Blog | SEP 29, 2025

Deep Dive - CRA Requirement (2) Risk Management & Security Updates

Cyber Resilience Act

What does it really mean to address and remediate vulnerabilities without delay? In this deep dive into CRA Requirement (2), we explore how timely security updates and continuous risk management are becoming critical. This requirement goes beyond fixing flaws: it demands a culture of rapid response, where updates are prioritized, separated from feature releases, and delivered to users as soon as technically feasible.

The second vulnerability-handling requirement under the EU Cyber Resilience Act (CRA) creates a strict obligation: manufacturers must remediate vulnerabilities in their products and provide security updates promptly.

“(2) in relation to the risks posed to the products with digital elements, address and remediate vulnerabilities without delay, including by providing security updates; where technically feasible, new security updates shall be provided separately from functionality updates.”

This requirement sets a clear expectation: security updates can no longer be bundled into long product release cycles or delayed until the next major version. The CRA explicitly requires that vulnerabilities be patched in accordance with their severity and that users receive those security updates quickly, independently of new features. This shift makes vulnerability response a central, ongoing responsibility of product manufacturers.

What this requirement means

Think of digital products like a house with a security system. If a weakness is discovered in the lock, you wouldn’t wait until you remodel the whole house to fix it. You would replace the lock right away to keep the house safe. In the same way, when vulnerabilities are found in connected products, manufacturers need to provide security fixes quickly and without waiting for feature upgrades or redesigns.

This requirement obliges manufacturers to fix vulnerabilities in their products, such as an IoT device or connected system, without delay. The product should be designed so that vulnerabilities can be addressed without unnecessary delay, and the manufacturer must provide security updates to users in a timely manner to fix the security issues and protect the product from cyber threats. Additionally, where technically possible, these security updates should be delivered separately from updates that add new features or change the product's functionality. This separation helps ensure that important security updates can be installed quickly and reliably, without being delayed or blocked by unrelated changes.

Relevant Standards and Guidelines

Although the CRA does not prescribe specific technical standards, several established frameworks support compliance with this requirement:

  • ISO/IEC 27001 provides a management framework for information security, including risk treatment and vulnerability management. It sets the governance baseline but does not go into detail on patch management or third-party updates.

  • ISO/IEC 27002 offers best-practice controls for vulnerability classification, remediation, and risk assessment. However, it lacks prescriptive detail on patching libraries and third-party components.

  • ISO/IEC 30111 specifies processes for vulnerability handling in software products, covering identification, analysis, remediation, and distribution of security updates.

  • ISO/IEC 29147 complements 30111 by defining processes for receiving and disclosing vulnerabilities, including interactions with CERTs and external researchers.

  • IEC 62443-4-1 is highly relevant for industrial and OT contexts, mandating timely delivery of security updates (SUM-1 and SUM-5 requirements), though it does not comprehensively cover vulnerability classification or third-party libraries.

Each standard addresses part of the picture, but as ENISA’s mapping highlights, no single framework covers all aspects end-to-end. Instead, manufacturers should build a composite approach, drawing on the strengths of multiple frameworks: governance and risk management from ISO 27001/27002, structured handling and disclosure processes from ISO 30111 and 29147, and sector-specific practices like timely security update delivery from IEC 62443-4-1. By integrating these complementary elements, organizations can create a comprehensive, end-to-end process that aligns with current standards, best practices and operational realities.

How to approach Implementation

To meet this requirement, the manufacturer should design the product’s update mechanism so that security updates can be deployed quickly and reliably. In line with essential cybersecurity requirement (c) of the CRA, this means ensuring that vulnerabilities are remediated without delay and that security updates are delivered separately from functionality updates where technically feasible. A dedicated update channel or process for security fixes helps minimize risks and ensures that critical patches are not delayed by unrelated feature releases.

From a technical perspective, it is recommended to structure the product firmware or software in a modular way, allowing critical components to be updated independently of feature changes. This modularity reduces the size and complexity of updates and enables faster response to newly identified vulnerabilities.

In addition, essential cybersecurity requirement (f) requires that the integrity of data, commands, programs, and configurations is protected against unauthorized modifications and that corruptions are reported. Applied to the update mechanism, this means all updates must undergo integrity verification to prevent tampering, and the system should maintain detailed logs of update activities. Such logging ensures traceability, supports incident investigations, and provides evidence of compliance with the regulation.
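As an added illustration (not code from the original post or from any CRA standard), the device-side checks this section describes: verify the manifest signature and payload hash before anything is installed, keep the security channel separate so that a freeze on functionality updates never blocks a fix, and record every decision in an audit log. The key, channel names and sample images are constructed; HMAC-SHA256 stands in for the asymmetric signature a shipped device would verify against an embedded public key.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed stand-in for the device's verification key. A real product
# would check an asymmetric signature against a public key stored in the
# device; HMAC-SHA256 keeps this example self-contained and offline.
VERIFY_KEY = b"constructed-update-verification-key"
SECURITY, FEATURE = "security", "feature"   # hypothetical channel names

audit_log: list[dict] = []   # traceability record required by requirement (f)

def _log(event: str, manifest: dict, detail: str) -> None:
    audit_log.append({"time": datetime.now(timezone.utc).isoformat(),
                      "event": event, "channel": manifest.get("channel"),
                      "version": manifest.get("version"), "detail": detail})

def build_manifest(channel: str, version: str, payload: bytes) -> dict:
    """Producer side: bind the payload to the manifest by its SHA-256."""
    return {"channel": channel, "version": version,
            "payload_sha256": hashlib.sha256(payload).hexdigest()}

def sign_manifest(manifest: dict, key: bytes = VERIFY_KEY) -> str:
    """Producer side: MAC over canonical JSON so field order cannot matter."""
    body = json.dumps(manifest, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def verify_and_apply(manifest: dict, signature: str, payload: bytes,
                     feature_updates_allowed: bool) -> bool:
    """Device side: verify integrity first, then honour the channel split."""
    if not hmac.compare_digest(sign_manifest(manifest), signature):
        _log("rejected", manifest, "manifest signature mismatch")
        return False
    if hashlib.sha256(payload).hexdigest() != manifest["payload_sha256"]:
        _log("rejected", manifest, "payload hash mismatch (corrupt or tampered)")
        return False
    # Security fixes are never held back by a freeze on functionality updates.
    if manifest["channel"] == FEATURE and not feature_updates_allowed:
        _log("deferred", manifest, "feature update held; security channel open")
        return False
    _log("applied", manifest, "integrity verified, update installed")
    return True

if __name__ == "__main__":
    fix = b"constructed security-fix image"
    m = build_manifest(SECURITY, "1.4.1", fix)
    print(verify_and_apply(m, sign_manifest(m), fix, feature_updates_allowed=False))
    print(json.dumps(audit_log, indent=1))
```

The audit entries are what an incident investigation or a conformity assessment would read back: which update arrived, whether its integrity checks passed, and whether a held feature release ever delayed a security fix.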

Strategic Considerations beyond Compliance

For many organizations, this requirement is more than a mandate to issue security updates faster; it is a catalyst for changing how products are maintained. Historically, updates were tied to long release cycles, with security updates competing against new features for developer attention. This often led to delays, frustrated customers, and increased exposure.

The CRA demands a new operating model: security updates must be prioritized, with streamlined processes for creating and distributing them quickly. This drives closer collaboration between development, operations, and security teams, embedding a culture where risk management is continuous and proactive.

Beyond compliance, this approach builds resilience and trust. Companies that can demonstrate rapid response to vulnerabilities not only reduce their regulatory risk but also strengthen customer confidence. In competitive markets, the ability to deliver timely, independent security updates is increasingly seen as a proof of a mature and trustworthy security posture.

In our next post, we will explore Requirement (3): Security Testing, which defines how manufacturers must apply effective and regular tests and reviews of the security of their products.

Previous Blog, CRA Vulnerability Handling Requirement (1): https://tributech.io/blog/cra-vulnerability-handling-requirement-1-identify-document-vulnerabilities

Next Blog, CRA Vulnerability Handling Requirement (3): https://www.tributech.io/blog/cra-vulnerability-handling-requirement-3-security-testing
