CRA Article 13: Security Updates

Manufacturers must provide security updates for products with digital elements for a defined support period.

Last updated 2026-03-01

What Article 13 requires

Article 13 obliges manufacturers to:

  1. Provide security updates for the product's defined support period.
  2. Make updates available free of charge where the product was sold commercially.
  3. Inform users about update availability through documented channels.

Who it applies to

Any manufacturer placing a product with digital elements on the EU market, including integrators who ship third-party open-source components in commercial products.

Practical steps

  1. Maintain an SBOM for every supported product version.
  2. Monitor CVE feeds for components in your SBOM.
  3. Publish security advisories when critical fixes ship.
  4. Document your support lifecycle and end-of-support dates.
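The steps above can be tied together in one triage pass. The following is an added example, not part of the original page or of any official CRA tooling: it matches the components in each product version's SBOM against a vulnerability feed and tags every hit with that version's support status. The product names, component names, advisory IDs, and the exact-version matching (real feeds usually express version ranges) are assumptions made for illustration.

```python
from datetime import date

# Constructed sample data. Product names, components and advisory IDs are hypothetical.
# Each shipped version carries its own CycloneDX-style SBOM and documented end-of-support date.
PRODUCTS = {
    "gateway-fw 1.4": {
        "end_of_support": date(2024, 12, 31),
        "sbom": {"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
            {"type": "library", "name": "libexample", "version": "1.1.0"},
            {"type": "library", "name": "tinyparser", "version": "0.8.0"}]},
    },
    "gateway-fw 2.1": {
        "end_of_support": date(2030, 6, 30),
        "sbom": {"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
            {"type": "library", "name": "libexample", "version": "1.2.0"},
            {"type": "library", "name": "tinyparser", "version": "0.9.1"}]},
    },
}

# Constructed stand-in for a vulnerability feed, reduced to exact affected versions.
ADVISORIES = [
    {"id": "EXAMPLE-ADV-0001", "component": "libexample",
     "affected": {"1.1.0", "1.2.0"}, "severity": "critical"},
    {"id": "EXAMPLE-ADV-0002", "component": "tinyparser",
     "affected": {"0.8.0"}, "severity": "low"},
]

def triage(products, advisories, today):
    """Match every SBOM component against the feed and tag each hit with support status."""
    findings = []
    for product, meta in sorted(products.items()):
        supported = today <= meta["end_of_support"]
        components = {(c["name"], c["version"]) for c in meta["sbom"].get("components", [])}
        for adv in advisories:
            for name, version in sorted(components):
                if name != adv["component"] or version not in adv["affected"]:
                    continue
                findings.append({
                    "product": product, "component": f"{name}@{version}", "advisory": adv["id"],
                    "status": "update-required" if supported else "past-end-of-support",
                    # Step 3 on this page: advisories accompany critical fixes that ship.
                    "publish_advisory": supported and adv["severity"] == "critical",
                })
    return findings

if __name__ == "__main__":
    for f in triage(PRODUCTS, ADVISORIES, today=date(2026, 3, 1)):
        print(f)
```

Findings marked past-end-of-support show why the documented end-of-support date belongs next to the SBOM: the same component hit leads to a different action depending on the product version it ships in.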