What is the EU Cyber Resilience Act?

The CRA (Regulation 2024/2847) is an EU regulation requiring manufacturers of products with digital elements to meet cybersecurity requirements throughout the product lifecycle. It covers vulnerability handling, SBOM provision, and incident reporting to ENISA.

When does the CRA take effect?

Reporting obligations start 11 September 2026. All other requirements (vulnerability handling, SBOM, documentation, conformity assessment) apply from 11 December 2027.

Who does the CRA apply to?

Any manufacturer placing a product with digital elements on the EU market, including commercial software, IoT devices, and open-source projects with a commercial activity. SaaS is generally out of scope unless it involves embedded or downloadable components.

What is an SBOM and why does the CRA require it?

A Software Bill of Materials is a machine-readable inventory of all components in your software. The CRA requires it under Article 13(5) and Annex I Part II(1) so that downstream users and market surveillance authorities can identify vulnerable components.

How does Complaro help with CRA compliance?

Complaro helps automate the three hardest parts: classifying your products under CRA Annex III/IV, continuously scanning for known vulnerabilities, and generating pre-filled ENISA-format incident reports when actively exploited vulnerabilities are discovered.

CRA Technical Documentation Requirements: Full Guide

Technical documentation is the backbone of CRA compliance. It is what you present during conformity assessment, what market surveillance authorities request during investigations, and what proves you met the essential requirements when your product was placed on the market.

Without complete technical documentation, you cannot issue a valid EU Declaration of Conformity, apply a CE mark, or defend against enforcement action. This guide details exactly what you need to prepare.

What the CRA Requires

Annex VII of Regulation 2024/2847 specifies the contents of technical documentation. It must be drawn up before the product is placed on the market and kept up to date throughout the product's lifecycle. Here is each required element.

1. General Product Description

Provide a clear description of your product, including:

Intended purpose and core functionality
Hardware and software versions covered
How the product connects to networks and other devices
Visual representations (architecture diagrams, data flow diagrams)
User documentation and instructions for secure installation, configuration, and use

Be specific enough that an assessor can understand what the product does and how it works, but you do not need to disclose proprietary algorithms or trade secrets. Focus on security-relevant aspects.

2. Design and Development Documentation

Document how your product was designed and developed with security in mind. This maps directly to the Annex I Section 1 requirements and should cover:

Your threat model and how it informed design decisions
Security architecture and how components interact
How you addressed each essential cybersecurity requirement
Secure development lifecycle practices (coding standards, code review, testing methodology)
How the product handles authentication, authorization, and access control
Cryptographic implementations and key management
Data protection measures (encryption at rest and in transit)

This does not need to be a single monolithic document. Reference existing architecture documents, security design reviews, and development process documentation. Organize it so an assessor can trace each Annex I requirement to the corresponding documentation.

3. Risk Assessment

The CRA requires a cybersecurity risk assessment for your product. Document:

The risks identified through threat modeling
The likelihood and impact of each risk
How each identified risk is mitigated or accepted
Residual risks and why they are acceptable

Your risk assessment should cover both the product itself and its supply chain dependencies. A vulnerability in a critical third-party component is a product risk.

If your product processes personal data, consider aligning your CRA risk assessment with your GDPR Data Protection Impact Assessment to avoid duplication.

4. Software Bill of Materials (SBOM)

Include your SBOM in the technical documentation. The CRA requires an SBOM in a machine-readable format covering at minimum the top-level dependencies. Best practice includes:

CycloneDX or SPDX format
All direct and significant transitive dependencies
Package names, versions, and Package URLs
License information for each component
A process for keeping the SBOM current with each release

The SBOM must be made available to market surveillance authorities upon request. The CRA does not currently require publishing it to customers, but making it available enhances your supply chain transparency.

5. Test Reports

Document the security testing performed on your product. This includes:

Static analysis (SAST) results and how findings were addressed
Dynamic analysis (DAST) and penetration testing results
Dependency vulnerability scanning results
Fuzz testing results (where applicable)
Functional security testing (authentication bypass attempts, authorization checks, input validation)

You do not need to include every test run — include summary reports that demonstrate the scope and rigor of your testing program, along with evidence that identified issues were remediated.

6. Vulnerability Handling Documentation

Document your processes for handling vulnerabilities throughout the product lifecycle:

Your vulnerability disclosure policy (SECURITY.md)
Your vulnerability monitoring setup and data sources
Your triage and remediation process
Your ENISA reporting process and assigned responsibilities
How you communicate vulnerability fixes to users
Your security update delivery mechanism

7. Support Period

Clearly define and document the support period for your product — the duration during which you commit to providing security updates. Document:

The start and end date (or duration) of the support period
What the support period covers (security updates, bug fixes, feature updates)
How security updates will be delivered
What happens when the support period ends

The CRA requires that the support period be proportionate to the expected product lifetime. For IoT devices, this is particularly important given their long operational lifetimes.

8. EU Declaration of Conformity

The Declaration of Conformity is a formal document (specified in Annex V) in which the manufacturer declares that the product meets all CRA requirements. It includes manufacturer identification, product identification, the declaration statement, references to applicable regulations and standards, and the signature of an authorized person.

See our CE marking guide for the complete format and process.

Retention and Availability

Technical documentation must be:

Kept for 10 years after the product is placed on the market, or for the duration of the support period — whichever is longer
Made available to market surveillance authorities upon request within a reasonable timeframe
Provided in a language that can be easily understood by the authorities of the member state concerned

Store your documentation in a versioned, accessible system. Link documentation versions to product versions so you can produce the documentation that was current when a specific version was placed on the market.

Keeping Documentation Current

Technical documentation is not a one-time exercise. Update it when:

You release a new product version with security-relevant changes
Your SBOM changes (new dependencies, updated versions)
Your threat model changes (new attack vectors, changed risk profile)
Your vulnerability handling processes change
Test results identify new risks or confirm remediation of old ones

Automate what you can. Generate the SBOM from your CI/CD pipeline. Link test reports to build artifacts. Use tooling to track which documentation elements need updating when the product changes.

Practical Tips

Start now. Documentation is the most time-consuming part of CRA compliance. Do not leave it until the deadline.
Build incrementally. You do not need a perfect documentation package on day one. Start with the SBOM and vulnerability handling documentation (needed for the September 2026 deadline), then add design docs and test reports.
Use a consistent structure. Create a documentation template that maps each section to the corresponding Annex VII requirement. This makes it easy for assessors to verify completeness.
Cross-reference. Do not duplicate information. Reference existing documents (architecture docs, security policies, test plans) rather than rewriting them.
Automate generation. SBOMs, test report summaries, and dependency audit results can all be generated automatically from your CI/CD pipeline.

For a complete preparation timeline, see our CRA compliance checklist. To assess your readiness, run cra-scanner and use the readiness score guide to interpret your results.

Complaro automates the technical elements of your CRA documentation — SBOM generation and management, vulnerability scan results, ENISA report history, and compliance status tracking. Get started free.

CRA Technical Documentation Requirements: What You Need to Prepare