Find the exact question, open the source answer card, and copy a direct link to the anchored sub-FAQ response.
Yes.
The end date of the support period, at least month and year, must be clearly and understandably specified at the time of purchase in an easily accessible manner.
Article 13(19)
Yes, where technically feasible in light of the nature of the product.
The CRA requires a notification informing users that the product has reached the end of its support period where that is technically feasible.
Article 13(19), recital 56
point 116
Yes.
The CRA requires the information and instructions to the user to remain at users' and authorities' disposal for at least 10 years after placing on the market or for the support period, whichever is longer. If they are provided online, they must stay accessible and available online for the same period.
Article 13(18)
Yes.
The technical documentation and EU declaration of conformity must be kept at the disposal of market surveillance authorities for at least 10 years after placing on the market or for the support period, whichever is longer.
Article 13(13)
Yes.
Annex I Part II point (4) requires the manufacturer, once a security update has been made available, to share and publicly disclose information about fixed vulnerabilities, including the affected product, impacts, severity, and information helping users remediate the issue. In duly justified cases, publication may be delayed until users have had the possibility to apply the patch.
Annex I Part II point (4)
Yes.
The March 2026 draft guidance says that where remediation of earlier versions is discontinued, users who have not upgraded to the newest version are expected to be informed. That sits alongside the CRA rule requiring end-of-support notifications where technically feasible.
points 118-120 and footnote 14
Article 13(19)
No.
Article 13(11) treats public software archives as a way to enhance access to historical versions. It does not convert unsupported software back into supported software, and it requires users to be warned about the risks of using unsupported software.
Article 13(11)
section 1.5
Yes.
Article 13(10) allows a manufacturer of a software product with subsequent substantially modified versions to comply with the remediation obligation only for the latest placed version, but only if users of the earlier versions can access that latest version free of charge.
That means the CRA does not let the manufacturer stop remediating older versions while putting the fix path behind a paid upgrade.
Article 13(10), recital 40
point 118
No.
Recital 40 says the manufacturer may shift remediation to the latest placed software version only if users of the previous versions can access that latest version free of charge and do not incur additional costs to adjust the hardware and software environment in which they use the original version.
The March 2026 draft guidance adds that this should be interpreted practically and proportionately, but it does not cover costs such as buying new hardware or making fundamental infrastructure changes.
Article 13(10), recital 40
points 118-120
No.
Recital 40 and the March 2026 draft guidance both make the same point: Article 13(10) gives flexibility only for the obligation to address and remediate vulnerabilities for earlier versions. The manufacturer remains subject to the other vulnerability-handling requirements for the support period, such as coordinated vulnerability disclosure and measures to facilitate information sharing about potential vulnerabilities.
Article 13(10), Annex I Part II point (2), recital 40
points 118-120
No.
Article 13(9) creates a mandatory duty to keep each security update made available during the support period available after issuance. Article 13(11) is a separate, optional rule that allows manufacturers to maintain public software archives to enhance access to historical versions. The Commission FAQ describes those archives as a way to provide access to historical versions of products that are no longer made available on the market.
Article 13(9), Article 13(11)
section 1.7
No.
The mandatory rule in Article 13(9) applies to each security update made available during the support period. By contrast, Article 13(11) says manufacturers may maintain public software archives for historical versions. So the CRA imposes a mandatory retention rule for issued security updates, but it does not impose a general duty to keep every historical software version downloadable as such.
Article 13(9), Article 13(11)
section 1.7
Yes.
Article 13(10) gives flexibility only for the obligation in Annex I Part II point (2) to address and remediate vulnerabilities for earlier versions. Article 13(9) separately requires each security update that was made available during the support period to remain available after issuance. The March 2026 draft guidance treats Article 13(10) as a limited exception for remediation of earlier versions, not as a cancellation of the separate update-retention rule.
Article 13(9), Article 13(10), Annex I Part II point (2)
points 118-120
No.
Recital 40 says that where a hardware product, such as a smartphone, is not compatible with the latest version of the operating system it was originally delivered with, the manufacturer should continue to provide security updates at least for the latest compatible version for the support period. So Article 13(10) does not let the manufacturer point users to an upgrade path that the hardware cannot actually use and then stop supporting the compatible branch.
recital 40
points 118-120
Not necessarily.
Inference from Articles 13(9) and 13(11): the mandatory rule is to keep security updates available to users, while public software archives are only an optional way to enhance access to historical versions. The CRA therefore does not state that every retained security update must be published in a public archive open to anyone, even though a manufacturer may choose to make updates available that way.
Article 13(9), Article 13(11)
section 1.7
Yes.
Article 13(18) requires manufacturers to accompany products with the Annex II information and instructions to the user, in paper or electronic form. Those materials must be clear, understandable, intelligible, legible, and sufficient for secure installation, operation, and use.
Article 13(18), Annex II
It must be in a language that can be easily understood by users and market surveillance authorities.
Article 13(16), Article 13(18)
Yes.
The CRA allows the information and instructions to be provided in paper or electronic form. If they are provided online, the manufacturer must ensure they are accessible, user-friendly, and remain available online for at least 10 years after placing on the market or for the support period, whichever is longer.
Article 13(18)
Annex II requires, at minimum:
- manufacturer identity and contact details
- the single point of contact for vulnerability reporting and the location of the coordinated vulnerability disclosure policy
- product identification information
- intended purpose, essential functionalities, and security properties
- known or foreseeable circumstances that may lead to significant cybersecurity risks
- the declaration-of-conformity web address where applicable
- the type of security support offered and the end date of the support period
- instructions for secure commissioning, use, updates, and decommissioning
- instructions on how to turn off automatic security updates where applicable
- integration information for integrators where applicable
- SBOM access information if the manufacturer decides to make the SBOM available to users
Annex II
Yes.
Article 13(19) requires the end date of the support period, at least month and year, to be clearly and understandably specified at the time of purchase in an easily accessible manner.
Annex II also requires the product to be accompanied by information on the type of technical security support offered and the end date of the support period.
Article 13(19), Annex II, point 7
point 116