When we look closer at the support period, we'll find more and more interesting questions.
- Does the support period start when the end user buys a product, or when the product is released, manufactured or sold for the first time?
- Can manufacturers set the length of the support period as they see fit?
- Can manufacturers terminate the support period as they see fit?
- What obligations do manufacturers have to satisfy during the support period? What after the support period?
- Are there special rules for products released in the transitional period from 11 December 2024 to 10 December 2027?
- Does the EU CRA apply to products released before 11 December 2024?
To answer these questions we need to understand terms like making available on the market, placing on the market and substantial modification. When a manufacturer places a product on the EU market, the support period starts. The length of the support period must be five years or the typical lifetime of the product, whichever is longer. The product must satisfy all the essential requirements related to product properties and to vulnerability handling during its support period. The manufacturer must provide security updates for ten years after the end of the support period. These are the rules for products that are placed on the market after 11 December 2027 (the penalty date), when the CRA is in full effect and the EU commission can punish manufacturers with heavy penalties.
There is a special rule for products placed on the market in the transitional period from 11 December 2024 to 10 December 2027. If the manufacturer doesn't modify the product substantially after 11 December 2027, the EU CRA doesn't apply to the product. The EU CRA doesn't apply to products that were placed on the market before 11 December 2024, that is, before the EU CRA came into effect.
Clarifying Relevant Terms
Article 3 provides definitions of terms like making available on the market, placing on the market, support period and substantial modification. These definitions give us an idea but still leave some questions open. The ‘Blue Guide’ on the implementation of EU product rules 2022 answers the open questions. Let us clarify the terms one by one.
Making Available on the Market
Making available on the market means the supply of a product with digital elements for distribution or use on the Union market in the course of a commercial activity, whether in return for payment or free of charge.
EU CRA Article 3.22
Section 2.2 of the Blue Guide explains the term in more detail. Any transfer of ownership or possession like sale, loan, hire, leasing or gift is a commercial activity. Let us look at selling an agricultural machine:
- A manufacturer (Article 3.13) produces 100 forage harvesters in Germany (a member of the EU).
- The manufacturer sells six harvesters to a dealer of agricultural machines - the distributor (Article 3.17) - in France (another member of the EU).
- The dealer sells one harvester to Paul, a farmer in France.
As a consequence of a commercial activity (sale), ownership is transferred twice: once from the manufacturer to the distributor and once from the distributor to the farmer (the end user). In this case, the manufacturer and distributor are legal persons, whereas the farmer may be a natural or legal person. A commercial activity happens between natural or legal persons and implies a transfer of ownership (e.g., sale, gift) or possession (e.g., leasing, rental, subscription). As the end use of the harvester by Paul takes place in an EU country, the harvester is made available on the EU market and must satisfy the EU CRA.
If a manufacturer had produced the harvesters in Mexico, which is not in the EU, Paul's harvester would still fall under the EU CRA. Whether or not the manufacturer is based in the EU doesn't matter. The manufacturer would sell the harvesters to an importer (Article 3.16). The importer would sell the harvesters to a distributor, which would sell one harvester to the farmer. The importer would make the harvester available on the EU market for the first time and the distributor for the second time. Of course, the importer and the distributor could be a single company.
Let us tweak the example a bit. Ali, a farmer from Tunisia, buys another harvester from the same dealer in France as Paul. He transports the harvester to Tunisia, where he will use the harvester from now on. The manufacturer or the importer would make the harvester available on the EU market. However, the dealer would not make the harvester available on the EU market, as Tunisia is not in the EU.
Whereas Paul's harvester is made available on the EU market, Ali's harvester is not. Making a harvester available on the market is a per-harvester decision and applies to an individual harvester. It does not apply to all harvesters of the same model or to a production batch of harvesters. The Blue Guide states tersely: "The concept of making available refers to each individual product."
Placing on the Market
Placing on the market means the first making available of a product with digital elements on the Union market.
EU CRA Article 3.21
One product can be made available on the market multiple times. In our example above, the manufacturer or the importer makes the harvesters available on the Union market for the first time when they sell harvesters to the dealer. The dealer makes the harvester available on the Union market a second time when it sells the harvester to Paul.
Placing on the market denotes the first time a product is made available on the market. It is normally done by the manufacturer or the importer. Paul's harvester is placed on the EU market when the manufacturer or its importer sells the harvester to the dealer. The date for placing Paul's harvester on the market does not change, no matter how often it changes its owner. The date for placing a product on the market marks the start of the support period.
As Ali uses his harvester outside the EU, his harvester is not placed on the EU market. The support period doesn't start.
Substantial Modification
substantial modification means a change to the product with digital elements following its placing on the market, which affects the compliance of the product with digital elements with the essential cybersecurity requirements set out in Part I of Annex I or which results in a modification to the intended purpose for which the product with digital elements has been assessed.
EU CRA Article 3.30
A manufacturer substantially modifies a product,
- if the modification affects the essential requirements of Annex I, or
- if the modification changes the "intended purpose" of the product.
The definition leaves open whether manufacturers need only consider negative effects on the essential requirements or positive effects as well. If positive effects like fixing a vulnerability were considered, every security update would be a substantial modification. This would run counter to the goal of the EU CRA of reducing cybersecurity risks. The Blue Guide allows security updates in general and functional updates in certain contexts.
[...] a product should be considered as substantially modified by a software change where: i) the software update modifies the original intended functions, type or performance of the product and this was not foreseen in the initial risk assessment; ii) the nature of the hazard has changed or the level of risk has increased because of the software update; and iii) the product is made available [...]
The Blue Guide, Section "2.1 Product Coverage: Software"
A product is substantially modified only if all three conditions are satisfied: i) && ii) && iii). If one condition doesn't hold, there was no substantial modification. Condition iii) is a given: whether a modification is substantial only matters if the manufacturer makes the modification available for the product.
A security update like fixing a vulnerability decreases the risk. Hence, condition ii) is violated and the security update doesn't constitute a substantial modification.
Condition i) allows functional or performance updates as long as the risks have already been considered in the initial risk assessment. Updates are OK if they don't increase already known risks and if they don't add new risks.
Changing the appearance of the user interface (UI) is not a substantial modification, as the risk stays the same. However, adding an input field to the UI (see Recital 39) is a substantial modification, as user input always requires validation. If an invalid input causes a crash or undefined behaviour, bad actors can exploit this vulnerability.
Forage harvesters can have several front implements for cutting maize in small pieces, for collecting grass and for cutting the whole plant. The manufacturer performs a risk assessment for the first and second implement. Initially, it places the harvester on the market equipped only with the first implement. As the manufacturer foresaw the second implement in the initial risk assessment, making the second implement available doesn't modify the harvester substantially. The manufacturer didn't, however, foresee the third implement. Hence, the harvester is substantially modified when the manufacturer starts selling the third implement. The manufacturer must also amend its risk assessment.
If a manufacturer addresses future functional or performance changes in its risk assessment, it can release these changes without substantially modifying the product.
Changing the "intended purpose" of the product is the second reason for a substantial modification (see Article 3.30).
intended purpose means the use for which a product with digital elements is intended by the manufacturer, including the specific context and conditions of use, as specified in the information supplied by the manufacturer in the instructions for use, promotional or sales materials and statements, as well as in the technical documentation
EU CRA Article 3.23
The original intended purpose of a forage harvester is cutting maize in small pieces for silage fodder. When the manufacturer adds the implement for picking up grass, the intended purpose of the harvester changes: grass instead of maize; picking up instead of cutting; multiple harvests from spring to autumn instead of a single harvest in autumn. The "specific context and conditions of use" differ for the two implements.
Does a harvester with an implement for cutting maize in small pieces have a different purpose than a harvester with an implement for cutting the whole plant? Probably not, because they both cut maize once in autumn for silage fodder. Looking at condition i) again helps:
i) the software update modifies the original intended functions, type or performance of the product and this was not foreseen in the initial risk assessment
The Blue Guide, Section "2.1 Product Coverage: Software"
"intended type" is the same as "intended purpose". The product is modified substantially only if the intended type changes and this change was not addressed in the initial risk assessment. The two implements have different risk characteristics: one has a cutting drum with knives rotating at high speed, the other one a large disc rotating at lower speeds. If the risk assessment for one implement is missing or incomplete, the manufacturer faces a substantial modification - no matter whether the purpose changed or not.
My rule of thumb is: If a change increases known risks or introduces new risks, it constitutes a substantial modification.
Support Period: The Normal Case
We speak of the normal case for the support period, when a product is placed on the Union market after the penalty date (11 December 2027), that is, when the EU CRA is in full effect.
Start and Length of the Support Period
Manufacturers shall ensure, when placing a product with digital elements on the market, and for the support period, that vulnerabilities of that product, including its components, are handled effectively and in accordance with the essential cybersecurity requirements set out in Part II of Annex I.
EU CRA Article 13.8 (Paragraph 1)
The support period starts when a manufacturer or importer places a product (e.g., a reverse vending machine, harvester, excavator, measurement device) on the Union market.
The second paragraph of Article 13.8 gives some criteria that manufacturers shall apply when determining the length of the support period.
- What is the average lifetime of products of this type?
- How long do users expect the product to be in use?
- How long are the support periods of crucial third-party hardware and software components like SoCs, modems, touch displays, operating systems, GUI frameworks and multimedia libraries?
- What are the legal requirements for minimum support periods of products of this type?
Article 13.8, Paragraph 3, mandates a support period of at least five years - except in very rare cases. Recital 60 gives two examples of such exceptions:
- The support period for a contact-tracing application ends when the pandemic ends, which is hopefully much shorter than five years.
- If software is used on a subscription basis, the support period ends when the subscription ends.
In most cases, the support period will be longer than five years. Recital 60 explicitly lists PCBs, microprocessors, modems, routers, switches, operating systems and video editors. Recital 60 also emphasises that "products used in industrial settings" have lifetimes much longer than five years. For example, agricultural machines are often in use for 15-20 years. NXP grants 15 years of support for their automotive-grade iMX8M SoCs. At the end of their life in 2035, iMX6 SoCs will have enjoyed nearly 20 years of support. The Raspberry Pi Compute modules are officially supported for 10-12 years.
According to Article 13.8, Paragraph 5, manufacturers must explain in the technical documentation demanded by Annex VII how they determined the length of the support period. The reasoning must be sound. An arbitrary length will get manufacturers in trouble.
Requirements During the Support Period
During the support period defined by Article 13.8, products must satisfy the essential requirements related to vulnerability handling (Annex I Part II). In short, manufacturers must set up a process that finds, remediates and documents vulnerabilities. They must publish exploitable vulnerabilities once they have been fixed. They must provide security updates fixing the vulnerabilities in a timely fashion.
Every violation of an essential requirement related to product properties (Annex I Part I) is without doubt a vulnerability that must be handled according to Annex I Part II. Therefore, any product must satisfy both the essential requirements related to product properties and to vulnerability handling during its support period. Article 13 corroborates this interpretation.
- Article 13.1: When the support period starts for a product, the manufacturer must satisfy all essential requirements related to product properties (Annex I Part I).
- Article 13.2: Manufacturers must perform an initial risk assessment for complying with Article 13.1 - at the start of the support period.
- Article 13.3: Manufacturers must document and update the initial risk assessment from Article 13.2. The risk assessment must cover the essential requirements related to product properties and to vulnerability handling, that is, all the requirements from Annex I.
When - during the support period - a risk covered in the previous assessment changes or when a new risk not previously covered is detected, manufacturers must update the risk assessment. Updating the risk assessment is a continuous and regular activity. This implies an update of the technical documentation described in Annex VII - including an update of the conformity assessment.
Let us go back to our example of selling forage harvesters.
- We assume a support period of 15 years for forage harvesters.
- When the manufacturer sells a harvester to an EU-based dealer, the distributor, on 5 March 2028, the support period for this harvester starts on 5 March 2028 and runs until 5 March 2043. The date, when the dealer sells the harvester to Paul, doesn't matter. The support period just keeps on running.
- When the manufacturer sells another harvester to an EU-based dealer on 7 May 2031, the support period for this harvester starts on 7 May 2031 and ends on 6 May 2046.
ADCO (an administrative cooperation group established to help the EU Commission) will determine and publish the average support periods for different product categories. The support periods of similar products should be similar all over the EU (see Recital 62). If the support periods for similar products differ too much, the EU Commission may stipulate a "minimum support period for specific product categories where the market surveillance data suggests inadequate support periods" (Article 13.8, Paragraph 4 and Recital 62). Manufacturers of networking gear like to end support suddenly or offer short periods of three years. Such practices will come to an end.
Manufacturers must display the end of the support period (month and year) prominently on the packaging, in the GUI, in the sales contract, or in any easily accessible place. If feasible, they should notify users about the end of support (see Article 13.9).
Requirements After the Support Period
Manufacturers' obligations do not end with the end of the support period. Each security update made available during the support period must remain available for at least 10 years or for the remainder of the support period, whichever is longer (see Article 13.9). If the manufacturer issues a security update for Paul's harvester on 5 September 2042 (six months before the end of support), it must keep the security update around until 5 September 2053. That's nearly 25 years after the harvester was placed on the market! A logistical challenge for manufacturers!
Article 13.10 relieves the availability requirement for security updates a little bit. Manufacturers must only keep around the security updates for the last substantially modified software version, which satisfies all essential requirements of Annex I and hence is free of known exploitable vulnerabilities. They can only do so if users can update from earlier versions to the last substantially modified version free of charge. Users must always have a way to reach a software version without any known exploitable vulnerabilities by performing a couple of security updates.
Security updates are triggered by changes in the risk assessment for a product. A new risk was found or a known risk got worse. Hence, manufacturers must update the technical documentation demanded by Annex VII. The technical documentation includes the EU declaration of conformity (better known as the CE marking) and the conformity assessment. Manufacturers shall keep the technical documentation "at the disposal of the market surveillance authorities for at least 10 years after the product with digital elements has been placed on the market or for the support period, whichever is longer" (see Article 13.13).
This is a bit odd. Security updates must be available for longer than the technical documentation describing them. Well, that's how it is decreed.
Support Period: The Transitional Case
The support period is handled differently if a product is placed on the market in the transitional period from 11 December 2024 to 10 December 2027.
Products with digital elements that have been placed on the market before 11 December 2027 shall be subject to the requirements set out in this Regulation only if, from that date, those products are subject to a substantial modification.
EU CRA Article 69.2
Here is the scenario where the product receives updates with substantial modifications after 11 December 2027 (the penalty date).
- The German manufacturer sells several harvesters to a French dealer on 12 August 2025. The manufacturer places these harvesters on the market before the penalty date (11 December 2027).
- The dealer sells one harvester to Noah, a French farmer, who will use the harvester in the EU.
- The manufacturer releases several updates with substantial modifications for Noah's harvester after the penalty date.
The manufacturer must satisfy all the obligations of the EU CRA for the complete support period of 15 years until 12 August 2040. Noah's harvester must adhere to the same rules as any harvester placed on the market after the penalty date.
If Noah's harvester doesn't undergo any substantial modifications after the penalty date, the manufacturer need not satisfy the EU CRA. In particular, it can ignore the essential requirements related to product properties and to vulnerability handling. The manufacturer can still provide security updates, bug fixes or updates with a facelift for the GUI. These updates must neither increase existing risks nor introduce new risks. The manufacturer should not mix functional changes into the updates.
Manufacturers could even provide functional updates, as long as they have already addressed the new functionality in the risk assessment. Adding the implement for picking up grass wouldn't be a substantial modification, if the manufacturer had foreseen its addition and had already performed a thorough risk assessment for it. I am pretty sure that the manufacturer would find some more risks while developing the implement. It is far too easy to increase the risk with a functional update as the example of adding an input field with a broken or no validation shows. Releasing functional updates is playing with fire.
Article 69.2 is the only loophole to avoid the EU CRA and its penalties for products placed on the market from now until 11 December 2027. I can't think of a good reason why a manufacturer should place a product on the market now and stop its improvement in less than 2.5 years. What would be the value for the manufacturer? Which customer would buy such a product?
A final note: The EU CRA does not apply to products placed on the market before 11 December 2024.
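An added example, my own illustration rather than the author's or any official tool, that applies the date rules of the normal case (support period start, the Article 13.9 update-availability window, the Article 13.13 documentation-retention window) and the Article 69.2 transitional rule to Paul's and Noah's harvesters. The harvester dates are those of the post, the 15-year support period is the post's assumption, and ten-year windows are counted from the issue or placing date.

```python
# Added example (not from the original post): EU CRA date rules for the
# forage-harvester scenario. Dates from the post; 15-year support period is
# the post's assumption.
from dataclasses import dataclass
from datetime import date

CRA_IN_FORCE = date(2024, 12, 11)   # placed before this: CRA does not apply at all
PENALTY_DATE = date(2027, 12, 11)   # full application; transitional period ends the day before


def add_years(d: date, years: int) -> date:
    """Add calendar years; a 29 February start lands on 28 February."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


@dataclass(frozen=True)
class Product:
    placed_on_market: date   # first making available on the Union market (Art. 3.21)
    support_years: int       # manufacturer's reasoned support period (Art. 13.8)

    @property
    def support_end(self) -> date:
        return add_years(self.placed_on_market, self.support_years)


def cra_applies(p: Product, substantially_modified_after_penalty_date: bool) -> bool:
    """Art. 69.2: a product placed before the penalty date is in scope only if it
    is substantially modified from that date on; a product placed before the
    Regulation entered into force is out of scope altogether."""
    if p.placed_on_market < CRA_IN_FORCE:
        return False
    if p.placed_on_market < PENALTY_DATE:
        return substantially_modified_after_penalty_date
    return True


def security_update_available_until(p: Product, issued: date) -> date:
    """Art. 13.9: an update issued during the support period stays available for
    10 years from issue or for the rest of the support period, whichever is longer."""
    if not (p.placed_on_market <= issued <= p.support_end):
        raise ValueError("update was not issued during the support period")
    return max(add_years(issued, 10), p.support_end)


def documentation_retained_until(p: Product) -> date:
    """Art. 13.13: technical documentation is kept for 10 years after placing on
    the market or for the support period, whichever is longer."""
    return max(add_years(p.placed_on_market, 10), p.support_end)


# Scenario from the post: Paul's harvester placed 5 March 2028, update 5 Sept 2042;
# Noah's harvester placed 12 August 2025 (transitional period).
PAUL = Product(date(2028, 3, 5), 15)
PAUL_UPDATE = date(2042, 9, 5)
NOAH = Product(date(2025, 8, 12), 15)

if __name__ == "__main__":
    print("Paul: support ends", PAUL.support_end)
    print("Paul: update kept until", security_update_available_until(PAUL, PAUL_UPDATE))
    print("Paul: documentation kept until", documentation_retained_until(PAUL))
    print("Noah, not substantially modified, in scope:", cra_applies(NOAH, False))
    print("Noah, substantially modified, in scope:", cra_applies(NOAH, True))
```

The update must be kept years beyond the documentation retention date, which is the oddity the post points out after Article 13.13.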