EU Cyber Resilience Act FAQ Declaration of Conformity

It is the document in which the manufacturer declares that the product with digital elements complies with the Cyber Resilience Act and takes responsibility for that compliance.

For CRA purposes, the declaration states that fulfilment of the applicable essential cybersecurity requirements in Annex I has been demonstrated. It should therefore be consistent with the conformity assessment route, the technical documentation, the cybersecurity risk assessment, and any harmonised standards, common specifications, cybersecurity certifications, or notified-body certificates relied on.

No. Before placing a product with digital elements on the market, the manufacturer must draw up technical documentation, complete or have completed the chosen conformity assessment procedure, and, where conformity has been demonstrated, draw up the EU Declaration of Conformity and affix the CE marking.

The product must also be accompanied by either a copy of the full EU Declaration of Conformity or a simplified EU Declaration of Conformity that points to the full text.

The CRA allows two customer-facing formats. The first is the full EU Declaration of Conformity, using the Annex V model structure. The second is the simplified EU Declaration of Conformity, using the Annex VI wording and giving the exact internet address where the full declaration can be accessed.

The simplified version reduces what accompanies the product, but it does not remove the obligation to create and maintain the full EU Declaration of Conformity.

Annex V requires enough information to identify the product and the compliance basis. The full declaration must include the product name, type, and identifying information; the manufacturer or authorised representative name and address; a sole-responsibility statement; the object of the declaration; and a statement that the product conforms with the relevant Union harmonisation legislation.

It must also list the relevant harmonised standards, common specifications, or cybersecurity certification used, and, where applicable, the notified body's name and number, the conformity assessment procedure performed, and the certificate issued. The signature block should identify the place and date of issue, name, function, and signature.

The simplified declaration must follow the Annex VI model. It names the manufacturer, identifies the product type, states that the product is in compliance with Regulation (EU) 2024/2847, and gives the internet address where the full EU Declaration of Conformity is available.

Teams using the simplified version should control that URL like a release artifact: it should resolve to the current full declaration for the product version being supplied, remain stable for authority checks, and be updated when the underlying declaration changes.

The CE marking and the declaration are linked outputs of the same market-access sequence. The manufacturer affixes the CE marking only after the relevant conformity assessment procedure has demonstrated conformity and the EU Declaration of Conformity has been drawn up.

For physical products, the CE marking must generally be placed visibly, legibly, and indelibly on the product. Where that is not possible or not warranted, it goes on the packaging and on the accompanying EU Declaration of Conformity. For software products, the CE marking may be placed either on the EU Declaration of Conformity or on the website accompanying the software product, with the relevant website section easily and directly accessible to consumers.

The declaration is the signed compliance statement; the technical documentation is the evidence file that shows how the product and the manufacturer's vulnerability-handling processes meet the applicable CRA requirements.

Annex VII requires the technical documentation to include, as applicable, the product description, software versions affecting compliance, design and development information, vulnerability-handling process specifications, the cybersecurity risk assessment, support-period rationale, applied standards or other solutions, test reports, and a copy of the EU Declaration of Conformity. A declaration that cites a standard, certification, or notified-body certificate should be traceable to the corresponding evidence in that technical file.

The manufacturer draws up the EU Declaration of Conformity and assumes responsibility for product compliance by doing so. A notified body, where involved, may issue certificates or approval decisions, but the declaration remains the manufacturer's responsibility statement.

An authorised representative can have declaration-related tasks only within the CRA mandate rules. At minimum, the mandate must allow the authorised representative to keep the EU Declaration of Conformity and technical documentation at the disposal of market surveillance authorities and provide information on request. The CRA does not let the authorised representative take over the manufacturer's core obligation to draw up the technical documentation before placement on the market.

Yes. Before placing a product on the market, importers must check that the manufacturer has carried out the appropriate conformity assessment, drawn up technical documentation, applied CE marking, and supplied the declaration required by Article 13(20). Importers must keep a copy of the EU Declaration of Conformity for at least 10 years after placement on the market or for the support period, whichever is longer.

Distributors must act with due care and, before making the product available, verify that the product bears the CE marking and that the manufacturer and importer have complied with the relevant documentation and accompanying-information obligations.

Yes. Where the product is subject to more than one Union legal act requiring an EU Declaration of Conformity, the CRA requires a single EU Declaration of Conformity covering all those acts and identifying them, including their publication references.

The Blue Guide and Commission FAQ explain that this single declaration can be organised as a dossier made up of the relevant individual declarations. That helps when one applicable Union act changes, but the public declaration package still needs to clearly identify every act it covers.

Not necessarily. The declaration must identify the product sufficiently for traceability, and Annex V refers to the product name, type, and other identifying information. The Commission FAQ explains that the declaration is linked to the individual product, but it does not need to include each unit's unique identifier.

In practice, the same declaration version may cover many products manufactured in series if it still accurately identifies the covered product model or version and the conformity basis has not changed.

The CRA says the declaration must be updated as appropriate. The Blue Guide gives practical examples: a change in applicable legislation, a change in the versions of harmonised standards, or a change in the manufacturer or authorised representative contact details can require an update for products placed on the market after that change.

CRA teams should also review the declaration when a product version changes, when a substantial modification creates a new conformity situation, when the chosen conformity assessment basis changes, when a certificate reference changes, or when the technical documentation is updated in a way that affects the declared compliance basis.

Manufacturers must keep the technical documentation and EU Declaration of Conformity available to market surveillance authorities for at least 10 years after the product has been placed on the market or for the support period, whichever is longer.

The same retention period appears for authorised representatives where their mandate covers keeping the declaration and technical documentation, and for importers keeping a copy of the declaration. This means the declaration archive should be tied to product placement records and support-period records, not just to the initial release date.

No. The declaration records the conformity basis; it does not create presumption of conformity by merely naming a standard. Under the CRA, presumption of conformity depends on the relevant Article 27 route, such as correctly applying harmonised standards whose references have been published in the Official Journal, applicable common specifications, or qualifying European cybersecurity certification schemes.

The Blue Guide is explicit that referencing a harmonised standard in the declaration without applying that standard, or the relevant parts of it, does not start presumption of conformity. If only part of a standard is applied, the technical documentation should show what was applied and how the remaining applicable CRA requirements were met.

A useful declaration control set links each declaration version to the product model or software version covered, the conformity assessment route, the technical documentation version, the cybersecurity risk assessment, the support-period rationale, the list of standards or other specifications applied, test reports, notified-body certificates where applicable, and the public or customer-facing URL used for the simplified declaration.

Keep an approval record showing who signed the declaration and why the evidence was sufficient. When a release, standard, certificate, manufacturer address, or conformity route changes, review whether the declaration and simplified-declaration URL need a new version. This is evidence discipline, not a separate CRA legal form, but it is the practical way to show that the signed declaration matches the technical file and the product being supplied.

Under the CRA, a missing EU Declaration of Conformity or an incorrectly drawn-up declaration is formal non-compliance. The market surveillance authority must require the relevant manufacturer to end the non-compliance.

If the formal non-compliance persists, the Member State must take appropriate measures to restrict or prohibit the product from being made available on the market, or ensure that it is recalled or withdrawn. Article 58 also treats missing or incomplete technical documentation and CE-marking failures as formal non-compliance.