Firmware Update & OTA Security
A firmware update delivers new software to a device's embedded systems — microcontrollers, bootloaders, and operating environments — to fix vulnerabilities, add features, or address hardware behaviour. Over-the-air (OTA) updates deliver firmware remotely. The CRA requires manufacturers to implement and maintain a secure update mechanism throughout a product's support period.
What Are Firmware Updates and OTA Security?
Firmware is the low-level software that controls a device's hardware — it runs on microcontrollers, manages peripherals, and often implements core protocol stacks. A firmware update replaces or patches this software to address vulnerabilities, fix bugs, or add functionality. Over-the-air (OTA) update mechanisms allow firmware to be delivered and installed remotely without physical access to the device. OTA update security refers to the controls that ensure only authentic, integrity-verified firmware is accepted by a device: cryptographic signatures on update packages, TLS-secured delivery channels, rollback prevention, and integrity checks performed by a trusted bootloader before executing new code.
Why Firmware Update Security Is a CRA Requirement
Annex I Part I(2)(j) of the CRA requires manufacturers to ensure that their products include the ability to receive security updates — and that the update mechanism is itself secure. Article 13(3) reinforces that manufacturers must make security updates available promptly and ensure they are easy to install. An insecure update mechanism is a high-value attack target: if an attacker can inject malicious firmware through the update channel, they gain persistent, privileged access to the device. A secure update mechanism is therefore not merely a feature — it is a prerequisite for the manufacturer's ability to fulfil its ongoing security obligations throughout the product support period.
How Manufacturers Implement Secure OTA Updates
A secure OTA update implementation requires controls at every stage of the update lifecycle. During build: firmware images must be signed with a private key held in a Hardware Security Module (HSM); version metadata and changelogs must be generated. During delivery: firmware must be transmitted over a TLS-authenticated channel; update servers must require device authentication before serving packages. On device: the bootloader or update agent must verify the cryptographic signature before staging; downgrade attacks must be prevented via a version counter; and a validated rollback-to-last-good mechanism should exist to recover from failed updates. Update delivery and installation outcomes should be logged for audit purposes.
Common Mistakes
A common firmware update error is signing update packages but not verifying the signature on device — the signature exists in the build pipeline but is never checked before execution. Another error is delivering updates over unencrypted HTTP, making the package susceptible to man-in-the-middle substitution. Manufacturers also frequently implement update mechanisms that lack downgrade protection, allowing an attacker who can intercept the update channel to force installation of an older, vulnerable firmware version. Finally, some manufacturers ship products where the update mechanism depends on a cloud service with no defined availability or continuity commitment, rendering the device unable to receive security updates if the service is discontinued.
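An added example, not from the original page or from any vendor's code, modelling the on-device checks listed under "How Manufacturers Implement Secure OTA Updates" and the mistakes described above: the signature is verified before anything is parsed, the image hash is bound to the signed manifest, and a validly signed but older version is refused. The manifest layout, the function names and the RSA test key built from two Mersenne primes are assumptions constructed so the block runs with the standard library only.

```python
import hashlib
import json

# CONSTRUCTED, INSECURE test key built from two Mersenne primes so the example
# runs offline. A production signing key is generated and held in an HSM.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q                              # public modulus (what the device stores)
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent: build side only
K = (N.bit_length() + 7) // 8          # modulus length in bytes
# DER DigestInfo prefix for SHA-256 (RFC 8017, EMSA-PKCS1-v1_5)
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")


def _encode(msg: bytes) -> int:
    """Expected padded block 00 01 FF.. 00 || DigestInfo || SHA-256(msg)."""
    t = SHA256_PREFIX + hashlib.sha256(msg).digest()
    em = b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t
    return int.from_bytes(em, "big")


def sign_manifest(version: int, image: bytes) -> dict:
    """Build pipeline: one signature binds the version and the image hash."""
    body = json.dumps(
        {"sha256": hashlib.sha256(image).hexdigest(), "version": version},
        sort_keys=True,
    )
    return {"body": body, "sig": pow(_encode(body.encode()), D, N)}


def accept_update(manifest: dict, image: bytes, stored_counter: int):
    """Device side: return (accepted, reason). The order of checks matters."""
    body, sig = manifest["body"], manifest["sig"]
    # 1. Authenticity first: rebuild the full padded block and compare it whole.
    if not (0 < sig < N) or pow(sig, E, N) != _encode(body.encode()):
        return False, "bad signature"
    meta = json.loads(body)  # parse only after the signature has verified
    # 2. Integrity: the delivered image must be the one the manifest names.
    if hashlib.sha256(image).hexdigest() != meta["sha256"]:
        return False, "image hash mismatch"
    # 3. Anti-rollback: validly signed but older firmware is still refused.
    if meta["version"] <= stored_counter:
        return False, "downgrade rejected"
    return True, "staged"
```

On a real device the public key and `stored_counter` would sit in storage the update channel cannot rewrite, and the same checks would run in the bootloader before the new image is executed.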
Frequently asked
Must manufacturers provide firmware updates for the entire support period under the CRA?
Yes. The CRA requires manufacturers to address vulnerabilities and make security updates available without undue delay for the duration of the product's support period. The minimum support period for most products is five years from market placement, or the expected product lifetime if shorter. Manufacturers must maintain the infrastructure and processes to develop and deliver firmware updates for this entire period — they cannot simply cease providing updates when it becomes commercially inconvenient.
Is it sufficient to make firmware updates available for manual download?
For many consumer products, making updates available for download without active OTA delivery may not satisfy the CRA's intent that updates are 'easy to install'. The Annex I requirement that security updates can be received and installed is most straightforwardly met by an OTA mechanism. For industrial and enterprise products where manual update processes are standard and change-controlled, manual delivery with clear notification mechanisms may be acceptable, but the manufacturer must ensure the update pathway does not become a practical barrier to timely patching.
What happens to firmware update obligations when a product reaches end of life?
At end of life, the manufacturer's obligation to provide security updates ends — but this must be managed transparently. The CRA requires manufacturers to clearly communicate the end-of-support date to users in advance, giving users time to plan replacement or mitigation. Manufacturers must not simply stop providing updates without notice. After the support period ends, the product remains on the market as a known risk, and market surveillance authorities may take action if the product's unpatched vulnerabilities pose a significant risk to users or third parties.