CRA Legal Terms

Support Period (CRA)

The support period is the duration for which a manufacturer commits to providing security updates, vulnerability remediations, and related security support for a product. Under the EU Cyber Resilience Act, the support period must be at least five years (or the product's expected lifetime) and must be communicated to users before purchase.


What Is the Support Period Under the CRA?

The support period is the timeframe during which a manufacturer is obligated to maintain the security of a product: developing patches for newly discovered vulnerabilities, making security updates available, and operating the CVD process. The EU Cyber Resilience Act sets the minimum support period at five years from the date the product is placed on the market — i.e., first made available to the EU market — or the expected product lifetime if shorter. For products with long expected operational lives (such as industrial control systems designed for 20-year deployment), the support period may need to extend beyond five years to reflect real-world usage.

CRA reference: Article 13(3), Annex I Part II(2)

Why the Support Period Is a Critical CRA Concept

The support period is the regulatory mechanism by which the CRA ensures that products do not become permanently vulnerable after manufacturers lose commercial interest in supporting them. Prior to the CRA, it was common for manufacturers to cease security updates for connected products within 1–2 years of sale, leaving millions of devices with no remediation path for subsequently discovered vulnerabilities. The CRA's five-year minimum support period directly addresses this market failure. Market surveillance authorities can enforce against manufacturers who cease providing security updates before the support period expires, and against those who fail to communicate the support period to buyers.

CRA reference: Article 13(3), Annex I Part II(2)

How Manufacturers Define and Communicate Their Support Period

Manufacturers must determine and document the support period for each product before market placement. The period must be stated in: product packaging or printed materials; the manufacturer's website product page; and technical documentation. The communication must be clear and accessible to consumers — not buried in a legal agreement. The support period runs from the date of first market placement, not from the date of individual purchase. Manufacturers selling a product through a distribution chain must ensure their support commitment extends to cover the full five-year period even when the product has been in the distribution channel for some time before retail sale.

CRA reference: Annex I Part II(2), Article 13(3)

Common Mistakes

A frequent error is calculating the support period from the date of individual sale rather than from the date of first market placement. A product placed on the market in 2025 and sold at retail in 2026 must still be supported until at least 2030 — a full five years from 2025, not from 2026. Manufacturers also sometimes treat 'support period' as applying only to the latest hardware revision, leaving earlier revisions without adequate support. Another mistake is offering different support periods in different markets and providing the EU-mandated minimum only when specifically requested rather than as the default communicated position.

CRA reference: Article 13(3)


Frequently asked

Does the CRA support period apply from the date a consumer buys the product or from the date it is first sold?

The five-year support period runs from the date the product is first **placed on the market** — when it is first made commercially available in the EU — not from the date any individual consumer purchases it. This is an important distinction: a product placed on the market in January 2025 but purchased by a consumer in December 2026 still only receives security support until January 2030, not until December 2031.

What happens if the expected product lifetime is less than five years?

The CRA's minimum support period is five years or the expected product lifetime, whichever is shorter. If a product is designed for a single-use application or has a clearly documented operational lifetime of under five years — for example, a product that is physically consumable — the manufacturer may apply the shorter period. However, the expected lifetime must be documented and justifiable. Manufacturers cannot artificially designate a short expected lifetime to evade the five-year requirement.

Can manufacturers charge for security updates during the support period?

The CRA requires manufacturers to make security updates available but does not explicitly address whether they may be provided at cost. The clear legislative intent is that security updates should be accessible to users who have purchased the product. Placing security updates behind a paid subscription or charging upgrade fees for critical patches would likely be considered non-compliant with the spirit of the regulation, and national market surveillance authorities could take enforcement action. Manufacturers should seek legal advice if considering any commercial model for security update delivery.
