CRA Support Period Basics: Five-Year Floor

The EU Cyber Resilience Act makes support-period planning a product-launch decision, not an afterthought. A manufacturer must decide how long users can expect vulnerabilities to be handled, publish the support end date at purchase, and keep security updates available for the required period. This guide covers the duration mechanics: when the clock starts, how the shorter expected-use exception works, how multi-version portfolios stack, and what upstream supply contracts must cover. For delivery cadence see CRA security updates. For the user-facing support period end date see end-of-support disclosure. For the parent overview see CRA support period.

What the CRA requires for the support period

A support period is the window during which the manufacturer must keep the product's vulnerability-handling process alive. It covers the product and its components, starts from EU market placement, and must be long enough to match how users can reasonably expect the product to be used. The manufacturer should set it from practical evidence: product type, intended purpose, comparable products, relevant Union lifetime rules, operating-environment availability, core third-party component support, and ADCO or Commission guidance. The practical result is simple: support planning has to be set before launch and kept alive across the declared support window.

The obligation has three components:

When the five-year clock starts

The support clock starts when the product enters the EU market, not when the end customer buys it. In EU product-law terms, that is the first making available of the product on the Union market for distribution or use. For support planning, the market-placement date is the date that matters.

Clock starts: The date the product is first made available to a distributor, retailer, importer, or user for distribution or use on the EU market.

Clock does not start at: customer purchase, customer activation, shipment of a specific unit, or the date a customer installs the product.

Practical example:

1. January 2028. Product v1.0 placed on the EU market. The five-year support period begins. The manufacturer owes security updates until at least January 2033.
2. June 2029. A customer purchases v1.0 from a retailer. The customer has approximately 3.5 years of support remaining, not five years from purchase.
3. January 2033. Support period ends. The baseline vulnerability-handling commitment for v1.0 ends. Further user notifications or regulatory engagement depend on the facts.

Best practice: Track market placement dates per product version, not per individual unit. A single placement-date record per SKU is usually the practical evidence base for calculating support end dates.

The shorter expected-use exception

The five-year floor can be shortened only when the product is genuinely expected to be used for less than five years. That exception is narrower than it appears and comes from the support-period rule:

• "Expected product-in-use period" is assessed from the perspective of reasonable user expectations based on the nature of the product, how similar products are typically used, and what the manufacturer communicates.
• The shorter period must be documented in the technical documentation and disclosed to users at purchase, including at least the month and year of the support end date.
• A manufacturer cannot invoke the carve-out after a vulnerability is discovered. The assessment must be made before market placement and recorded in the technical file.
• For most software products, IoT devices, and connected hardware, five years is the practical minimum. The carve-out applies to products with an objectively short useful life, such as single-use or limited-cycle hardware, rather than products where the manufacturer simply prefers a shorter obligation.

Multi-version support

Most manufacturers have multiple product versions on the market simultaneously. Hardware products and independently maintained software versions can create overlapping support windows. Software products also have a limited latest-version-only route for later substantially modified versions, but only if users of previous versions can move to the latest version free of charge and without additional hardware or software-environment costs.

Staggered support periods create overlapping obligations:

Version	Market placement	Support ends (5y)
v1.0	Jan 2028	Jan 2033
v1.1	Jul 2028	Jul 2033
v2.0	Jan 2029	Jan 2034

From January 2029 to January 2033 (four years), the manufacturer may owe security updates to all three versions simultaneously unless an eligible latest-version-only software route applies. Each version has its own CVE exposure, its own dependency tree, and potentially its own customer base. Patch backporting across major versions is technically complex and expensive.

Strategies for reducing multi-version burden:

1. Shared codebase. Where possible, maintain a single security-patched core that all versions build on. Security fixes applied once propagate to all versions.
2. Aggressive migration incentives. Shorter gaps between customers on old versions reduce the active support matrix. Upgrade pricing, free migration tooling, and support credits accelerate version consolidation.
3. Explicit version EOL schedule. Publish the support end date for each version at market placement. Customers who know v1.0 ends in January 2033 have time to plan migration without emergency pressure.
4. Latest-version-only route for eligible software. If using the latest-version-only route, document how previous-version users receive the latest version free of charge and without environment adjustment costs.

Supplier and upstream contract obligations

The manufacturer owns the support-period obligation even when a vulnerability comes from an upstream component. If the product cannot be patched because a component vendor has discontinued support, the manufacturer still needs a remediation path. The upstream contract gap is not a defence under the support-period rule.

What this means in practice:

• If a product includes a third-party operating system, middleware, or chipset firmware, the manufacturer must secure a supply agreement that covers the full support period. An upstream vendor who provides security patches for three years forces the manufacturer to either maintain the patches themselves after year three or stop placing the product on the EU market after the upstream EOL.
• SBOM-based dependency tracking (see the SBOM cluster guide) is the operational mechanism: the manufacturer cannot monitor upstream vulnerabilities without knowing what is in the product.
• Supply contracts should specify: upstream patch commitment duration, notification obligations for newly discovered vulnerabilities, access to source code or patch tooling if the upstream vendor discontinues the component, and indemnification terms for vulnerabilities originating in upstream components.

Importers and distributors who place a product on the market under their own name or trademark, or substantially modify a product already placed on the market, are treated as manufacturers and inherit the manufacturer obligations, including upstream contract risk. See the importer obligations guide for the role-escalation decision flow.

End-of-life planning and responsible product transitions

When the support period ends, the baseline vulnerability-handling commitment for that product version ends, but a set of responsibilities remains.

What remains at end-of-support:

• The support period end date disclosed at purchase stands as the user-facing commitment.
• The technical documentation and EU Declaration of Conformity must be retained for at least 10 years from market placement or for the support period, whichever is longer.
• Information and instructions to users must remain available to users and market surveillance authorities on the same 10-year-or-support-period basis, whatever the delivery channel; where they are provided online, they must also stay accessible online for that period.
• Where it is technically feasible for the product, the manufacturer should display a notification telling users that the product has reached the end of its support period.
• Unsupported-product vulnerabilities still require careful handling. The CRA does not give a blanket safe-harbour sentence for every incident-reporting question at EOL, and market surveillance authorities can still act where a product presents significant cybersecurity risk. Penalty exposure is covered in the penalties and enforcement guide; support expiry is not a blanket shield if the product presents significant cybersecurity risk.

Communication obligations at end-of-support:

The CRA does not specify a statutory notice period for end-of-support. The purchase-time disclosure of the support period end date means that users who purchased the product after the disclosure was in place were already on notice. For products where the original disclosure was absent or unclear, advance notice is an operational risk control rather than a CRA-numbered deadline.

Post-EOL: the manufacturer should maintain a security contact for responsible vulnerability disclosure, keep product documentation accessible, and cooperate with any market surveillance authority investigation.

Common mistakes

• Not tracking market placement dates. Without a per-version placement date record, the manufacturer cannot calculate when support obligations start or end, cannot produce the user-facing support end date, and cannot demonstrate compliance to market surveillance authorities.

• Failing to plan for upstream EOL. If a chipset, OS, or middleware vendor ends support before the manufacturer's support period expires, the manufacturer must have a plan. Reactive discovery of upstream EOL with no supply agreement in place is a common and expensive failure mode.

• Coupling security patches to feature releases. Bundling security fixes into major version upgrades forces customers to accept new features and new risk surface to receive a security fix. Security fixes should be delivered as security fixes, without forcing paid tiers or major feature upgrades.