Magist

Security update provision and defined support period

Control ID: security-update-provision | Domain: cybersecurity | Type: process

Description

A published commitment to provide security updates for a defined period, plus the engineering pipeline that actually delivers them. The connectable-product regimes converge on two ideas: the manufacturer has to tell buyers how long the product will receive security updates (a minimum support period), and it has to actually ship those updates during that window. The UK PSTI regime requires the minimum support-period information to be published and kept current; the EU Cyber Resilience Act requires manufacturers to provide security updates free of charge for the support period and to ship products with a secure-by-default configuration. Under the CRA the manufacturer sets the support period itself, but it must reflect how long the product is expected to be in use and is at least five years unless the product is expected to be in use for less than that (Article 13(8)). The control therefore has a disclosure leg (publish the support-period statement and document the secure-default configuration) and an operational leg (a build-and-release pipeline that can push updates to fielded devices for the duration of the commitment, which in practice means the signing keys, update channel and vulnerability triage process have to outlive the people who set them up). The recurring mistake is publishing a support period the organization cannot actually staff for. The statement is a binding representation, and an end-of-support date that arrives while the product is still on shelves is exactly the kind of gap a market-surveillance authority is structured to find. Two checks belong in the launch review: the stated end date must sit past the last planned sale date, not just the launch date, and the period must be one the engineering roadmap and budget actually cover.

Required by (2 regulations)

  • EU CRA

    Manufacturers must ensure products with digital elements are made available with a secure-by-default configuration and provide security updates free of charge for the support period (Annex I Part I and Part II).

    Regulation (EU) 2024/2847 (Cyber Resilience Act), Annex I Parts I and II; main obligations apply 2027-12-11

  • UK PSTI

    Manufacturers must publish the minimum length of time for which security updates will be provided for a relevant connectable product, and update that information if the period is extended.

    The Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023 (SI 2023/1007), Schedule 1; in force 2024-04-29

Evidence formats

  • published minimum support-period statement on the product or packaging
  • secure-by-default configuration documentation
  • release pipeline records showing security updates shipped during the support period
  • end-of-support communications plan
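As an added example (this is not Magist's tooling and not any regulation's own test), the following Python script reconciles the evidence formats listed above: it reads the published support-period statement, the planned sales window and the release pipeline records and flags the gaps the description warns about. It goes a little beyond the single failure mode named in the description by also checking the minimum period and the update cadence. The product name, dates and releases are constructed sample data; the five-year minimum passed in is the CRA default (Article 13(8)), measured here from first placing on the market, which is an assumed reading; the 180-day cadence limit is an assumed internal threshold, not a legal requirement.

```python
"""Support-period self-check over the evidence formats listed on this page.

Added example, not Magist's code and not a statement of any regulation's
exact test. Product name, dates and releases below are constructed sample
data. The caller supplies the minimum period (five years is the CRA default
under Article 13(8)); the 180-day cadence limit is an assumed internal
threshold, not a legal requirement.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class SupportStatement:
    product: str
    published_on: date       # when the statement went on the product, packaging or site
    support_until: date      # the end-of-support date represented to buyers


@dataclass(frozen=True)
class SalesWindow:
    first_sale: date         # first placing on the market
    last_planned_sale: date  # last date units are planned to be on shelves


@dataclass(frozen=True)
class Release:
    version: str
    released_on: date
    security_fix: bool       # True when the release shipped a security update


@dataclass(frozen=True)
class Finding:
    code: str
    detail: str


def add_years(d: date, years: int) -> date:
    """Add whole years; 29 Feb clamps to 28 Feb in a non-leap target year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def check_support_period(stmt: SupportStatement, sales: SalesWindow,
                         releases: list[Release], as_of: date,
                         minimum_years: int = 5,
                         max_gap_days: int = 180) -> list[Finding]:
    """Return the gaps between what was promised, what is sold, and what shipped."""
    findings: list[Finding] = []

    # Disclosure leg: the statement has to exist by the time units are sold.
    if stmt.published_on > sales.first_sale:
        findings.append(Finding("STATEMENT_AFTER_FIRST_SALE",
            f"statement published {stmt.published_on}, first sale {sales.first_sale}"))

    # The failure mode in the description: support ends while units are still on shelves.
    if stmt.support_until < sales.last_planned_sale:
        findings.append(Finding("ENDS_BEFORE_LAST_SALE",
            f"support ends {stmt.support_until}, units on sale until {sales.last_planned_sale}"))

    # Minimum period, measured here from first placing on the market (an assumed reading).
    minimum_end = add_years(sales.first_sale, minimum_years)
    if stmt.support_until < minimum_end:
        findings.append(Finding("BELOW_MINIMUM_PERIOD",
            f"support ends {stmt.support_until}, {minimum_years}-year minimum runs to {minimum_end}"))

    # Operational leg: longest stretch of the committed window (so far) with no security update.
    window_end = min(as_of, stmt.support_until)
    fix_dates = sorted(r.released_on for r in releases
                       if r.security_fix and sales.first_sale <= r.released_on <= window_end)
    checkpoints = [sales.first_sale, *fix_dates, window_end]
    longest = max((later - earlier).days for earlier, later in zip(checkpoints, checkpoints[1:]))
    if longest > max_gap_days:
        findings.append(Finding("UPDATE_GAP",
            f"{longest} days without a security update (limit {max_gap_days})"))
    return findings


# Constructed sample evidence for a hypothetical product.
SAMPLE_STATEMENT = SupportStatement("ACME Hub", date(2024, 4, 29), date(2027, 6, 30))
SAMPLE_SALES = SalesWindow(first_sale=date(2024, 5, 1), last_planned_sale=date(2027, 12, 31))
SAMPLE_RELEASES = [
    Release("1.0.0", date(2024, 5, 1), security_fix=False),
    Release("1.0.1", date(2024, 7, 15), security_fix=True),
    Release("1.1.0", date(2025, 1, 20), security_fix=True),
    Release("1.1.1", date(2025, 9, 1), security_fix=True),
]
AS_OF = date(2025, 10, 1)


def demo() -> list[Finding]:
    return check_support_period(SAMPLE_STATEMENT, SAMPLE_SALES, SAMPLE_RELEASES, AS_OF)


if __name__ == "__main__":
    for f in demo():
        print(f"{f.code}: {f.detail}")
```

Run against the sample data it reports three findings: the stated end date falls before the last planned sale, the period is shorter than the five-year minimum measured from first sale, and the pipeline went 224 days without shipping a security fix. The same script run quarterly over the real release log is a cheap way to notice the staffing gap before a market-surveillance authority does.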

Magist provides legal information based on publicly available regulatory sources. It does not constitute legal advice and does not create an attorney-client relationship. Consult a licensed attorney in your jurisdiction before making compliance decisions.

Magist

Pre-launch regulatory analysis for product teams. Built by a lawyer, designed for PMs.

Built by Neel Patel, a practicing in-house games attorney. Games touch more compliance domains at once than anything else in tech — Magist was designed around that.

Operated by a Washington-licensed attorney. Not licensed in California or other US states.

Magist is an instrument, not a consultancy. It does not sell compliance services or take payment from vendors for placement; the analysis is the same for everyone. No vendor, sponsorship, or referral fees, ever.

© 2026 Magist