User Control: How to Disable Automatic Software Security Updates
While automatic security updates are generally a good thing and often a default (as per Annex I, Part I, point 2c), users must have the option to turn them off. The Cyber Resilience Act mandates you provide clear instructions on how they can do this (Annex II, point 8e).
Providing the Opt-Out Path
Your software's user instructions must include:
- How to Disable Default Automatic Security Updates:
  - Clearly explain the steps a user needs to take to turn off the automatic installation of security updates.
  - Where is this setting located within your app, game, or software? Make it easy to find.
  - The mechanism should be clear and easy-to-use (Annex I, Part I, point 2c).
Why This is Important (Even if Discouraged)
Even though automatic updates are recommended for most users to ensure timely patching, some users (especially in specific professional or controlled environments) might have legitimate reasons to manage updates manually. The CRA respects this need for user control.
However, you should also clearly communicate the risks of disabling automatic security updates, such as potential exposure to unpatched vulnerabilities. This is part of responsible user information.
This requirement applies where your software has automatic updates enabled by default. If updates are always manual, this specific point is less directly applicable, but you should still be clear about the update process (as per Annex II, point 8c).
Key Takeaway
Instruct users on how they can disable the default setting for automatic security updates, as required by Annex II, point 8e. Balance this with information about the security benefits of keeping automatic updates enabled.