Technical File Export
This guide explains how to export your CRA technical file from CRA Evidence, what's included, and how to use it with regulators.
What is a Technical File?
A technical file is the complete documentation package required by CRA Annex VII. It demonstrates that your product meets the essential cybersecurity requirements.
CRA Article 31 states:
"The technical documentation referred to in Article 13(14) shall contain at least the information set out in Annex VII, as applicable to the relevant product with digital elements."
When You Need It
- Market surveillance: When authorities request documentation
- CE marking: To support your compliance declaration
- Customer requests: Enterprise customers may request evidence
- Audits: For third-party conformity assessments
- Records: 10-year retention requirement
What's Included
CRA Evidence generates a ZIP archive containing:
{product}-{version}-technical-file-{date}.zip
|
+-- manifest.json # Machine-readable metadata
+-- README.md # Human-readable summary
+-- CRA_COMPLIANCE_CHECKLIST.md # Annex VII compliance checklist
+-- sboms/ # Software Bills of Materials
| +-- sbom-v1.0.json
| +-- sbom-components.json
+-- documents/ # CRA-required documentation
+-- risk_assessment/
+-- eu_declaration_of_conformity/
+-- user_manual/
+-- vulnerability_policy/
+-- technical_documentation/
+-- test_report/
manifest.json
Machine-readable file containing all CRA metadata:
- Manufacturer information (Annex II)
- Product and version details (Annex VII.1)
- CRA status and completeness
- Harmonised standards applied (Annex VII.6)
- Vulnerability handling info (Annex VII.4, 11)
- Conformity assessment details (Annex VII.8)
- Support period info (Annex VII.10)
- CE marking details (Annex VII.13)
- SBOM metadata (Annex VII.12)
- Document inventory
Compliance Checklist
A point-by-point checklist mapping to Annex VII:
| # | Annex VII Requirement | Status | Notes |
|---|----------------------|--------|-------|
| 1 | General product description | Present | ... |
| 2 | Design documentation | Present | ... |
| 3 | Risk assessment | Present | ... |
...
This helps reviewers quickly assess completeness.
How to Export
Via Web Interface
- Navigate to your Product > Version
- Click the Export Technical File button
- ZIP file downloads automatically
Via API
curl -X GET "https://app.craevidence.com/api/v1/versions/{version_id}/export" \
-H "Authorization: Bearer $API_TOKEN" \
--output technical-file.zip
Options:
| Parameter | Default | Description |
|---|---|---|
include_sboms |
true | Include SBOM files |
include_documents |
true | Include document files |
Annex VII Mapping
The export covers all 13 Annex VII requirements:
| # | Annex VII Requirement | Source in CRA Evidence |
|---|---|---|
| 1 | General product description | Product/Version metadata |
| 2 | Design and development description | technical_documentation docs |
| 3 | Cybersecurity risk assessment | risk_assessment docs |
| 4 | Vulnerability handling procedures | vulnerability_policy docs |
| 5 | EU Declaration of Conformity | eu_declaration_of_conformity docs |
| 6 | Harmonised standards applied | Version harmonised_standards_applied field |
| 7 | Test reports summary | test_report docs |
| 8 | Conformity assessment info | Version conformity assessment fields |
| 9 | User instructions (Annex II) | user_manual docs |
| 10 | Support period info | Version lifecycle fields |
| 11 | Vulnerability contact point | Organisation vulnerability_contact_point |
| 12 | SBOM | SBOM entities |
| 13 | CE marking info | Version CE marking fields |
Preparing for Complete Export
For a complete technical file, ensure you've configured:
Organisation Settings
Required for manufacturer information (Annex II):
- [ ] Legal name
- [ ] Full address (line 1, city, postal code, country)
- [ ] Contact email
- [ ] Vulnerability contact point (for Annex VII.11)
- [ ] CSIRT member state
Version Settings
Required for compliance evidence:
- [ ] Release date
- [ ] End of support date
- [ ] Support period justification
- [ ] Harmonised standards applied (if any)
- [ ] Conformity assessment type
- [ ] CE marking applied (when and by whom)
- [ ] Secure-by-default confirmation
Documents
Upload all required documents:
- [ ] Risk assessment
- [ ] EU Declaration of Conformity
- [ ] User manual
- [ ] Vulnerability disclosure policy
SBOM
- [ ] At least one SBOM uploaded
- [ ] Acceptable quality score
Understanding the Export Status
CRA Status in Export
The export includes a status assessment:
| Status | Meaning |
|---|---|
| Ready | All required items present |
| Incomplete | One or more required items missing |
Missing Items Report
The manifest includes a missing_items array showing gaps:
{
"cra_status": {
"status": "incomplete",
"missing_items": [
"risk_assessment document",
"harmonised_standards_applied"
]
}
}
Using the Technical File
For Market Surveillance
When authorities request documentation:
- Generate a fresh export close to the request date
- Provide the complete ZIP file
- The manifest provides machine-readable verification
- The checklist shows compliance point-by-point
For CE Marking
Before applying CE marking:
- Export technical file
- Verify "Ready" status
- Review the compliance checklist
- Address any gaps
- Proceed with marking
For Customer Requests
Enterprise customers may request:
- SBOM only: Download from SBOM section
- Full technical file: Export as described
- Specific documents: Download individually
For Internal Records
CRA requires 10-year retention:
- Export technical file at each release
- Store in your document management system
- Include in your backup procedures
- Tag with version and export date
Retention Requirements
CRA Article 13(14) requires:
"Technical documentation shall be kept for a period of 10 years after the product... is placed on the market, or for the period of the expected lifetime of the product, whichever is longer."
What This Means
- Keep exports for at least 10 years after last sale
- CRA Evidence stores your data, but also maintain your own backups
- Consider EU data residency requirements
Tracking Market Placement
CRA Evidence tracks:
- First placed on market: When first unit sold
- Last placed on market: When final unit sold
The 10-year clock starts from last_placed_on_market.
Best Practices
When to Export
| Event | Action |
|---|---|
| New version release | Export and archive |
| Before CE marking | Export and verify completeness |
| Significant document update | Re-export |
| Regulatory request | Export fresh copy |
| Annual review | Export for records |
Export Naming Convention
Use consistent naming for your archives:
{product-slug}-{version}-technical-file-{YYYY-MM-DD}.zip
Example: myproduct-v2.1.0-technical-file-2025-06-15.zip
Verification Before Submission
Before submitting to authorities:
- Extract and review the
README.mdfile - Check the compliance checklist for gaps
- Verify all files are included
- Confirm manufacturer information is current
- Ensure CE marking date is accurate
Troubleshooting
Missing Files in Export
If documents don't appear:
- Verify documents are uploaded to the correct version
- Check document storage status (
content_availablein manifest) - Ensure S3/storage is accessible
"Incomplete" Status Despite Having Documents
Check that you have:
- Uploaded the correct document types (not just "other")
- Associated documents with the correct version
- Set required version fields (end of support date, etc.)
Large Export Size
If the export is very large:
- Review document file sizes
- Consider compressing large documents before upload
- Check for duplicate uploads
Export Timeout
For versions with many files:
- Try exporting via API with increased timeout
- Export SBOM and documents separately
- Contact support for assistance
API Reference
Export Technical File
GET /api/v1/versions/{version_id}/export
Authorization: Bearer <token>
Query Parameters:
| Parameter | Type | Default | Description |
|---|---|---|---|
| include_sboms | boolean | true | Include SBOM files |
| include_documents | boolean | true | Include document files |
Response:
200 OK: ZIP file withContent-Disposition: attachment404 Not Found: Version not found403 Forbidden: No access to version
Manifest Schema (v1.1)
Key sections in manifest.json:
{
"export_format": "CRA Evidence Technical File v1.1",
"exported_at": "2025-06-15T10:00:00Z",
"cra_annex_vii_version": "Regulation (EU) 2024/2847",
"manufacturer": {
"name": "...",
"address": "...",
"contact_email": "...",
"vulnerability_contact_point": "..."
},
"product": {
"name": "...",
"category": "important_class_i"
},
"version": "2.1.0",
"cra_status": {
"status": "ready",
"quality_score": 85,
"missing_items": []
},
"harmonised_standards_applied": [...],
"vulnerability_handling": {...},
"conformity_assessment": {...},
"retention": {...},
"ce_marking": {...},
"sboms": [...],
"documents": [...]
}
See the API documentation for complete schema details.
Next Steps
- FAQ - Common questions answered
- Core Concepts - CRA fundamentals and classification
Summary Checklist
Before exporting your final technical file:
Organisation Setup:
- [ ] Legal name and address configured
- [ ] Contact email set
- [ ] Vulnerability contact point defined
- [ ] CSIRT member state designated
Version Configuration:
- [ ] Release date set
- [ ] End of support date defined (5+ years)
- [ ] Support period justified
- [ ] CE marking recorded (if applicable)
- [ ] Conformity assessment type selected
Documents Uploaded:
- [ ] Risk assessment
- [ ] EU Declaration of Conformity
- [ ] User manual
- [ ] Vulnerability disclosure policy
SBOM:
- [ ] At least one SBOM uploaded
- [ ] Quality score acceptable (80+ recommended)
Final Check:
- [ ] Export and review the
README.mdfile - [ ] Verify compliance checklist shows all items present
- [ ] Archive export for 10-year retention
Last updated February 27, 2026
Was this page helpful?
Thanks for your feedback!
Help us improve. What was missing or unclear?