Google now requires two years of regular security patches for popular Android devices
The Google Pixel 3
Moving forward, Android manufacturers will need to provide a minimum of four updates during the first year of release, which equates to at least one patch every three months, and an unspecified number during the second year of release. Moreover, by the end of each calendar month, any vulnerability discovered over 90 days ago must be patched. This same rule is valid with newly-released devices, regardless of when they were announced.
On a related note, if manufacturers fail to comply with this latest set of rules, Google reserves the right to stop approving future phones which means the companies in question may no longer be able to release Android-powered smartphones.
These specifics can be found inside Google’s updated licensing agreement for the European Union and, while it’s likely that some small details may be changed, very similar terms are expected in other regions of the world.
source: The Verge
Things that are NOT allowed: