Annex I, Part II, Req 8: Free and Timely Software Security Updates with Advisories
Security is not a premium feature under the EU Cyber Resilience Act (CRA). When security updates are needed for your software, they must be accessible. Annex I, Part II, Point 8 requires manufacturers to "ensure that, where security updates are available to address identified security issues, they are disseminated without delay and, unless otherwise agreed between a manufacturer and a business user in relation to a tailor-made product with digital elements, free of charge, accompanied by advisory messages...".
No Paywalls for Security
- Free of Charge: You cannot charge users for security updates that fix identified vulnerabilities in your app, game, or software component. This ensures all users can benefit from critical security patches.
- Exception for Tailor-Made Business Products: The only exception is for products specifically customized for a business user where different terms have been contractually agreed upon. This is unlikely to apply to general consumer software or widely distributed components.
"Without Delay"
This echoes Annex I, Part II, Point 2. Once a security update is ready and tested, get it out to your users promptly. The speed of dissemination is critical to minimize the window of opportunity for attackers.
Accompanied by Advisory Messages
Users need to know about the updates and why they are important. Your security updates should be accompanied by:
- Advisory Messages: Clearly communicate that a security update is available.
- Relevant Information:
  - What the update fixes (this can be a general description for security reasons, linking to more details as per the Annex I, Part II, Point 4 disclosure).
  - The importance of installing it.
  - Any potential action users need to take (though ideally, updates are seamless).
  - Guidance on how to install the update if it is not fully automatic.
This information should be clear, accessible, and understandable to your users.
Key Takeaway
Under Annex I, Part II, Point 8 of the CRA, security updates for your software must be provided to users promptly and free of charge. You must also accompany these updates with clear advisory messages explaining their importance and any necessary user actions.