CRA Compliance

Why CRA Documentation Never Stops Being Due

Teams often treat the CRA technical file as a one-time gate before CE marking. The regulation's text says otherwise. Article 31(2) requires the technical documentation to be drawn up before placing on the market and then continuously updated, at least for the duration of the support period, which Article 13(8) floors at five years for most products. Article 13(3) applies the same discipline to the cybersecurity risk assessment, and Article 28 requires the EU Declaration of Conformity to be kept up to date.

The duty has teeth because of Article 13(13). Market surveillance authorities can request the file for ten years after placing on the market, or for the support period if longer, and they receive it in whatever state it is actually in. A file that describes a product several releases out of date is a finding on first comparison.

Our new walkthrough maps the four event classes that oblige an update, ordinary releases, substantial modifications under Article 32, threat and vulnerability events, and support period changes, and lays out a dual cadence of time-based baseline reviews plus event-driven re-reviews. It also shows how the CRA Portal product workspace runs that cadence, with a periodic review clock derived from the product's own declared review regularity, automatic review triggers from supply-chain scans and portal reports, drift detection against the last placing-on-market snapshot, and support-period countdown warnings.

Read the full breakdown of the update duties in Articles 13, 28 and 31.

Read More