Annex I, Part II, Req 2: Addressing & Remediating Software Vulnerabilities Promptly

Finding vulnerabilities is one thing; fixing them is another. The EU Cyber Resilience Act (CRA) is clear on this: manufacturers must, "in relation to the risks posed to products with digital elements, address and remediate vulnerabilities without delay, including by providing security updates; where technically feasible, new security updates shall be provided separately from functionality updates" (Annex I, Part II, Point 2).

"Without Delay"

This is the crucial phrase. The CRA sets no fixed deadline for every type of vulnerability, but "without delay" means acting as soon as a vulnerability is confirmed and understood, with the greatest urgency when it is being actively exploited or poses a significant risk.

  • Risk-Based Prioritization: The urgency will naturally be higher for critical vulnerabilities than for low-impact ones. Your risk assessment process helps here.
  • Efficient Processes: You need internal processes that allow for rapid development, testing, and deployment of security patches.

Providing Security Updates

The primary way to address and remediate vulnerabilities in software is through security updates (patches). These updates should effectively fix the vulnerability.

Separate Security and Functionality Updates

"Where technically feasible, new security updates shall be provided separately from functionality updates."

  • Purpose: This aims to ensure users can get critical security fixes without being forced to accept new features they might not want, or that might introduce instability. It also allows for quicker deployment of security patches if they aren't bundled with larger feature releases.
  • Technical Feasibility: For some architectures, this might be easier than others. The CRA acknowledges this with "where technically feasible."

Ongoing Obligation

This is not a one-off. This requirement applies throughout the support period of your software product (Article 13, Paragraph 8).

Key Takeaway

Annex I, Part II, Point 2 of the CRA obligates you to fix vulnerabilities in your software promptly by providing security updates. These updates should ideally be separate from feature updates if technically possible, ensuring users can quickly receive critical security fixes.