Technical documentation
A comprehensive set of documentation that the manufacturer must draw up before placing a product on the market and maintain throughout the support period. It contains all information demonstrating that the product and the manufacturer's processes comply with the essential cybersecurity requirements of Annex I. Annex VII specifies the minimum content. The documentation must be kept for at least 10 years.
Regulation text
Article 31(1) of Regulation (EU) 2024/2847:
"Before placing a product with digital elements on the market, the manufacturer shall draw up the technical documentation. The documentation shall enable an assessment of the product's conformity with the requirements set out in this Regulation and shall include, at the very least, the elements set out in Annex VII."
Annex VII required content
- General description — product type, version/serial number range, intended purpose (including software environment), and identifiable security functions
- Design and development documentation — including product components (drawings, diagrams, description), software architecture, and SBOM
- Product security information — security properties, secure default configurations, attack surface analysis
- Cybersecurity risk assessment — structured assessment of known attack scenarios
- Known and addressed vulnerabilities — details of vulnerabilities addressed during development
- Applied standards and common specifications — or how obligations were met otherwise
- EU DoC — copy of the EU Declaration of Conformity
- Post-market vulnerability handling documentation — processes used for identifying and remediating vulnerabilities
- Software versions — at least those applicable at time of first market placement
Retention period
Technical documentation must be kept for at least 10 years from market placement, or for the support period plus 10 years if longer (Art. 31(2)).
Access
Technical documentation is not for public distribution. It must be provided to market surveillance authorities or notified bodies on request. For conformity assessment procedures requiring a notified body, the notified body examines the technical documentation as part of the Module B assessment.