EU Declaration of Conformity: Required Fields and Structure

Annex V specifies the following mandatory fields for every EU Declaration of Conformity under the CRA:

1. Product identification: Product name, model number, type, batch number, or serial number sufficient to uniquely identify the product covered by the declaration.

1. Manufacturer name and address: Full legal name and registered address of the manufacturer. For non-EU manufacturers, the authorised representative's name and address must also appear.

1. Declaration statement: A clear statement that the manufacturer (named above) takes sole responsibility for this declaration of conformity, and that the product described meets the relevant requirements.

1. Regulatory references: An explicit reference to the CRA — Regulation (EU) [number] — and to the specific articles and annexes that the declaration covers. This typically means a reference to Article 5 and Annex I.

1. Harmonised standards or specifications applied: References to the specific harmonised standards, common specifications, or other technical specifications applied to demonstrate conformity. Include standard number and version/date.

1. Conformity assessment procedure: Identification of the assessment module used (for example, 'Module A — Internal Control' or 'Module B + Module D').

1. Notified body reference: Where a notified body was involved, its name, notification number, and the number of the certificate issued.

1. Other applicable EU legislation: References to other CE marking regulations applicable to the same product, if a combined declaration is used.

1. Date, place, and signature: Date and place of issue, name and function of the authorised signatory, and their signature.

The product identification section must enable unambiguous identification of the product covered by the declaration. For physical products, this typically means including the model name, model number, hardware version, and firmware version at the time of the declaration.

For software products, the declaration should cover a specific software version or version range. A declaration for 'version 2.x' covering the entire 2.x product line is acceptable only if all versions in the range genuinely comply with the essential requirements covered by the declaration. If a specific release introduces a security feature that brings a previously non-compliant version into compliance, separate declarations covering each compliant version range may be appropriate.

Where a product has multiple hardware variants (for example, different form factors or connectivity options), the declaration should either cover each variant explicitly or clearly define the scope of coverage in a way that avoids ambiguity.

The standards reference section of the declaration is important evidence of how compliance was demonstrated. Manufacturers should reference:

• The specific harmonised standard number and date/version (for example, 'EN 303 645 V2.1.1 (2020-04)')
• Any common specifications adopted by the Commission
• Relevant ISO/IEC standards applied as supporting evidence (these do not provide formal presumption of conformity but are relevant to the technical assessment)

Vague references such as 'applicable ETSI standards' or 'industry best practices' are not adequate — the declaration must be specific enough to enable a market surveillance authority to independently assess whether the referenced standards cover the essential requirements claimed.

Where the manufacturer has not applied any harmonised standard — perhaps because none exists for their product category — the declaration should reference the internal testing and risk assessment methodology used, and the technical documentation must contain the detailed evidence.

The EU Declaration of Conformity must be signed by a person with the legal authority to commit the manufacturer. This is typically a director, a senior compliance officer, or a legally designated responsible person. The signature should be accompanied by the printed name and function title of the signatory.

The declaration must also indicate the place and date of issue. Electronic signatures are generally accepted under EU electronic identification regulations (eIDAS), but manufacturers should verify the specific requirements of national market surveillance authorities and any applicable sector-specific guidance.

For combined declarations covering multiple regulations, a single signature from the same authorised person is typically sufficient, but some member states or notified bodies may require additional signatories for specific regulatory modules. Legal review before finalising the signature process is advisable for complex products.

The DoC drawn up under Annex V must be maintained throughout the product's active market life and for 10 years after the last unit is placed on the market. Manufacturers must be able to retrieve and provide the DoC to national market surveillance authorities within a short timeframe (typically 10 working days under comparable EU product regulations).

When a product is updated in a way that affects its compliance — for example, a major firmware update that introduces new security features or changes the product's architecture — a revised DoC should be issued. The revised DoC should reference the updated product version and, where applicable, updated standards or assessment procedures.

Version control of declarations is important: each version should be clearly dated and should state which product version or firmware version it covers. Old versions should be archived, not deleted, as they may be relevant to market surveillance investigations concerning historical product versions.