← All templates
Free Template

CRA Technical Documentation Template (Annex VII)

A structured template for the technical file required by Article 31 and Annex VII of the EU Cyber Resilience Act. Covers the required content areas, from product description and cybersecurity risk assessment through support period justification, standards applied, test reports, and the EU Declaration of Conformity.

ForManufacturers of products with digital elements assembling the Annex VII technical file for conformity assessment and market surveillance requests
CRA Articles
Article 31Annex VII

How to Use This Template

Article 31, Annex VII

Use this template to assemble the technical documentation (the technical file) required by Article 31 and Annex VII of the EU Cyber Resilience Act (Regulation (EU) 2024/2847).

Key facts:

  • Drawn up before market placement. The technical file must exist before the product is placed on the EU market and before the EU Declaration of Conformity is signed.
  • Continuously updated. The file must describe the product as actually shipped, including updates released during the support period.
  • Available on request. Market surveillance authorities can request the file, and notified bodies review it during third-party conformity assessment.
  • Retention. Keep the file for at least 10 years after the last unit of the product is placed on the market, or for the duration of the support period, whichever is longer.
  • Deadlines. Full conformity obligations, including the technical file, apply from 11 December 2027. Article 14 reporting obligations start earlier, on 11 September 2026.
Note

This section is for your internal use. Remove it before presenting the file to an authority. Treat the technical file as a living index of documents instead of a single PDF, and record where each element lives so you can produce it quickly when asked.

Part 1: Product Description and Intended Purpose

Annex VII

Product name: [PRODUCT NAME] Model / type / SKU: [MODEL NUMBER] Software / firmware versions covered: [VERSION RANGE] Intended purpose: [What the product does and who it is intended for] Deployment environment: [Residential / Commercial / Industrial / Medical] CRA classification: [Default / Important Class I / Important Class II / Critical]

General description: [2-4 paragraphs describing the product, its main functions, and its security-relevant characteristics]

Network connectivity and interfaces: [Protocols used, exposed ports, wireless interfaces, associated cloud services and APIs] Data processed: [Categories of data stored, processed, or transmitted, including any personal data] Dependencies: [Hardware dependencies, third-party software components, cloud services relied upon] Hardware documentation: [For hardware products, photographs or illustrations showing external features, markings, and internal layout] User information: [Reference to the user information and instructions supplied with the product]

Note

The product description anchors everything else in the file. Authorities read it first to understand what the product is and which requirements apply, so keep it consistent with your marketing claims, your user documentation, and your risk assessment.

Part 2: Design, Development, and Production Documentation

Annex VII, Annex I Part I

Document the design and development of the product in enough detail for an authority to assess conformity with the essential requirements in Annex I Part I.

Include:

  • System architecture. [Architecture diagrams showing how software components relate to and build on each other, trust boundaries, and external interfaces]
  • Security design decisions. [Authentication model, cryptography used, secure boot, isolation and hardening measures, secure-by-default configuration]
  • Development process. [Secure development lifecycle description, code review practices, build and release controls]
  • Production and monitoring. [Description of production processes and how conformity of series production with the documented design is monitored]
  • Referenced documents: [Document ID, title, version, and storage location for each engineering document incorporated by reference]
Note

Aim for the level of detail a competent outsider needs to independently assess the product against Annex I Part I. Reference existing engineering documents by identifier and location instead of rewriting them, and make sure referenced documents stay retrievable for the full retention period.

Part 2 (continued): Vulnerability Handling Documentation

Annex VII, Annex I Part II, Article 13

Document the vulnerability handling processes required by Annex I Part II.

  • CVD policy. [Copy of or reference to your published coordinated vulnerability disclosure policy under Article 13, including its public URL]
  • Vulnerability contact. [The contact address for reporting vulnerabilities, e.g. your disclosure portal URL and security email]
  • Software bill of materials. [SBOM in SPDX or CycloneDX format covering first-party, commercial, and open-source components, with versions, licences, and dependency relationships]
  • Vulnerability monitoring. [How you monitor your components for newly disclosed vulnerabilities during the support period]
  • Secure update distribution. [Technical description of how security updates are built, signed, tested, and distributed, including protection against tampering and rollback]
  • Advisory publication. [Where and how you publish security advisories once fixes are available, e.g. a CSAF 2.0 feed]
Note

This part of the file benefits most from tooling. A disclosure portal with an audit trail, an up-to-date SBOM, and archived CSAF advisories give you audit-ready evidence that the Annex I Part II processes actually operate. CRA Portal produces all three.

Part 3: Cybersecurity Risk Assessment

Annex VII, Article 13(2)–(3)

Include the cybersecurity risk assessment drawn up under Article 13(2) and kept up to date under Article 13(3).

  • Threat model. [Realistic threat actors, attack surfaces, and attack scenarios for the intended purpose and reasonably foreseeable use]
  • Risk analysis. [Each identified risk with its likelihood and its potential impact on users, third parties, and connected systems]
  • Security measures. [The measures implemented to address each identified risk, mapped to the Annex I Part I requirements they support]
  • Applicability rationale. [Where an Annex I Part I requirement is assessed as not applicable to this product, the justification]
  • Residual risks. [Risks that cannot be fully mitigated and the rationale for accepting them]
  • Review history: [Dates and triggers of risk assessment reviews, e.g. new versions, new threat intelligence, reported vulnerabilities]
Note

The risk assessment is the justification layer of the technical file. It explains why your security measures are what they are. Keep it proportionate to the product. A consumer smart device needs a lighter assessment than an industrial control system, but both need a genuine risk-based analysis.

Part 4: Support Period Determination

Annex VII, Article 13(8)

Declared support period: [START DATE] to [END DATE] ([X] years) Where the support period is communicated to users: [Product page URL, packaging, user information]

Factors considered in determining the support period:

  • [Expected time the product will be in use]
  • [Support periods of comparable products on the market]
  • [Availability and support horizons of critical third-party components]
  • [Deployment environment and user expectations, e.g. industrial equipment lifetimes]

Justification: [2-3 paragraphs explaining why the chosen support period is appropriate for this product]

Note

Article 13(8) requires the support period to reflect the time the product is expected to be in use, and for most consumer products five years is the expected minimum. Document the reasoning, since a period that looks arbitrarily short invites market surveillance questions.

Part 5: Standards and Technical Specifications Applied

Annex VII, Article 27

List the standards and technical specifications applied to meet the essential requirements in Annex I.

| Standard / specification | Version | Applied in full or in part | Requirements covered | |---|---|---|---| | [e.g. IEC 62443-4-1] | [Edition] | [Full / Partial] | [Annex I Part I references] | | [e.g. ETSI EN 303 645] | [Version] | [Full / Partial] | [Annex I Part I references] | | [Internal specification] | [Version] | [Full / Partial] | [Annex I Part II references] |

For essential requirements without an applied standard: [Describe the solution adopted to meet each requirement, with references to the design documentation in Part 2 and the test reports in Part 6]

Note

Harmonised standards for the CRA are still in development and have not yet been cited in the Official Journal of the European Union. Once they are cited, applying them will create a presumption of conformity under Article 27 for the requirements they cover. Until then, list the standards you have applied and describe how each essential requirement is met.

Part 6: Test Reports

Annex VII, Annex I

Include reports of the tests carried out to verify conformity with Annex I Parts I and II.

  • Security testing. [Penetration test reports, vulnerability scans, fuzzing results, static and dynamic analysis reports, each with scope, methodology, findings, and remediation status]
  • Requirement verification. [Test evidence mapped to each applicable Annex I Part I requirement]
  • Process verification. [Evidence that the vulnerability handling processes operate in practice, e.g. records of a handled disclosure, update deployment logs]
  • Regression evidence. [Tests demonstrating that security properties are preserved across updates]

For each report, record: [Title, author or testing firm, date, product version tested, storage location]

Note

Authorities look for evidence that testing happened against the shipped version. Keep report versions aligned with software versions, and rerun or supplement testing when a significant update changes the product's security posture.

Part 7: Copy of the EU Declaration of Conformity

Annex VII, Article 28, Annex V

Include a copy of the signed EU Declaration of Conformity for the product.

Checklist for the enclosed DoC:

  • [ ] Product identification matching Part 1 of this file
  • [ ] Manufacturer name and address (and authorised representative, where applicable)
  • [ ] Sole responsibility statement
  • [ ] Reference to Regulation (EU) 2024/2847 and the requirements the declaration covers
  • [ ] Standards and specifications listed, matching Part 5 of this file
  • [ ] Conformity assessment procedure used (e.g. Module A internal control)
  • [ ] Notified body name, number, and certificate reference, where applicable
  • [ ] Place and date of issue, signatory name, function, and signature

[Attach the current signed DoC here. Annex V specifies the full field structure.]

Note

The DoC and the technical file must tell the same story. Every standard cited on the DoC should appear in Part 5, and every product version covered by the DoC should be described in Part 1. Update both together when the product changes.

Use this template automatically in CRA Portal

CRA Portal generates your CVD policy, tracks acknowledgments, and creates an audit trail. Receiving and tracking reports is free, and Article 14 filing is on Pro.

Set up your free portal

Frequently asked questions

Ready to go beyond the template?
CRA Portal automates acknowledgments, tracks deadlines, and generates CSAF advisories — free.
Set up your free portal