The Cyber Resilience Act (Regulation (EU) 2024/2847) requires manufacturers to state the support-period end date in the information accompanying the product, before purchase. It is the user-facing counterpart to support-period planning and the point-of-purchase end-of-life duty. For duration mechanics, see CRA Support Period Basics. For patch delivery, see CRA Security Updates. For the parent overview, see CRA support period.
Summary
- Pre-purchase requirement. The end-date disclosure must reach the user before the purchase completes, not afterwards.
- Where the buyer will see it before purchase. The end date must be clear and easily accessible at the time of purchase, and where applicable on the product, its packaging, or by digital means such as the product page. It should also appear in the instructions accompanying the product. The deciding point is that the buyer sees it before they commit, not afterwards in a post-sale email or terms of service.
- A reminder when support actually ends. Where it is technically feasible for the product, the manufacturer should also show users a notification once the product has reached the end of its support period, not only disclose the date up front.
- Reflects the actual end date. If the manufacturer relies on a shorter expected-use period, the user-facing disclosure must show the actual shorter end date, not a rounded five-year placeholder.
- Ties to technical-file retention. The technical file, including the user-information set, must be retained for 10 years from market placement, or for the support period if longer.
- Penalty exposure is separate. Non-disclosure can create enforcement risk, but the fine tiers belong in the penalties and enforcement guide, not in this checklist.
The four anchor points of the end-of-support disclosure: the disclosure moment, the channel, the retention floor, and the penalty model.
What users need to see before purchase
The required user information has two practical parts: the type of technical security support offered and the support-period end date. For the end-date part, the product page, packaging, datasheet, download page, or equivalent pre-purchase material should make four things clear:
- The end date is stated in the product documentation provided at or before the point of sale or download.
- It appears before the user completes the purchase, not in a post-purchase welcome email or in the terms of service.
- If the manufacturer uses a shorter expected-use period, the user-facing disclosure reflects the actual shorter end date, not a rounded five-year estimate.
- The same end date is recorded in the technical file and kept with the retained compliance evidence.
Practical implication: the support-period end date is a product specification, not a marketing commitment. It is recorded in the technical file, displayed to users pre-purchase, and updated whenever a product version is refreshed or the expected lifetime assessment changes.
Where the disclosure must appear, by channel
The end-date disclosure is satisfied only when the date reaches the user before money changes hands. Where it must appear depends on the channel; the table below maps each one to the placement that meets the obligation and the placement that does not.
| Channel | Disclosure must appear | Not sufficient |
|---|---|---|
| Physical retail | On packaging or pre-seal documentation | Label readable only after unboxing |
| E-commerce | Product detail page, lifecycle/specifications tab, or clearly labelled pre-purchase link before the buyer commits | Order confirmation, post-purchase email, or checkout-only placement after commitment |
| SDK / developer | Public API or component documentation page consulted before integration | README inside the downloaded package |
| B2B procurement | Spec sheet, datasheet, or RFP response evaluated before signing | Post-contract onboarding document |
| Downloadable software | Download page, or the installer's pre-installation summary | In-app screen visible only after first launch |
Placement by channel. The principle is consistent across all five: the end date is part of the buying decision and must be available at the moment the buyer is making it.
Worked example: per-version disclosure on a timeline
A manufacturer places product v1.0 on the EU market in January 2028 with a five-year support commitment, then refreshes to v1.1 in July 2028 with its own five-year commitment. The disclosure attaches to the version, not to the buyer's purchase date.
Connection to the technical file and the EU DoC
A disclosure that is accurate on the product page but absent from the technical file, or present in the technical file but not visible to the buyer, fails the obligation. Three pieces have to line up at once:
| Item | What must line up |
|---|---|
| Technical file | The retained technical file should contain the same user-facing support end date that appears on the product page, packaging, datasheet, or download page. See CRA Technical Documentation. |
| EU Declaration of Conformity | The DoC asserts conformity with the manufacturer's requirements, but it does not replace the pre-purchase end-date disclosure. See CRA Declaration of Conformity. |
| Security update delivery | Until the disclosed end date, the manufacturer still needs the vulnerability-handling and update delivery process covered in CRA Security Updates. For penalty tiers, use the penalties and enforcement guide. |
Frequently asked questions
What must appear in the user-facing product information about the support period?
The type of technical security support offered and the end date of the support period, stated in the information provided to users at or before the point of sale. The end date must be specific (e.g., "Security updates provided until 11 December 2032") and must reflect the actual commitment, including any shorter-lifetime carve-out. Post-purchase emails or terms-of-service blocks do not satisfy the rule. If the product is updated with a new version that resets the support clock, the user-facing disclosure must be updated to reflect the new end date.
Is "at least five years from purchase" enough, or must the disclosure be a specific date?
No, a specific end date is required. A relative formulation such as "security updates for at least five years from purchase" is not an end date and does not satisfy the disclosure. The level of precision can be month and year ("December 2032") rather than a full calendar day, but a fixed reference date is required so the buyer can compute the remaining support runway before paying. The end date is also what gets recorded in the technical file, so a relative phrase has nowhere to live in the documentation chain.
Where on an e-commerce product page must the end date appear?
On the product detail page itself, or reachable via one clearly labelled link from it (for instance a "Specifications", "Lifecycle" or "Support" tab). Placement only inside the terms of service, only inside an FAQ, or only on the post-checkout confirmation page does not satisfy the pre-purchase requirement. The principle is that a reasonable buyer assessing the product before clicking "buy" must be able to see the support-period end date without already having committed to the purchase.
If I extend the support period after launch, must I update the disclosure?
Yes. The user information forms part of the technical documentation and must reflect the actual commitment. If the manufacturer extends the support period, both the user-facing disclosure (product page, packaging, datasheet, installer summary) and the retained technical file must be updated to show the new end date. The original end date stays in the retained file as evidence of the disclosure that applied to earlier sales, so the audit trail remains intact for units already on the market.