Android OEMs to provide at least 5 years of security updates, as per EU's Cyber ​​Resilience Act

Google recently surprised many of us with the promise to provide at least 7 years of Android OS and security updates for the Pixel 8 and Pixel 8 Pro. This not only keeps the devices fresh with new features, but also protects them from security threats occasioned by the use of dated software. And in line with this, the EU has recently agreed on a policy that will mandate manufacturers of all smart devices sold in the region, not just Android smartphones, to provide at least 5 years of software updates.

In a landmark decision aimed at bolstering consumer protection and enhancing cybersecurity practices, the European Union (EU) now wants manufacturers to conduct thorough assessments of the cybersecurity risks associated with their products. This move underscores a commitment to ensuring the safety and longevity of smart devices, especially in an era marked by increasing digital interconnectivity.

Under the new ruling, christened the “Cyber ​​Resilience Act,” manufacturers must provide declarations of conformity, outlining the cybersecurity measures embedded in their hardware and software products. This initiative aims to equip users with crucial information about the security protocols in place for better decision-making. According to the ruling, OEMs will be mandated to implement cybersecurity measures throughout the entire life cycle of their products. This spans from the initial design and development stages to post-market placement. Notably, products meeting the Regulation’s requirements will feature the CE marking, signifying their compliance and eligibility for sale within the European Union.

In addition to these measures, the Act will require manufacturers of Android smartphones and other products sold in the EU to provide regular security updates for a specified duration following their purchase. This timeframe is expected to align with the anticipated lifespan of the products, ensuring that cybersecurity protections remain current and effective throughout the relevant usage period. Although I couldn’t find any specific period in the official documentation, Reuters says the support window is at least 5 years, which is in line with what the likes of Apple, Google and Samsung already have in place for their smartphones and other smart products.

Chinese smartphone vendors like Xiaomi, Oppo, and HONOR have been making inroads across Europe. But given their poor track record with software updates, this legislation could deal a blow to their relentless progress especially with respect to budget devices. But from a consumer perspective, it’s a win since devices will remain secure and up to date in their entire lifespan. This makes even more sense given that people are holding onto their devices much longer than before for various reasons.

Although technically through, the Cyber Resilience Act is still subject to formal approval by both the European Parliament and the Council. Once in place, it will be enforced from the 20th day after publication in the Official Journal. OEMs will then be required to adopt the new regulations within 36 months, but the obligation to report incidents and vulnerabilities will get a more limited 21-month grace period.

Below is a timeline of how events will unfold once the act is signed into law.