Kurzinformation

ENISA Technical Advisory on Secure Update Mechanisms

Secure update mechanisms according to ENISA – requirements for CRA-compliant products


Share this article
Share Button LinkedinShare Button XShare Button FacebookShare Button Instagram  Share Button E-Mail

The document “ENISA Technical Advisory on Secure Update Mechanisms” (Draft v0.1, May 2026) addresses the secure development, deployment and management of software and firmware updates throughout the entire product lifecycle. 

It is aimed in particular at manufacturers of products with digital elements and supports the implementation of requirements from the Cyber Resilience Act (CRA). The recommendations are also in line with the “Secure by Design” and “Secure by Default” principles promoted by ENISA. In our short information, we have summarised key information about the document.
 

Objective of the document

The main objective is to ensure a consistently secure and trustworthy update process. This involves ensuring that updates provided are authentic, complete and unaltered at all times, and originate exclusively from authorised and verified sources. Furthermore, updates must be distributed, transmitted and installed securely to prevent tampering or unauthorised interference. 

At the same time, it must be ensured that updates do not introduce any new security risks, vulnerabilities or compromises to system integrity. The entire update and support process must also be reliable, traceable and continuously available throughout the entire support period.
 

Requirements for manufacturers regarding the provision of security updates

The Technical Advisory describes requirements for secure update mechanisms for products with digital elements. The aim is to prevent tampering along the supply chain and to reliably provide security updates throughout a product’s entire lifecycle. 

To this end, manufacturers should establish a secure and resilient update infrastructure. This includes, amongst other things, cryptographically signed updates, secure transmission channels, authentication mechanisms and integrity checks to ensure the authenticity and integrity of updates. In addition, ENISA calls for appropriate protective measures for the entire update process, such as secure development and build environments, the protection of cryptographic signature keys, and traceable approval and release processes. 

Another key focus is on operational security during and after the update. Failed updates must not render a product or system unusable. Secure rollback and recovery mechanisms are therefore recommended. In addition, update activities should be logged and monitored using monitoring and alerting functions to enable the early detection of errors or attempts at manipulation. Security-related updates should be made available promptly, with automatic updates being regarded as an essential component of a secure default state (‘Secure by Default’). 

Furthermore, update mechanisms must be closely linked to vulnerability management. Manufacturers should systematically identify, assess and prioritise vulnerabilities, develop appropriate security updates, and inform users transparently about available patches and their relevance. 

Additional requirements arise particularly in the machine and industrial sectors. In these environments, the availability of systems is a high priority, which is why unplanned downtime must be avoided at all costs. Updates must therefore take maintenance windows into account, be sufficiently testable prior to deployment, and be capable of being installed in a controlled manner. For this reason, a controlled update process is often preferred over fully automated updates in industrial environments. 

Transparent documentation of supported software versions, resolved vulnerabilities, changes included, and defined support periods supports both the compliance requirements of the Cyber Resilience Act and clear communication with customers and operators. Overall, ENISA’s recommendations thus provide concrete technical and organisational guidance for implementing the requirements of the Cyber Resilience Act in the areas of security updates, vulnerability management, and secure-by-design and secure-by-default.
  

Seminar tip

Efficient CE marking and risk assessment of machines


Our 2-day seminar Efficient CE marking and risk assessment of machinery and plants deals with requirements for safe design of machinery – and covers both the Machinery Directive 2006/42/EC and the new Machinery Regulation (EU) 2023/1230.

Conclusion

The ENISA Technical Advisory considers the update mechanism to be one of the key security components of modern digital products. Updates should not only fix bugs, but should themselves be developed, distributed and installed in accordance with the highest security standards. 

For manufacturers of machinery and equipment, the document provides specific technical measures for the practical implementation of CRA requirements regarding security updates, vulnerability management and secure-by-design. Particular emphasis is placed on cryptographically secured updates, secure rollback procedures, controlled update processes in OT environments, and transparent communication with users.

 

Download the draft from May 2026

You can open and download version 0.1 of the Technical Advisory on Secure Update Mechanisms via the following link.


ENISA Technical Advisory on Secure Update Mechanisms


Posted on: 5 June 2026

Author: Wolfgang Reich

Wolfgang Reich
CE marking and safety expert HTL electrical engineering, specialising in power engineering (Dipl.-HTL-Ing.),  20 years of experience in CE marking, machine safety, conversion of machines, electrical engineering and explosion protection, 10 years of which at TÜV Austria and Intertek Deutschland GmbH. Chairman of the master craftsman examination commission in the Styrian Chamber of Commerce for mechatronics (automation technology and electronics).

E-Mail: wolfgang.reich@ibf-solutions.com

CE-Infoservice – register now!

We will inform you free of charge by e-mail about new technical articles, important standard publications or other news from the field of mechanical and electrical equipment safety or product compliance.


Share this article
Share Button LinkedinShare Button XShare Button FacebookShare Button Instagram  Share Button E-Mail

Support by IBF

CE Software Safexpert

CE software for systematic and professional safety engineering

Seminars

Practical seminars on aspects of risk assessment and ce marking

Stay Up-to-Date!

With the CE InfoService you stay informed about important developments in the field of product safety.