EU Cyber Resilience Act FAQ Technical Documentation

Use this CRA FAQ to understand what Annex VII requires, when technical documentation must exist, how it must be kept up to date, and what authorities or notified bodies may request.

Built for compliance, engineering, certification, and legal teams preparing and maintaining CRA technical files.

Author: Sorena AI
Published: Mar 10, 2026
Updated: Mar 10, 2026

Overview

CRA technical documentation is the evidence package behind the manufacturer's conformity case. This FAQ explains what Annex VII requires, when the documentation must exist, how it must be updated during the support period, when documentation can be reused across products or laws, and how language and authority-access rules work in practice.

Section 1

What is CRA technical documentation?

CRA technical documentation is the evidence package that shows how the manufacturer ensured that the product and the manufacturer's processes comply with the applicable essential cybersecurity requirements.

It must contain all relevant data or details of the means used by the manufacturer to ensure compliance and must at least contain the elements listed in Annex VII.


Section 2

When does the technical documentation have to exist?

It must be drawn up before the product is placed on the market.

It must then be continuously updated, where appropriate, at least during the support period.

The Commission FAQ adds that it has to be available when the product is placed on the market, regardless of where it is physically stored.

Section 3

What has to be in the technical documentation?

Annex VII requires, as applicable:

- a general description of the product, including intended purpose, compliance-relevant software versions, hardware images or illustrations where relevant, and user information and instructions

- a description of design, development, production, and vulnerability handling processes

- the cybersecurity risk assessment and applicability of Annex I Part I requirements

- the information used to determine the support period

- the list of harmonised standards, common specifications, or certification schemes applied, and descriptions of alternative solutions where they were not applied

- test reports

- a copy of the EU declaration of conformity

- where applicable, the software bill of materials

Section 4

Does the technical documentation have to include the cybersecurity risk assessment?

Yes.

Article 13(4) requires the manufacturer to include the cybersecurity risk assessment in the technical documentation when placing the product on the market. The same provision also requires a clear justification where certain essential cybersecurity requirements are not applicable to the product.

Section 5

Does the technical documentation have to explain the support period and software versions?

Yes.

Annex VII expressly requires:

- versions of software affecting compliance with essential cybersecurity requirements

- relevant information taken into account to determine the support period under Article 13(8)

Those are not optional extras. They are part of the minimum CRA documentation set where applicable.

Section 6

How must CRA technical documentation deal with harmonised standards, common specifications, and alternative solutions?

The technical documentation must identify the harmonised standards, common specifications, and relevant certification schemes used in full or in part.

Where they were not applied, the documentation must describe the solutions adopted to meet the essential requirements and list any other relevant technical specifications used. If they were applied only in part, the documentation must specify which parts were applied.

Section 7

Can one set of technical documentation cover more than one EU product law?

Yes, where Article 12 applies.

For CRA products that are also subject to other Union legal acts requiring technical documentation, Article 31(3) allows a single set of technical documentation containing both the CRA information and the information required by those other acts.

Section 8

Can the technical documentation be part of the module H quality-system documentation?

Yes.

The Commission FAQ says technical documentation may form part of the quality-system documentation where the manufacturer uses a quality-system-based conformity assessment route such as module H.

Section 9

In what language can the technical documentation be written?

Article 31(4) says the technical documentation and correspondence relating to a conformity assessment procedure must be drawn up in an official language of the Member State in which the notified body is established or in a language acceptable to that body.

The Commission FAQ adds that the technical documentation can be written in any language, but if a market surveillance authority requests it, it needs to be provided in a language easily understood by that authority.

Section 10

Does the technical documentation have to be public or customer-facing?

No, as a rule it does not.

The Commission FAQ states that there is no general obligation to make the technical documentation available to customers or the public. The specific CRA exception is Article 32(5): a manufacturer of qualifying free and open-source software in an Annex III category that relies on that special rule has to make the technical documentation public at the time of placing on the market.

Section 11

What can CRA market surveillance authorities request beyond the core technical-documentation file?

Manufacturers must, on reasoned request, provide authorities with the information and documentation necessary to demonstrate conformity. Article 53 goes further and says authorities may be granted access to the data needed to assess design, development, production, and vulnerability handling, including related internal documentation.

For SBOMs, the CRA does not require public release, but Annex VII and Annex I make them part of the documentation framework and market surveillance authorities may request them where necessary to check compliance.

Citations
Cyber Resilience Act

Article 13(22), Article 53, Annex I Part II point 1, Annex VII points 2(b) and 8, recital 77

Section 12

Does the technical documentation have to be updated when the product changes?

Yes.

Article 31(2) requires continuous updating where appropriate, at least during the support period. The March 2026 draft guidance adds that technical documentation must remain accurate, complete, and up to date even where updates do not amount to substantial modifications.

For substantial modifications, the draft guidance, relying on the Blue Guide, says the documentation has to be updated to the extent the modification affects the applicable requirements, and unchanged aspects do not need to be retested or redocumented.

Section 13

Do products designed before the CRA applied need full historic design records recreated?

Not necessarily.

The March 2026 draft guidance says that for products designed before the CRA's application date, the obligation to provide evidence in the conformity assessment should not be read as requiring the manufacturer to recreate original design and development test evidence where that would not improve the product's security. The manufacturer still has to demonstrate current compliance through the cybersecurity risk assessment and technical documentation.

Section 14

Is there a simplified technical documentation format for smaller companies?

Yes.

Article 33(5) says microenterprises and small enterprises may provide the Annex VII elements using a simplified format once the Commission specifies that form by implementing act. Notified bodies must accept that form for conformity assessment purposes.

Section 15

Does the CRA require one fixed template for technical documentation?

No.

The CRA prescribes what the technical documentation must contain, mainly through Annex VII, but it does not impose one mandatory template or filing structure. What matters is that the file contains the required content and is clear enough to let a notified body or market surveillance authority assess conformity.

In practice, that means the manufacturer has flexibility in how the file is organised, but not in whether the required elements are actually present and kept up to date.

Section 16

Does the technical documentation need to distinguish product versions and redesigns?

Yes.

The Commission FAQ says that where a product has been redesigned or reassessed, the technical documentation must reflect all versions of the product, describe the changes made, explain how the versions can be identified, and include information on the relevant conformity assessment.

That matters in practice because the CRA documentation is meant to remain usable throughout the product's life. A manufacturer cannot keep only the newest file if that makes it impossible to tell which documentation applies to which version placed on the market.

Section 17

Can a manufacturer automatically use one technical-documentation set for every product variant in a family?

Not automatically.

The March 2026 draft guidance allows a single set of technical documentation where the variants share the same architecture, security-relevant design, intended purpose, and cybersecurity risks, and where all relevant risks and essential requirements are adequately covered. If differences between variants affect cybersecurity properties, those differences must be reflected in the technical documentation and, where necessary, the conformity assessment.

Section 19

Does the fact that technical documentation is not generally public mean authorities are limited to the Annex VII file only?

No.

The January 2026 Commission FAQ and Article 53 make clear that, where necessary to assess conformity, market surveillance authorities may be granted access to the data needed to assess design, development, production, and vulnerability handling, including related internal documentation of the relevant economic operator. So the non-public character of the technical documentation does not cap authority access at the bare Annex VII file.

Section 20

Can a manufacturer keep CRA technical documentation split across different internal systems or suppliers, as long as the full set can be produced?

Yes, in principle.

Inference from the CRA text and Commission FAQ: the legal requirement is that the technical documentation be drawn up, contain the required Annex VII content, be available when the product is placed on the market, and be provided to authorities on reasoned request. The CRA does not prescribe one storage location or one physical dossier, but the manufacturer remains responsible for being able to assemble and provide a coherent, complete set when needed.

Section 21

If a notified body accepts one language for CRA conformity-assessment documentation, does that automatically settle the language issue for market-surveillance requests?

No.

Article 31(4) deals with the language of technical documentation and correspondence relating to a conformity assessment procedure, especially for notified-body interactions. Separately, Article 13(22) requires manufacturers to provide the necessary information and documentation to market-surveillance authorities in a language that can be easily understood by the requesting authority. The Commission FAQ makes the same distinction.

Primary sources

References and citations

data.europa.eu (21 citations)
Referenced sections
  • Article 31(1), Annex VII
  • Article 13(12), Article 31(2)
  • Annex VII
  • Article 13(4), Annex VII point 3
  • Annex VII points 1(b) and 4
  • Annex VII point 5
  • Article 31(3)
  • Article 31, Annex VIII Part IV point 3.1(b)
  • Article 31(4), Article 13(22), Article 53
  • Article 32(5)
  • Article 13(22), Article 53, Annex I Part II point 1, Annex VII points 2(b) and 8, recital 77
  • Article 31(2)
  • Article 13(12), Article 31, Annex VII point 6
  • Article 33(5)
  • Article 31, Annex VII
  • Article 31(2), Annex VII point 1
  • Article 53
  • Article 13(12), Article 13(22), Article 31(1)
  • Article 31(4), Article 13(22)