← CRA Glossary
CRA Legal Terms

Technical Documentation (CRA)

Technical documentation under the CRA is the comprehensive set of records a manufacturer must compile and maintain to demonstrate that a product with digital elements meets the Annex I essential cybersecurity requirements. It must be retained for at least 10 years and made available to market surveillance authorities on request.

Technical documentation under the CRA is the comprehensive set of records a manufacturer must compile and maintain to demonstrate that a product with digital elements meets the Annex I essential cybersecurity requirements. It must be retained for at least 10 years and made available to market surveillance authorities on request.

CRA Legal Terms
Free CVD portal →

What Is CRA Technical Documentation?

Technical documentation is the evidentiary package that manufacturers must compile to demonstrate CRA compliance. It is not a single document but a structured collection of records that collectively demonstrate that the product was designed, tested, and is maintained in accordance with the Annex I essential requirements. Article 13(3) requires this documentation to be drawn up before market placement and kept up to date throughout the product lifecycle. The documentation is not routinely submitted to any authority — it is held by the manufacturer and produced on demand by market surveillance authorities during inspections or investigations.

CRA reference:Article 13(3), Annex VI

Required Content of CRA Technical Documentation

Annex VI of the CRA specifies the minimum content of technical documentation:

  1. General product description — purpose, function, intended use environment, and user population.
  2. Design and development documentation — security architecture, threat model, attack surface analysis.
  3. Information on cybersecurity risk assessment — risk methodology and results.
  4. List of harmonised standards or common specifications applied.
  5. SBOM — inventory of software and firmware components.
  6. Vulnerability handling processes — CVD policy, patch management procedures, monitoring approach.
  7. Test reports — penetration test results, vulnerability scan reports, code review findings.
  8. EU Declaration of Conformity — or a reference to it.
  9. Notified body documents (if applicable) — assessment certificate, module declarations.
  10. Copies of security advisories issued during the product's support period.
CRA reference:Article 13(3), Annex VI

Retention and Access Requirements

The CRA requires technical documentation to be retained for 10 years from the date the product is placed on the market, or for the duration of the support period if longer. This means:

  • A product with a 5-year support period needs documentation retained for at least 10 years.
  • A product with a 12-year support period needs documentation retained for 12 years.
  • Documentation must be accessible in all EU member states where the product is sold — practically this means retaining it in a format that can be shared with any national MSA.
  • Non-EU manufacturers must ensure their EU authorised representative can access and provide the documentation.

Digital retention with version control and audit trail is strongly recommended.

CRA reference:Article 13(3)

Keeping Technical Documentation Current

Technical documentation is a living compliance record, not a one-time submission. It must be updated when:

  • A new software version with security-relevant changes is released.
  • A new vulnerability is discovered and a patch developed — the CVD record, advisory, and SBOM update must be added.
  • The threat model is revised following a significant change in the threat landscape.
  • A penetration test is conducted — new results replace or supplement old ones.
  • The conformity assessment is updated due to a substantial product modification.

Manufacturers should establish a change management process that identifies when documentation-triggering events occur and assigns responsibility for updating the relevant documentation sections.

CVD Portal makes Technical Documentation (CRA) compliance straightforward.

Public CVD submission portal, acknowledgment tracking, Article 14 deadline alerts, and CSAF advisory generation. Free forever for EU manufacturers.

Start your free portal

Frequently asked

Does technical documentation need to be in a specific language?+

The CRA requires technical documentation to be available to market surveillance authorities in the official language of the relevant member state, or in a language accepted by that authority. In practice, English is widely accepted for technical documentation by most EU MSAs. The EU Declaration of Conformity must be made available in the language(s) required by member states where the product is placed on the market. Manufacturers should confirm language requirements with the MSAs of their target markets.

What happens if market surveillance authorities find our technical documentation incomplete?+

MSAs may require the manufacturer to remedy deficiencies within a specified period. If the documentation cannot demonstrate conformity, the MSA can restrict or prohibit the product's sale, require a recall, or initiate enforcement proceedings. Fines for documentation failures can reach €10 million or 2% of global annual turnover. Complete, well-organised technical documentation is the first line of defence in any MSA inspection.

Can we use a technical file that already exists for other EU regulations (e.g. RED) as the basis for CRA documentation?+

Yes, and this is the recommended approach. If you already maintain a technical file for the Radio Equipment Directive or Machinery Regulation, you can extend it to include the CRA-specific elements (threat model, SBOM, CVD policy, vulnerability handling procedures, penetration test reports). The CRA's Annex VI documentation requirements complement rather than replace other regulatory technical file requirements. Maintaining a single integrated technical file reduces duplication and ensures consistency.

Related terms

EU Declaration of Conformity (DoC)The EU Declaration of Conformity is a formal document signed by the manufacturer (or authorised representative) declaring that a product meets the essential requirements of all applicable EU regulations, including the CRA. It must be drawn up before the CE mark is affixed and kept available for market surveillance authorities for at least 10 years.Conformity AssessmentConformity assessment is the process by which a manufacturer demonstrates that its product meets the CRA's essential cybersecurity requirements. The process required depends on the product's classification: Default and Class I products can self-assess; Class II and Critical products require third-party assessment by a notified body.Software Bill of Materials (SBOM)An SBOM is a formal, machine-readable inventory of all software components — including open-source libraries, third-party dependencies, and firmware packages — that make up a product. The EU Cyber Resilience Act requires manufacturers to maintain an SBOM as part of their technical documentation.Annex I Essential RequirementsAnnex I of the EU Cyber Resilience Act sets out the mandatory cybersecurity requirements that all products with digital elements must meet. It is divided into two parts: Part I covers secure product properties, and Part II covers manufacturer vulnerability handling obligations.

CRA articles using this term

Article 13Coordinated Vulnerability Disclosure Obligations for ManufacturersAnnex IVCritical Products with Digital Elements — Highest-Risk ClassificationArticle 20EU Declaration of Conformity and CE Marking Requirements

Browse the full CRA Compliance Checklist

See how Technical Documentation (CRA) fits into your complete CRA compliance programme.

View checklists →