Technical file export

This guide explains how to export your CRA technical file from CRA Evidence, what is included, and how to use it with regulators.

What is included

CRA Evidence generates a ZIP archive containing:

{product}-{version}-technical-file-{date}.zip
|
+-- manifest.json              # Machine-readable metadata
+-- technical-file.pdf         # Comprehensive human-readable PDF
+-- sboms/                     # Software Bills of Materials
|   +-- sbom-v1.0.json
|   +-- sbom-components.json
+-- documents/                 # CRA-required documentation
    +-- risk_assessment/
    +-- eu_declaration_of_conformity/
    +-- user_manual/
    +-- vulnerability_policy/
    +-- technical_documentation/
    +-- test_report/

manifest.json

Machine-readable file containing all CRA metadata:

• Manufacturer information
• Product and version details
• CRA status and completeness
• Harmonised standards applied
• Vulnerability handling info
• Conformity assessment details
• Support period info
• CE marking details
• SBOM metadata
• Document inventory

---

How to export

Via web interface

1. Navigate to your Product > Version
2. Click the Export Technical File button
3. ZIP file downloads automatically

Via API

curl -X GET "https://api.craevidence.com/api/v1/exports/versions/{version_id}/technical-file" \
  -H "Authorization: Bearer $API_TOKEN" \
  --output technical-file.zip

Options:

---

Annex VII coverage

The export is structured to map onto the technical documentation content listed in Annex VII of the CRA (general description, design and vulnerability-handling processes, risk assessment, support-period information, standards applied, test reports, the EU declaration of conformity, and the SBOM). For what each Annex VII item requires, see Technical documentation on the CRA compliance hub.

---

Preparing for a complete export

For a complete technical file, make sure you have configured:

Organisation settings

Required for manufacturer information (Annex II):

• [ ] Legal name
• [ ] Full address (line 1, city, postal code, country)
• [ ] Contact email
• [ ] Vulnerability contact point
• [ ] CSIRT member state

Version settings

Required for compliance evidence:

• [ ] Release date
• [ ] End of support date
• [ ] Support period justification
• [ ] Harmonised standards applied (if any)
• [ ] Conformity assessment type
• [ ] CE marking applied (when and by whom)
• [ ] Secure-by-default confirmation

Documents

Upload all required documents:

• [ ] Risk assessment
• [ ] EU declaration of conformity
• [ ] User manual
• [ ] Vulnerability disclosure policy

SBOM

• [ ] At least one SBOM uploaded
• [ ] Acceptable quality score

---

Understanding the export status

CRA status in export

The export includes a status assessment:

Missing items report

The manifest includes a missing_items array showing gaps:

{
  "cra_status": {
    "status": "incomplete",
    "missing_items": [
      "risk_assessment document",
      "harmonised_standards_applied"
    ]
  }
}

---

Using the technical file

For market surveillance

When authorities request documentation:

1. Generate a fresh export close to the request date
2. Provide the complete ZIP file
3. The manifest provides machine-readable verification
4. The checklist shows compliance point-by-point

For CE marking

Before applying CE marking:

1. Export technical file
2. Verify "Ready" status
3. Review the compliance checklist
4. Address any gaps
5. Proceed with marking

For customer requests

Enterprise customers may request:

• SBOM only: Download from SBOM section
• Full technical file: Export as described
• Specific documents: Download individually

For internal records

The CRA requires 10-year retention:

1. Export technical file at each release
2. Store in your document management system
3. Include in your backup procedures
4. Tag with version and export date

---

Retention requirements

Article 13(14) of Regulation (EU) 2024/2847 requires:

"Technical documentation shall be kept for a period of 10 years after the product... is placed on the market, or for the period of the expected lifetime of the product, whichever is longer."

What this means

• Keep exports for at least 10 years after the last sale
• CRA Evidence stores your data, but also maintain your own backups
• Consider EU data residency requirements

Tracking market placement

CRA Evidence tracks:

• First placed on market: When first unit sold
• Last placed on market: When final unit sold

The 10-year clock starts from last_placed_on_market.

---

Best practices

When to export

Export naming convention

Use consistent naming for your archives:

{product-slug}-{version}-technical-file-{YYYY-MM-DD}.zip

Example: myproduct-v2.1.0-technical-file-2025-06-15.zip

Verification before submission

Before submitting to authorities:

1. Extract and review the technical-file.pdf file
2. Check the manifest missing_items array for gaps
3. Verify all files are included
4. Confirm manufacturer information is current
5. Ensure CE marking date is accurate

---

Troubleshooting

Missing files in export

If documents do not appear:

• Verify documents are uploaded to the correct version
• Check document storage status (content_available in manifest)
• Ensure S3/storage is accessible

"Incomplete" status despite having documents

Check that you have:

• Uploaded the correct document types (not just "other")
• Associated documents with the correct version
• Set required version fields (end of support date, and so on)

Large export size

If the export is very large:

• Review document file sizes
• Consider compressing large documents before upload
• Check for duplicate uploads

Export timeout

For versions with many files:

• Try exporting via API with increased timeout
• Export SBOM and documents separately
• Contact support for assistance

---

API reference

Export technical file

GET /api/v1/exports/versions/{version_id}/technical-file
Authorization: Bearer <token>

Query Parameters:

Response:

• 200 OK: ZIP file with Content-Disposition: attachment
• 404 Not Found: Version not found
• 403 Forbidden: No access to version

---

Manifest schema (v1.1)

Key sections in manifest.json:

{
  "export_format": "CRA Evidence Technical File v1.1",
  "exported_at": "2025-06-15T10:00:00Z",
  "cra_annex_vii_version": "Regulation (EU) 2024/2847",

  "manufacturer": {
    "name": "...",
    "address": "...",
    "contact_email": "...",
    "vulnerability_contact_point": "..."
  },

  "product": {
    "name": "...",
    "category": "important_class_i"
  },

  "version": "2.1.0",

  "cra_status": {
    "status": "ready",
    "quality_score": 85,
    "missing_items": []
  },

  "harmonised_standards_applied": [...],
  "vulnerability_handling": {...},
  "conformity_assessment": {...},
  "retention": {...},
  "ce_marking": {...},
  "sboms": [...],
  "documents": [...]
}

See the API documentation for complete schema details.

---

Summary checklist

Before exporting your final technical file:

Organisation setup:

• [ ] Legal name and address configured
• [ ] Contact email set
• [ ] Vulnerability contact point defined
• [ ] CSIRT member state designated

Version configuration:

• [ ] Release date set
• [ ] End of support date defined (5+ years)
• [ ] Support period justified
• [ ] CE marking recorded (if applicable)
• [ ] Conformity assessment type selected

Documents uploaded:

• [ ] Risk assessment
• [ ] EU declaration of conformity
• [ ] User manual
• [ ] Vulnerability disclosure policy

SBOM:

• [ ] At least one SBOM uploaded
• [ ] Quality score acceptable (80+ recommended)

Final check:

• [ ] Export and review the technical-file.pdf file
• [ ] Verify the manifest missing_items array is empty
• [ ] Archive the export for 10-year retention