Communicating "End of Support" for Your Software Product
Under the Cyber Resilience Act (CRA), you must define a "support period" for your app, game, or software, during which you provide security updates. Just as important is clearly communicating when that support will end.
Why Communication is Mandatory
Letting a product's security support silently lapse leaves users unknowingly vulnerable. The CRA prevents this by mandating clear communication about the end of the support period.
How to Communicate End of Support
- At the Time of Purchase (Article 13, Paragraph 19):
  - You must "clearly and understandably" specify the end date of the support period (at least the month and year) when the user buys or acquires your software.
  - This information must be "easily accessible". Good places for this include your product's page on your website, its listing in an app store, or its physical packaging, if applicable.
- In User Information and Instructions (Annex II, point 7):
  - Your user manual or help files must state the type of technical security support offered and the "end-date of the support period".
- In-App Notification (Article 13, Paragraph 19):
  - "Where technically feasible in light of the nature of the product", you must display a notification to users informing them that their product has reached the end of its support period.
  - For an app or game, this could be a one-time startup message or a persistent banner in the settings menu once the date has passed. Recital 56 adds that this notification should not have a negative impact on user experience.
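One way an app could implement the one-time startup message and the persistent settings banner described above, as an added example that is not part of the original page. It assumes the end date is stored as `YYYY-MM`, that support runs through the last day of that month in UTC, and that `store` is a Map-like settings store; all function and key names are hypothetical.

```javascript
// Added example: end-of-support notice logic. All names are hypothetical.

// Parse "YYYY-MM" and return the first instant (UTC, ms) after the support period.
// Assumption: a month-and-year end date means support runs through the last
// day of that month.
function supportEndInstant(yearMonth) {
  const m = /^(\d{4})-(0[1-9]|1[0-2])$/.exec(yearMonth);
  if (!m) throw new Error(`invalid end-of-support month: ${yearMonth}`);
  // Date.UTC months are 0-based, so passing the 1-based month selects the
  // following month; December rolls over into January of the next year.
  return Date.UTC(Number(m[1]), Number(m[2]), 1);
}

// Decide what the UI should show at startup. `store` is any Map-like
// persistent key/value store (a real app would back it with its settings).
function endOfSupportUi(yearMonth, nowMs, store) {
  const expired = nowMs >= supportEndInstant(yearMonth);
  if (!expired) {
    return { expired, showStartupNotice: false, showSettingsBanner: false };
  }
  // Key the flag by end date so a changed end date triggers a fresh notice.
  const key = `eosNoticeShown:${yearMonth}`;
  const alreadyShown = store.get(key) === true;
  if (!alreadyShown) store.set(key, true); // recorded when the notice is issued
  return {
    expired,
    showStartupNotice: !alreadyShown, // one-time startup message
    showSettingsBanner: true,         // persistent banner in the settings menu
  };
}

// Constructed sample run: support ends December 2027.
const store = new Map();
const lastSupported = Date.UTC(2027, 11, 31, 23, 59, 59);
const firstUnsupported = Date.UTC(2028, 0, 1, 0, 0, 0);
console.log(endOfSupportUi("2027-12", lastSupported, store));
console.log(endOfSupportUi("2027-12", firstUnsupported, store));
console.log(endOfSupportUi("2027-12", firstUnsupported + 86400000, store));
```

Showing the startup message only once while keeping the banner in settings keeps the notice visible without interrupting every launch.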
Clear communication manages user expectations and helps them make informed decisions about when to migrate to a newer, supported version or stop using the software.
Key Takeaway
The CRA requires you to be transparent about your software's support period. You must communicate the end date at purchase, in the user instructions, and, where feasible, with a direct notification within the software itself when support ends.