Annex VII Technical Documentation File
Annex VII of the EU Cyber Resilience Act specifies the contents of the technical documentation that manufacturers must compile and maintain to demonstrate CRA compliance. This file must be available to market surveillance authorities on request and retained for ten years after the product is placed on the market.
What Is the Annex VII Technical File?
Annex VII of the Cyber Resilience Act specifies the technical documentation that every manufacturer of a product with digital elements must compile before placing the product on the market. This 'technical file' or 'technical documentation' is the primary evidence package that demonstrates the product was designed, developed, and tested in conformity with the CRA's essential requirements. Unlike user-facing documentation (Annex II) or the declaration of conformity (a short formal statement), the Annex VII file is a comprehensive internal record intended for regulatory scrutiny. It must be kept up to date throughout the product's market life and for ten years after the last unit is placed on the market.
Contents of the Technical Documentation File
Annex VII requires the technical file to include:
- General description: Product name, version, intended use, and supply chain description including significant third-party components.
- Design and development records: Architecture diagrams, data flow maps, design specifications, and records of security design decisions.
- Risk assessment: A documented cybersecurity risk assessment identifying threats, vulnerabilities, and mitigation measures.
- Security testing evidence: Test reports, penetration test results, code review findings, and fuzz testing outcomes.
- Standards and specifications applied: List of harmonised standards, common technical specifications, or other technical references used.
- Conformity declaration: A copy of the declaration of conformity.
- SBOM: A software bill of materials identifying all software components, their versions, and origins.
- Vulnerability handling procedures: Documentation of the CVD policy, PSIRT processes, and security advisory publication mechanism.
Retention and Availability Obligations
The Annex VII technical file must be retained for the longer of ten years after the product is placed on the market, or the entire support period of the product. Manufacturers must make the file available to national market surveillance authorities on request, typically within a defined response period (often 30 days). The file need not be submitted proactively but must be readily accessible — not stored in a way that makes rapid retrieval impractical. For products undergoing Notified Body assessment, the relevant portions of the technical file are submitted to the body as part of the assessment process. Importers and authorised representatives also have obligations to ensure the technical file is accessible to MSAs in their jurisdiction.
Maintaining a Living Technical File
The Annex VII file must reflect the current state of the product. When a significant product update is released (for example a new hardware version, a major firmware release, or a change in a significant third-party component), the technical file must be updated to reflect the new design, the updated risk assessment, and any new test evidence. Version control is essential: the file should clearly track which product versions are covered by which documentation versions. Manufacturers that maintain their technical file as a set of static documents created once at launch are common targets for non-compliance findings as their products evolve over time. Integrating technical file updates into the standard release management process is the recommended approach.
Frequently asked
Does the Annex VII technical file need to be submitted to any authority proactively?
No. The Annex VII technical file is an internal document that manufacturers must maintain but do not proactively submit to regulators. It is produced on request by market surveillance authorities during an investigation or audit. However, for products requiring Notified Body assessment, portions of the technical file are submitted to the Notified Body as part of the conformity assessment procedure. Some member states may require submission as part of national product registration schemes for certain product categories.
Is the SBOM part of the Annex VII technical file?
Yes. Annex VII explicitly requires the technical documentation to include a software bill of materials identifying the software components integrated into the product. The SBOM does not need to be in a specific machine-readable format to satisfy the Annex VII requirement, but using CycloneDX or SPDX formats is strongly recommended as it enables automated vulnerability correlation and is consistent with emerging regulatory expectations.
What happens if a manufacturer cannot produce the Annex VII file when requested by an MSA?
Failure to make technical documentation available to an MSA on request is itself a violation of the CRA. MSAs can treat this failure as evidence of non-compliance, enabling them to take immediate precautionary measures including product restriction. Persistent failure to cooperate with an MSA investigation can result in fines of up to €5 million or 1% of global annual turnover, in addition to any sanctions for underlying product non-compliance.