Required documents
This page explains how to upload each document type into CRA Evidence and which CLI --type value to use. Anchor IDs match the doc_type values used in the application, enabling deep links from the product documentation interface directly to the relevant entry below.
For what each document must contain under the CRA, see the hub: Technical documentation and Declaration of conformity.
Tip: Some documents apply to the product as a whole (policies, manuals) and are automatically linked to every new version. Others are version-specific (risk assessments, declarations). See the Documents checklist for the distinction.
CLI upload type map
When uploading documents from CI, use the exact --type value that matches the evidence file.
| Evidence | CLI --type |
|---|---|
| Vulnerability handling policy | vulnerability_policy |
| User manual or security instructions | user_manual |
| Coordinated vulnerability disclosure policy | coordinated_disclosure_policy |
| Secure development lifecycle policy | secure_development_policy |
| Update mechanism documentation | update_mechanism_documentation |
| Cybersecurity risk assessment | risk_assessment |
| Technical documentation | technical_documentation |
| EU declaration of conformity | eu_declaration_of_conformity |
| Threat model | threat_model |
| Test report | test_report |
| Third-party audit | third_party_audit |
| Supplier due diligence | supplier_due_diligence |
```bash
craevidence upload-document \
  --product acme-router \
  --version 2.4.1 \
  --file release-evidence/risk-assessment.md \
  --type risk_assessment
```
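A CI job can check every `--type` value against the table above before anything is uploaded, so a typo such as `risk-assessment` fails the job up front instead of partway through a release. The script below is an added example, not part of the CRA Evidence CLI. The manifest format, the function names, and the `CRAEVIDENCE` override variable are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example (not part of the CRA Evidence CLI): fail fast on a wrong
# --type before anything is uploaded. Assumed manifest format: one
# "<type> <file>" pair per line; lines starting with '#' are comments.

# Exact --type values from the table on this page.
VALID_TYPES="vulnerability_policy user_manual coordinated_disclosure_policy
secure_development_policy update_mechanism_documentation risk_assessment
technical_documentation eu_declaration_of_conformity threat_model test_report
third_party_audit supplier_due_diligence"

is_valid_type() {
  local t
  for t in $VALID_TYPES; do
    [ "$t" = "$1" ] && return 0   # exact match only, no prefixes or substrings
  done
  return 1
}

# Validate every manifest entry; report each problem, return 1 if any exist.
check_manifest() {
  local manifest=$1 type file n=0 bad=0
  while read -r type file || [ -n "$type" ]; do
    n=$((n + 1))
    case "$type" in ''|'#'*) continue ;; esac
    if ! is_valid_type "$type"; then
      echo "line $n: unknown --type '$type'" >&2; bad=1
    elif [ ! -s "$file" ]; then
      echo "line $n: missing or empty file '$file'" >&2; bad=1
    fi
  done < "$manifest"
  return "$bad"
}

# Upload all entries only after the whole manifest validates.
# CRAEVIDENCE is a hypothetical override so CI can dry-run with "echo".
upload_all() {
  local product=$1 version=$2 manifest=$3 type file
  check_manifest "$manifest" || return 1
  while read -r type file || [ -n "$type" ]; do
    case "$type" in ''|'#'*) continue ;; esac
    "${CRAEVIDENCE:-craevidence}" upload-document \
      --product "$product" --version "$version" \
      --file "$file" --type "$type" < /dev/null || return 1
  done < "$manifest"
}

# Runs only when called as: script.sh <product> <version> <manifest>
if [ "$#" -eq 3 ]; then upload_all "$@"; fi
```

Setting `CRAEVIDENCE=echo` prints the commands that would run without contacting the service.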
What each document must contain
CRA Evidence stores and links these documents to your products and versions, but it does not define their regulatory content. For the required content of each document type, see the hub:
- Technical documentation. Covers the technical file, risk assessment, secure development, update mechanism, vulnerability handling, user instructions, and audit reports.
- Declaration of conformity. Covers the EU declaration of conformity and its mandatory fields.
The anchors below match the application's doc_type values so that deep links from the product documentation interface resolve to the right entry.
Vulnerability handling policy
Scope: product-level, applies to all versions. Required content: see Technical documentation.
User manual: security section
Scope: product-level, applies to all versions. Required content: see Technical documentation.
Coordinated vulnerability disclosure policy
Scope: product-level, applies to all versions. Required content: see Technical documentation.
Secure development lifecycle policy
Scope: product-level, applies to all versions. Required content: see Technical documentation.
Update mechanism documentation
Scope: product-level, applies to all versions. Required content: see Technical documentation.
Cybersecurity risk assessment
Scope: version-specific, must reflect the specific software version, hardware revision, or product variant. Required content: see Technical documentation.
EU declaration of conformity
Scope: version-specific, must be drawn up for each product version placed on the market. Required content: see Declaration of conformity.
Third-party audit report
Scope: version-specific, issued by the notified body for the assessed product version or type. You upload the report you receive from the notified body. Required content: see Conformity assessment.
See also
- Documentation guide. How to upload and manage documents in CRA Evidence.
- Conformity assessment. Which assessment procedure applies to your product category.
- Technical file export. Compile all your documents into a complete Annex VII technical file.
- Understanding the CRA. Product categories, core requirements, and the full obligation overview.