Are automatic OTA updates expected for all product categories?
No.
Recital 56 says the automatic-update expectations do not apply to products primarily intended to be integrated as components into other products. It also says they do not apply to products for which users would not reasonably expect automatic updates, including products used in professional ICT networks and especially in critical and industrial environments where automatic updates could interfere with operations.
If a product has no screen, can CRA update notices or approval be handled through a paired app or companion device?
Potentially, yes.
The CRA requires notification of available updates to users and clear user information, but it does not prescribe one specific interface. ETSI TS 103 927 gives a concrete example for a screenless smart voice-controlled device: a paired phone or app can be used to notify the user about security updates, obtain consent, and display update-related information.
That means a paired app is one potentially compliant implementation pattern for screenless products. This is an inference from the CRA's interface-neutral wording together with the ETSI example.
If a product uses OTA updates, what does the CRA require from the security of that mechanism?
The CRA requires the OTA path to be secure enough to distribute updates so vulnerabilities are fixed or mitigated in a timely manner.
It does not prescribe one single technical architecture, but it does require secure update-distribution mechanisms. Read together with the CRA's requirements to protect commands, programs and configuration against unauthorised manipulation, the OTA channel and package handling cannot be left unsecured.
ETSI update-security standards make this more concrete for OTA implementations by pointing to secure channels, authenticated communication partners, and authenticity and integrity checks for updates.
Does the CRA allow an OTA release to bundle a security fix with a feature change?
Only where separation is not technically feasible.
The CRA's rule does not change just because the update is delivered OTA. Where technically feasible, new security updates must be provided separately from functionality updates. The Commission FAQ explains that bundling can still be acceptable where the security fix itself necessarily changes functionality.
Can an OTA security update itself amount to a substantial modification?
Sometimes, but not usually.
Draft Commission guidance says security updates are generally not substantial modifications where their purpose is to reduce cybersecurity risk and they do not change the product's intended purpose or introduce new cybersecurity risks. But a security-driven update can still become a substantial modification if it changes the intended purpose beyond what was foreseen or introduces new dependencies, new interfaces, or other new risks not covered by the original risk assessment.
For products placed on the market before 11 December 2027, do later OTA updates automatically bring those products into the full CRA regime?
No.
For legacy products, the question is whether the later update amounts to a substantial modification. Draft Commission guidance says security updates are generally not substantial modifications, and Article 69(2) makes substantial modification the trigger for bringing pre-11 December 2027 products into the CRA's full product regime.
The same draft guidance also says manufacturers should be able to demonstrate, if asked, that later updates do not amount to substantial modifications.
Is the manufacturer responsible under the CRA if a user refuses an OTA update or leaves the device unupdated?
No, not for the user's refusal or opt-out.
The manufacturer must design the product and its processes so that security updates can be notified, distributed, and installed as required. But the Commission FAQ says the manufacturer is not responsible under the CRA if the user does not install the update, including where the user opts out of automatic updates.
Must OTA security updates be free of charge and accompanied by user-facing messages?
Yes, unless the tailor-made exception applies.
The CRA requires security updates addressing identified security issues to be disseminated without delay and free of charge, unless otherwise agreed for a tailor-made product with a business user. It also requires advisory messages with the relevant information, including on potential action users should take.
Once an OTA security update has been released, must it remain available later?
Yes.
Article 13(9) applies to each security update made available during the support period. It must remain available for at least 10 years after issuance or for the remainder of the support period, whichever is longer.
Can a manufacturer stop patching older OTA software branches once users can move to the latest version?
Sometimes.
Article 13(10) allows the manufacturer, under strict conditions, to ensure compliance with the remediation obligation only for the latest substantially modified version it has placed on the market. That is allowed only if users of earlier versions can access the latest version free of charge and without additional costs to adjust their hardware or software environment.
So an OTA upgrade path can support that approach, but only if those Article 13(10) conditions are actually met.
If an OTA update cannot adequately fix the vulnerability or restore conformity, can the CRA require withdrawal or recall?
Yes, in exceptional cases.
The CRA does not assume that every vulnerability can always be solved through an OTA patch. If the product or the manufacturer's processes are not in conformity and the necessary corrective measures cannot adequately bring the product back into conformity, Article 13(21) allows the consequence to be withdrawal or recall, as appropriate.
The Commission FAQ makes the same point expressly: in exceptional cases, particularly for hardware products, a vulnerability may present such a significant risk of compromise that it cannot be adequately addressed and remediated, in which case withdrawal or recall may be required.
Can compromise of the OTA release channel itself trigger CRA reporting obligations?
Yes.
Recital 68 gives a direct example of a severe incident having an impact on the security of the product: an attacker successfully introducing malicious code into the release channel via which the manufacturer releases security updates to users. Once the manufacturer becomes aware of such an incident, Article 14 reporting and user-information duties become relevant.
Are OTA backends, CI/CD pipelines, or update-distribution systems automatically part of the CRA product or its remote data processing solution?
Not necessarily.
Draft Commission guidance says the CRA is not intended to treat the manufacturer's whole IT infrastructure as part of the product. It gives examples including CI/CD pipelines and the distribution of security updates to edge locations as systems that should not be considered RDPS.
But that does not make them irrelevant, and it does not transfer the manufacturer's CRA responsibilities away from the manufacturer. The same draft guidance says manufacturers must apply risk-based security measures and due diligence when relying on third-party cloud service providers. The draft guidance and the CRA's incident rules also show that compromise of those systems can still matter for the product's cybersecurity risk profile and can amount to a reportable severe incident where the security of the product is affected.
Can a locally delivered update path such as USB or a web-upload mechanism satisfy the CRA instead of OTA?
Potentially, yes.
The CRA requires that vulnerabilities can be addressed through security updates and that manufacturers provide mechanisms to securely distribute updates. It does not say that every compliant update path has to be wireless, cloud-delivered, or continuously remote.
ETSI consumer IoT guidance makes that practical point explicit: update mechanisms can range from direct download from a remote server to delivery through a mobile application or transfer over USB or another physical interface. ETSI examples also describe signed updates delivered from a manufacturer-prepared USB stick and constrained devices accepting firmware uploaded through a user interface after signature verification. So OTA is one compliant implementation pattern, not the only one. This is an inference from the CRA's functional wording together with the ETSI examples.
Can a gateway, controller, companion app, or associated service handle update checks or validation on behalf of the device?
Potentially, yes.
The CRA does not say that each individual device must itself poll update servers or personally validate every update package. What it requires is that vulnerabilities can be addressed through security updates and that update-distribution mechanisms are secure.
ETSI EN 303 645 says that, for some products, it can be more appropriate for an associated service rather than the device itself to check whether security updates are available. The same ETSI material also explains that, where updates are delivered over a network interface, authenticity and integrity can be verified through a trust relationship, and that for constrained devices verification can be performed by another trusted device. ETSI TR 103 621 gives a concrete example of a smart home controller that validates update signatures and then transmits the trusted update to sensors and actuators over a trustworthy channel. So gateway- or app-mediated update handling can fit the CRA, provided the trust model and security controls are robust enough. This is an inference from the CRA's functional wording together with the ETSI examples.
Does the CRA require default automatic installation for functionality updates too?
No.
The CRA's default-enable, opt-out, notification, and postponement rule is about automatic security updates where applicable. Separately, Annex I Part II point (2) says new security updates should, where technically feasible, be provided separately from functionality updates.
So the CRA does not create a general rule that feature or functionality changes must be installed automatically by default. If a functionality change is itself necessary to deliver the security fix, bundling may still be allowed, but that does not turn functionality updates as a category into mandatory default automatic updates.
Can CRA automatic security updates be postponed until a suitable maintenance window or unmetered network?
Yes.
Annex I Part I point (2)(c) expressly requires the option to temporarily postpone automatic security updates where automatic security updates are applicable. The CRA therefore does not require every automatic update to install at the first possible moment regardless of operational context.
ETSI implementation examples include user-defined installation times and postponing download or installation until the product is connected to an unmetered network, while still allowing an override for security updates. That does not remove the CRA's requirement that updates be disseminated without delay and that vulnerabilities be fixed or mitigated in a timely manner. It means the update flow can accommodate controlled postponement.
Must the manufacturer document how its OTA or other update-distribution mechanism is secured?
Yes.
The CRA technical-documentation rules do not treat secure update distribution as just an operational detail. Annex VII requires the technical documentation to include the necessary information and specifications of the manufacturer's vulnerability-handling processes, including a description of the technical solutions chosen for the secure distribution of updates.
So the manufacturer needs more than a working update channel. It also needs documentation showing what secure update-distribution approach it chose for the product.
Is using TLS or another protected transport channel by itself enough to make an OTA or update mechanism "secure"?
Not automatically.
The CRA itself speaks at a higher level and requires mechanisms to securely distribute updates. ETSI update-security guidance makes clear that protected transport can be one valid part of the trust model, but that secure update handling is about the overall mechanism resisting misuse and ensuring appropriate authenticity and integrity for the use case.
ETSI EN 303 645 explains that valid trust relationships can include authenticated communication channels, but it also points to verifying authenticity and integrity of updates and to anti-rollback measures. ETSI TS 103 701 says secure update mechanisms need security guarantees appropriate to the use case and that at least integrity and authenticity are required. ETSI TR 103 621 gives an example using TLS plus mutual authentication and digitally signed, versioned firmware packages. So a protected channel may be part of a compliant design, but it is not a shortcut that removes the need to ensure the update itself is trusted and protected against misuse.
Can a product that is mostly offline or only intermittently connected still comply with the CRA's update obligations?
Potentially, yes.
The CRA does not say that a product must be permanently online. It requires that vulnerabilities can be addressed through security updates and that manufacturers provide mechanisms to securely distribute those updates.
ETSI examples show several models that fit that basic pattern: a smart kitchen appliance that can be initialized and used offline and checks for updates when first connected; a limited-bandwidth device that is securely updated via a manufacturer-prepared USB stick; and a smart tracker that only downloads updates when in range of a paired mobile device. Intermittent connectivity does not by itself make a product non-compliant, provided the manufacturer still ensures an update path that is secure and suitable to timely remediation. This is an inference from the CRA's functional wording together with the ETSI examples.