CRA End-of-Support Disclosure: Pre-Purchase Duty

Annex II point 7 of the Cyber Resilience Act (Regulation (EU) 2024/2847) requires manufacturers to state the support period end date in the information accompanying the product, before purchase. It is the user-facing counterpart to the duration rules in Article 13(8) and the point-of-purchase end-of-life duty in Article 13(19). For duration mechanics, see CRA Support Period Basics; for patch delivery, see CRA Security Updates.

Summary

  • Pre-purchase requirement. The Annex II point 7 end-date disclosure must reach the user before the purchase completes, not afterwards.
  • In product documentation specifically. The disclosure belongs in the instructions and information accompanying the product, not in a separate marketing channel, post-sale email, or terms of service document.
  • Reflects the actual end date. If the manufacturer relies on the shorter-lifetime carve-out under Article 13(8), the Annex II disclosure must show the actual (shorter) end date, not a rounded five-year placeholder.
  • Ties to Annex VII technical-file retention. Under Article 13(13), the technical file (which includes the Annex II information) must be retained for 10 years from market placement, or for the support period, whichever is longer.
  • Penalties for non-disclosure. Breach of the essential requirements in Article 13, including the support-period disclosure, can attract fines of up to €15,000,000 or 2.5% of global turnover under Article 64.
Annex II
Point 7
Pre-purchase disclosure requirement
13(19)
Article 13 paragraph
EOL disclosure at point of purchase
10y
Technical file retention
Article 13(13), from market placement
€15M / 2.5%
Article 64 max fine
Whichever is higher

The four anchor points of the CRA end-of-support disclosure: the Annex II line item, the related Article 13 paragraph, the retention floor, and the penalty ceiling.

What Annex II point 7 requires

Annex II of the Regulation (EU) 2024/2847 lists the information the manufacturer must provide to users. Point 7 requires the manufacturer to include "the end date of the support period" in the instructions and information accompanying the product. In practice this means four things at once:

  • The end date is stated in the product documentation provided at or before the point of sale or download.
  • It appears before the user completes the purchase, not in a post-purchase welcome email or in the terms of service.
  • If the manufacturer uses the shorter-lifetime carve-out under Article 13(8), the Annex II disclosure reflects the actual (shorter) end date, not a rounded five-year estimate.
  • The disclosure is part of the Annex VII technical file and is retained for at least 10 years from market placement under Article 13(13).

Practical implication: the support period end date is a product specification, not a marketing commitment. It is recorded in the technical file, displayed to users pre-purchase, and updated whenever a product version is refreshed or the expected lifetime assessment changes.

Where the disclosure must appear, by channel

The Annex II point 7 requirement is satisfied only when the end date reaches the user before money changes hands. Where the disclosure must appear depends on the channel; the table below maps each one to the placement that meets the obligation and the placement that does not.

Channel Disclosure must appear Not sufficient
Physical retail On packaging or pre-seal documentation Label readable only after unboxing
E-commerce Product detail page, or a one-click link from it, before add-to-cart Checkout page, order confirmation, post-purchase email
SDK / developer Public API or component documentation page consulted before integration README inside the downloaded package
B2B procurement Spec sheet, datasheet, or RFP response evaluated before signing Post-contract onboarding document
Downloadable software Download page, or the installer's pre-installation summary In-app screen visible only after first launch

Annex II point 7 placements by channel. The principle is consistent across all five: the end date is part of the buying decision and must be available at the moment the buyer is making it. This sits alongside the Article 13(19) point-of-purchase end-of-life duty.

Worked example: per-version disclosure on a timeline

A manufacturer places product v1.0 on the EU market in January 2028 with a five-year support commitment, then refreshes to v1.1 in July 2028 with its own five-year commitment. The Annex II disclosure attaches to the version, not to the buyer's purchase date.

End-of-support disclosure timeline for v1.0 and v1.1 Two parallel support-period bars showing that the Annex II end-date disclosure is fixed at market placement and does not move with the buyer's purchase date. Jan 2028 Jul 2028 Jun 2029 Jan 2033 Jul 2033 v1.0 support period, disclosure: "until Jan 2033" customer buys v1.0; disclosure unchanged v1.1 support period, disclosure: "until Jul 2033" Annex II point 7 end-date disclosure is fixed at market placement, per version
Disclosure is per-version, not per-purchase-date. A buyer who acquires v1.0 in June 2029 still sees the original January 2033 end date, putting the customer on notice that roughly 3.5 years of support remain, not five years from purchase. The v1.0 disclosure also remains in the retained technical file under Annex VII after support ends, as evidence the user was informed pre-purchase.

Connection to the technical file and the EU DoC

A disclosure that is accurate on the product page but absent from the technical file, or present in the technical file but not visible to the buyer, fails the obligation. Three pieces have to line up at once:

Annex VII technical file

The Annex II user information forms part of the technical documentation. See CRA Technical Documentation for the file structure (Article 31 / Annex VII) and the Article 13(13) retention rule.

EU Declaration of Conformity

The DoC asserts conformity with Article 13. Article 13(20) allows a full or simplified DoC, but the user-facing Annex II end-date disclosure is not optional in either case. See CRA Declaration of Conformity.

Security update delivery

Until the disclosed end date, the manufacturer owes the patching mechanics covered in CRA Security Updates. The disclosure and the delivery obligation expire together.

Frequently asked questions

What must appear in the Annex II product information about the support period?

The end date of the support period, stated in the information provided to users at or before the point of sale. The end date must be specific (e.g., "Security updates provided until 11 December 2032") and must reflect the actual commitment, including any shorter-lifetime carve-out. Post-purchase emails or terms-of-service blocks do not satisfy the rule. If the product is updated with a new version that resets the support clock, the Annex II disclosure must be updated to reflect the new end date. (Annex II point 7; Article 13(8); Annex VII.)

Is "at least five years from purchase" enough, or must the disclosure be a specific date?

No, a specific end date is required. A relative formulation such as "security updates for at least five years from purchase" is not an end date and does not satisfy the disclosure. The level of precision can be month and year ("December 2032") rather than a full calendar day, but a fixed reference date is required so the buyer can compute the remaining support runway before paying. The end date is also what gets recorded in the Annex VII technical file, so a relative phrase has nowhere to live in the documentation chain. (Annex II point 7; Annex VII.)

Where on an e-commerce product page must the end date appear?

On the product detail page itself, or reachable via one clearly labelled link from it (for instance a "Specifications", "Lifecycle" or "Support" tab). Placement only inside the terms of service, only inside an FAQ, or only on the post-checkout confirmation page does not satisfy the pre-purchase requirement. The principle is that a reasonable buyer assessing the product before clicking "buy" must be able to see the support-period end date without already having committed to the purchase. (Annex II point 7; Article 13(19).)

If I extend the support period after launch, must I update the disclosure?

Yes. The Annex II information forms part of the technical documentation and must reflect the actual commitment. If the manufacturer extends the support period, both the user-facing disclosure (product page, packaging, datasheet, installer summary) and the retained Annex VII technical file must be updated to show the new end date. The original end date stays in the retained file as evidence of the disclosure that applied to earlier sales, so the audit trail remains intact for units already on the market. (Annex II point 7; Article 13(13); Annex VII.)

What to do before you ship

  1. Audit every product page, packaging artwork, datasheet, and download page for the support-period end date. Anywhere it is missing, you are in breach.
  2. Add the end date to the master spec sheet, e-commerce product schema, and in-box documentation template so no future product can ship without it.
  3. Tie the disclosure to product version. When v1.1 supersedes v1.0, show the v1.1 end date for new sales and keep the v1.0 disclosure on file.
  4. Translate the surrounding wording (e.g. "Security updates provided until ...") into every Member State language where you place the product. The date is a fact; the prose is not.
  5. Match every disclosed end date to the date in your technical file. A mismatch is itself a compliance defect; user-facing copy and retained file must agree.
  6. Display the end date pre-purchase, before the buyer commits. Post-purchase emails, terms-of-service blocks, and confirmation pages do not satisfy the rule.