enumeration) or PURL.
If a vulnerability is discovered after the product is placed on the market, does Annex II require updating users?
Annex II requires disclosure of vulnerabilities known at the time of placing on the market. For post-market vulnerabilities, the CRA's Article 13 obligations apply — manufacturers must provide security updates and publish security advisories. The Annex II information document itself may not need to be physically updated, but the associated online security information (security advisories page, security.txt) must be kept current throughout the support period.
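The security.txt file mentioned above (under the reporting-contact requirement and in the last two answers) is the one Annex II artefact that is also machine-readable, so it is worth showing concretely. The script below is an added example, not code from this page or from any vendor: it renders an RFC 9116 security.txt for a product, keeps the mandatory Expires field inside the disclosed support period, and runs the checks a compliance review would apply. The product identifier (PURL-style), URLs and dates are constructed sample values.

```python
"""Build and validate an RFC 9116 security.txt for a CRA Annex II product.

Added example; field names follow RFC 9116, all product values are constructed.
"""
from datetime import datetime, timedelta, timezone


def utc(year: int, month: int, day: int) -> datetime:
    """Small helper so dates can be written compactly in UTC."""
    return datetime(year, month, day, tzinfo=timezone.utc)


# Constructed sample: the Annex II facts for one hypothetical product version
PRODUCT = {
    "identifier": "pkg:generic/acme-router@2.4.1",      # PURL-style unique product identifier
    "contact": "mailto:security@acme-router.example",  # vulnerability reporting channel
    "canonical": "https://acme-router.example/.well-known/security.txt",
    "policy": "https://acme-router.example/security/cvd-policy",
    "support_end": utc(2031, 1, 1),                    # disclosed support period end
}


def build_security_txt(product: dict, now: datetime, validity_days: int = 365) -> str:
    """Render security.txt; Expires is clamped so it never outlives the support period."""
    expires = min(now + timedelta(days=validity_days), product["support_end"])
    lines = [
        f"# Product: {product['identifier']}",
        f"Contact: {product['contact']}",
        f"Expires: {expires.strftime('%Y-%m-%dT%H:%M:%SZ')}",
        f"Canonical: {product['canonical']}",
        f"Policy: {product['policy']}",
        "Preferred-Languages: en",
    ]
    return "\n".join(lines) + "\n"


def check_security_txt(text: str, now: datetime) -> list:
    """Return the problems a review would flag; an empty list means the file passes."""
    fields = {}
    for line in text.splitlines():
        if line.startswith("#") or not line.strip():
            continue                                   # comments and blank lines carry no field
        name, _, value = line.partition(":")
        fields.setdefault(name.strip(), []).append(value.strip())
    problems = []
    if "Contact" not in fields:
        problems.append("missing Contact (mandatory in RFC 9116)")
    if len(fields.get("Expires", [])) != 1:
        problems.append("Expires must appear exactly once")
    else:
        exp = datetime.strptime(fields["Expires"][0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if exp <= now:
            problems.append("Expires is in the past: file is stale")
        elif exp > now + timedelta(days=366):
            problems.append("Expires more than a year out (RFC 9116 advises under a year)")
    return problems
```

Re-running `check_security_txt` on the published file as part of the release or monitoring pipeline catches the common failure the last answer warns about: a reporting contact that was correct at launch but whose security.txt has silently expired mid-support-period.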