Provide security updates throughout the support period
- Applies to: Manufacturer
- Source citations: Art. 13(9), Art. 13(8), Annex I Part I §8
- Product classes: default, important-class-i, important-class-ii, critical
Plain language
You must fix security bugs in your product for at least five years after it goes on sale — and tell customers upfront how long that support lasts. Security patches must be free. Ship them apart from new features so customers can apply them quickly without worrying about regressions.
Legal text
Article 13(8) of Regulation (EU) 2024/2847 requires that the support period for products with digital elements shall be at least five years from the date of placing on the market, unless the expected use period of the product is shorter.
Article 13(9) requires that during the support period, manufacturers shall ensure that vulnerabilities are handled effectively, including by providing security updates without charge.
Key requirements
- Minimum 5-year support period (or expected use period if shorter — see note)
- Free-of-charge security updates — no paid update plans for security fixes
- Timely delivery — updates proportionate to severity and risk
- Separate delivery — security updates must be distinguishable from feature updates
- Support-period disclosure — end date must appear in product documentation and at the point of sale
Notes on the 5-year floor
The Commission's March 2026 draft guidance (§ on support period) clarifies that five years is a floor, not a default. For products with expected use periods exceeding five years (e.g. industrial control systems, smart meters), the support period must match that longer expected use period.
Evidence you may need
- Declared support period (in product documentation and on the sales page)
- Security update release records with timestamps
- Vulnerability-handling process documentation
- Evidence of no paywalled security updates