Blackfort TechnologyBlackfort Technology

Technical Documentation and EU Declaration of Conformity under the CRA

Blackfort Technology · Cyber Resilience Act knowledge

Note: This article provides general technical and organizational information on the Cyber Resilience Act (Regulation (EU) 2024/2847) and is not legal advice. The applicable text of the Regulation always prevails; this article does not replace a binding assessment of your individual case. Blackfort Technology provides technical/organizational IT-security and compliance consulting, not legal services within the meaning of the German RDG.

The Cyber Resilience Act (Regulation (EU) 2024/2847) requires manufacturers not only to make their products with digital elements secure — it requires evidence of that security. Two document packages carry this evidence: the technical documentation under Annex VII and the EU Declaration of Conformity under Article 28 in conjunction with Annex V. Both are prerequisites for CE marking (Art. 30) and therefore for lawfully placing a product on the EU market. This article explains, in general and practice-oriented terms, what to prepare and keep — it is not legal advice.

From when? The core manufacturer duties — including the Annex I requirements, conformity assessment and CE marking — apply from 11 December 2027 (general application, Art. 71(2)). Entry into force on 10 December 2024 is not a compliance date. Setting up the documentation early avoids rework.

Why these documents are the backbone of CRA compliance

The technical documentation is the internal evidence that a product meets the essential cybersecurity requirements set out in Annex I. The EU Declaration of Conformity is the externally visible, legally binding assurance by the manufacturer that this is indeed the case. Market surveillance authorities may request the technical documentation on a reasoned request; it is the basis of any inspection. Missing, incomplete or misleading information can attract fines — providing incorrect information to authorities or notified bodies sits within the tier of up to €5m or 1% of worldwide annual turnover (Art. 64).

What the technical documentation must contain (Annex VII)

Annex VII sets out the substantive components. The documentation must be comprehensive enough to demonstrate conformity with the requirements; its scope and depth depend on the nature and risk of the product. Core components:

Component (Annex VII)What it concretely includes
Product descriptionGeneral description incl. intended purpose, versions, supported environments, photos/diagrams
Design, development, productionArchitecture, system design, data flows, security functions applied
Vulnerability-handling processesSBOM, CVD policy (coordinated disclosure), secure update-distribution path, contact address for reports
Cybersecurity risk assessmentThe assessment, mapped to the requirements of Annex I
Support periodInformation on the support period (at least 5 years, unless a shorter expected use)
Standards/specifications appliedHarmonised standards, common specifications or certification schemes — or a description of alternative solutions
Test and inspection reportsReports on the tests and security reviews performed
Copy of the EU DoCThe complete EU DoC as part of the documentation

The SBOM — with no mandated format

The Software Bill of Materials is anchored in Annex I Part II: in a commonly used, machine-readable format covering at least the top-level dependencies. Importantly, the Regulation mandates no specific format. Established formats such as CycloneDX, SPDX (ISO/IEC 5962) or SWID satisfy the requirement as recognised options — this is practical guidance, not statutory text. Art. 13(24) empowers the Commission to specify a format later; no such implementing act has been adopted so far. The SBOM is a compliance artefact disclosed to authorities on a reasoned request — it is not necessarily public. For more depth, see our article on the SBOM requirements under the CRA.

The CVD policy and the update-distribution path

The technical documentation must show that you have established a coordinated vulnerability disclosure (CVD) policy — this is mandatory under the CRA, not optional. It includes a contact address for reports, a process to remediate without undue delay, and a secure distribution path for security updates, which must be provided free of charge. These processes run throughout the entire support period.

The EU Declaration of Conformity (Art. 28, Annex V)

With the EU Declaration of Conformity (EU DoC), the manufacturer assumes sole responsibility that the product meets the applicable requirements. The minimum content follows from Annex V:

  • Product identification (name, type, version/batch — for unambiguous traceability)
  • Name and address of the manufacturer or its authorised representative
  • Statement that the DoC is issued under the sole responsibility of the manufacturer
  • Object of the declaration (identification of the product)
  • Statement of conformity: the product meets the relevant requirements of the Regulation
  • Standards, common specifications or certification schemes applied
  • Where applicable, the notified body: name, number, procedure performed, certificate
  • Place and date of issue, signature of the responsible person

Whether a notified body must be involved depends on the product class: most products undergo a self-assessment; a notified body is mandatory only for the higher classes (important Class II and critical). Clarify your specific situation via our applicability check.

CE marking (Art. 30)

Only once the technical documentation, risk assessment, conformity assessment and EU DoC are in place may the CE marking be affixed. It is the visible signal that the manufacturer declares conformity with the CRA (and, where relevant, further applicable EU legislation). CE marking is a prerequisite for placing on the market — without the underlying documentation, it is not permitted.

Retention: at least 10 years

Manufacturers must retain the technical documentation and the EU Declaration of Conformity for at least 10 years after the product has been placed on the market — or for the duration of the support period, whichever is longer. Both documents must be kept available for market surveillance authorities.

Practical checklist: preparing the technical documentation

  • Product description incl. intended purpose, versions and supported environments created
  • Architecture and data-flow documentation in place
  • SBOM in a commonly used, machine-readable format (at least top-level dependencies) maintained and versioned
  • CVD policy documented, contact address for vulnerability reports established
  • Secure update-distribution path described; security updates free of charge and without delay
  • Cybersecurity risk assessment carried out and mapped to Annex I
  • Support period defined (≥ 5 years or expected use) and documented
  • Standards/specifications/schemes applied named
  • Test and inspection reports filed
  • EU Declaration of Conformity per Annex V drawn up and added to the documentation
  • CE marking affixed only after complete conformity assessment
  • Retention process for ≥ 10 years / support period established

For an overview of the entire regulatory framework, see our CRA overview.

Frequently asked questions

Does the technical documentation have to be publicly accessible?
No. The technical documentation under Annex VII is an internal evidence document to be made available to market surveillance authorities on a reasoned request. The SBOM, too, is disclosed to authorities on a reasoned request, not necessarily published publicly.
Does the CRA mandate CycloneDX or SPDX for the SBOM?
No. Annex I Part II merely requires a commonly used, machine-readable format covering at least top-level dependencies. The Regulation names no specific format. CycloneDX, SPDX (ISO/IEC 5962) and SWID are recognised options; under Art. 13(24) the Commission may specify a format later but has not done so yet.
How long must I retain the documentation and the EU Declaration of Conformity?
At least 10 years after the product has been placed on the market — or for the duration of the support period, whichever is longer. Both must remain available for market surveillance authorities.
Do I need a notified body for the EU Declaration of Conformity?
It depends on the product class. Most products are assessed via self-assessment (Module A); a notified body is mandatory only for important Class II and critical products. Where a notified body is involved, its name, number, procedure and certificate must be stated in the declaration.
From when must the technical documentation, EU DoC and CE marking be in place?
The general application of the CRA — with Annex I requirements, conformity assessment and CE marking — takes effect from 11 December 2027 (Art. 71(2)). Entry into force on 10 December 2024 is not a compliance date. Building the documentation early reduces later rework.

Let's talk about your CRA readiness

Unsure which Annex VII components your product concretely needs and whether a notified body is required? Blackfort Technology supports you in building CRA-compliant technical documentation and your EU Declaration of Conformity — start with the applicability check.

Request a first call Check eligibility
The content on this website provides general technical and organizational information on the Cyber Resilience Act (Regulation (EU) 2024/2847) and does not constitute legal advice. Blackfort Technology provides technical/organizational IT-security and compliance consulting, not legal services.