Google now requires two years of regular security patches for popular Android devices : Back in May, it was revealed that Google would soon start requiring regular security patches for Android devices in the hope of better protecting the ecosystem. Today, The Verge has obtained a copy of Google’s latest contract which provides all of the details that were previously unknown.

Moving forward, Android manufacturers will need to provide a minimum of four updates during the first year of release, which equates to at least one patch every three months, and an unspecified number during the second year of release. Moreover, by the end of each calendar month, any vulnerability discovered over 90 days ago must be patched. This same rule is valid with newly-released devices, regardless of when they were announced.

This latest agreement centers around smartphones launched after January 31st, 2018. However, not all are subject to the contract. Instead, Google is focusing on popular devices and will only require manufacturers to regularly update smartphones that have been activated by 100,000 users or more. As of July 31, 2018, these patch requirements were applied to 75% of “security mandatory models” but starting January 31, 2019, the rules will cover every one.

On a related note, if manufacturers fail to comply with this latest set of rules, Google reserves the right to without approval of future phones which means the companies may no longer be able to release Android-powered smartphones.

These specifics can be found inside Google’s updated licensing agreement for the European Union and, while it’s likely that some small details may be different in other regions of the world, very similar terms are expected.