End-of-Life Policy
An end-of-life (EOL) policy defines the date on which a manufacturer will cease providing security updates, technical support, and vulnerability fixes for a product. Under the EU Cyber Resilience Act, manufacturers must clearly communicate EOL dates and ensure they meet the minimum support period requirements before they can terminate update obligations.
What Is an End-of-Life Policy?
An end-of-life (EOL) policy is a public commitment by a manufacturer specifying when a product will cease to receive security updates, bug fixes, and technical support. It defines the 'end of support' or 'end of maintenance' date after which the manufacturer no longer has an active obligation to address newly discovered vulnerabilities. Well-defined EOL policies give users and organisations time to plan device replacement or compensating controls before support ceases. EOL should be distinguished from 'end of sale' (when a product stops being sold) — security support obligations continue long after sale ends.
EOL Policy Requirements Under the CRA
The CRA establishes that manufacturers must provide security updates for the expected product lifetime or at least five years, whichever is shorter. Critically, Annex I Part II(2) requires manufacturers to clearly communicate to users the duration of the support period at the point of purchase — not after sale. This means the EOL date must be known and published before a product is placed on the market, not determined reactively. ENISA guidance reinforces that manufacturers should make EOL dates searchable and machine-readable. Failure to meet the minimum support period or to communicate it adequately is a breach of the CRA's essential requirements.
How Manufacturers Implement an EOL Policy
A compliant EOL policy should:
1. state the specific end-of-support date (or minimum years from date of market placement) for each product version;
2. be published on the manufacturer's website and referenced in product documentation and packaging;
3. be communicated to users 12 months before support ends, giving advance notice to plan migration;
4. cover what happens to the product after EOL, for example whether the manufacturer will make a final firmware release, what users should do with internet-connected devices after support ends, and how to safely decommission the product;
5. define separate dates for security updates and feature updates if applicable.
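The machine-readable EOL date mentioned under the CRA requirements, and the per-version dates, notice period and publication timing listed above, can be captured in one record and checked mechanically. The example below is added here and is not the page's or any ENISA schema; the JSON field names, the product and all dates are constructed for illustration, and the rules encoded are only those stated on this page (support for the expected lifetime or five years, whichever is shorter; 12 months' notice; EOL date published before market placement).

```python
"""Machine-readable EOL record with support-period checks (added example, assumed layout)."""
import calendar
import json
from datetime import date

# Figures as stated on this page: support for the expected lifetime or five years,
# whichever is shorter, and user notice 12 months before security support ends.
CRA_MIN_SUPPORT_YEARS = 5
NOTICE_MONTHS = 12


def shift(d: date, years: int = 0, months: int = 0) -> date:
    """Move a date by whole years/months, clamping the day (e.g. 29 Feb -> 28 Feb)."""
    total = d.year * 12 + (d.month - 1) + years * 12 + months
    y, m = divmod(total, 12)
    m += 1
    return date(y, m, min(d.day, calendar.monthrange(y, m)[1]))


def required_support_end(placed_on_market: date, expected_lifetime_years: int) -> date:
    """Earliest date on which security support may end under the rule stated above."""
    years = min(expected_lifetime_years, CRA_MIN_SUPPORT_YEARS)
    return shift(placed_on_market, years=years)


def build_eol_record(product, version, placed_on_market, expected_lifetime_years,
                     security_updates_end, feature_updates_end, published_on):
    """Assumed JSON layout (not a standard schema); all dates are emitted as ISO 8601."""
    required = required_support_end(placed_on_market, expected_lifetime_years)
    findings = []
    if security_updates_end < required:
        findings.append(f"security support ends {security_updates_end}, before required {required}")
    if published_on > placed_on_market:
        findings.append("EOL date published after the product was placed on the market")
    return {
        "product": product, "version": version,
        "placed_on_market": placed_on_market.isoformat(),
        "security_updates_end": security_updates_end.isoformat(),
        "feature_updates_end": feature_updates_end.isoformat(),
        "user_notice_by": shift(security_updates_end, months=-NOTICE_MONTHS).isoformat(),
        "published_on": published_on.isoformat(),
        "findings": findings,
        "compliant": not findings,
    }


if __name__ == "__main__":
    # Constructed sample: gateway placed on the market 2026-03-01 with a 7-year expected
    # lifetime, so security support must run until at least 2031-03-01; it ends too early.
    rec = build_eol_record("Example Gateway", "2.0", date(2026, 3, 1), 7,
                           date(2030, 12, 31), date(2028, 12, 31), date(2026, 2, 15))
    print(json.dumps(rec, indent=2))
```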
Common Mistakes
Many manufacturers have historically left EOL dates undefined or communicated them only in obscure support documentation. Under the CRA, failing to communicate the support period at point of purchase is a compliance violation, not merely a customer service issue. A second error is conflating end of sale with end of support — regulatory obligations for security updates continue for the full support period regardless of whether the product is still commercially available. Manufacturers also sometimes announce EOL with insufficient notice, depriving users of time to plan replacements. For IoT products, abrupt EOL without a final hardening release can leave millions of devices permanently exposed.
Frequently asked
What is the minimum support period required by the EU Cyber Resilience Act?
The CRA requires manufacturers to provide security updates for a minimum of five years from the date a product is placed on the market, or for the expected product lifetime if that is shorter. For products with a longer expected operational lifetime — for example, industrial controllers expected to operate for 15 years — the manufacturer may need to provide security support for longer than five years depending on regulatory interpretation.
Must the EOL date be communicated before purchase?
Yes. Annex I Part II(2) of the CRA requires manufacturers to ensure users are informed of the support period duration as part of product information provided at the time of purchase. This means the EOL date or support period must be clearly stated on product packaging, in marketing materials, and on the manufacturer's website — not buried in a rarely-read support policy page. The intent is to enable consumers and businesses to make informed purchasing decisions based on how long the product will remain secure.
What obligations remain after a product reaches end of life?
Once the support period ends, the manufacturer's obligation to develop new security updates ceases. However, the manufacturer should still notify users that the product is now unsupported and advise them to replace it or take compensating measures. If a CRA-covered product continues to pose a significant risk after EOL — for example, due to a critical remotely exploitable vulnerability — market surveillance authorities may still take enforcement action. Manufacturers should ensure EOL products are not knowingly sold as new after support has ended.