Skip to main content

Information on Software Support Period Determination

Under the Cyber Resilience Act (CRA), you can't just pick a support period for your app, game, or software out of thin air. You need a rationale, and you need to document it. This information is a required element of your Technical Documentation.

The Documentation Mandate

Annex VII, point 4, of the CRA requires that your Technical Documentation contains "relevant information that was taken into account to determine the support period pursuant to Article 13(8) of the product with digital elements".

What Information Did You Consider?

Article 13, Paragraph 8, provides the criteria you must take into account when setting the support period, which is the time you are obligated to provide security updates. Your documentation should explain how you considered these factors for your software:

  • Reasonable User Expectations: What would a user paying for your app or investing time in your game reasonably expect?
  • Nature of the Product: Is it a subscription service, a one-off purchase, a game with a short fad-cycle, or a long-term utility?
  • Relevant EU Law: Are there other laws that imply a certain lifetime for your type of product?
  • Other Factors (Recitals 59 & 60): You can also take into account things like support periods for similar software on the market, the lifecycle of the operating systems your app runs on, or the support periods for critical third-party components (like your game engine).

Justifying Your Decision

Your documentation should summarize this analysis. For example: "The support period for 'PixelPioneer Photo Editor' was set to 7 years. This was based on the average user upgrade cycle for creative software, the support lifecycles of the target Windows and macOS operating systems, and a competitive analysis of similar products. This exceeds the 5-year minimum set by the CRA."

This shows authorities that your support period is the result of a deliberate, reasoned process, not an arbitrary decision.

Key Takeway

Your Technical Documentation must include your rationale for how you determined the support period for your software, referencing the criteria laid out in Article 13 of the CRA.