Regulating Smart Device Support Periods: User Expectations and the European Cyber Resilience Act

Lorenz Kustosch and Carlos Gañán, Delft University of Technology; Mattis van 't Schip, Radboud University; Michel van Eeten and Simon Parkin, Delft University of Technology

Supporting consumer IoT devices with updates is crucial to ensure their security. However, this support period is usually shorter than the device's actual lifespan, resulting in millions of unsupported and vulnerable devices. The upcoming European Cyber Resilience Act (CRA) addresses this by requiring manufacturers to support their products for the expected use time, which should be based on reasonable user expectations. In this work, we thus empirically explore the concept of user expectations regarding smart devices' use times and security provision by conducting a large-scale survey in five EU countries (n = 993). We find that respondents' smart device use times and lifetime expectations exceed the CRA's baseline of five years for a majority of device categories and vary substantially across device categories, their "smartness", and individuals. Respondents also consider different factors for the lifetimes of smart and conventional devices. Surprisingly, a majority of respondents expected update support to correspond with devices' full lifetimes, highlighting how the current market dynamics of short support times seem to contrast expectations. Our results provide novel insights for manufacturers and market authorities who will need to determine support periods for smart products in the coming years.

Category: Short Presentation

BibTeX
@inproceedings {309704,
author = {Lorenz Kustosch and Carlos Ga{\~n}{\'a}n and Mattis van {\textquoteright}t Schip and Michel van Eeten and Simon Parkin},
title = {Regulating Smart Device Support Periods: User Expectations and the European Cyber Resilience Act},
booktitle = {34th USENIX Security Symposium (USENIX Security 25)},
year = {2025},
isbn = {978-1-939133-52-6},
address = {Seattle, WA},
pages = {5149--5168},
url = {https://www.usenix.org/conference/usenixsecurity25/presentation/kustosch-regulating},
publisher = {USENIX Association},
month = aug
}