CRA Secure Update Mechanism — OTA Requirement

Three update properties the regulation actually requires

(2)(c)

Annex I, Part I — automatic security updates by default, with opt-out

(7)

Annex I, Part II — secure distribution mechanism

(8)

Annex I, Part II — free, without delay, with advisory messages

Seven concrete OTA rules — mapped to article text

Each rule below is taken from Annex I or from a recital. The article reference is the operative one for the technical documentation under Annex VII.

Rule 1 — Vulnerabilities must be addressable through security updates

Annex I, Part I, point (2)(c): ‘ensure that vulnerabilities can be addressed through security updates’. The update path must exist as a product property, not as an optional add-on. Without it, the product cannot be placed on the market in the relevant configuration.

Rule 2 — Automatic security updates, default-on, with opt-out

Annex I, Part I, point (2)(c): ‘where applicable, through automatic security updates that are installed within an appropriate timeframe enabled as a default setting, with a clear and easy-to-use opt-out mechanism, through the notification of available updates to users, and the option to temporarily postpone them’. Recital 56 confirms the design — a default-on regime with a frictionless opt-out path.

Rule 3 — Carve-out for components and professional environments

Recital 56: the automatic-update requirement does not apply to products primarily intended to be integrated as components into other products, nor to products for which users would not reasonably expect automatic updates — in particular professional ICT networks and critical and industrial environments where an automatic update could cause interference with operations. The MANUAL update obligation still applies.

Rule 4 — Secure update distribution mechanism

Annex I, Part II, point (7): ‘provide for mechanisms to securely distribute updates for products with digital elements to ensure that vulnerabilities are fixed or mitigated in a timely manner and, where applicable for security updates, in an automatic manner’. Authenticity, integrity and confidentiality of the update channel (TLS, code signing) are implicit in ‘securely’.

Rule 5 — Free security updates, without delay, with advisory

Annex I, Part II, point (8): security updates are disseminated without delay and, unless otherwise agreed between manufacturer and business user for a tailor-made product, free of charge, accompanied by advisory messages providing users with relevant information including potential action to be taken.

Rule 6 — Separation of security and functionality updates

Annex I, Part II, point (2) + Recital 57: where technically feasible, new security updates shall be provided separately from functionality updates. The user must not be forced to install a feature update to receive a security update. This connects to the substantial-modification analysis under Art. 3(30): a separate security update is generally not substantial; a bundled feature update may be.

Rule 7 — End-of-support notification on the device

Article 13(19), second subparagraph + Annex II point 7: where technically feasible in light of the nature of the product, manufacturers shall display a notification to users informing them that their product has reached the end of its support period. The support-period end date (at least month and year) must also be clearly visible at the time of purchase (Art. 13(19) first subpara).

Rule 8 — Updates available for 10 years

Article 13(9): each security update made available during the support period shall remain available after it has been issued for a minimum of 10 years, or for the remainder of the support period, whichever is longer.

Common mistakes

❌

OPT-OUT ABSENCE

“We will make automatic updates mandatory — safer for users”

Annex I, Part I, point (2)(c) is explicit: ‘with a clear and easy-to-use opt-out mechanism’. Removing the opt-out makes the product non-compliant. Recital 56 reinforces: ‘Users should retain the ability to deactivate automatic updates, with a clear and easy-to-use mechanism, supported by clear instructions on how users can opt out.’ Mandatory automatic updates are a Tier 1 (Article 64(2)) fine exposure.

❌

PAID SECURITY UPDATES

“Security updates are part of our paid maintenance contract”

Annex I, Part II, point (8) requires security updates to be free of charge, with one narrow exception — a tailor-made product for a specific business user under a bilateral agreement. Outside that narrow case, charging for security updates is a Tier 1 fine under Article 64(2).

❌

BUNDLED RELEASES

“Our release model bundles security fixes with feature updates”

Annex I, Part II, point (2) + Recital 57 require separation where technically feasible. The burden is on the manufacturer to demonstrate that separation is technically infeasible. If feasible and the manufacturer still bundles — with the effect that users must install a feature update to get a security fix — the practice violates point (2) and may also trigger substantial-modification analysis under Art. 3(30).

Does the CRA apply to your product?

Four-question self-check. If you answer YES to all four, your product is in scope of Regulation (EU) 2024/2847.

Does your product support a path for vulnerabilities to be addressed through security updates?

Annex I, Part I, point (2)(c) — mandatory

Where applicable, are automatic security updates enabled by default with a clear opt-out and user notification?

Annex I, Part I, point (2)(c)

Is your update channel itself secure (authenticity, integrity, code signing)?

Annex I, Part II, point (7) — secure distribution

Are security updates disseminated without delay AND free of charge (outside the tailor-made business carve-out)?

Annex I, Part II, point (8)

Take the full product classification test →

Choose your licence

One-time payment. No subscription. The downloaded dossier is yours forever.

1 PRODUCT

149 €

/ product

8-document CRA dossier (ZIP)
Product Classifier + Technical Documentation
Risk Assessment + User Information
10 regenerations · 30 days
1 licence = 1 product

Buy licence →

PROFESSIONAL PACK

1,199 €

70 generations · 1 key

For multi-product catalogues

70 generations with a single key
70 complete dossiers (8 documents each)
Switch product between generations
Ideal for importers with large catalogues
For consultants billing CRA compliance

Buy Professional Pack →

What the ZIP contains

8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it complies with.

Product Classifier

Determines whether your product is Default, Important Class I, Important Class II (Annex III) or Critical (Annex IV). Documents the rationale and the applicable conformity assessment procedure under Article 32.

Technical Documentation

Article 31 + Annex VII dossier. Product description, design and development, vulnerability handling processes, risk assessment, list of harmonised standards applied, conformity solutions.

Cybersecurity Risk Assessment

Annex I, Part I analysis. Intended purpose, reasonably foreseeable use, operational environment, applicability of each essential requirement, mitigation measures.

User Information & Instructions

Annex II. Manufacturer details, single point of contact, intended purpose, support period end date, secure decommissioning, automatic-update opt-out instructions.

EU Declaration of Conformity

Article 28 + Annex V. Pre-structured with your classification, applicable conformity module, harmonised standards or certificates relied on, notified body number when applicable.

Coordinated Vulnerability Disclosure Policy

Annex I, Part II, point (5). Single point of contact, intake workflow, triage and remediation timeline, public disclosure rules.

ENISA Notification Template

Article 14 reporting. Pre-filled 24h early warning, 72h vulnerability/incident notification, 14-day final report templates.

Obligations Calendar

Personalised milestones: Article 14 reporting starts 11 September 2026, full application 11 December 2027, document retention 10 years, support period (Art. 13(8)) end date.

See before you buy — Download sample dossier (PDF, fictional company). Real structure, real articles, real format. Fictional data.

Generated from your data, in your browser. No data leaves your device.

What you pay

🔄 BUILD A COMPLIANT OTA INFRASTRUCTURE FROM SCRATCH

€50,000–€250,000

Code-signing PKI, signed-update verification on the device, staged rollout, opt-out UI, postponement UI, advisory message infrastructure, 10-year update archive. Engineering-heavy.

CRACHECK — SAME OUTPUT

€149

CRACheck does not build the OTA pipeline. It documents your existing or planned pipeline against Annex I, Part I (2)(c) and Annex I, Part II (7) and (8), and includes the design in the Annex VII technical-documentation file.

Legal sources

Every article and recital cited on this page comes from the official text of Regulation (EU) 2024/2847 (Cyber Resilience Act), published in the Official Journal of the European Union on 20 November 2024 (ELI: data.europa.eu/eli/reg/2024/2847/oj).

→ Full text on EUR-Lex (CELEX 32024R2847)
→ HTML version (article-by-article)
→ Official PDF (81 pages)
→ All 24 EU language versions

Related: Regulation (EU) 2019/881 (Cybersecurity Act, EUCC) · Directive (EU) 2022/2555 (NIS2) · Regulation (EU) 2019/1020 (market surveillance) · Regulation (EU) 2024/1689 (AI Act).

Important notice

This is not legal advice. CRACheck is structured self-assessment software based on Regulation (EU) 2024/2847. The dossier you download is structured documentation, not a third-party audit or certification.

Class II and Critical products still need a notified body. CRACheck prepares the dossier that the notified body will examine — it does not replace the third-party conformity assessment required by Article 32(3) and Article 32(4).

Maximum liability: the amount you paid for the licence. Always verify your specific situation with your legal counsel.

Frequently asked questions

Are automatic updates always mandatory under the CRA?

No — only where applicable. Annex I, Part I, point (2)(c) qualifies the obligation: ‘where applicable, through automatic security updates’. Recital 56 carves out products primarily integrated as components into other products, and products for which users would not reasonably expect automatic updates (in particular professional ICT networks, critical and industrial environments). For consumer products, automatic-by-default is the strong norm; for B2B industrial control systems, the manual route with timely notification is acceptable.

Can I charge for security updates to enterprise customers?

Only in the tailor-made-product / business-user scenario explicitly carved out by Annex I, Part II, point (8): ‘unless otherwise agreed between a manufacturer and a business user in relation to a tailor-made product with digital elements’. For standard products sold to enterprises, security updates must be free of charge. The pricing model can charge for feature updates and support — not for security fixes.

What about end-of-support? Can my product just stop updating after 5 years?

The support period must be at least 5 years under Article 13(8), but can and should be longer when the product is reasonably expected to be in use longer — hardware components, motherboards, network gear, operating systems, video-editing tools (Recital 60). At end of support, two things happen: (a) the support-period end date must have been clearly displayed at the time of purchase (Art. 13(19)); (b) where technically feasible, a device-side notification informs the user of end of support (Art. 13(19) + Recital 56). Updates already issued must remain available for 10 more years (Art. 13(9)).

Do I have to use code signing for OTA updates?

The regulation is technology-neutral on this point. Annex I, Part II, point (7) requires that you ‘provide for mechanisms to securely distribute updates’ — ‘securely’ covers authenticity and integrity, which in practice means code signing or an equivalent cryptographic mechanism. Annex I, Part I, point (2)(f) separately requires protection of the integrity of stored, transmitted or otherwise processed data, commands, programs and configuration against any non-authorised manipulation. A signed-update verifier on the device is the conventional way to meet both.

Is this a subscription?

No. One-time payment. 30-day editing window. 10 regenerations. The PDF dossier is yours permanently.

Can I request a refund?

Under Article 16(m) of Directive (EU) 2011/83, the act of licence activation constitutes express consent for immediate digital content generation, which removes the right of withdrawal. Refunds are issued only for reproducible technical failures.

What if the regulation changes before I file my dossier?

Regenerate at no additional cost during your licence validity. Substantive amendments to Regulation (EU) 2024/2847 are tracked weekly from EUR-Lex; if a clause you cited is amended, you can regenerate the affected sections.

Secure update mechanisms under Regulation (EU) 2024/2847: automatic security updates by default per Annex I Part I (2)(c), secure distribution per Annex I Part II (7), and free dissemination per Part II (8)