The 5 year clock should start from the last time a consumer purchased the product new, though. I can't find anything concrete but some poking around on wayback machine indicates it was likely discontinued late 2018. Which probably still means they are in the clear in this instance even if you assume it takes a year for the inventory in the channel to sell through.
The manufacturer can't control or even predict purchase dates, so that leaves potentially unbounded support lifetimes. I'd be comfortable with the 10-year timer starting from date of last manufacturer though
If this works like a warranty, the manufacturer can stop 10 years after selling to the shop. The shop is the one providing the warranty to the user. The shop can oblige their warranty by replacing with a (more recent) equivalent model, even from another manufacturer.
> The 5 year clock should start from the last time a consumer purchased the product new...
Obvious problem - how could the manufacturer determine (let alone control) when, literally, that happened? They might tell when their major distributors and online retailers ran out of stock...but small distributors and bottom-feeding resellers and mom-and-pop retail? Impossible.
On-package labeling ("Software security updates for this thingie will be available until at least Dec. 31, 2029; also check our web site at https://support...") would be the only fool-proofish method.
I think on-package labelling is a good approach. You could also make the retailer liable for a lack of updates - just as they typically already are with defective products in most jurisdictions.
Yeah, this isn’t that different than the food “best by date” requirements, and in most cases (despite popular belief) the likely consequences of eating old packaged food is not even getting sick, just staleness. Arguably, having exploitable electronics that are “expired” is a greater danger.