
Documentation and Transparency

The Cyber Resilience Act underscores the importance of comprehensive documentation and transparency in cybersecurity compliance. Organizations are required to maintain detailed records of their cybersecurity practices to ensure regulatory adherence.

Transparency plays a critical role in fostering accountability among stakeholders and strengthening trust. By sharing security protocols and incident response strategies with suppliers, businesses can enhance their overall resilience. Moreover, well-structured documentation facilitates regulatory audits, allowing organizations to demonstrate their commitment to cybersecurity standards effectively.


Understanding Documentation and Transparency

Documentation in the context of the CRA goes beyond mere formality. It encompasses detailed technical records that substantiate compliance with essential requirements. These records should include product descriptions, vulnerability handling processes and risk assessments. Transparency, on the other hand, ensures that stakeholders have visibility into the security practices and potential risks associated with products and services. This openness not only builds trust but also facilitates effective collaboration among all parties involved in the supply chain.

Annex I of the CRA sets out the essential requirements for products with digital elements. They fall into two groups: properties the product must have when it is designed and built, and processes the manufacturer must run while the product is in operation and under support:

During design

Incident prevention

  • Data integrity and confidentiality

  • Availability of essential functions and features

  • Access control, authentication and authorization mechanisms

  • Minimizing the attack surface

  • Data minimization and secure data disposal

Incident readiness and resilience

  • Impact reduction

  • Minimization of the effect of an incident on other services, in particular critical services

  • Logging practices (recording and monitoring of security-relevant internal activity)

  • Software Bill of Materials (SBOM)

During operations

Vulnerability and incident handling

  • Coordinated vulnerability disclosure, including public information about fixed vulnerabilities

  • Regular security tests and reviews of the product

  • Security patches / updates:

    • Delivered fast, free of charge, automatically where appropriate, and through a secure distribution channel

Compliance and Standards

The fulfillment of essential requirements must be thoroughly documented. To comply with the CRA, manufacturers are required to produce three key types of documents:

1. Declaration of Conformity (DoC)

The Declaration of Conformity is the primary documentation required for product compliance under the CRA and is essential for affixing the CE mark. The DoC confirms that a product meets the necessary regulatory requirements and adheres to harmonized standards or essential cybersecurity requirements.

Compliance Procedures

A Declaration of Conformity may only be issued after a conformity assessment procedure has been completed. Which procedures are open to a product, and whether a notified body must be involved, depends on how the product is classified.

  • Module A – Internal Control: The simplest procedure, in which the manufacturer checks and declares conformity with the essential requirements itself, without involving a notified body.

  • Third-Party Assessment Options:

    • Module H – Full Quality Assurance: A notified body assesses and periodically audits the manufacturer's quality system for design, production and final inspection; conformity of each product is declared on the basis of that approved system.

    • Module B+C – EU-Type Examination: A notified body (a conformity assessment body designated by a Member State, e.g. TÜV or DEKRA) examines the product's technical design and issues an EU-type examination certificate (Module B); the manufacturer then declares that its production conforms to the examined type (Module C).

    • EU Cybersecurity Certification Scheme: A European cybersecurity certificate issued under a scheme adopted pursuant to the EU Cybersecurity Act (Regulation (EU) 2019/881).

Third-Party Assessment Requirements

The CRA classifies products, not manufacturers. Products in the default category may use self-assessment under Module A. "Important" products listed in Annex III are split into two classes: class I products may use Module A only if they fully apply harmonised standards, common specifications or a European cybersecurity certification scheme, and must otherwise go through a notified body (Module B+C or Module H); class II products must always involve a notified body. "Critical" products listed in Annex IV must be certified under a European cybersecurity certification scheme where the Commission has required one. In every case the resulting Declaration of Conformity is a precondition for CE marking and must either accompany the product or be made available at an internet address given in the information to the user.

EU Declaration of Conformity Document

The EU Declaration of Conformity is a one-page document affirming compliance with the CRA’s requirements. It serves as official confirmation that the product meets applicable cybersecurity standards, allowing the manufacturer to affix the CE mark.

2. Technical Documentation 

Technical documentation is essential for demonstrating compliance with the CRA. This includes records from third-party assessments and other evidence of adherence to regulatory requirements. Market surveillance authorities are authorized to request this documentation at any time.

Content of Technical Documentation
Manufacturers must maintain comprehensive technical documentation for each product, which should include:

  • Product Specifications: Detailed descriptions of the product, including system architecture and technical components.

  • Security Measures: An overview of security controls implemented during the design and development phases.

  • Risk Assessments: Documentation of risk analyses conducted to identify potential security vulnerabilities, along with the methodologies used.

  • Vulnerability Management Plans: Strategies for mitigating identified risks, including procedures for addressing security vulnerabilities.

Accessibility and Retention

  • Availability: The Declaration of Conformity (DoC) and related technical documentation must be readily accessible for review by regulatory authorities upon request.

  • Lifecycle Maintenance: Documentation should be continuously updated throughout the product’s lifecycle to ensure ongoing compliance.

  • Retention Period: Manufacturers must keep the technical documentation and the Declaration of Conformity at the disposal of market surveillance authorities for at least 10 years after the product has been placed on the market, or for the duration of the support period, whichever is longer.


Comprehensive Compliance Documentation
All products subject to the CRA must be supported by detailed technical documentation that verifies compliance with essential requirements. This includes:

  1. Risk Analysis: A thorough assessment evaluating how essential requirements apply to the product.

  2. Design Information: Documentation demonstrating compliance with "Essential Requirements Part I," covering system architecture and component interactions.

  3. Vulnerability Management: Compliance with "Essential Requirements Part II," incorporating a Software Bill of Materials (SBOM) to track software dependencies.

  4. Test Reports & Standards: Results from the conformity assessment process and a list of harmonized standards applied to ensure compliance.

3. Information & Instructions to the User

The "Information and Instructions to the User" document is a mandatory component for compliance with the Cyber Resilience Act (CRA) and the only document directly provided to purchasers. Despite its importance, it is often overlooked in discussions. This poses a significant challenge, as many product suppliers hesitate to implement security features without additional costs, while asset owners may be unwilling to incur extra expenses for enhanced cybersecurity measures. Failure to maintain and update this documentation can result in regulatory risks and potential penalties.

The user instructions must enable users to install, configure, operate and decommission the product securely. Annex II of the CRA lists the required content, which includes:

  • Product Usage and Functionality: Clear guidance on how to use the product and its security features, including secure installation and configuration, the effect of configuration changes on security, how to obtain and apply security updates, and how to decommission the product and erase its data securely.

  • Manufacturer Identification and Contact: The manufacturer's name and address, the single point of contact for reporting vulnerabilities, and the internet address at which the Declaration of Conformity can be accessed.

  • Support Period: The type of technical security support offered and the end date of the period during which security updates are provided.

  • Delivery Requirement: The instructions must be provided along with the product, in paper or electronic form.

Key Compliance Considerations:

  1. Justification for Exemptions in Cybersecurity Risk Assessment

    • Manufacturers must document and justify exemptions in their technical documentation when certain essential cybersecurity requirements are deemed inapplicable.

  2. Comprehensive Product Component Documentation

    • Maintain an up-to-date Software Bill of Materials (SBOM) to track vulnerabilities and risks associated with digital products.

  3. Security of Third-Party Components

    • Conduct regular assessments of third-party components for known vulnerabilities to mitigate security risks in products with digital elements.

  4. Adherence to Compliance Standards

    • Follow harmonized standards, common specifications, or cybersecurity certifications.

    • If alternative compliance methods are used, they must be documented.

  5. Third-Party Conformity Assessment for Important Products Class II

    • Manufacturers of important products in class II (Annex III) must involve a notified body in the conformity assessment, using Module B+C or Module H.

  6. Internal Control Procedures for Open-Source Software

    • When following Module A procedures for free and open-source software, manufacturers must make technical documentation publicly available.

  7. Simplified Documentation for Small Enterprises

    • Micro and small enterprises may use a simplified version of technical documentation to reduce administrative burdens upon product release.

  8. Accessible Technical Documentation

    • Ensure documentation is translated into a widely understood language to facilitate compliance, particularly for smaller businesses.

  9. Collaboration on Training and Innovation Initiatives

    • Member States and manufacturers should support training, awareness programs, testing environments, and sandbox initiatives to improve cybersecurity compliance, especially for microenterprises.

  10. Market Surveillance and Compliance Monitoring

    • Market surveillance authorities should track best practices and compliance indicators, enhancing cooperation through ADCO (Administrative Cooperation Group) and guidance documents.

  11. Standardized Product Categories and Reporting Requirements

    • The European Commission should define technical descriptions for key product categories and establish standardized formats for SBOMs and vulnerability notifications.

  12. Consistent Implementation Across the EU

    • The European Commission should introduce simplified documentation formats and define corrective measures to ensure uniform compliance across all EU member states.
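Items 2 and 3 above (an up-to-date SBOM, and regular checks of third-party components against known vulnerabilities) are the operational core of the component documentation duty, and items 11 and 12 anticipate a standardized SBOM format. The following is an added example, not code from this page or from any CRA guidance: it parses a constructed CycloneDX JSON SBOM, normalises each component's package URL (purl), and matches components against a constructed advisory list using a "fixed in" version. The SBOM contents, the advisory identifiers (ADV-000x) and all function names are assumptions for illustration; in practice the SBOM would be the one emitted by the build and the advisories would come from a feed such as OSV or the NVD, with the same matching logic.

```python
import json
import re

# Constructed minimal CycloneDX 1.5 SBOM for illustration; not a real product's SBOM.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "openssl", "version": "3.0.7",
     "purl": "pkg:generic/openssl@3.0.7"},
    {"type": "library", "name": "zlib", "version": "1.2.11",
     "purl": "pkg:generic/zlib@1.2.11"},
    {"type": "library", "name": "requests", "version": "2.31.0",
     "purl": "pkg:pypi/requests@2.31.0"}
  ]
}
"""

# Constructed advisory records keyed by versionless purl. "fixed" is the first
# version containing the fix, so every earlier version is affected. Real feeds
# (OSV, NVD) express affected ranges in a similar way.
ADVISORIES = [
    {"id": "ADV-0001", "purl": "pkg:generic/zlib", "fixed": "1.2.12"},
    {"id": "ADV-0002", "purl": "pkg:generic/openssl", "fixed": "3.0.8"},
    {"id": "ADV-0003", "purl": "pkg:pypi/requests", "fixed": "2.31.0"},
]


def version_tuple(version):
    """Reduce a version string to a tuple of its numeric fields.

    Deliberately simplified: it handles the dotted numeric versions common in
    SBOMs ("1.2.11", "3.0.7", "1.2.11-r3") but is not a full semantic-version
    parser, and pre-release ordering is not modelled.
    """
    return tuple(int(part) for part in re.findall(r"\d+", version))


def version_less_than(a, b):
    """True if version a sorts before version b; shorter tuples are zero-padded."""
    ta, tb = version_tuple(a), version_tuple(b)
    width = max(len(ta), len(tb))
    return ta + (0,) * (width - len(ta)) < tb + (0,) * (width - len(tb))


def split_purl(purl):
    """Split a package URL into (versionless purl, version).

    Qualifiers ("?...") and subpath ("#...") are dropped first. The version is
    introduced by the last '@'; an '@' inside an npm scope is percent-encoded
    in a purl, so rpartition on '@' is safe.
    """
    base = purl.split("?", 1)[0].split("#", 1)[0]
    name, _, version = base.rpartition("@")
    if not name:  # purl carries no version
        return base, ""
    return name, version


def load_sbom_components(sbom_json):
    """Return one record (name, versionless purl, version) per matchable component."""
    bom = json.loads(sbom_json)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    components = []
    for comp in bom.get("components", []):
        purl = comp.get("purl")
        if not purl:
            continue  # a component without a purl cannot be matched to advisories
        base, version = split_purl(purl)
        components.append({
            "name": comp.get("name"),
            "purl": base,
            "version": version or comp.get("version", ""),
        })
    return components


def find_vulnerable(components, advisories):
    """Match SBOM components against advisories; returns findings sorted by advisory id."""
    findings = []
    for adv in advisories:
        for comp in components:
            if comp["purl"] == adv["purl"] and version_less_than(comp["version"], adv["fixed"]):
                findings.append({
                    "advisory": adv["id"],
                    "component": comp["name"],
                    "version": comp["version"],
                    "fixed": adv["fixed"],
                })
    return sorted(findings, key=lambda f: f["advisory"])


if __name__ == "__main__":
    for f in find_vulnerable(load_sbom_components(SBOM_JSON), ADVISORIES):
        print(f"{f['advisory']}: {f['component']} {f['version']} affected, fixed in {f['fixed']}")
```

Two design points matter for the documentation record. First, matching is done on the versionless purl rather than on the free-text component name, because the purl type and namespace disambiguate packages that share a name across ecosystems. Second, components without a purl are skipped rather than silently treated as clean; an SBOM that omits purls is itself a finding to raise with the build team, since such components can never be checked automatically.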

Education and Awareness

To ensure regulatory readiness, device manufacturers must implement internal training programs, participate in industry working groups and integrate automated compliance tools for documentation management. Additionally, collaboration with Notified Bodies and market surveillance authorities is essential for understanding evolving regulatory expectations.

International Standard for Technical Documentation
For consistency and best practices, manufacturers should refer to EN IEC/IEEE 82079-1:2020, the European adoption of the international standard IEC/IEEE 82079-1, which sets out principles and general requirements for preparing the information for use (user instructions) of products.

Lesser-known insights

While the importance of documentation and transparency is recognized, there are critical aspects that many organizations overlook:

  • The role of Incident Response Plans: Well-documented incident response plans enhance transparency and preparedness, allowing organizations to respond swiftly to potential breaches.

  • Third-Party dependencies: Organizations often neglect the need for transparency with third-party suppliers, which can introduce risks into the supply chain.

  • Crisis communication: Effective documentation can streamline crisis communication efforts, ensuring that accurate information is disseminated promptly during an incident.

Tools and Technologies

To facilitate compliance with the CRA, organizations can leverage various tools and technologies:

  • Risk Management Software: Solutions like RSA Archer help organizations identify and manage risks within their supply chains.

  • Compliance Management Tools: Platforms such as ComplyAdvantage streamline the process of maintaining regulatory compliance.

  • Documentation Management Systems: Tools like M-Files enable effective organization and retrieval of technical documentation.

  • Training Platforms: Learning management systems (LMS) such as Moodle provide resources for employee training on compliance and best practices.
