EU Cyber Resilience Act FAQ Support Period

The CRA defines the support period as the period during which the manufacturer must ensure that vulnerabilities of a product with digital elements are handled effectively and in line with Annex I, Part II.

This obligation applies to the product in its entirety, including integrated components.

No.

Five years is the minimum in normal cases, not the automatic answer for every product. The CRA says the support period must be at least five years unless the product is expected to be in use for less than five years. If the product is reasonably expected to remain in use for longer than five years, the support period should be longer.

The CRA requires manufacturers to consider:

- reasonable user expectations

- the nature of the product, including its intended purpose

- relevant Union law determining the product's lifetime

The CRA also allows manufacturers to take into account:

- support periods of similar products

- availability of the operating environment

- support periods of third-party integrated components that provide core functions

- guidance from ADCO and the Commission

These factors must be applied proportionately.

Not in one sentence using the words "the support period starts on X date". But the combined reading of the CRA, the Commission FAQ, the draft guidance, and the Blue Guide points to placing on the market as the operative starting point.

Why:

- Article 13(8) requires vulnerability handling when placing the product on the market and for the support period.

- Article 13(19) requires the end date to be disclosed at the time of purchase.

- The Commission FAQ gives a hardware example counting from units placed on the market in January 2028 to January 2033.

- The draft guidance gives an example of eight years from the date of placement on the market.

For physical products, it is tied to each individual product, not to the abstract model or type.

The Blue Guide says placing on the market refers to each individual product, not to a type of product, whether it is manufactured individually or in series. The Commission FAQ then applies that logic to CRA support periods for hardware.

Yes.

The Commission FAQ gives this directly. Units of a hardware model placed on the market in January 2028 with a five-year support period can remain supported until January 2033. If more units of the same model are placed on the market on 1 January 2030, the manufacturer must set the support period for those newly placed units too.

Yes.

The Commission FAQ says products already placed on the market can continue to be made available after the support period expires. But if new units of that product are placed on the market later, the manufacturer must set the support period for those newly placed units.

No.

For physical products, manufacturing must be complete before placing on the market can happen, but manufacturing completion alone is not enough. There must also be a first supply for distribution or use on the Union market.

For standalone software supplied digitally, the draft guidance also rejects manufacturing completion alone as enough. Placement occurs when the completed software is first supplied for distribution or use on the EU market.

No.

The Blue Guide says placing on the market requires an offer or agreement for transfer of ownership, possession, or another property right after manufacturing is complete. It expressly says physical handover is not required.

Usually yes.

The Blue Guide says that when a manufacturer or importer first supplies a product to a distributor or an end-user, that first supply is placing on the market. Later transactions further down the chain are making available, not a new placing event.

No.

Once that individual unit has already been placed on the market, later distributor-to-distributor or distributor-to-end-user transactions are only later instances of making the product available on the market.

No.

The CRA support-period logic is anchored to placing on the market, not first use. The Blue Guide treats placing on the market and putting into service as different concepts. The CRA materials on support periods use placing on the market as the reference point.

No.

The Blue Guide treats them as distinct concepts. Some Union legislation uses both concepts, or treats own use as equivalent. The CRA support-period rules and the available Commission materials are built around placing on the market, not putting into service.

No.

The Blue Guide says placing on the Union market can happen only once for each individual product across the EU and does not happen separately in each Member State.

Generally no.

The Blue Guide says placing on the market does not occur where a product is manufactured for one's own use, unless the relevant Union legislation also covers own use.

No.

The Blue Guide says an offer or agreement concluded before manufacture is finalised cannot be treated as placing on the market. Manufacturing must be complete first.

That can be the placing-on-the-market event.

The Blue Guide explains that for direct distance sales from outside the EU to an EU end user, the product is placed on the market when the order is placed and confirmed for a specific product that is already manufactured and ready to be shipped.

They can change the answer.

The Blue Guide says:

- products offered online to EU end users are deemed made available if the offer targets the Union

- but the actual placing-on-the-market event depends on the distribution chain

- if products are shipped into the EU and stored with a fulfilment service provider for EU delivery, they are considered placed on the market when released for free circulation

- if a specific already-manufactured product is sold directly from outside the EU to an EU end user, placement occurs when the order is placed and confirmed for that specific product

No.

The Blue Guide treats those situations as different from placing on the Union market. Compliance with Union product rules applies when the product is actually placed on the market.

Not always.

The Blue Guide distinguishes between:

- being deemed made available for market-surveillance purposes when the offer targets EU end users, and

- the actual placing-on-the-market event for the individual product, which depends on the distribution chain

So the targeted offer matters, but the placement date still depends on how that individual product reaches the EU market.

That does not delay the placement date.

The Commission FAQ recognizes this situation directly. A product may sit in the manufacturer's distribution branch, in fulfilment arrangements, or on a retailer shelf before reaching the user. It was still placed on the market earlier.

No.

The Commission FAQ says the Article 13(1) obligation to deliver products without known exploitable vulnerabilities applies at the moment of placement on the market. Once the product has already been placed on the market, the manufacturer is not expected to fix newly discovered vulnerabilities before the product reaches the final user. But the manufacturer still has vulnerability-handling obligations during the support period and may need to provide a security update as soon as the product is put into operation by its user.

Usually per combined product, not by a separate software-delivery date.

The draft guidance says that where software is necessary for the hardware to perform its intended functions, the hardware and that software together constitute the product placed on the market. The key question is not how or when the software is delivered, but whether it is necessary for the product's intended functions.

Yes, if it is necessary to operate, configure, control, or meaningfully use the device.

The draft guidance expressly says necessary software remains part of the same product even if it is obtained later through an app store, a download link, or another digital channel after the hardware has already been placed on the market.

No.

The draft guidance says the special rule for standalone software supplied digitally applies only to standalone software. It does not apply where software is supplied on physical media or where software forms part of a combined hardware-software product.

Current Commission draft guidance says a standalone software product supplied digitally should be considered placed on the market when:

- its manufacturing phase is complete, and

- that software is first supplied for distribution or use on the EU market in the course of a commercial activity

Current Commission draft guidance says no.

The draft says all copies of the same unchanged version are considered placed on the market at the same time, namely when that version is first offered on the EU market. Later downloads or remote access to that unchanged version are later instances of making it available.

No.

The draft guidance says iterations that do not qualify as substantial modifications do not require a new conformity assessment and do not modify the software's placement date.

Yes.

Where a modification qualifies as a substantial modification, the modified product is treated as a new product for CRA purposes. That means a new placing-on-the-market event and a new support-period determination for that substantially modified version.

Current Commission draft guidance says yes.

The draft guidance says each substantially modified version placed on the market must have a declared support period that complies with Article 13(8).

Sometimes, but only within the conditions of Article 13(10).

If the manufacturer has placed subsequent substantially modified versions of a software product on the market, it may comply with the remediation obligation in Annex I, Part II, point (2) only for the latest placed version, provided that users of earlier versions can access the latest version:

- free of charge

- without additional costs to adjust their hardware or software environment

This does not remove the manufacturer's other vulnerability-handling obligations for the support period.

Not automatically.

Recital 40 says that where a hardware product is not compatible with the latest version of the operating system it was originally delivered with, the manufacturer must continue to provide security updates at least for the latest compatible version for the support period.

Yes, but only where the product is expected to be in use for less than five years.

This is an exception, not a business preference. The Commission materials give examples such as a contact-tracing application for a pandemic and some software that is no longer available and no longer in use once a subscription expires.

No.

The Commission FAQ and the draft guidance both say five years is only a safeguard. It is not the default for products reasonably expected to be used longer. The Commission materials specifically mention longer-lived hardware components, network devices, software such as operating systems or video-editing tools, and industrial systems.

No.

The support period of integrated core components is only one factor the manufacturer may take into account. It does not automatically cap the manufacturer's support obligation for the finished product.

The finished-product manufacturer still remains responsible for the finished product.

The Commission FAQ says the finished product must comply in its entirety during its own support period. If an integrated component is no longer supported and a vulnerability cannot be adequately handled by mitigations, the manufacturer of the finished product may need to switch out the component, develop a patch itself, disable compromised functions, or otherwise remediate by other means.

It covers the product in its entirety, including integrated components.

The CRA and the Commission FAQ are explicit on this point. The manufacturer must handle vulnerabilities affecting the whole product, including vulnerabilities found in integrated third-party components.

Partly, but not completely.

The Commission FAQ says the finished-product manufacturer may benefit from the component manufacturer's own CRA obligations, for example where the component manufacturer develops a security update. But the finished-product manufacturer still remains responsible for its own product's compliance and vulnerability handling.

No.

The Commission FAQ says that even where the component maker is not subject to CRA vulnerability-handling obligations, the integrating manufacturer must still ensure its own product complies in its entirety and must remediate vulnerabilities by other means if necessary.

The manufacturer must clearly and understandably specify the end date of the support period, at least month and year, at the time of purchase, in an easily accessible manner. Where appropriate, this may also be shown on the product, the packaging, or by digital means.

Where technically feasible, the manufacturer must also notify users when the product has reached the end of its support period.

Yes.

The CRA requires the manufacturer to include in the technical documentation the information taken into account to determine the support period. Annex VII expressly requires this information.

Yes.

The CRA requires the technical documentation to be drawn up before placement on the market and to be continuously updated where appropriate, at least during the support period.

They must be kept, but this is a separate retention rule.

The CRA says technical documentation and the EU declaration of conformity must be kept for at least 10 years after placement on the market or for the support period, whichever is longer. It applies the same 10-years-or-support-period rule to user instructions and their online availability.

This does not mean the support period is always 10 years.

Yes.

This is a separate rule from the length of the support period itself. Each security update made available during the support period must remain available for at least 10 years after issuance or for the remainder of the support period, whichever is longer.

Yes.

Article 13(9) is separate from Article 13(8). A product might have a five-year support period, but updates issued during that period may still need to remain available for longer.

As a rule, they are subject to the CRA only if they undergo a substantial modification on or after 11 December 2027.

Article 14 reporting obligations are the main express exception and apply more broadly.

No.

The Commission FAQ says the CRA applies to individual units placed on the market after the application date. Old product types or models are not grandfathered for newly placed units.

Generally no.

If those units were already placed on the market before 11 December 2027, they are not subject to the CRA cybersecurity requirements merely because they remain in distribution afterward, unless they are substantially modified. Reporting obligations are the main exception.

Yes.

Article 69(3) makes Article 14 apply to in-scope products placed on the market before that date as well. The Commission FAQ says manufacturers must notify actively exploited vulnerabilities and severe incidents for those legacy products even though other CRA obligations may not apply to them.

Yes.

The CRA and the Commission FAQ allow support periods below five years where the product is genuinely expected to be in use for less than five years. Recital 60 gives software that becomes unavailable and no longer in use once the subscription expires as an example of that kind of case.

Use this rule set:

- For physical products, including hardware plus software that is part of that product, determine the support period at the level of each individual unit when that unit is first placed on the EU market.

- Do not use manufacturing date as the support-period start date.

- Do not use later distributor sale, activation, installation, or first use as the support-period start date.

- Treat stock already in the distribution chain as already placed if the first EU supply event has already occurred.

- For direct online sales, determine the placement date from the actual distribution model, not from marketing language alone.

- For standalone software delivered digitally, the current Commission draft guidance points to the first EU offering of the unchanged version as the placement date.

- If a software or product change is a substantial modification, treat the modified product as a new product with a new placement event and a new support-period determination.

- Track component support periods, but do not treat them as automatic caps on the finished product's support period.

- Track Article 13(9) separately: each security update issued during the support period must remain available for at least 10 years after issuance or for the remainder of the support period, whichever is longer.

- Record in the technical documentation exactly what factors were used to justify the support period.

Yes.

The Blue Guide says the transfer can be for payment or free of charge and gives sale, loan, hire, leasing, and gift as examples. What matters is the first making available on the Union market after manufacture is complete.

No.

The Blue Guide says repeated renting of the same product does not create a new placing-on-the-market event. The relevant compliance moment remains the first placing-on-the-market event for that unit.

No.

The Blue Guide expressly says placing on the market does not take place where a product is transferred from the manufacturer in a third country to an authorised representative in the Union engaged to help ensure compliance.

No, not if they have not yet been supplied for distribution, consumption, or use.

The Blue Guide says products in those stocks are not yet placed on the market where they are not yet made available.

No.

The Blue Guide says products displayed or operated under controlled conditions at trade fairs, exhibitions, or demonstrations are not placed on the market. The same is true for transfers for testing or validating pre-production units that are still in the stage of manufacture.

No.

Under the CRA, the support period is a cybersecurity support obligation: it is the period during which vulnerabilities must be handled effectively. It is not simply another label for abstract product lifetime, physical durability, or a general commercial warranty period.

But the manufacturer must set the support period so that it reflects how long the product is expected to be in use. Expected use and product lifetime therefore matter because they are inputs into the support-period decision.

It affects both.

Article 13(3) requires the cybersecurity risk assessment to take into account the length of time the product is expected to be in use. The Commission FAQ then links that same expected-use analysis to the support period under Article 13(8).

Yes.

The Commission FAQ says the manufacturer should consider the product's lifetime during design and development and prepare the product so that vulnerabilities, including component vulnerabilities, can be handled effectively throughout the support period.

Yes, where appropriate.

The CRA requires the risk assessment to be documented and updated where appropriate during the support period. The Commission FAQ adds that where the risk assessment relies on information and instructions to users to address certain risks, those materials should be updated accordingly.

Yes.

Article 13(8) expressly requires the manufacturer to take into account relevant Union law determining the lifetime of products with digital elements. So the support-period analysis is not based only on internal policy or market preference.

The CRA does not let the manufacturer stay silent.

If a manufacturer ceases operations and therefore cannot comply with the CRA, it must inform the relevant market surveillance authorities before the cessation takes effect and must also inform users of the affected products, by any available means and to the extent possible.

Yes.

The CRA says market surveillance authorities must monitor how manufacturers applied the Article 13(8) criteria when determining support periods.

Yes.

The CRA says ADCO must publish relevant statistics on categories of products with digital elements, including average support periods determined by manufacturers, and provide guidance with indicative support periods for product categories.

Yes.

Article 13(8) allows the Commission to adopt delegated acts specifying minimum support periods for specific product categories where market-surveillance data suggests inadequate support periods.

No.

Article 13(19) requires the end date of the support period to be specified at the time of purchase, including at least the month and year. So the disclosure has to give users an actual end date, not only a relative formula such as "five years from purchase" or "five years from activation".

No.

Article 13(8) says the support period must reflect the length of time during which the product is expected to be in use, but the January 2026 Commission FAQ adds that manufacturers are not expected to apply that as a simple one-factor shortcut. Except where the expected use time is less than five years, the manufacturer must determine the support period by taking the Article 13(8) criteria into account proportionately.

No.

The January 2026 Commission FAQ says that where the product is expected to be in use for less than five years, the support period must correspond to that expected use time without further consideration of the other criteria listed in Article 13(8). That is the CRA's specific exception to the normal five-year minimum.

No.

Article 52(16) says ADCO publishes statistics, including average support periods, and guidance with indicative support periods for product categories. Those are not themselves the same thing as binding minimum support periods. Binding category-specific minimums arise only if the Commission later adopts a delegated act under Article 13(8).

The January 2026 Commission FAQ treats that as a specific support-period scenario.

The FAQ says that some free and open-source software placed on the market may be monetised only through paid support services offered on a subscription basis. Because that software may remain in use after the user stops paying for support, the FAQ says the manufacturer is required to ensure a support period equal to the duration of the active subscription.

Yes.

The March 2026 draft guidance says that for continuously evolving software, the manufacturer may rely on Article 13(10) to stop addressing and remediating vulnerabilities for earlier substantially modified versions once users can upgrade to a later version free of charge and without additional costs. The guidance expressly notes that this may result in a shorter effective support period for those earlier versions, while the other vulnerability-handling obligations still continue.