Annex I, Part I, Req 2c: Software Security Updates (and Automatic Updates)
Keeping software secure is an ongoing job, and the EU Cyber Resilience Act (CRA) emphasizes how vulnerabilities must be addressed. A key product property is that it must "ensure that vulnerabilities can be addressed through security updates, including, where applicable, through automatic security updates that are installed within an appropriate timeframe enabled as a default setting, with a clear and easy-to-use opt-out mechanism, through the notification of available updates to users, and the option to temporarily postpone them" (Annex I, Part I, Point 2c).
Addressing Vulnerabilities via Updates
Your software (app, game, component) must be designed so that security flaws can actually be fixed with updates. This is a fundamental design consideration.
Automatic Updates by Default (Where Applicable)
- Enabled by Default: For many types of software, especially consumer-facing apps and games, the CRA expects automatic security updates to be the default behavior. The goal is to get patches deployed quickly to protect users.
- Appropriate Timeframe: Updates should be installed "within an appropriate timeframe." This is not explicitly defined but implies a reasonably quick process once an update is available.
- Opt-Out Mechanism: Users must have a "clear and easy-to-use opt-out mechanism" if they don't want automatic updates.
- Notification and Postponement: Users should be notified of available updates and have the option to temporarily postpone them.
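As an added illustration, not text from the CRA or code from any real product, the following Python sketch models a client-side update policy that covers the four points above: automatic installation on by default, an opt-out, a notification step, and a bounded postponement. The seven-day deadline and the limit of three postponements are assumed values, since the CRA does not define an "appropriate timeframe".

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum
from typing import Optional


class Action(Enum):
    NOTIFY = "notify"    # tell the user an update is available
    INSTALL = "install"  # apply the security update now
    WAIT = "wait"        # user postponed it; deadline not yet reached
    SKIP = "skip"        # user opted out; leave installation to them


@dataclass
class UpdatePolicy:
    auto_updates: bool = True                     # enabled as a default setting
    max_postpone: timedelta = timedelta(days=7)   # assumed "appropriate timeframe"
    max_postponements: int = 3                    # assumed cap on deferrals

    def opt_out(self) -> None:  # the "clear and easy-to-use opt-out mechanism"
        self.auto_updates = False


@dataclass
class PendingUpdate:
    version: str
    available_at: datetime
    notified: bool = False
    postponed_until: Optional[datetime] = None
    postponements: int = 0


def postpone(update: PendingUpdate, policy: UpdatePolicy, now: datetime,
             duration: timedelta = timedelta(days=1)) -> bool:
    """Temporarily postpone; refuse once the deadline or deferral cap is hit."""
    deadline = update.available_at + policy.max_postpone
    if update.postponements >= policy.max_postponements:
        return False
    new_time = min(now + duration, deadline)
    if new_time <= now:
        return False  # already at the deadline: no further postponement
    update.postponed_until = new_time
    update.postponements += 1
    return True


def decide(update: PendingUpdate, policy: UpdatePolicy, now: datetime) -> Action:
    """Decide what the updater does on this check-in (call once per cycle)."""
    if not update.notified:           # users are always told first
        update.notified = True
        return Action.NOTIFY
    if not policy.auto_updates:
        return Action.SKIP
    if update.postponed_until and now < update.postponed_until:
        return Action.WAIT
    return Action.INSTALL
```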
When is Automatic "Applicable"?
Recital 56 clarifies that automatic updates are not applicable to products primarily intended as components or for professional ICT networks, especially in critical/industrial settings where automatic updates could cause operational interference. For most self-assessed games and general-purpose apps, automatic updates are likely considered applicable.
User Instructions
You need to tell users how to manage these updates, including how to opt out of automatic ones (Annex II, Item 8e).
Key Takeaway
Your software must be updatable to fix security issues as per Annex I, Part I, Point 2c. For many products, automatic security updates should be on by default, but users need clear notifications and options to opt out or postpone.