Draw up and maintain technical documentation containing all Annex VII elements
- Applies to
- Manufacturer
- Source citations
- Art. 31Art. 13(12)Art. 13(13)Annex VII
- Product classes
- DefaultImportant — Class IImportant — Class IICritical
Plain language
Technical documentation is your proof file — the collection of records that shows regulators and auditors exactly how your product meets all the CRA requirements. You must prepare it before launch, keep it updated throughout the product's support period, and store it for at least 10 years. It should include your design description, risk assessment, test reports, a copy of the EU DoC, details of how you determined the support period, and lists of standards applied.
Legal text
Article 31(1) of Regulation (EU) 2024/2847:
The technical documentation shall contain all relevant data or details of the means used by the manufacturer to ensure that the product with digital elements and the processes put in place by the manufacturer comply with the essential cybersecurity requirements set out in Annex I. It shall at least contain the elements set out in Annex VII.
Article 31(2):
The technical documentation shall be drawn up before the product with digital elements is placed on the market and shall be continuously updated, where appropriate, at least during the support period.
Required content — Annex VII
The technical documentation must contain at least the following elements (as applicable):
| # | Element |
|---|---|
| 1 | A general description of the product, including intended purpose, key functionalities, basic design, development and production elements, and a list of hardware/software versions in scope |
| 2 | A description of the design, development, production, and vulnerability handling processes, including architecture diagrams, security controls, and documented processes |
| 3 | A cybersecurity risk assessment against which the product is designed, developed, produced, delivered and maintained (Art. 13(2)–(4)), including how each Annex I Part I requirement is addressed or justified as not applicable |
| 4 | Information taken into account to determine the support period (Art. 13(8)) |
| 5 | A list of applied harmonised standards, common specifications, or EUCC certification schemes; where not applied in full, descriptions of alternative solutions adopted |
| 6 | Test reports demonstrating conformity with Annex I Parts I and II |
| 7 | A copy of the EU declaration of conformity |
| 8 | Where applicable, the software bill of materials (SBOM), available to market surveillance authorities on reasoned request |
Update obligation
Technical documentation is a living document. It must be updated at least during the support period, including after:
- Security updates or patches that affect Annex I compliance
- Changes to manufacturing or development processes
- New or updated harmonised standards applied
- Changes in the product's intended purpose
Storage obligation
The manufacturer must keep the technical documentation available to market surveillance authorities for at least 10 years after the product is placed on the market, or for the support period, whichever is longer (Art. 13(13)).
SME simplified format
Microenterprises and small enterprises may provide the technical documentation elements in a simplified format specified by Commission implementing act (Art. 33(5)).
Related obligations
- Cybersecurity risk assessment: OBL-ART13-02
- SBOM requirement: OBL-ART13-06
- Support period determination: OBL-ART13-08
- EU DoC: OBL-ART28-01