Back to blogs

Blog | OCT 12, 2025

Deep Dive - CRA Requirement (8) Update Distribution and User Guidance

Cyber Resilience Act

Security updates only work if users can access and understand them. In this deep dive into CRA Requirement (8), we explore why the CRA makes free updates and advisory messages mandatory. This requirement strengthens trust by ensuring users receive fixes without barriers and with clear guidance on how to respond.

The eighth vulnerability handling requirement under the EU Cyber Resilience Act (CRA) establishes a strict obligation: security updates must be disseminated promptly, free of charge, and accompanied by guidlines that provide users with the information they need to take action.

β€œ(8) ensure that, where security updates are available to address identified security issues, they are disseminated without delay and, unless otherwise agreed between a manufacturer and a business user in relation to a tailor-made product with digital elements, free of charge, accompanied by advisory messages providing users with the relevant information, including on potential action to be taken.”

This means that patches are not an add-on or optional service but a legal obligation. Users should never face extra costs to secure their products, and they should always be informed about what an update does and whether they need to take action, such as restarting a device or changing a setting. At the same time, the obligation to provide updates free of charge does not mean that broader managed services to keep products secure must also be free. Manufacturers may still charge for monitoring, support, or managed update deployment services, as long as the security updates themselves remain accessible without cost. The only exception applies to tailor-made products delivered to a specific business user, where manufacturer and customer may agree on different terms.

What this requirement means

Think of this requirement like a product recall in the physical world. If a car has a safety defect, the manufacturer does not charge the owner to fix it, nor do they simply say the issue has been solved without explanation. Instead, they provide the repair free of charge, explain what was wrong, and tell the owner what steps to take to make sure the car is safe again. The CRA brings the same principle to digital products.

For manufacturers, this means that security updates must always be distributed without additional costs. Users should never be asked to pay to protect their products from known vulnerabilities. At the same time, providing updates for free does not mean that broader managed services, such as monitoring or professional support, must also be free. The law is clear: the updates themselves must be accessible to everyone at no charge.

Every update must also be accompanied by advisory messages that explain what has been fixed, which products are affected, how severe the issue was, and what action, if any, the user should take. The goal is not just to push out a patch but to ensure that users understand its relevance and feel confident in applying it. The only exception applies to tailor-made products provided to specific business users, where the terms for updates can be negotiated directly between manufacturer and customer.

Relevant Standards and Guidelines

While the CRA does not specify exact technical standards for this requirement, several existing frameworks provide useful guidance:

  • EN ISO/IEC 30111: defines processes for vulnerability handling, including the remediation and distribution of updates and advisories. However, it does not explicitly address free-of-charge updates or user notification methods.

  • ISO/IEC 27002: offers best practices for vulnerability management and patching, including timely update dissemination, but it also lacks guidance on free updates or specific communication requirements.

  • EN IEC 62443-4-1: (industrial automation) requires timely delivery of patches (SUM-5) and disclosing security-related issues (DM-5), but does not mandate that updates must be free.

As ENISA highlights, these standards contribute to the process but leave gaps. Manufacturers must therefore supplement them with internal policies mandating free updates and well-structured user notifications. Best practices can be drawn from industry initiatives such as NIST SP 800-61 and real-world CERT/CSIRT coordination.

How to approach Implementation

Meeting this requirement starts with embedding the principle of free security updates into product lifecycle policies and contracts. Manufacturers must make sure that no additional cost is tied to applying patches, while at the same time clarifying the distinction between free updates and optional paid services such as monitoring or managed deployment.

Updates should always be paired with clear advisory messages. To implement this in practice, manufacturers need workflows that link update release processes with communication teams, ensuring that every patch is accompanied by guidance written in accessible language. These messages must reach users through channels they actually use, whether that is device notifications, customer portals, or direct email.

Finally, implementation requires reliable record-keeping. Updates and their advisories should be logged in changelogs, knowledge bases, or vulnerability databases so that users, partners, and auditors can verify how issues were addressed. Building this into the update management process ensures consistency and provides long-term transparency.

Strategic Considerations beyond Compliance

This requirement is more than a mandate to issue free updates; it’s about reshaping the relationship between manufacturers and users. By proactively delivering updates with clear, actionable information, manufacturers build confidence that their products remain secure over time.

Clear, user-focused communication reduces uncertainty, prevents mistakes during patching, and improves adoption rates. Free updates also remove friction for users, eliminating excuses for not applying critical fixes. Together, these practices create stronger trust relationships with customers, regulators, and partners.

Ultimately, companies that treat advisory-driven, free updates as a strategic opportunity will gain more than compliance. They will improve product resilience, strengthen customer loyalty, and position themselves as trustworthy leaders in a market that increasingly values transparency and responsibility in cybersecurity.

With this post, we conclude our deep dive into the 8 vulnerability handling requirements of Annex I. If you have not already, you can continue with our deep-dive blog post series on the 13 essential cybersecurity requirements of the CRA.

Previous Blog CRA Vulnerability Handling Requirement (7): https://tributech.io/blog/cra-vulnerability-handling-requirement-7-security-update-distribution

CRA Learning Path

Get the CRA Newsletter and unlock everything you need to stay compliant with CRA regulations: