One example from the BSA (Business Software Alliance) statement on an earlier draft of CRA,
https://www.bsa.org/files/policy-filings/11012022eucra.pdf The CRA requires manufacturers to ensure vulnerabilities are handled effectively for the expected product lifetime or 5 years, whichever is shorter.