Patch Management
Patch management is the process of identifying, testing, approving, and deploying software updates that fix security vulnerabilities and bugs. The EU Cyber Resilience Act requires manufacturers to provide security patches for their products throughout the defined support period and to deliver them without undue delay.
What Is Patch Management?
Patch management is the disciplined process of keeping software and firmware up to date by identifying applicable security updates, testing them for compatibility and regression issues, and deploying them to affected systems in a controlled manner. For manufacturers, patch management encompasses two separate responsibilities: outbound patch delivery — developing and releasing patches for vulnerabilities in their own products — and inbound patch management — applying upstream patches from third-party and open-source components to their products. Both are relevant under the CRA. Effective patch management requires a maintained SBOM to know which components are in scope, and a CVD policy to receive external vulnerability reports.
CRA Patch Delivery Obligations
Annex I Part II of the CRA requires manufacturers to address vulnerabilities without undue delay, and to make security patches freely available to users. Article 13(1) requires manufacturers to exercise due diligence when integrating components. The CRA's Article 13(8) specifically states that manufacturers must inform users about vulnerabilities and available updates. Key implications:
- Security patches must be free of charge — manufacturers cannot monetise security fixes.
- Patches must be made available through a mechanism users can reasonably access — not requiring specialist tools or contractual arrangements.
- The patch delivery mechanism must be stated in the manufacturer's end-of-life policy and technical documentation.
- Patches must be accompanied by a security advisory explaining the vulnerability addressed.
Patch Timelines and Support Period
The CRA does not mandate a universal patch SLA in hours or days, but requires patches 'without undue delay'. Industry norms and ENISA guidance treat the following as reasonable:
- Critical (CVSS 9.0+) vulnerabilities — patch or mitigation within 14–30 days.
- High (CVSS 7.0–8.9) vulnerabilities — patch within 60–90 days.
- Medium/Low vulnerabilities — addressed in regular release cycles.
Manufacturers must also define and publish a support period — the duration for which security patches will be provided. The CRA expects the support period to be proportionate to the product's expected use life. For Class I and Class II Important Products, the support period expectation is higher. At end-of-life, manufacturers must notify users in advance.
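The inbound side of patch management described above (knowing from the SBOM which third-party components are in scope, matching them against upstream advisories, and assigning a remediation deadline by severity) can be turned into a repeatable check. The script below is an added illustration, not code from this page or from any product it mentions. It assumes a minimal CycloneDX-style SBOM fragment with only `name` and `version` fields, simple dotted numeric version comparison, the stricter end of the CVSS deadline ranges quoted above (14 days for critical, 60 for high, next regular release for the rest), and placeholder advisory identifiers; all of that sample data is constructed here.

```python
import json
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Minimal CycloneDX-style SBOM fragment, constructed for this example.
SAMPLE_SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "components": [
        {"name": "libfoo", "version": "1.2.3"},
        {"name": "libbar", "version": "2.0.0"},
        {"name": "libbaz", "version": "0.9.1"},
    ],
})


@dataclass(frozen=True)
class Advisory:
    cve: str          # placeholder identifiers, not real CVE numbers
    component: str
    fixed_in: str     # first version that contains the fix
    cvss: float
    published: date


# Constructed upstream advisories; the identifiers are placeholders.
SAMPLE_ADVISORIES = [
    Advisory("EXAMPLE-0001", "libfoo", "1.2.4", 9.8, date(2024, 1, 1)),
    Advisory("EXAMPLE-0002", "libbar", "2.0.0", 7.5, date(2024, 1, 5)),
    Advisory("EXAMPLE-0003", "libbaz", "1.0.0", 5.3, date(2024, 1, 10)),
    Advisory("EXAMPLE-0004", "libbaz", "0.9.2", 7.2, date(2024, 2, 1)),
]


@dataclass(frozen=True)
class Finding:
    cve: str
    component: str
    version: str
    severity: str
    due: Optional[date]   # None means "next regular release cycle"
    overdue: bool


def parse_version(v: str) -> tuple:
    """Dotted numeric versions only (assumption: a real SBOM needs a proper
    version scheme such as semver or distribution epochs)."""
    return tuple(int(p) for p in v.split("."))


def severity_and_sla(cvss: float):
    """Map a CVSS score to the tiers on this page. Deadlines use the stricter
    end of the page's ranges (assumption): 14 days critical, 60 days high."""
    if cvss >= 9.0:
        return "critical", 14
    if cvss >= 7.0:
        return "high", 60
    return "medium/low", None


def triage(sbom_json: str, advisories, today: date):
    """Return every SBOM component below an advisory's fixed version, with its
    remediation deadline and whether that deadline has already passed."""
    components = json.loads(sbom_json)["components"]
    findings = []
    for comp in components:
        for adv in advisories:
            if adv.component != comp["name"]:
                continue
            if parse_version(comp["version"]) >= parse_version(adv.fixed_in):
                continue  # already at or beyond the fixed version
            severity, sla_days = severity_and_sla(adv.cvss)
            due = adv.published + timedelta(days=sla_days) if sla_days is not None else None
            findings.append(Finding(adv.cve, comp["name"], comp["version"], severity, due,
                                    overdue=due is not None and today > due))
    # Overdue items first, then by deadline; items without a hard deadline last.
    findings.sort(key=lambda f: (not f.overdue, f.due is None, f.due or date.max))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_SBOM_JSON, SAMPLE_ADVISORIES, date(2024, 3, 1)):
        print(f"{f.cve:13} {f.component}@{f.version:7} {f.severity:10} due={f.due} overdue={f.overdue}")
```

Run against the constructed data on 1 March 2024, the critical `libfoo` finding is already overdue, the high `libbaz` finding has a deadline in April, `libbaz`'s medium issue is left to the regular release cycle, and `libbar` is not reported because it already carries the fixed version. The same loop, pointed at a real SBOM and an advisory feed, is what lets a manufacturer show an authority that inbound patches are being tracked against a defined timeline.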
Common Patch Management Failures
CRA non-compliance in patch management typically arises from:
- No SBOM — manufacturers who do not know their component inventory cannot identify which CVEs affect them, leading to missed patches in embedded libraries.
- Paid patch programmes — charging for security fixes is prohibited by the CRA; all security updates must be free.
- No firmware update mechanism — hardware products that cannot receive over-the-air or USB firmware updates cannot be patched at scale.
- Undefined support period — customers cannot plan without knowing when support ends; this also creates CRA documentation non-compliance.
- Patch without advisory — releasing a fix without a security advisory leaves users unable to assess urgency or verify they need the update.
Frequently asked
Can manufacturers charge users for security patches under the CRA?
No. The CRA explicitly requires that security updates be provided free of charge to users. Manufacturers may charge for feature updates, new versions, or extended support agreements, but security fixes that address vulnerabilities covered by the CRA's essential requirements must be delivered without additional cost for the duration of the stated support period.
What is the minimum support period required under the CRA?
The CRA does not prescribe a universal minimum support period. It requires the support period to be 'proportionate to the expected use life of the product' and mandates that it be documented and communicated to buyers. For consumer IoT products with typical 5–7 year lifespans, regulators and market surveillance authorities would expect a support commitment of at least 5 years. The European Commission may adopt delegated acts with more specific requirements for product categories.
Does our patch management process need to be documented?
Yes. The CRA requires manufacturers to maintain technical documentation covering their vulnerability handling processes, including how patches are developed, tested, and released. This documentation must be available to market surveillance authorities on request. It should describe the patch development workflow, testing methodology, release process, and the update delivery mechanism used to reach end users.