CRA amendment 2025 clarification on obligations and sanctions

The EU correction from July 2025 clarifies that security updates are required only during the support period. Micro and small enterprises are exempt from fines for certain missed deadlines.

Vulnerability management only during the support period

In Article 13(8) the erratum corrected a small but crucial drafting error. The original text referred to "[...] during the expected product lifetime and the support period [...]". It now correctly reads:

> "[...] during the support period [...]"

This makes it clear: the obligation to address vulnerabilities exists only during the support period defined by the manufacturer, not beyond it.

This clarification matters especially for long-lived products, for example in industry, mechanical engineering or medical technology. Manufacturers can define the length of the support period themselves - taking into account the product’s intended purpose, user expectations and comparable products. They are not obliged to provide security updates beyond the product’s realistic lifetime.

No sanctions for certain reporting obligations of small companies

Even more practically relevant is the change in Article 64(10). The introductory sentence was amended as follows:

> From: "Contrary to paragraphs 3 to 9 [...]"
>
> To: "Contrary to paragraphs 2 to 9 [...]"

Why does that matter? Paragraph 2 of Article 64 of the Cyber Resilience Act lays down the harshest sanctions: fines of up to EUR 15 million or 2.5% of global turnover for breaches of central manufacturer duties (e.g., secure development, vulnerability management, risk analysis).

With the amendment it is now clear: these sanctions do not apply to micro or small enterprises when they only fail to meet the following deadlines:

  • Article 14(2)(a): deadline for submitting an early warning on an actively exploited vulnerability
  • Article 14(4)(a): deadline for submitting an early warning on a serious security incident

In addition: maintainers of open-source software are in principle exempt from all sanctions in Article 64(2) to (9).

Practical implications

The Cyber Resilience Act places high demands on manufacturers of products with digital elements - from IoT devices to industrial installations. The recent amendments provide important clarifications:

  • Obligations to address vulnerabilities apply only for the duration of the promised support. That avoids unrealistic requirements.
  • Micro and small enterprises get more time and leeway to set up processes for reporting vulnerabilities - without immediate exposure to fines.
  • The amendments do not prevent sanctions for gross breaches of duty, but they ensure that minor failures in new reporting processes are not punished disproportionately.

Conclusion

The erratum of 2 July 2025 is more than editorial precision - it creates legal certainty, especially for medium-sized manufacturers and start-ups. The changes make clear that the European Commission takes proportionality in the implementation of the Cyber Resilience Act seriously.