The Cyber Resilience Act (Annex I, Part II(8)) requires that security patches and updates are made available to users without undue delay and free of charge, accompanied by advisory messages providing relevant information including on potential actions to be taken. Annex I, Part I(2)(c) further requires that the product supports the secure installation of updates through an appropriate mechanism. While patching and updating (PU) focuses on maintaining the product's runtime environment, secure deploy is concerned with how security updates actually reach the product and its users.
Establish a delivery mechanism that guarantees the integrity and authenticity of every security update before it is applied to the product. This means cryptographically signing updates and verifying the signatures on the receiving end, so that neither the update content nor its origin can be spoofed or tampered with in transit. The product must support timely application of security updates, whether through automated deployment, user-initiated installation, or a combination of both, depending on the product's design and operating context.
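A minimal sign-then-verify flow for the delivery mechanism described above, written here in Go as an added example (not code from the page or from any particular product). The manifest format, field names and Ed25519 vendor key pair are assumptions; the example also goes slightly beyond the text by refusing an update whose version is not newer than the installed one, so a replayed older but validly signed package cannot reintroduce a fixed flaw.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// UpdateManifest is a constructed, hypothetical format: the update's version
// and the SHA-256 digest of its payload, signed with the vendor's Ed25519 key.
type UpdateManifest struct {
	Version   uint32
	Digest    [32]byte
	Signature []byte
}
// signedBytes is the canonical byte string the signature covers: version || digest.
func signedBytes(version uint32, digest [32]byte) []byte {
	buf := make([]byte, 4, 36)
	binary.BigEndian.PutUint32(buf, version)
	return append(buf, digest[:]...)
}
// SignUpdate runs at the vendor: hash the payload and sign version || digest.
func SignUpdate(priv ed25519.PrivateKey, version uint32, payload []byte) UpdateManifest {
	d := sha256.Sum256(payload)
	return UpdateManifest{Version: version, Digest: d, Signature: ed25519.Sign(priv, signedBytes(version, d))}
}
// VerifyUpdate runs on the product before anything is installed: it checks origin
// (signature), then integrity (digest), then refuses a downgrade or replay.
func VerifyUpdate(pub ed25519.PublicKey, installed uint32, m UpdateManifest, payload []byte) error {
	if !ed25519.Verify(pub, signedBytes(m.Version, m.Digest), m.Signature) {
		return errors.New("manifest signature invalid: origin cannot be trusted")
	}
	if sha256.Sum256(payload) != m.Digest {
		return errors.New("payload digest mismatch: content altered in transit")
	}
	if m.Version <= installed {
		return errors.New("version not newer than installed: downgrade refused")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed vendor key pair
	m := SignUpdate(priv, 2, []byte("constructed firmware image v2"))
	fmt.Println("genuine:", VerifyUpdate(pub, 1, m, []byte("constructed firmware image v2")))
	fmt.Println("tampered:", VerifyUpdate(pub, 1, m, []byte("altered image")))
}
```

In a real product the public key would be pinned in the device or installer rather than delivered alongside the update, and the verification result would be written to the operational record the regulation expects you to retain.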
Where user action is required to apply an update, or where the vulnerability being addressed carries significant risk, notify users of the available update and clearly communicate its importance and any actions they should take. Ensure the deployment process is documented, tested, and capable of rolling back in the event of a failed update. Retain evidence of update delivery and deployment as part of the product's operational records, supporting traceability and the ability to demonstrate that security updates were made available to users without undue delay as required by the regulation.