Support Period: Defining and Communicating It for Your Software Product
The Cyber Resilience Act (CRA) introduces a crucial concept: the "support period." This isn't just about customer service; it's the timeframe during which you, the software manufacturer, are obligated to handle vulnerabilities effectively as per Annex I, Part II.
Determining the Support Period
Article 13, Paragraph 8, dictates how you determine this period for your app, game, or software component. You must:
- Reflect Expected Use Time: The support period should mirror how long the product is reasonably expected to be in use.
- Consider User Expectations: What would a typical user of your software expect in terms of ongoing security support?
- Account for the Nature of the Product: A quickly evolving mobile game might have different expectations than a long-lived software library.
- Check Relevant EU Law: If other EU laws specify a lifetime for your type of product, that's a factor.
- Keep It Proportionate: The determination must be proportionate.
Recitals 59 and 60 elaborate that factors like support for similar products, availability of the operating environment, and support for integrated third-party components can also be considered.
Minimum Duration
Crucially, Article 13, Paragraph 8, states the support period "shall be at least five years". However, if your software product is "expected to be in use for less than five years, the support period shall correspond to the expected use time". You'll need to justify this shorter period in your technical documentation. For many apps and games, especially those with ongoing services or user accounts, exceeding five years might be a reasonable expectation.
Communicating the Support Period
Transparency is key.
- At Purchase: Article 13, Paragraph 19, requires you to clearly and understandably specify the end date of the support period (at least month and year) at the time of purchase in an easily accessible manner. This could be on your product page, in the app store listing, or packaging if applicable.
- User Instructions: Annex II, point 7, mandates that user instructions include the type of technical security support offered and the end date of the support period.
- End of Support Notification: Where technically feasible, your software should notify users when it reaches the end of its support period (Article 13, Paragraph 19; Recital 56).
Key Takeaway
You must define a support period for your software, generally at least five years, during which you'll manage vulnerabilities. This period must be clearly communicated to users at purchase and in the product documentation.