Timeline for Addressing Software Vulnerabilities: "Without Delay"

The Cyber Resilience Act (CRA) uses the term "without delay" when it talks about your obligations to fix and provide updates for vulnerabilities in your app, game, or software. But what does that actually mean in practice?

The "Without Delay" Mandate

  • Addressing and Remediating: Annex I, Part II, point (2), states manufacturers shall "address and remediate vulnerabilities without delay, including by providing security updates".
  • Disseminating Updates: Annex I, Part II, point (8), requires that "where security updates are available to address identified security issues, they are disseminated without delay".

No Hard Deadlines, But Expect Prompt Action

The CRA doesn't give you a fixed 24-hour or 7-day clock for all vulnerability fixes (unlike the specific reporting timelines in Article 14 for actively exploited vulnerabilities or severe incidents). "Without delay" is a principle that implies:

  • Prompt Attention: You can't just sit on a reported vulnerability, especially a critical one. Assessment and triage should begin quickly.
  • Prioritization: Higher-risk vulnerabilities in your software will demand faster remediation than lower-risk ones.
  • Reasonable Effort: You are expected to act as quickly as is reasonably possible given the complexity of the vulnerability, the development and testing of a fix, and the process of deploying the update.
  • No Unjustified Delays: You can't postpone a critical security patch for your game simply to bundle it with a new feature release months down the line if it exposes users to significant risk. In fact, Annex I, Part II, point (2) states that where technically feasible, new security updates shall be provided separately from functionality updates.

Market surveillance authorities will likely interpret "without delay" based on the context, the severity of the vulnerability, and industry best practices. Documenting your remediation timeline and the reasons for any perceived delays will be important.

Key Takeaway

While the CRA doesn't set a universal stopwatch for all software vulnerability fixes, "without delay" means you must act promptly and diligently to assess, fix, and deploy security updates, prioritizing based on risk, without unnecessary postponement.