How does the end of the support period in an integrated component impact a product’s compliance with the CRA?

When determining the support period, manufacturers may also take into account the support periods of products with digital elements offering a similar functionality placed on the market by other manufacturers, the availability of the operating environment, the support periods of integrated components that provide core functions and are sourced from third parties […] (Article 13.8)

Manufacturers need to comply with the vulnerability handling obligations for the duration of the support period, for their products in their entirety, including all integrated components, but are able to rely on the vulnerability handling obligations to which component manufacturers are also subject, as discussed in entry 4.3.6 How should vulnerabilities in integrated components be addressed and remediated?

The support period of integrated components is a consideration that manufacturers may take into account when determining their product’s support period, to ensure that they are able to leverage the support period of key components to address and remediate the product’s vulnerabilities. See also section 4.5 Support period.

Nonetheless, it can occur that a product with an active support period contains a vulnerability in an integrated component that is no longer covered by that component’s support period, and that vulnerability cannot be addressed and remediated adequately via various forms of mitigation measures (see also entry 4.3.1 Are manufacturers required to patch all vulnerabilities that are discovered during the support period?). In that case, the manufacturer of the product is required to remediate the vulnerability via other means, for example by switching out the integrated component or developing a patch autonomously.