Technical Documentation and EU Declaration of Conformity under the CRA
The Cyber Resilience Act (Regulation (EU) 2024/2847) requires manufacturers not only to make their products with digital elements secure — it requires evidence of that security. Two document packages carry this evidence: the technical documentation under Annex VII and the EU Declaration of Conformity under Article 28 in conjunction with Annex V. Both are prerequisites for CE marking (Art. 30) and therefore for lawfully placing a product on the EU market. This article explains, in general and practice-oriented terms, what to prepare and keep — it is not legal advice.
From when? The core manufacturer duties — including the Annex I requirements, conformity assessment and CE marking — apply from 11 December 2027 (general application, Art. 71(2)). Entry into force on 10 December 2024 is not a compliance date. Setting up the documentation early avoids rework.
Why these documents are the backbone of CRA compliance
The technical documentation is the internal evidence that a product meets the essential cybersecurity requirements set out in Annex I. The EU Declaration of Conformity is the externally visible, legally binding assurance by the manufacturer that this is indeed the case. Market surveillance authorities may request the technical documentation on a reasoned request; it is the basis of any inspection. Missing, incomplete or misleading information can attract fines — providing incorrect information to authorities or notified bodies sits within the tier of up to €5m or 1% of worldwide annual turnover (Art. 64).
What the technical documentation must contain (Annex VII)
Annex VII sets out the substantive components. The documentation must be comprehensive enough to demonstrate conformity with the requirements; its scope and depth depend on the nature and risk of the product. Core components:
| Component (Annex VII) | What it concretely includes |
|---|---|
| Product description | General description incl. intended purpose, versions, supported environments, photos/diagrams |
| Design, development, production | Architecture, system design, data flows, security functions applied |
| Vulnerability-handling processes | SBOM, CVD policy (coordinated disclosure), secure update-distribution path, contact address for reports |
| Cybersecurity risk assessment | The assessment, mapped to the requirements of Annex I |
| Support period | Information on the support period (at least 5 years, unless a shorter expected use) |
| Standards/specifications applied | Harmonised standards, common specifications or certification schemes — or a description of alternative solutions |
| Test and inspection reports | Reports on the tests and security reviews performed |
| Copy of the EU DoC | The complete EU DoC as part of the documentation |
The SBOM — with no mandated format
The Software Bill of Materials is anchored in Annex I Part II: in a commonly used, machine-readable format covering at least the top-level dependencies. Importantly, the Regulation mandates no specific format. Established formats such as CycloneDX, SPDX (ISO/IEC 5962) or SWID satisfy the requirement as recognised options — this is practical guidance, not statutory text. Art. 13(24) empowers the Commission to specify a format later; no such implementing act has been adopted so far. The SBOM is a compliance artefact disclosed to authorities on a reasoned request — it is not necessarily public. For more depth, see our article on the SBOM requirements under the CRA.
The CVD policy and the update-distribution path
The technical documentation must show that you have established a coordinated vulnerability disclosure (CVD) policy — this is mandatory under the CRA, not optional. It includes a contact address for reports, a process to remediate without undue delay, and a secure distribution path for security updates, which must be provided free of charge. These processes run throughout the entire support period.
The EU Declaration of Conformity (Art. 28, Annex V)
With the EU Declaration of Conformity (EU DoC), the manufacturer assumes sole responsibility that the product meets the applicable requirements. The minimum content follows from Annex V:
- Product identification (name, type, version/batch — for unambiguous traceability)
- Name and address of the manufacturer or its authorised representative
- Statement that the DoC is issued under the sole responsibility of the manufacturer
- Object of the declaration (identification of the product)
- Statement of conformity: the product meets the relevant requirements of the Regulation
- Standards, common specifications or certification schemes applied
- Where applicable, the notified body: name, number, procedure performed, certificate
- Place and date of issue, signature of the responsible person
Whether a notified body must be involved depends on the product class: most products undergo a self-assessment; a notified body is mandatory only for the higher classes (important Class II and critical). Clarify your specific situation via our applicability check.
CE marking (Art. 30)
Only once the technical documentation, risk assessment, conformity assessment and EU DoC are in place may the CE marking be affixed. It is the visible signal that the manufacturer declares conformity with the CRA (and, where relevant, further applicable EU legislation). CE marking is a prerequisite for placing on the market — without the underlying documentation, it is not permitted.
Retention: at least 10 years
Manufacturers must retain the technical documentation and the EU Declaration of Conformity for at least 10 years after the product has been placed on the market — or for the duration of the support period, whichever is longer. Both documents must be kept available for market surveillance authorities.
Practical checklist: preparing the technical documentation
- Product description incl. intended purpose, versions and supported environments created
- Architecture and data-flow documentation in place
- SBOM in a commonly used, machine-readable format (at least top-level dependencies) maintained and versioned
- CVD policy documented, contact address for vulnerability reports established
- Secure update-distribution path described; security updates free of charge and without delay
- Cybersecurity risk assessment carried out and mapped to Annex I
- Support period defined (≥ 5 years or expected use) and documented
- Standards/specifications/schemes applied named
- Test and inspection reports filed
- EU Declaration of Conformity per Annex V drawn up and added to the documentation
- CE marking affixed only after complete conformity assessment
- Retention process for ≥ 10 years / support period established
For an overview of the entire regulatory framework, see our CRA overview.
Frequently asked questions
Does the technical documentation have to be publicly accessible?
Does the CRA mandate CycloneDX or SPDX for the SBOM?
How long must I retain the documentation and the EU Declaration of Conformity?
Do I need a notified body for the EU Declaration of Conformity?
From when must the technical documentation, EU DoC and CE marking be in place?
Let's talk about your CRA readiness
Unsure which Annex VII components your product concretely needs and whether a notified body is required? Blackfort Technology supports you in building CRA-compliant technical documentation and your EU Declaration of Conformity — start with the applicability check.
Request a first call Check eligibility