Free Security Updates vs. Paid Feature Updates for Software Under CRA
The Cyber Resilience Act (CRA) draws an important line when it comes to how you charge for updates to your app, game, or software. Security is not meant to be a premium add-on.
Security Updates Must Be Free
Annex I, Part II, point (8), is very clear: when security updates are available to address identified security issues in your software, "they are disseminated without delay and, unless otherwise agreed between a manufacturer and a business user in relation to a tailor-made product with digital elements, free of charge".
Recital 64 reinforces this, stating manufacturers should "provide security updates to users free of charge". This applies to all software within the CRA's scope, whether it's a free-to-play game with in-app purchases, a one-time purchase app, or a subscription-based software service. The core security patching to address vulnerabilities identified during the support period must not come at an extra cost to the user.
Functionality Updates Can Be Separate (and Potentially Paid)
The CRA also acknowledges the difference between security fixes and new features. Annex I, Part II, point (2), notes that "where technically feasible, new security updates shall be provided separately from functionality updates". Recital 57 supports this by stating manufacturers should ensure, where technically feasible, that new security updates are provided separately from functionality updates, to improve transparency and ensure users are not required to install new functionality for the sole purpose of receiving security updates.
This separation allows you to:
- Continue your normal business model for releasing new paid features, DLCs for your game, or major version upgrades for your app that add new capabilities.
- Ensure users can receive critical security patches without being forced to upgrade to a new paid version or accept unwanted features.
Key Takeaway
Under the CRA, you must provide security updates for your software free of charge throughout its support period. New features or significant functional upgrades can still be part of your paid model, but security cannot be paywalled. Strive to keep security patches separate from feature updates.