CRA Compliance

Drafting the EU Declaration of Conformity: A Field-by-Field Walkthrough

By CRA Portal Team
8 min read

Every product with digital elements placed on the EU market from 11 December 2027 needs a signed EU Declaration of Conformity. It is a short document, usually a single page, and it is the one artifact in the conformity chain where a named person at your company assumes responsibility for compliance with the Cyber Resilience Act in writing. Article 28 requires it, Annex V dictates its structure, and market surveillance authorities read it first when they open a file on your product.

The declaration asserts what your technical documentation proves, so it is drafted last, after the assessment work is done. If the route and the evidence behind the declaration are still open questions for you, start with the four conformity assessment routes and the technical documentation evidence requirements. This post walks the document itself, element by element.

The Annex V structure, element by element

Annex V prescribes the content in a fixed order. A conformant declaration contains the following.

  • Product identification. The name, type and any additional information enabling unique identification of the product with digital elements. Use the same identifiers that appear on the product, its packaging and the technical file, including version or model numbers, so the three cannot drift apart.
  • Manufacturer name and address. The manufacturer or, where one is appointed, the authorised representative.
  • Sole responsibility statement. The declaration that it is issued under the sole responsibility of the manufacturer. This sentence is what shifts the legal weight onto you.
  • Object of the declaration. An identification of the product allowing traceability, which may include a photograph for hardware. For software, state the exact distributed artefact and version.
  • The conformity statement. The statement that the object of the declaration is in conformity with the relevant Union harmonisation legislation, naming the CRA and any other acts the declaration covers.
  • References to standards or specifications. The harmonised standards, common specifications or European cybersecurity certification schemes applied, with dated references. Where none were applied, this element records the conformity was demonstrated against the essential requirements directly.
  • Notified body details, where applicable. Where a notified body performed the assessment, its name and number, a description of the procedure performed and the certificate reference.
  • Signature block. Place and date of issue, the name and function of the signatory, and the signature, issued for and on behalf of the manufacturer.

Who signs, and what the signature means

The regulation does not name a required job title, but the signatory must have authority to bind the manufacturer, because the declaration is issued under the company's sole responsibility. In practice that means a director, a managing officer or a person holding delegated authority documented internally. What it should not be is an engineer signing informally, because the signature converts a technical position into a legal undertaking. Companies that treat the signature as a governance event, with an internal review of the technical file before the signatory commits, produce declarations that hold up. Companies that treat it as an export formality discover the difference during market surveillance.

When the declaration must exist, and for how long

The declaration is drawn up before the product is placed on the market, and drawing it up is what completes the conformity assessment. From that moment the manufacturer keeps the declaration at the disposal of market surveillance authorities for ten years after the product has been placed on the market or for the support period, whichever is longer. The ten-year clock runs per product, so a product family shipping over several years carries overlapping retention windows. Version the declaration alongside the product, and when a substantial modification triggers a new conformity assessment, issue a new declaration rather than amending the old one, because the old one remains the record for units already shipped.

The simplified declaration and the web link

Annex IX provides a simplified form. Instead of shipping the full declaration with every unit, the manufacturer may include a simplified EU Declaration of Conformity stating that the product conforms to Regulation (EU) 2024/2847 and giving the exact internet address where the full declaration can be obtained. The full document still has to exist in the Annex V structure. For software distributed through app stores or package registries, the simplified form plus a stable URL is usually the workable pattern. Two cautions apply. The URL must stay live for the full retention period, and the document behind it must be the versioned declaration matching the shipped release, so a generic compliance page does not satisfy the requirement.

One declaration across several Union acts

Where a product falls under more than one Union act requiring a declaration, radio equipment or machinery legislation alongside the CRA for instance, the manufacturer draws up a single EU Declaration of Conformity covering all of them. The single document must identify each act, including its publication reference, and satisfy the content requirements of each. Most manufacturers extend their existing declaration rather than issuing a parallel CRA-only document. If you take that route, check that the CRA-specific elements, particularly the standards references for the Annex I essential requirements, are actually present, because an unmodified legacy declaration silently fails the new regulation.

Translations and formalities that get missed

The declaration must be translated into the language or languages required by the member states in which the product is placed or made available. A product sold across the single market therefore needs the declaration available in multiple languages, and authorities can request the version for their market. Keep the master in one language, generate controlled translations, and treat them as part of the versioned record. The other commonly missed formality is consistency. The product identifiers, the standards list and the notified body details must match the technical file and the CE marking exactly. Mismatches between the declaration and the file are the fastest way to turn a routine documentation request into a full investigation.

What this means for manufacturers

Draft the declaration from your technical file rather than from a template alone, because every element either restates an identifier or asserts something the file must prove. A practical drafting sequence takes an hour per product once the assessment is complete. Pull the identifiers from the technical documentation, list the standards you actually applied, confirm the route and any notified body involvement, have the file reviewed, then sign. Start from the Annex V template, keep the Annex V explainer beside it for the element definitions, and version the result with the product. The declaration is the cheapest document in your CRA chain to produce and the most expensive one to get wrong.

Stay compliant with the Cyber Resilience Act

Check your readiness with the CRA Readiness Checklist, or compare plans on pricing.

Get Started for Free

CRA deadline briefing

A short email on the Cyber Resilience Act reporting obligations and the run-up to 11 September 2026.

We use your email only to send the briefing. Unsubscribe any time with one click.