How should manufacturers deal with known exploitable vulnerabilities discovered after a product has been placed on the market but before reaching its final user?
Products with digital elements may be placed on the market and enter the distribution chain some time before they reach their final user. This is often the case, for example, when a product is sent to the distribution branch of a manufacturer, or when it is offered for sale online or through other means of distance selling and is transferred to fulfilment service providers for delivery, reaching its final user days or months after placement on the market. For example, a laptop may stay on the shelf of an electronics shop for some time before reaching its user.
In the period between placement on the market and delivery to the intended final user, known exploitable vulnerabilities affecting that product may be discovered. However, the obligation to deliver, on the basis of the risk assessment, products without known exploitable vulnerabilities applies at the moment of placement on the market (Article 13(1)). As the product has already been placed on the market, manufacturers are therefore not expected to fix newly discovered vulnerabilities while their products have not yet reached their user.
Nonetheless, as the CRA also establishes vulnerability handling requirements that apply during a product’s support period, manufacturers shall, in relation to the risks posed to products with digital elements, address and remediate vulnerabilities without delay, in accordance with Annex I, Part II, point (2). For example, given the risks posed by the newly discovered exploitable vulnerabilities, the laptop manufacturer establishes that a security update is necessary to address those vulnerabilities. The manufacturer may be required to provide a security update for the laptop, as soon as it is put into operation by its user.
Disclaimer
This document is prepared by the Commission services and should not be considered as representative of the European Commission’s official position. The replies to the FAQs do not extend in any way the rights and obligations deriving from applicable legislation nor introduce any additional requirement. The expressed views are not authoritative and cannot prejudge any future actions the European Commission may take, including potential positions before the Court of Justice of the European Union, which is competent to authoritatively interpret Union law.