Support period
The period during which a manufacturer is required to ensure that vulnerabilities of a product with digital elements are effectively handled in accordance with Annex I Part II. The support period must be at least five years, unless the product's expected useful life is shorter. Manufacturers must display the support end date at point of purchase.
Source citations
Regulation text
Article 3(20) of Regulation (EU) 2024/2847 defines the support period as:
"the period during which a manufacturer is required to ensure that vulnerabilities of a product with digital elements are handled effectively and in accordance with the essential cybersecurity requirements set out in Part II of Annex I".
Article 13(8) establishes the minimum:
"Without prejudice to the second subparagraph, the support period shall be at least five years. Where the product with digital elements is expected to be in use for less than five years, the support period shall correspond to the expected use time."
Determining the support period
Manufacturers must take into account:
- Reasonable user expectations about how long the product will be used
- Nature of the product and its intended purpose
- Relevant Union law determining the lifetime of the product
- Support periods of comparable products on the market
- Availability of the operating environment and third-party support
- Support periods of core integrated components
Key obligations during the support period
- Provide security updates without undue delay and (for standard products) free of charge (Annex I Part II §8)
- Ensure each security update remains available for a minimum of 10 years or the remainder of the support period, whichever is longer (Art. 13(9))
- Continue to document and address newly discovered vulnerabilities
- Display the support end date (at minimum month and year) at the time of purchase and, where technically feasible, notify users when the period ends (Art. 13(19))