The EU correction of July 2025 clarifies that security updates are required only during the support period. SMEs are exempt from fines for certain missed deadlines.
Vulnerability management only during the support period
In Article 13 paragraph 8 the correction fixed an editorial but decisive error. Originally the text referred to "[…] during the expected product lifetime and the support period […]". It now correctly reads:
> "[…] during the support period […]"
This makes clear: the obligation to address vulnerabilities exists only during the support period defined by the manufacturer, not beyond that period.
This clarification matters especially for long-lived products in sectors such as industry, mechanical engineering or medical technology. Manufacturers may define the length of the support period themselves - taking into account the intended purpose, user expectations and comparable products. They are not obliged to provide security updates beyond the realistic lifetime of the product.
No sanctions for certain reporting obligations for small businesses
Even more practically relevant is the amendment to Article 64 paragraph 10. The introductory sentence was changed as follows:
> From: "By way of derogation from paragraphs 3 to 9 […]"
> To: "By way of derogation from paragraphs 2 to 9 […]"
Why does this matter? Paragraph 2 of Article 64 contains the harshest sanctions of the Cyber Resilience Act: fines of up to 15 million EUR or 2.5% of global turnover for breaches of central manufacturer obligations (for example secure development, vulnerability management, risk analysis).
With this change it is now clear: these sanctions do not apply to micro or small enterprises whose only breach is missing one of the following deadlines:
- Article 14(2)(a): deadline for submitting an early warning about an actively exploited vulnerability
- Article 14(4)(a): deadline for submitting an early warning about a serious security incident
In addition, maintainers of open-source software are in principle exempt from all sanctions under Article 64 paragraphs 2 to 9.
Practical implications
The Cyber Resilience Act imposes high requirements on manufacturers of products with digital elements - from IoT devices to industrial installations. The recent amendments provide important clarifications:
- Obligations to address vulnerabilities apply only for the duration of the promised support. This prevents unrealistic demands.
- Micro and small enterprises get more time and leeway to build processes for reporting vulnerabilities - without immediately facing fines.
- The changes do not prevent sanctions for serious breaches of duties, but they ensure that simple oversights in new reporting processes are not punished disproportionately.
Conclusion
The correction of 2 July 2025 is more than editorial precision - it creates legal certainty, in particular for medium-sized manufacturers and startups. The amendments show that the EU Commission takes proportionality in the implementation of the Cyber Resilience Act seriously.
The clarifications bring greater legal certainty but also raise new boundary questions. If you want to understand which obligations apply to your company and where there is room for manoeuvre, this can be clarified in a non-binding conversation.