Documents Checklist

This guide explains what documents you need for CRA compliance, which CRA articles require them, and how to upload them to CRA Evidence.

Overview

CRA compliance requires more than an SBOM. You also need documentation covering:

  • How you designed for security (risk assessment)
  • Your formal compliance declaration (EU DoC)
  • How users should operate your product securely (user manual)
  • How you handle vulnerability reports (disclosure policy)

Required Documents Summary

Document                         | CRA Reference             | Required For       | Status in CRA Evidence
Risk Assessment                  | Art. 13(2), Annex VII.3   | All products       | Required
EU Declaration of Conformity     | Art. 28, Annex VII.5      | All products       | Required
User Manual                      | Annex II, Annex VII.9     | All products       | Required
Vulnerability Disclosure Policy  | Art. 13(8), Annex VII.4   | All products       | Required
Technical Documentation          | Annex VII.2               | All products       | Recommended
Test Reports                     | Annex VII.7               | Self-assessment    | Recommended
Third-Party Audit                | Art. 32-34                | Class II/Critical  | If applicable

Required Documents (All Products)

Risk Assessment

CRA Reference: Article 13(2), Annex VII point 3

What It Is: A document describing the cybersecurity risk assessment you performed during design and development.

What CRA Says:

"Manufacturers shall undertake an assessment of the cybersecurity risks associated with a product with digital elements and take the outcome of that assessment into account during the planning, design, development, production, delivery and maintenance phases."

What to Include:

  • Threat model (what attacks are possible?)
  • Risk identification (what could go wrong?)
  • Risk evaluation (how severe? how likely?)
  • Mitigation measures (what did you do about it?)
  • Residual risks (what remains acceptable?)

Format: PDF recommended; any of the formats listed under Common Questions is accepted

Upload in CRA Evidence: Document type: risk_assessment


EU Declaration of Conformity

CRA Reference: Article 28, Annex V, Annex VII point 5

What It Is: A formal declaration that your product meets CRA requirements.

What CRA Says:

"The EU declaration of conformity shall state that compliance with the essential cybersecurity requirements set out in Part I of Annex I has been demonstrated."

What to Include (per Annex V):

  1. Product name and type, plus any additional information enabling unique identification
  2. Name and address of the manufacturer (or of its authorised representative)
  3. Statement that the declaration is issued under the sole responsibility of the manufacturer
  4. Object of the declaration (identification of the product allowing traceability)
  5. Statement that the object is in conformity with Regulation (EU) 2024/2847 and any other applicable Union harmonisation legislation
  6. References to the harmonised standards or other common specifications applied
  7. Where applicable, the notified body's name and number, the conformity assessment procedure followed, and the certificate identification
  8. Additional information (CE marking date, support period, etc.), then place, date, name, function and signature

Template Structure:

EU DECLARATION OF CONFORMITY

1. Product: [Name], [Model], [Version]
2. Manufacturer: [Legal Name]
   Address: [Full Address]
3. This declaration of conformity is issued under the sole
   responsibility of the manufacturer.
4. Object of the declaration: [Product description]
5. The object of the declaration described above is in conformity
   with the relevant Union harmonisation legislation:
   - Regulation (EU) 2024/2847 (Cyber Resilience Act)
6. References to the relevant harmonised standards or common specifications applied:
   - [List each standard or specification with its edition/date, or state "none" if
     conformity was demonstrated without harmonised standards]
7. [Notified body info if applicable]
8. Additional information:
   - CE marking affixed: [Date]
   - Support period: [End date]

Signed for and on behalf of:
[Name, Title]
[Place and Date]
[Signature]

Upload in CRA Evidence: Document type: eu_declaration_of_conformity


User Manual

CRA Reference: Annex II, Annex VII point 9

What It Is: Instructions for users on how to install, configure, and operate your product securely.

What CRA Says (Annex II):

"Products with digital elements shall be accompanied by instructions and information... including as a minimum: (a) name, registered trade name... of the manufacturer; (b) single point of contact; (c) a description of the product... (d) when security support will end; (e) instructions for the secure installation, operation and maintenance..."

What to Include:

  • Product identification
  • Manufacturer contact information
  • Security support end date
  • Secure installation instructions
  • Secure configuration guidance
  • Secure operation guidelines
  • Update/patching instructions
  • Secure decommissioning guidance

Minimum Security Topics:

  • Default passwords (should be none, or forced change)
  • Network security configuration
  • Data protection settings
  • Logging and monitoring setup
  • Backup and recovery

Upload in CRA Evidence: Document type: user_manual


Vulnerability Disclosure Policy

CRA Reference: Article 13(8), Annex VII point 4, Annex I Part II

What It Is: Your policy describing how external parties can report vulnerabilities and how you handle them.

What CRA Says:

"Manufacturers shall have in place appropriate policies and procedures, including coordinated vulnerability disclosure policies, for processing and remediating potential vulnerabilities in the product with digital elements reported from internal or external sources."

What to Include:

  • How to report (email, web form, etc.), advertised where researchers look for it: a /.well-known/security.txt file (RFC 9116) pointing at this policy is the convention
  • What information to provide
  • Response timeline commitments
  • Coordination process
  • Disclosure timeline
  • Recognition/credits policy
  • Legal safe harbor (recommended)

Template Structure:

VULNERABILITY DISCLOSURE POLICY

1. INTRODUCTION
   [Company] welcomes reports of security vulnerabilities in [Product].

2. SCOPE
   This policy covers: [list products/versions]

3. HOW TO REPORT
   Email: security@[your-domain]  (also listed in /.well-known/security.txt)
   Include: Description, affected version, steps to reproduce, impact assessment

4. WHAT WE COMMIT TO
   - Acknowledge receipt within [X] business days
   - Provide status update within [Y] days
   - Work with you on coordinated disclosure

5. SAFE HARBOR
   We will not take legal action against researchers who:
   - Report vulnerabilities in good faith
   - Do not access user data
   - Do not disrupt services

6. RECOGNITION
   We credit researchers in our security advisories.

7. RESPONSE TIMELINE
   - Critical: [X] days to patch
   - High: [Y] days to patch
   - Medium: [Z] days to patch

Upload in CRA Evidence: Document type: vulnerability_policy


Technical Documentation

CRA Reference: Annex VII point 2

What It Is: Description of the design and development of your product.

What to Include:

  • Architecture overview
  • Security design decisions
  • Component interactions
  • Data flow diagrams
  • Authentication/authorization design
  • Cryptographic implementations

Upload in CRA Evidence: Document type: technical_documentation


Test Reports

CRA Reference: Annex VII point 7

What It Is: Summary of testing performed to validate security requirements.

What to Include:

  • Test scope and methodology
  • Security test results
  • Penetration test findings (if performed)
  • Compliance test results
  • Remediation of findings

Upload in CRA Evidence: Document type: test_report


Category-Specific Requirements

Important Class I Products

Class I products may use self-assessment only if harmonised standards, common specifications or a European cybersecurity certification scheme are applied in full (Art. 32); otherwise a notified body must be involved. If you are self-assessing against harmonised standards, add:

Additional Document  | Description
Standards Mapping    | How your product meets each clause of the applied standard
Conformity Evidence  | Test results against the standard's requirements

Important Class II and Critical Products

Third-party assessment required:

Additional Document       | CRA Reference | Description
Third-Party Audit Report  | Art. 32-34    | Assessment by a notified body
Conformity Certificate    | Art. 34       | Certificate issued by the notified body

Upload in CRA Evidence: Document types: third_party_audit, conformity_certificate


How to Upload Documents

Via Web Interface

  1. Navigate to your Product > Version
  2. Click the Documents tab
  3. Click Upload Document
  4. Select the document type from the dropdown
  5. Add a description (optional but recommended)
  6. Choose your file
  7. Click Upload

Via CLI

Use the upload-document CLI command:

craevidence upload-document \
  --product my-product \
  --version 1.2.3 \
  --type risk_assessment \
  --file risk-assessment.pdf

Via API (CI endpoint)

curl -X POST "https://app.craevidence.com/api/v1/ci/upload" \
  -H "Authorization: Bearer $API_TOKEN" \
  -F "file=@risk-assessment.pdf" \
  -F "product=my-product" \
  -F "version=1.2.3" \
  -F "artifact_type=document" \
  -F "document_type=risk_assessment"
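The CLI and API calls above upload one document at a time. The script below is an added example, not part of CRA Evidence's own tooling: it checks that all four documents required for "Ready" status are present in a directory before sending any of them through the CI endpoint shown above. It assumes the `[Product]-[Type]-[Date].pdf` naming recommended under Best Practices on this page, with `[Type]` being an API document type from the Document Type Reference; `CRAE_API`, `DRY_RUN` and the function names are this example's own inventions.

```shell
#!/bin/sh
# Added example (not CRA Evidence tooling): CI helper around the documented
# CI upload endpoint. Assumptions: documents live in one directory and are
# named [Product]-[Type]-[Date].pdf where [Type] is an API document type;
# DRY_RUN=1 prints the curl call instead of sending it.
set -u

CRAE_API="${CRAE_API:-https://app.craevidence.com/api/v1/ci/upload}"
REQUIRED_TYPES="risk_assessment eu_declaration_of_conformity user_manual vulnerability_policy"
KNOWN_TYPES="$REQUIRED_TYPES technical_documentation test_report third_party_audit conformity_certificate security_advisory architecture_diagram other"

# doc_type_from_name FILE: print the document type embedded in the file name,
# e.g. my-product-user_manual-2026-02-27.pdf -> user_manual. Returns 1 if the
# name carries no known type (product names must not contain a type token).
doc_type_from_name() {
    name=$(basename "$1")
    for t in $KNOWN_TYPES; do
        case "$name" in
            *-"$t"-*) printf '%s\n' "$t"; return 0 ;;
        esac
    done
    return 1
}

# missing_required DIR: print the required types that have no file in DIR.
# Returns 0 when every required document is present, 1 otherwise.
missing_required() {
    dir=$1; missing=""
    for t in $REQUIRED_TYPES; do
        found=0
        for f in "$dir"/*-"$t"-*; do
            [ -e "$f" ] && found=1
        done
        [ "$found" -eq 1 ] || missing="$missing $t"
    done
    missing=${missing# }
    [ -z "$missing" ] && return 0
    printf '%s\n' "$missing"
    return 1
}

# upload_document PRODUCT VERSION FILE: POST one document with the form fields
# documented on this page. Returns 2 on local errors before anything is sent.
upload_document() {
    product=$1; version=$2; file=$3
    type=$(doc_type_from_name "$file") || { echo "no known document type in name: $file" >&2; return 2; }
    [ -r "$file" ] || { echo "cannot read: $file" >&2; return 2; }
    if [ "${DRY_RUN:-0}" = 1 ]; then
        token='$API_TOKEN'      # dry run prints the placeholder, never the secret
    else
        token=${API_TOKEN:-}
        [ -n "$token" ] || { echo "API_TOKEN is not set" >&2; return 2; }
    fi
    set -- curl --fail --silent --show-error -X POST "$CRAE_API" \
        -H "Authorization: Bearer $token" \
        -F "file=@$file" -F "product=$product" -F "version=$version" \
        -F "artifact_type=document" -F "document_type=$type"
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s ' "$@"; printf '\n'; return 0; fi
    "$@"
}

# upload_all PRODUCT VERSION DIR: refuse to upload anything while a required
# document is missing (the version would stay "Incomplete" anyway), otherwise
# upload every recognised document in DIR and report if any upload failed.
upload_all() {
    product=$1; version=$2; dir=$3
    if ! missing=$(missing_required "$dir"); then
        echo "Incomplete: missing $missing" >&2
        return 1
    fi
    rc=0
    for f in "$dir"/*; do
        doc_type_from_name "$f" >/dev/null 2>&1 || continue
        upload_document "$product" "$version" "$f" || rc=1
    done
    return $rc
}
```

Run `DRY_RUN=1 upload_all my-product 1.2.3 ./compliance-docs` in a pipeline step to see the exact curl calls without sending anything; the token is printed as the literal `$API_TOKEN`. Gating on the full required set is a design choice: it turns a missing policy into a failed build rather than an "Incomplete" version discovered later. On shared CI runners the bearer token still appears in curl's process arguments; if that matters, put the header line in a file readable only by the job and pass it with `-H @file` instead.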

Document Requirements by CRA Article

Complete Mapping

CRA Article   | Requirement                   | Document Type
Art. 13(1)    | Compliance with Annex I       | Technical documentation
Art. 13(2)    | Risk assessment               | risk_assessment
Art. 13(3)    | Component due diligence       | SBOM (handled separately)
Art. 13(5)    | Support period                | Included in version metadata
Art. 13(6)    | Vulnerability identification  | Vulnerability tracking (CRA Evidence feature)
Art. 13(7)    | Effective corrections         | Remediation workflow (CRA Evidence feature)
Art. 13(8)    | Disclosure policy             | vulnerability_policy
Art. 13(10)   | SBOM                          | SBOM (handled separately)
Art. 13(12)   | Conformity assessment         | eu_declaration_of_conformity
Art. 13(14)   | Documentation retention       | All documents (10-year storage)
Art. 28       | EU Declaration                | eu_declaration_of_conformity
Annex II      | User information              | user_manual
Annex VII.2   | Design documentation          | technical_documentation
Annex VII.3   | Risk assessment               | risk_assessment
Annex VII.4   | Vulnerability handling        | vulnerability_policy
Annex VII.5   | EU Declaration                | eu_declaration_of_conformity
Annex VII.7   | Test reports                  | test_report
Annex VII.9   | User instructions             | user_manual

Achieving "CRA Ready" Status

CRA Evidence marks a product version "Ready" once all of the following artifacts are present:

  • [ ] At least one SBOM uploaded
  • [ ] Risk Assessment document
  • [ ] EU Declaration of Conformity
  • [ ] User Manual
  • [ ] Vulnerability Disclosure Policy

Status Meanings

Status      | What It Means
Incomplete  | Missing the SBOM or one or more required documents
Ready       | SBOM and all required documents present

Note: "Ready" status means CRA Evidence has the artifacts it needs. Actual compliance also depends on the content of these documents being accurate and complete.


Best Practices

  1. Review annually: Update risk assessments and policies as threats evolve; outdated documentation is a compliance risk.
  2. Be specific: Generic templates don't demonstrate compliance — documents must clearly relate to your actual product.
  3. Use consistent naming: [Product]-[Type]-[Date].pdf makes audit retrieval straightforward.

Common Questions

Can I use one risk assessment for multiple versions?

Yes, if the security design hasn't changed significantly. However, you should:

  • Review and date-stamp for each release
  • Note any version-specific considerations
  • Update when there are material changes

What format should documents be?

PDF is recommended for formal documents (EU DoC, policies). CRA Evidence accepts:

  • PDF
  • Microsoft Office formats (docx, xlsx)
  • Plain text/Markdown
  • Images (for diagrams)

How long must I keep documents?

CRA Article 13(14) requires keeping the technical documentation and the EU declaration of conformity at the disposal of market surveillance authorities for:

  • 10 years after the product is placed on the market, OR
  • the support period, whichever is longer

CRA Evidence is designed for long-term storage.

What if my product doesn't have a user manual?

All products need instructions for secure use. Even if your product is "self-explanatory":

  • Document secure configuration
  • Explain security features
  • Describe update procedures
  • Provide contact information

Next Steps

After uploading your documents:

  1. Vulnerability Workflow - Understand vulnerability handling
  2. Technical File Export - Generate your compliance bundle

Document Type Reference

Document Type (API)           | Display Name                    | Required
risk_assessment               | Risk Assessment                 | Yes
eu_declaration_of_conformity  | EU Declaration of Conformity    | Yes
user_manual                   | User Manual                     | Yes
vulnerability_policy          | Vulnerability Disclosure Policy | Yes
technical_documentation       | Technical Documentation         | No
test_report                   | Test Report                     | No
third_party_audit             | Third-Party Audit               | Class II/Critical
conformity_certificate        | Conformity Certificate          | Class II/Critical
security_advisory             | Security Advisory               | No
architecture_diagram          | Architecture Diagram            | No
other                         | Other                           | No
Last updated February 27, 2026