FAQ item index


Indexed coverage: 826 of 826 items across 40 modules • Updated Mar 10, 2026
Author: Sorena AI
Published: Mar 10, 2026
Updated: Mar 10, 2026
CRA Technical Documentation

Does the file need vulnerability handling and support evidence?

Yes. Annex VII expressly requires information and specifications for the manufacturer's vulnerability handling processes.

Useful CRA evidence includes the SBOM where applicable, the coordinated vulnerability disclosure policy, proof that a contact address exists for vulnerability reports, secure update distribution design, test reports for vulnerability handling processes, and the information used to determine the support period under Article 13(8).

Citations
Cyber Resilience Act

Annex VII points 2(b), 4, 6, and 8 cover vulnerability handling, support-period evidence, test reports, and SBOM treatment.

European Commission CRA FAQs

Section 4.5.1 says the technical documentation should include information considered when determining the support period.

CRA Technical Documentation

How does the technical file connect to CRA conformity assessment?

For module A, the manufacturer relies on internal control, verifies conformity, draws up the technical documentation, affixes CE marking, and declares conformity on its own responsibility.

For module B+C, the manufacturer draws up the technical documentation and a notified body assesses the design based on that documentation and a specimen or sample. For module H, the manufacturer operates a full quality system and draws up technical documentation through that system while the notified body assesses the quality system.

Citations
Cyber Resilience Act

Annex VIII Parts I-IV set the module A, B+C, and H conformity assessment procedures and their technical-documentation requirements.

CRA Technical Documentation

Can the file use harmonised standards, common specifications, or certification evidence?

Yes, but the file must be explicit. Annex VII requires the list of harmonised standards, common specifications, or European cybersecurity certification schemes applied in full or in part.

If the manufacturer did not use them, the documentation must describe the alternative solutions used to meet Annex I requirements and list other relevant technical specifications. If a standard, common specification, or scheme was applied only partly, the file must say which parts were applied.

Citations
Cyber Resilience Act

Annex VII point 5 sets the documentation rules for standards, common specifications, certification schemes, and alternative solutions.

CRA Technical Documentation

Can one technical-documentation set cover several EU product laws?

Yes, where the product is also subject to other Union legal acts requiring technical documentation.

Article 31(3) allows one technical-documentation set if it contains the information required by the CRA and the information required by those other Union acts. The practical limit is completeness: the combined dossier must still let each applicable law's conformity case be assessed.

Citations
Cyber Resilience Act

Article 31(3) permits a single technical-documentation set for overlapping Union legal acts that require such documentation.

CRA Technical Documentation

Can module H technical documentation be part of the quality-system documentation?

Yes. The Commission FAQ says technical documentation may form part of the quality-system documentation where a manufacturer uses a quality-system-based route such as module H.

Under CRA Annex VIII Part IV, the quality system covers design, development, final product inspection and testing, and vulnerability handling. The application to the notified body includes technical documentation for one model of each product category intended to be manufactured or developed.

Citations
Cyber Resilience Act

Annex VIII Part IV points 2 and 3.1(b) require quality-system documentation and technical documentation for module H.

CRA Technical Documentation

In what language can the technical documentation be written?

For conformity assessment, Article 31(4) requires the technical documentation and related correspondence to be in an official language of the Member State where the notified body is established or in a language acceptable to that body.

For market surveillance, the separate practical rule is authority comprehension: Article 13(22) and Article 53 require information, documentation, or data to be provided in a language easily understood by the requesting authority. The Commission FAQ says the file can be written in any language, but must be provided in an authority-understandable language when requested.

Citations
Cyber Resilience Act

Article 31(4) covers notified-body language; Articles 13(22) and 53 cover market-surveillance access in an easily understood language.

CRA Technical Documentation

Does the CRA technical documentation have to be public?

Generally, no. The Commission FAQ states that there is no general obligation to make technical documentation available to customers or the public.

The important exception is Article 32(5): manufacturers of qualifying free and open-source software in Annex III class I or II can use the CRA self-assessment route only if the technical documentation is made available to the public.

Citations
Cyber Resilience Act

Article 32(5) creates the public-documentation condition for qualifying free and open-source software using self-assessment.

CRA Technical Documentation

What can market surveillance authorities request beyond the Annex VII file?

Authorities are not limited to a neat front-office dossier. On a reasoned request, manufacturers must provide the information and documentation necessary to demonstrate conformity.

Article 53 allows market surveillance authorities, where necessary to assess conformity, to access data needed to assess product design, development, production, and vulnerability handling, including related internal documentation. For SBOMs, Annex VII includes them where applicable and further to a reasoned authority request when necessary to check compliance with Annex I.

Citations
Cyber Resilience Act

Article 13(22), Article 53, and Annex VII point 8 define authority access to conformity documentation, internal records, and SBOMs where necessary.

European Commission CRA FAQs

Section 6.6 warns that technical documentation may be requested by market surveillance authorities and should be comprehensive and clear.

CRA Technical Documentation

Does the technical documentation have to be updated when the product changes?

Yes, where the change affects the conformity case. Article 31(2) requires continuous updating where appropriate, at least during the support period.

The CRA draft guidance applies the Blue Guide approach: technical documentation has to be updated to the extent the modification affects applicable requirements, while unaffected aspects do not need to be retested or redocumented. Security updates that do not amount to substantial modifications can still require the file to remain accurate and complete.

Citations
Cyber Resilience Act

Article 31(2) requires appropriate updates to technical documentation during the support period.

CRA Technical Documentation

Do older product types need historic design records recreated?

Not automatically. The CRA draft guidance says manufacturers should not be read as having to recreate original design and development test evidence for products designed before CRA application where doing so would not improve the product's security.

That does not remove the current conformity burden. The manufacturer still needs a current CRA technical file that demonstrates conformity, including the cybersecurity risk assessment, test reports or other verification evidence, and Annex VII content that is available for conformity assessment and market surveillance.

Citations
Cyber Resilience Act

Article 13(12), Article 31, and Annex VII point 6 require technical documentation and test-report evidence for CRA conformity.

CRA Technical Documentation

Is there a simplified technical-documentation format for smaller companies?

Yes, but only in the way Article 33(5) provides.

Microenterprises and small enterprises may provide the Annex VII elements using a simplified format once the Commission specifies that form by implementing act. Notified bodies must accept that simplified form for conformity assessment purposes.

Citations
Cyber Resilience Act

Article 33(5) establishes the simplified-format rule for microenterprises and small enterprises.

CRA Technical Documentation

Does the CRA impose one mandatory technical-file template?

No. The CRA specifies the information that must be present, not one filing structure.

A manufacturer can organise the file across tools, repositories, suppliers, and quality-system records, but the assembled evidence still has to be complete, clear, versioned, and producible when a notified body or market surveillance authority needs to assess conformity.

Citations
Cyber Resilience Act

Article 31 and Annex VII define content requirements without prescribing one mandatory template.

CRA Technical Documentation

How should the file handle versions, redesigns, and product families?

The technical file should make clear which product version, software version, model, variant, or redesign each conformity record supports.

The draft CRA guidance allows reuse of one cybersecurity risk assessment, one technical-documentation set, and one conformity assessment for variants in a product family only where the products share the same architecture, security-relevant design, intended purpose, and cybersecurity risks. Differences that affect cybersecurity, such as communication interfaces, software stacks, update mechanisms, or remote connectivity, must be reflected in the risk assessment, technical documentation, and conformity assessment where necessary.

Citations
Cyber Resilience Act

Article 31 and Annex VII require product-specific technical documentation that can support conformity assessment.

CRA Technical Documentation

How should remote data processing solutions be documented?

If a product has a remote data processing solution (RDPS) or relies on relevant third-party cloud solutions, the technical documentation should identify and describe those solutions.

The draft CRA guidance says the same RDPS documentation may be reused across product conformity assessments, but the RDPS must still be declared in each product's technical documentation. The risk assessment should also cover RDPS risks, third-party cloud-service risks treated similarly to third-party components, and relevant product-environment risks.

Citations
Cyber Resilience Act

Article 3(1)-(2), Article 13(2), and Annex VII connect RDPS to product scope, risk assessment, and technical documentation.

CRA Technical Documentation

Can a manufacturer keep the technical documentation split across internal systems and suppliers?

Yes, in principle, but the responsibility remains with the manufacturer.

The CRA requires the documentation to be drawn up, contain the required Annex VII content, be available before placing on the market, be kept up to date where appropriate, and be provided to authorities on reasoned request. The statute does not require one physical folder, but fragmented storage is risky if it prevents the manufacturer from producing a coherent, complete, authority-readable file.

Citations
Cyber Resilience Act

Article 13(12), Article 13(22), Article 31, and Article 53 define the manufacturer's responsibility to create, maintain, and provide documentation.

CRA Transition Period

When did the CRA enter into force?

The CRA entered into force on 10 December 2024.

The Regulation itself says it enters into force on the twentieth day following its publication in the Official Journal. The Commission FAQ uses the concrete date 10 December 2024.

Citations
CRA Transition Period

When does the CRA generally start applying?

The CRA generally applies from 11 December 2027.

But the Regulation also has two earlier phased dates:

- Chapter IV, covering the notification of conformity assessment bodies, applies from 11 June 2026

- Article 14 reporting obligations apply from 11 September 2026

Citations
Cyber Resilience Act

Article 71(2) sets the general application date and the two earlier application dates for Article 14 and Chapter IV.

CRA Transition Period

What starts under the CRA on 11 June 2026?

Chapter IV of the CRA starts to apply on 11 June 2026. That chapter covers notifying authorities and conformity assessment bodies, including designation, notification, operation, and oversight of notified bodies.

The Commission FAQ explains that Member States must have their notifying-authority arrangements in place by that date.

Citations
CRA Transition Period

What starts under the CRA on 11 September 2026?

Article 14 starts to apply on 11 September 2026. From that date, manufacturers must report actively exploited vulnerabilities and severe incidents having an impact on the security of their products through the CRA reporting system.

That early date also matters for open-source software stewards, because Article 24(3) ties some of their reporting obligations to Article 14. So, from 11 September 2026, the limited steward reporting hooks become relevant as well, even though the rest of the CRA still applies later.

Citations
CRA Transition Period

What starts under the CRA on 11 December 2027?

That is the general date of application of the CRA.

From 11 December 2027, the manufacturer obligations, essential cybersecurity requirements, conformity assessment rules, CE marking framework, market surveillance rules, and the rest of the CRA apply, except for the earlier-starting provisions that already applied before that date.

Citations