← All templates
Free Template

EU Declaration of Conformity Template (CRA Annex V)

A field-by-field EU Declaration of Conformity template structured on CRA Annex V. Each section covers one required element of the declaration, from product identification through to signature, with guidance on Article 28 obligations and the simplified Annex IX option.

ForManufacturers drawing up the EU Declaration of Conformity before placing a product with digital elements on the EU market
CRA Articles
Article 28Annex V

When to Use This Template

Article 28(1), Article 28(2)

Use this template to draw up the EU Declaration of Conformity (DoC) required by Article 28 of the Cyber Resilience Act (Regulation (EU) 2024/2847). The DoC is the document in which you declare, on your sole responsibility, that your product with digital elements meets the essential cybersecurity requirements of Annex I.

  • Draw up the DoC before placing the product on the EU market and before affixing the CE marking
  • The DoC obligation applies from 11 December 2027, the date the CRA's full conformity requirements take effect
  • Article 14 reporting starts earlier, on 11 September 2026, and applies independently of the DoC
  • Keep the DoC available for 10 years after the last unit is placed on the market

Each section below corresponds to one required field from Annex V. Complete every field. Where a field does not apply to your product, state that explicitly rather than deleting it.

Note

This section is informational. Remove it from the final declaration. If your product is too small for a printed full declaration, or including it would be disproportionate, Annex IX allows a simplified declaration containing a short statement and a URL that resolves directly to this full document.

Declaration Field 1: Product Identification

Annex V(1)

EU Declaration of Conformity No: [DOC-2027-001]

Product name: [PRODUCT NAME] Product type / model: [MODEL NUMBER] Batch or serial number: [BATCH / SERIAL NUMBER or RANGE] Hardware version(s): [HW VERSION or 'Not applicable'] Software / firmware version(s) covered: [VERSION or VERSION RANGE]

The identification above uniquely identifies the product with digital elements covered by this declaration.

Note

The identification must allow unambiguous matching between a product unit and this declaration. For software, a version range such as '2.x' is acceptable only if every version in the range meets the essential requirements covered by the declaration. Cover each hardware variant explicitly or define the covered scope precisely enough that a market surveillance authority can tell whether a given unit is included.

Declaration Field 2: Manufacturer and Authorised Representative

Annex V(2)

Manufacturer: [COMPANY LEGAL NAME] [REGISTERED ADDRESS] [COUNTRY]

Authorised representative (required where the manufacturer is established outside the EU): [REPRESENTATIVE LEGAL NAME] [REGISTERED EU ADDRESS] [EU MEMBER STATE] Written mandate reference: [MANDATE REF or 'Not applicable']

Note

Use the full legal entity name and registered address exactly as they appear in your commercial register. Manufacturers established outside the EU must name their EU authorised representative here, and the representative may countersign under the written mandate. An EU subsidiary can act as authorised representative if it is formally designated and genuinely holds the technical documentation.

Declaration Field 3: Sole Responsibility Statement

Annex V(3)

This declaration of conformity is issued under the sole responsibility of the manufacturer, [COMPANY LEGAL NAME].

Note

This sentence is a legally binding commitment, so keep the wording close to the standard formula. The signatory takes personal responsibility for the accuracy of the declaration. A knowingly misleading declaration exposes the manufacturer to enforcement action in addition to the penalties for the underlying non-compliance.

Declaration Field 4: Object of the Declaration and Regulatory References

Annex V(4)

Object of the declaration: [PRODUCT NAME, MODEL, AND VERSION(S) as identified in Field 1]

The object of the declaration described above is in conformity with Regulation (EU) 2024/2847 (Cyber Resilience Act), in particular with the essential cybersecurity requirements set out in Annex I, as referenced by Article 5 of that Regulation.

Note

Name the CRA explicitly with its full regulation number and cite the specific provisions the declaration covers. A reference to Article 5 and Annex I is the core citation. Vague wording such as 'applicable EU cybersecurity legislation' is inadequate, because market surveillance authorities must be able to see exactly which requirements you are declaring conformity with.

Declaration Field 5: Harmonised Standards and Technical Specifications

Annex V(5), Article 27

Conformity is declared with reference to the following standards and technical specifications:

  • [HARMONISED STANDARD NUMBER AND VERSION, e.g. EN 303 645 V2.1.1 (2020-04)]
  • [COMMON SPECIFICATION adopted by the Commission, if applied]
  • [OTHER TECHNICAL SPECIFICATION, e.g. IEC 62443-4-1:2018]

Where no harmonised standard has been applied, conformity with the essential requirements has been demonstrated through [INTERNAL TESTING AND RISK ASSESSMENT METHODOLOGY], documented in the technical documentation [TECHNICAL DOCUMENTATION REFERENCE].

Note

Cite each standard with its exact number and version or date. Once harmonised standards for the CRA are cited in the Official Journal of the European Union, applying them will give a presumption of conformity under Article 27 for the requirements they cover. Until then, list the standards and specifications you actually applied as evidence of how conformity was demonstrated. Vague references such as 'industry best practices' are not adequate.

Declaration Field 6: Conformity Assessment Procedure

Annex V(6), Annex VI, Article 32

Product classification under the CRA: [Default / Important Class I / Important Class II / Critical]

Conformity assessment procedure followed (select and complete):

  • [ ] Module A - Internal control (available for default-class products, i.e. products with digital elements that are listed in neither Annex III nor Annex IV)
  • [ ] Module B - EU-type examination, followed by [PRODUCTION PHASE MODULE, e.g. Module D production quality assurance]
  • [ ] [OTHER MODULE PER ANNEX VI, as applicable to your product class]
Note

State the module exactly as identified in Annex VI. Default-class products can self-assess under Module A. Products listed in Annex III require notified body involvement under Article 32. The module stated here must match the assessment you actually performed, and the technical documentation drawn up under Annex VII must support it.

Declaration Field 7: Notified Body and Certificate

Annex V(7)

Notified body: [NOTIFIED BODY LEGAL NAME or 'Not applicable - Module A internal control'] Notification number: [4-DIGIT NUMBER, e.g. 1234] Assessment performed: [e.g. EU-type examination (Module B)] Certificate number: [CERTIFICATE REFERENCE] Certificate date: [YYYY-MM-DD]

Note

Complete this field only where a notified body was involved in the conformity assessment. For Module A self-assessment, state that no notified body involvement was required rather than leaving the field blank, so the reader can see the omission is deliberate.

Declaration Field 8: Other Applicable EU Legislation

Annex V(8), Article 28(4)

This declaration also covers conformity with the following Union harmonisation legislation under which the CE marking is affixed:

  • [e.g. Directive 2014/53/EU (Radio Equipment Directive)]
  • [e.g. Directive 2014/35/EU (Low Voltage Directive)]
  • [or 'Not applicable - this declaration covers Regulation (EU) 2024/2847 only']
Note

Article 28(4) permits a single declaration covering every CE marking act that applies to the product. A combined declaration must identify each act, the requirements addressed, and the assessment procedure used for each. An omission in a combined declaration affects compliance under every listed act, so review it against each regulation separately before signing.

Declaration Field 9: Place, Date, and Signature

Annex V(9)

Signed for and on behalf of [COMPANY LEGAL NAME]

Place of issue: [CITY, COUNTRY] Date of issue: [YYYY-MM-DD] Name: [SIGNATORY FULL NAME] Function: [e.g. Managing Director / Chief Compliance Officer] Signature: ______________________

Note

The signatory needs legal authority to commit the manufacturer, typically a director, a senior compliance officer, or a legally designated responsible person. Electronic signatures are generally accepted under eIDAS, but verify the expectations of the national market surveillance authorities in your key markets. Record the date carefully. It fixes which product versions and standards the declaration covers.

Record Keeping and Updates

Article 28(3)

Internal record for this declaration (retain with the technical documentation, remove before publication):

  • Declaration version: [v1.0]
  • Product versions covered: [LIST]
  • Supersedes: [PREVIOUS DOC REFERENCE or 'None']
  • Retention until: [DATE, 10 years after the last covered unit is placed on the market]
  • Storage location: [DOCUMENT SYSTEM REFERENCE]
  • Review triggers: [e.g. major firmware release, change of assessment module, newly applied harmonised standard]
Note

Keep the DoC available to market surveillance authorities throughout the product's market life and for 10 years after the last unit is placed on the market. Issue a revised declaration when a change affects the product's compliance basis, archive superseded versions rather than deleting them, and record which declaration version applies to which product versions and batches.

Use this template automatically in CRA Portal

CRA Portal generates your CVD policy, tracks acknowledgments, and creates an audit trail. Receiving and tracking reports is free, and Article 14 filing is on Pro.

Set up your free portal

Frequently asked questions

Ready to go beyond the template?
CRA Portal automates acknowledgments, tracks deadlines, and generates CSAF advisories — free.
Set up your free portal