Is there a minimum support period?

Without prejudice to the second subparagraph, the support period shall be at least five years. Where the product with digital elements is expected to be in use for less than five years, the support period shall correspond to the expected use time (Article 13(8), third subparagraph).

The support period for which the manufacturer ensures the effective handling of vulnerabilities should be no less than five years, unless the lifetime of the product with digital elements is less than five years, in which case the manufacturer should ensure the vulnerability handling for that lifetime. Where the time the product with digital elements is reasonably expected to be in use is longer than five years, as is often the case for hardware components such as motherboards or microprocessors, network devices such as routers, modems or switches, as well as software, such as operating systems or video-editing tools, manufacturers should accordingly ensure longer support periods. In particular, products with digital elements intended for use in industrial settings, such as industrial control systems, are often in use for significantly longer periods of time. A manufacturer should be able to define a support period of less than five years only where this is justified by the nature of the product with digital elements concerned and where that product is expected to be in use for less than five years, in which case the support period should correspond to the expected use time. For instance, the lifetime of a contact tracing application intended for use during a pandemic could be limited to the duration of the pandemic. Moreover, some software applications can by nature only be made available on the basis of a subscription model, in particular where the application becomes unavailable to the user and is consequently not in use anymore once the subscription expires (Recital 60).

The support period needs to be set to at least five years, but that is not sufficient where products with digital elements are reasonably expected to be in use for longer than five years. In such circumstances, manufacturers should consider all relevant factors (see entry 4.5.1 Which criteria should the manufacturer take into account when determining a product’s support period?) which may result in a need to provide for a support period longer than five years.

A support period of less than five years is only justified in situations where the lifetime of the product with digital elements is less than five years. In these cases, the support period shall correspond to the expected use time, without further consideration for the other criteria listed in Article 13(8). This is the case for products that fulfil a very specific purpose (e.g. a contact tracing app to be used during a pandemic), but also for some software applications that can, by nature, only be made available on the basis of a subscription model, particularly where the application becomes unavailable to the user once the subscription expires. For example, some enterprise antivirus software only works for users with an active subscription, as users rely on the availability of up-to-date antivirus definitions, and is no longer accessible when that subscription expires. Similarly, some free and open-source software that is placed on the market can be monetised by its manufacturer only through the sale of paid support services offered on a subscription basis. Therefore, due to its nature of being free and open-source, that software may remain in use after its user stops paying for the support services; in such circumstances, the manufacturer is required to ensure a support period that is equal to the duration of the active subscription.

© 2025 European Union • CC-BY 4.0 • “FAQs on the Cyber Resilience Act” p.49–50 (PDF)

Disclaimer: This document is prepared by the Commission services and should not be considered as representative of the European Commission’s official position. The replies to the FAQs do not extend in any way the rights and obligations deriving from applicable legislation nor introduce any additional requirement. The expressed views are not authoritative and cannot prejudge any future actions the European Commission may take, including potential positions before the Court of Justice of the European Union, which is competent to authoritatively interpret Union law.