Back to blogs

Blog | OCT 10, 2025

Deep Dive - CRA Requirement (7) Security Update Distribution

Cyber Resilience Act

What does it really mean to securely distribute updates? In this deep dive into CRA Requirement (7), we explore why simply creating a patch is not enough. The CRA requires manufacturers to ensure that updates are delivered securely. This is not only about speed but also about integrity, updates must reach users without tampering, ensuring that vulnerabilities are fixed in a timely and trustworthy manner.

The seventh vulnerability handling requirement under the EU Cyber Resilience Act (CRA) establishes a strict obligation: manufacturers must ensure that updates are distributed securely to fix or mitigate vulnerabilities.

“(7) provide for mechanisms to securely distribute updates for products with digital elements to ensure that vulnerabilities are fixed or mitigated in a timely manner and, where applicable for security updates, in an automatic manner;”

This requirement means that issuing updates is not enough, how those updates are delivered is just as critical. The CRA expects manufacturers to establish secure update mechanisms that protect users from supply chain attacks, tampering, or fake patches delivered through unofficial channels.

What this requirement means

This requirement is about making sure that when a fix is sent out, people can trust it completely. If updates are not delivered securely, someone could slip in a fake version that causes more harm instead of solving the problem. Imagine thinking your phone or smart speaker just got safer, but in reality, it was tricked into installing something dangerous. The CRA makes clear that updates must always come from the right source and reach people quickly, so problems are solved instead of made worse.

For manufacturers, this means ensuring that the path from creating an update to delivering it is protected against tampering or impersonation. Users must be able to trust that updates are authentic, unaltered, and provided in time to reduce exposure to vulnerabilities. Where appropriate, updates should also be installed automatically to make sure fixes are applied quickly without relying on user action.

In essence, Requirement (7) underlines that security is not only about producing patches but also about delivering them in a way that preserves integrity, authenticity, and timeliness.

Relevant Standards and Guidelines

Although the CRA does not mandate a single framework, several standards provide guidance relevant to secure update distribution:

  • ISO/IEC 27002: defines information security controls, including secure software distribution and cryptographic protections. However, it does not explicitly address publishing hashes or providing verification instructions.

  • IEC 62443-4-1: focuses on secure product development for industrial automation and includes update and patch management practices. While highly relevant, it does not explicitly require code signing or hash publication, and it is tailored primarily to IACS environments.

Taken together, these standards help build a baseline for secure update processes, but as ENISA highlights, gaps remain. To fully comply with CRA expectations, manufacturers should combine these with industry best practices, such as NIST SP 800-53, NIST SP 800-63B, OWASP SSDLC, or the EUCC patch management framework, which provide practical mechanisms for update integrity, distribution security, and verification transparency.

How to approach Implementation

To comply with this requirement, manufacturers must ensure that updates are distributed in a way that users can fully trust. This means updates must only come from official channels controlled by the manufacturer and must be protected from tampering, interception, or substitution. Users need confidence that what they install is authentic and safe. Where appropriate, updates should also be installed automatically so that security fixes are applied quickly and products are not left exposed longer than necessary.

This requirement does not stand alone. It is closely connected to two other essential cybersecurity requirements of the CRA. Requirement (c) obliges manufacturers to provide security updates and to offer users the option to opt out. This creates a balance: automatic updates should be the default to minimize exposure, but users must retain the ability to control them when justified. Requirement (f) requires the integrity of data, functions, and software to always be preserved. Secure distribution under requirement (7) directly supports this, ensuring that updates do not compromise the reliability of the product itself.

Together, requirements (c), (f), and (7) form the backbone of update security. They define what must be provided (security updates), how users interact with them (choice to opt out), and how the system ensures their trustworthiness (integrity and secure delivery). If one of these elements is missing, the whole process becomes weaker, either leaving users unprotected, undermining trust, or creating unnecessary risk.

For this reason, update mechanisms should be designed with all three requirements in mind from the very beginning. Treating them separately increases the chance of conflicts or gaps later in the lifecycle. Considering them together ensures that automatic updates, user control, and integrity protection work as one coherent system.

Strategic Considerations beyond Compliance

End users increasingly expect updates to be seamless, automatic, and secure. A failure in update mechanisms can damage not just security but also brand reputation.

The CRA makes secure update distribution a legal necessity, but companies that treat it as a strategic priority will gain a competitive advantage. Demonstrating robust, transparent update practices reassures customers, builds trust, and signals that the manufacturer takes security seriously.

In a landscape where attackers actively target supply chains, a secure update process is not just compliance, it is a cornerstone of resilience.

In our next post, we will explore Requirement (8): Provide and Retain Security Updates.

Previous Blog CRA Vulnerability Handling Requirement (6): https://www.tributech.io/blog/cra-vulnerability-handling-requirement-6-sharing-and-reportingNext Blog CRA Vulnerability Handling Requirement (8): https://www.tributech.io/blog/cra-vulnerability-handling-requirement-8-update-distribution-and-user-guidance

CRA Learning Path

Get the CRA Newsletter and unlock everything you need to stay compliant with CRA regulations: