Annex II defines the minimum information and instructions that manufacturers must provide to users of products with digital elements. This user-facing information package is a legally required element of CRA compliance — it enables users to assess the security properties of a product before purchase and to take appropriate action throughout the product's lifetime. Failure to provide the required information is a CRA violation subject to penalties under Article 32.
Mandatory User Information: What Must Be Provided
Annex II specifies the categories of information that manufacturers must provide to users. At minimum, the following must be included:
- Manufacturer identity and contact details: Name, registered trade name, address, and contact point (email or website) for the manufacturer. Where an authorised representative is appointed, their details must also be included.
- Product identification: The product's name, type, batch or serial number, or other identifier enabling unambiguous product identification.
- Intended purpose and conditions of use: A clear description of the product's intended purpose, including the environment for which it is designed (for example, residential, commercial, or industrial use).
- CVD contact information: The address or URL where vulnerability reports can be submitted — this is typically the security contact in the security.txt file, a dedicated security email, or a vulnerability submission portal.
- Support period: The expected duration during which the manufacturer will provide security updates, expressed as a specific date or as a period from the date of purchase.
- Instructions for secure operation: Guidance on how to configure the product securely, including how to change default credentials, how to enable automatic updates, and any security-relevant settings the user should be aware of.
The CVD Contact Requirement
Among the most operationally important Annex II requirements is the obligation to provide users with a clear, accessible means of reporting vulnerabilities. This CVD contact information must be:
- Accurate and functional: The email address, URL, or other contact mechanism must be monitored and operational throughout the product's support period.
- Easily discoverable: The contact information should be provided in the product's packaging, quick start guide, and user manual, and should be findable online through the manufacturer's website.
- Accompanied by the CVD policy: Ideally, the CVD contact points directly to the manufacturer's full CVD policy, which outlines the disclosure process, timelines, and safe harbour commitments.
A security.txt file at /.well-known/security.txt on the manufacturer's website is the technical standard for publishing security contact information and is strongly recommended as the primary means of fulfilling this requirement. CVD Portal can generate and host your security.txt file.
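As an added illustration (not code from the page or from CVD Portal), the following Python renders a security.txt in the RFC 9116 layout that carries the Annex II CVD contact and a Policy link, and checks the points this section stresses: a functional contact URI, a mandatory Expires line that is neither stale nor more than a year out, and a link to the CVD policy. The example.com addresses and the policy path are constructed placeholders.

```python
"""Render and sanity-check a security.txt (RFC 9116) carrying the Annex II
CVD contact and a link to the CVD policy. Domain and paths are constructed."""
from datetime import datetime, timedelta, timezone

REQUIRED = ("Contact", "Expires")          # mandatory fields per RFC 9116
KNOWN = REQUIRED + ("Policy", "Preferred-Languages", "Canonical",
                    "Encryption", "Acknowledgments", "Hiring")

def utc_date(year, month, day):
    """Helper so callers can pin 'now' for deterministic checks."""
    return datetime(year, month, day, tzinfo=timezone.utc)

def build_security_txt(contacts, policy_url, issued, valid_days=180, languages=("en",)):
    """Render the file; Expires is set valid_days after `issued` (keep it under a year)."""
    expires = issued + timedelta(days=valid_days)
    lines = [f"Contact: {c}" for c in contacts]
    lines.append("Expires: " + expires.strftime("%Y-%m-%dT%H:%M:%SZ"))
    lines.append(f"Policy: {policy_url}")
    lines.append("Preferred-Languages: " + ", ".join(languages))
    return "\n".join(lines) + "\n"

def parse_security_txt(text):
    """Field name -> list of values; comment and blank lines are skipped."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        fields.setdefault(name.strip(), []).append(value.strip())
    return fields

def check_security_txt(text, now):
    """Return a list of problems; an empty list means the file passes."""
    fields, problems = parse_security_txt(text), []
    problems += [f"missing {n}" for n in REQUIRED if n not in fields]
    for c in fields.get("Contact", []):          # Contact must be a URI, not a bare address
        if not c.startswith(("mailto:", "https://", "tel:")):
            problems.append(f"Contact must be a mailto:, https: or tel: URI: {c}")
    exp = fields.get("Expires", [])
    if len(exp) > 1:
        problems.append("Expires must appear exactly once")
    elif exp:
        try:
            when = datetime.strptime(exp[0], "%Y-%m-%dT%H:%M:%S%z")
            if when <= now:
                problems.append("Expires is in the past")
            elif when - now > timedelta(days=365):
                problems.append("Expires is more than a year ahead")
        except ValueError:
            problems.append(f"Expires is not an ISO 8601 date-time: {exp[0]}")
    if "Policy" not in fields:
        problems.append("no Policy line pointing at the CVD policy")
    problems += [f"unknown field {n}" for n in fields if n not in KNOWN]
    return problems
```

Re-running `check_security_txt` on the published file as part of a scheduled job catches the common failure of an expired or unmonitored contact before a reporter does.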
Support Period Communication
Manufacturers must communicate the support period to users clearly — ideally before purchase, so users can make informed decisions. The support period disclosure must state either:
- A specific end date (for example, 'Security updates provided until 31 December 2031'), or
- A period calculated from the purchase or first use date (for example, 'Security updates provided for five years from date of purchase')
Ambiguous or conditional support period statements (such as 'We will provide updates as long as it is commercially viable') do not meet the Annex II requirement. Users must be able to determine a concrete timeframe.
Where a manufacturer extends the support period beyond the original commitment, they should update their documentation and notify users. Where a manufacturer shortens the support period (which should only occur in exceptional circumstances), they must notify users with sufficient advance notice and provide information on alternative products.
Format and Accessibility of User Information
Annex II requires that user information be provided in a form that users can easily understand and access. Key format requirements include:
- Language: Information must be in a language easily understood by users in the member state where the product is sold. For products sold across multiple member states, multi-language information packages are typically required.
- Accessibility: Information should be available in physical form with the product (in the packaging or user manual) and also accessible online (on the manufacturer's website) for the duration of the support period. Digital-only information provision may not be adequate for all product categories.
- Plain language: Technical security information must be expressed in terms comprehensible to the intended user audience. Consumer products must use plain consumer language; professional products may use technical terminology appropriate to the professional user base.
- Durability: Physical documentation included with the product should be printed on materials that remain legible throughout normal product use.
CE Marking and Declaration of Conformity Reference
Annex II requires that user documentation include information about the CE marking and how to access the EU Declaration of Conformity. Users must be informed that the CE marking signifies compliance with applicable EU requirements, and they must be provided with a means to access the full EU Declaration of Conformity.
For most products, the DoC is made available online at a stable URL that the manufacturer maintains throughout the product's active life. The user documentation must include this URL or otherwise clearly indicate where the DoC can be obtained.
For products using the simplified declaration format (Annex IX), the abbreviated declaration included with the product must direct users to the full online declaration. The URL referenced in the simplified declaration must remain accessible for as long as the product is on the market.
Frequently asked questions
Does Annex II apply to software distributed as a download, without physical packaging?
Yes. For software products without physical packaging, the required user information must be provided during the installation process, in the product's first-launch interface, and in accessible online documentation. The key requirement is that users have access to all required information at the time they start using the product and can refer back to it throughout the support period.
Can I satisfy the CVD contact requirement with a general customer support email?
A general customer support email is not ideal — it may not be monitored by security-knowledgeable staff and may not meet the 48-hour acknowledgment requirement in Article 13. Best practice is a dedicated security email address (such as [email protected]) or a vulnerability submission portal, both of which should be referenced in a `security.txt` file and in the Annex II user documentation.
Is there a prescribed format for the Annex II user information document?
Annex II specifies the required content but not a specific document format. Manufacturers typically include this information in a product quick start guide, user manual, or a separate 'product safety and security' leaflet. For complex products, a dedicated security information document may be appropriate. The format should be appropriate to the product type and user audience.
What should I do when the support period is approaching its end?
At least 12 months before the support period ends, manufacturers should notify users through available communication channels (product update notifications, email to registered users, website announcements) that security updates will cease on the stated date. Users should be given information about alternative products, migration paths, and any residual risks of continuing to use the product after support ends.