← All templates
Free Template

CRA User Information Template (Annex II)

A fill-in template for the user information and instructions required by Annex II of the Cyber Resilience Act. It covers all eight Annex II items, from manufacturer identity and the vulnerability reporting contact through to the support period end date and secure decommissioning instructions.

ForManufacturers preparing the information and instructions that must accompany products with digital elements placed on the EU market
CRA Articles
Article 13Annex II

How to Use This Template

Article 13, Annex II

Use this template to assemble the information and instructions that must accompany every product with digital elements you place on the EU market.

What this document is. Annex II of the Cyber Resilience Act (Regulation (EU) 2024/2847) lists the minimum user-facing information a manufacturer must supply with the product. It accompanies the product in electronic or physical form and should remain accessible online for the duration of the support period.

When it applies. The Annex II information package is part of the full conformity obligations, which apply to products placed on the EU market from 11 December 2027. The Article 14 obligation to report actively exploited vulnerabilities and severe incidents to ENISA starts earlier, on 11 September 2026. A monitored vulnerability reporting channel supports both, since Article 14 deadlines run from the moment you become aware of exploitation.

Complete every bracketed field, then remove this section before publication.

Note

This section is informational. It helps your documentation team understand the legal context of the document. Keep it in your internal master copy and strip it from the version supplied with the product.

Manufacturer Identity and Contact Details

Annex II(1)

Manufacturer: [LEGAL ENTITY NAME] Registered trade name / trademark: [TRADE NAME] Postal address: [REGISTERED ADDRESS] Email: [CONTACT EMAIL] Website: [WEBSITE URL]

Authorised representative in the EU (where appointed): [REPRESENTATIVE NAME] [REPRESENTATIVE ADDRESS] [REPRESENTATIVE EMAIL]

Note

Users and market surveillance authorities must be able to identify and reach you without research. If you sell under multiple brands, the entity named here must match the entity on the Declaration of Conformity and the rest of your CE marking documentation.

Single Point of Contact for Vulnerability Reporting

Annex II(2), Article 13

Security vulnerabilities in this product can be reported to our single point of contact:

Vulnerability reporting portal: [PORTAL URL] Security email: [[email protected]]

Our coordinated vulnerability disclosure policy, including scope, response timelines, and our safe harbour commitment, is published at: [CVD POLICY URL]

We acknowledge vulnerability reports within 48 hours of receipt.

Note

Annex II requires you to tell users where vulnerabilities can be reported and where your CVD policy can be found. Point this at the same contact advertised in your security.txt file so every report reaches one monitored channel. A generic support inbox that does not route to security staff does not meet the single point of contact expectation in Article 13.

Product Identification

Annex II(3)

Product name: [PRODUCT NAME] Product type / category: [e.g. Smart Thermostat / Industrial Gateway / Standalone Software] Model: [MODEL NUMBER] Batch / serial number: [BATCH OR SERIAL NUMBER, or state where it is printed on the device] Software / firmware versions this document applies to: [VERSION RANGE]

This identification also appears on [the product label / the packaging / the About screen].

Note

The identifier must let a user, an importer, or an authority match this document to the exact product without ambiguity. For software products, state the version range the document covers and where users can check their installed version.

Intended Purpose and Essential Functionality

Annex II(4)

Intended purpose: [DESCRIBE WHAT THE PRODUCT IS FOR, e.g. 'Residential heating control via the local network and the [COMPANY NAME] cloud service'] Intended operating environment: [Residential / Commercial / Industrial], [expected network conditions, e.g. behind a home router, on a segmented OT network] Essential functionality: [LIST THE CORE FUNCTIONS THE USER RELIES ON]

Security properties provided by the manufacturer:

  • [e.g. Encrypted communication (TLS 1.3) between device and cloud]
  • [e.g. Signed firmware updates verified before installation]
  • [e.g. Role-based access control for the administration interface]
Note

Describe the security environment the product expects as well as the security functions it provides. This section defines what secure use of the product looks like and anchors the risk statements in the next section.

Known Circumstances of Significant Cybersecurity Risk

Annex II(5)

The following known or foreseeable circumstances may lead to significant cybersecurity risks when the product is used in accordance with its intended purpose or under reasonably foreseeable misuse:

  • [e.g. Exposing the administration interface directly to the public internet]
  • [e.g. Operating the product on firmware older than version X.X]
  • [e.g. Disabling automatic security updates without a compensating patch process]
  • [e.g. Connecting untrusted USB accessories or third-party peripherals]

Where we become aware of new circumstances of this kind, we will update this document at [DOCUMENTATION URL].

Note

Be specific and honest. This item covers reasonably foreseeable misuse as well as intended use, so include the risky configurations you know users adopt in practice. Vague statements give you no usable evidence that you informed users.

Access to the EU Declaration of Conformity

Annex II(6), Annex IX

This product carries the CE marking, which signifies conformity with the applicable EU requirements.

The EU Declaration of Conformity for this product can be accessed at:

[DOC URL, e.g. https://yourcompany.example/compliance/doc/[PRODUCT]]

[Where the simplified declaration under Annex IX is supplied with the product, include it here and keep the URL above pointing to the full declaration.]

Note

Keep the DoC URL stable for as long as the product is on the market. If you ship the simplified Annex IX declaration, the full declaration behind the URL must stay accessible for that same period.

Technical Security Support and Support Period End Date

Annex II(7), Article 13

Type of technical security support: [e.g. Security updates delivered over the air / downloadable firmware images / managed update service] How security updates are announced: [e.g. in-product notification, security advisory feed at [ADVISORY URL], email to registered users]

Support period end date: Security updates for this product will be provided until [DD MONTH YYYY].

[Alternative where a fixed date is not practical: Security updates will be provided for [X] years from the date of purchase.]

After the end of the support period, the product will no longer receive security updates. Information about successor products and migration options will be published at [URL].

Note

State a concrete date or a period the user can compute from their purchase date. Conditional wording such as 'as long as commercially viable' does not meet the Annex II requirement. For most consumer products the Commission has signalled five years as the expected minimum support period.

Detailed Instructions for Secure Use

Annex II(8), Annex I

Detailed instructions are provided below [or at [INSTRUCTIONS URL]].

1. Secure initial commissioning

  • Change the default administrator credential during first setup: [STEPS]
  • [e.g. Register the device to a user account before connecting it to the production network]
  • [e.g. Review and apply the recommended network and firewall settings]

2. How changes to the product can affect the security of data

  • [e.g. Installing third-party integrations grants them access to [DATA CATEGORIES]]
  • [e.g. Enabling remote access exposes the API described in section [X]]

3. Installing security updates

  • Automatic security updates are enabled by default and install [WHEN / HOW].
  • To check for and install updates manually: [STEPS]
  • To turn off automatic security updates (advanced users): [STEPS]. We recommend leaving automatic updates enabled.

4. Secure decommissioning

  • To remove all user data from the device before disposal or resale: [FACTORY RESET STEPS]
  • To delete associated cloud data: [ACCOUNT DELETION STEPS]

5. Information for integrators (where the product is intended for integration into other products)

  • [e.g. interface documentation, secure integration requirements, how security updates propagate to the integrating product]
Note

Annex II(8) enumerates the instruction topics, including commissioning, the security effect of changes, update installation, turning off automatic updates, secure decommissioning with data removal, and integrator information. Write real steps for your actual product. Placeholder steps left in production documentation are themselves a documentation gap an auditor will flag.

Use this template automatically in CRA Portal

CRA Portal generates your CVD policy, tracks acknowledgments, and creates an audit trail. Receiving and tracking reports is free, and Article 14 filing is on Pro.

Set up your free portal

Frequently asked questions

Ready to go beyond the template?
CRA Portal automates acknowledgments, tracks deadlines, and generates CSAF advisories — free.
Set up your free portal