Use this CRA FAQ to understand how long issued security updates must remain available, when historical software archives are optional, and what Article 13(10) does and does not allow.
Built for release, product, engineering, and compliance teams managing retained updates, historical versions, and archive policies under the CRA.
Structured answer sets in this page tree.
Cited legal and guidance references.
The CRA separates vulnerability-support duties from retained-update availability and from optional public software archives. This FAQ explains Article 13(9), Article 13(10), and Article 13(11), including how long issued security updates must remain available, when historical versions may appear in archives, and why optional archives do not replace mandatory update-retention rules.
Yes.
The CRA requires each security update that was made available during the support period to remain available after issuance for at least 10 years or for the remainder of the support period, whichever is longer.
Article 13(9)
No.
The support period is the period during which the manufacturer must handle vulnerabilities effectively. Update availability is a separate rule that keeps already-issued security updates accessible for a minimum period after issuance.
Article 3(20), Article 13(8), Article 13(9)
Yes.
Article 13(9) applies to each security update that has been made available to users during the support period.
Article 13(9)
No.
Article 13(9) is framed at the level of each security update made available during the support period, not only the latest one.
Article 13(9)
Yes.
A product might have a shorter support period, but a security update issued during that period may still need to remain available for at least 10 years after issuance if that is longer.
Article 13(8), Article 13(9)
Not necessarily.
The obligation to handle vulnerabilities runs through the support period. Article 13(9) separately preserves access to security updates that were already issued during that period.
Article 13(8), Article 13(9)
No.
The CRA says manufacturers may maintain public software archives. That means archives are allowed, not required.
Article 13(11)
The CRA allows archives that enhance user access to historical versions. The Commission FAQ explains this as historical versions of products with digital elements that are no longer made available on the market.
Article 13(11)
section 1.5
Users must be clearly informed, in an easily accessible manner, about the risks associated with using unsupported software.
Article 13(11)
section 1.5
Yes.
The end date of the support period, at least month and year, must be clearly and understandably specified at the time of purchase in an easily accessible manner.
Article 13(19)
Yes, where technically feasible in light of the nature of the product.
The CRA requires a notification informing users that the product has reached the end of its support period where that is technically feasible.
Article 13(19), recital 56
point 116
Yes.
The CRA requires the information and instructions to the user to remain at users' and authorities' disposal for at least 10 years after placing on the market or for the support period, whichever is longer. If they are provided online, they must stay accessible and available online for the same period.
Article 13(18)
Yes.
The technical documentation and EU declaration of conformity must be kept at the disposal of market surveillance authorities for at least 10 years after placing on the market or for the support period, whichever is longer.
Article 13(13)
Yes.
Annex I Part II point (4) requires the manufacturer, once a security update has been made available, to share and publicly disclose information about fixed vulnerabilities, including the affected product, impacts, severity, and information helping users remediate the issue. In duly justified cases, publication may be delayed until users have had the possibility to apply the patch.
Annex I Part II point (4)
Yes.
The March 2026 draft guidance says that where remediation of earlier versions is discontinued, users who have not upgraded to the newest version are expected to be informed. That sits alongside the CRA rule requiring end-of-support notifications where technically feasible.
points 118-120 and footnote 14
Article 13(19)
No.
Article 13(11) treats public software archives as a way to enhance access to historical versions. It does not convert unsupported software back into supported software, and it requires users to be warned about the risks of using unsupported software.
Article 13(11)
section 1.5
Yes.
Article 13(10) allows a manufacturer of a software product with subsequent substantially modified versions to comply with the remediation obligation only for the latest placed version, but only if users of the earlier versions can access that latest version free of charge.
That means the CRA does not let the manufacturer stop remediating older versions while putting the fix path behind a paid upgrade.
Article 13(10), recital 40
point 118
No.
Recital 40 says the manufacturer may shift remediation to the latest placed software version only if users of the previous versions can access that latest version free of charge and do not incur additional costs to adjust the hardware and software environment in which they use the original version.
The March 2026 draft guidance adds that this should be interpreted practically and proportionately, but it does not cover costs such as buying new hardware or making fundamental infrastructure changes.
Article 13(10), recital 40
points 118-120
No.
Recital 40 and the March 2026 draft guidance both make the same point: Article 13(10) gives flexibility only for the obligation to address and remediate vulnerabilities for earlier versions. The manufacturer remains subject to the other vulnerability-handling requirements for the support period, such as coordinated vulnerability disclosure and measures to facilitate information sharing about potential vulnerabilities.
Article 13(10), Annex I Part II point (2), recital 40
points 118-120
No.
Article 13(9) creates a mandatory duty to keep each security update made available during the support period available after issuance. Article 13(11) is a separate, optional rule that allows manufacturers to maintain public software archives to enhance access to historical versions. The Commission FAQ describes those archives as a way to provide access to historical versions of products that are no longer made available on the market.
Article 13(9), Article 13(11)
section 1.7
No.
The mandatory rule in Article 13(9) applies to each security update made available during the support period. By contrast, Article 13(11) says manufacturers may maintain public software archives for historical versions. So the CRA imposes a mandatory retention rule for issued security updates, but it does not impose a general duty to keep every historical software version downloadable as such.
Article 13(9), Article 13(11)
section 1.7
Yes.
Article 13(10) gives flexibility only for the obligation in Annex I Part II point (2) to address and remediate vulnerabilities for earlier versions. Article 13(9) separately requires each security update that was made available during the support period to remain available after issuance. The March 2026 draft guidance treats Article 13(10) as a limited exception for remediation of earlier versions, not as a cancellation of the separate update-retention rule.
Article 13(9), Article 13(10), Annex I Part II point (2)
points 118-120
No.
Recital 40 says that where a hardware product, such as a smartphone, is not compatible with the latest version of the operating system it was originally delivered with, the manufacturer should continue to provide security updates at least for the latest compatible version for the support period. So Article 13(10) does not let the manufacturer point users to an upgrade path that the hardware cannot actually use and then stop supporting the compatible branch.
recital 40
points 118-120
Not necessarily.
Inference from Articles 13(9) and 13(11): the mandatory rule is to keep security updates available to users, while public software archives are only an optional way to enhance access to historical versions. The CRA therefore does not state that every retained security update must be published in a public archive open to anyone, even though a manufacturer may choose to make updates available that way.
Article 13(9), Article 13(11)
section 1.7
Research Copilot can turn EU Cyber Resilience Act FAQ Update Availability and Archives into a reusable cited workflow for teams implementing EU Cyber Resilience Act FAQ.
Start from EU Cyber Resilience Act FAQ Update Availability and Archives and move to source-backed decisions and evidence workflows.
Review evidence gaps, ownership, and next steps for EU Cyber Resilience Act FAQ.