Free documentation pack
CRA Documentation Templates
Before you can CE-mark a product under the EU Cyber Resilience Act, you need a set of technical documents in place: an Annex VII documentation package, a machine-readable SBOM, a CVD policy, and an EU Declaration of Conformity. This pack gives you a ready-to-adapt template for each one, free.
What's in the pack
Technical documentation index (Annex VII)
A structured index covering every element Annex VII requires: product description, design and production information, risk assessment, SBOM, vulnerability handling, and more. Use it as a checklist and a filing map.
SBOM starter template (CycloneDX JSON)
A machine-readable CycloneDX JSON template pre-populated with the minimum required fields. Drop it into your repository and fill in your components.
CVD policy template
A coordinated vulnerability disclosure policy template aligned with CRA requirements and ISO 29147. Covers scope, reporting channels, timelines, and the CVD contact point.
EU Declaration of Conformity outline
An outline for the EU DoC you must draw up before CE marking your product. Covers the required elements: product identification, standards applied, conformity assessment procedure, and manufacturer declaration.
What Annex VII actually requires
Annex VII of the CRA lists the elements the technical documentation must contain. It is not optional, and it is not a formality: market surveillance authorities can and will ask to see it. Here is the plain-English version of what needs to be in there.
General description of the product
What the product is, who it is for, the intended use, and the digital elements it contains.
Design and development documentation
Architecture, design choices relevant to security, information about the development environment and the development lifecycle.
Cybersecurity risk assessment
A documented assessment of the cybersecurity risks the product may face and the measures taken to address them.
SBOM
A machine-readable software bill of materials listing at least all top-level dependencies, in CycloneDX or SPDX format.
Vulnerability handling procedures
How you identify, assess and fix vulnerabilities, including your CVD process and your security update release process.
EU Declaration of Conformity
The signed declaration that the product meets the CRA requirements. Required before CE marking.
Key dates for manufacturers
11 September 2026: reporting obligations apply
11 December 2027: full CRA application
Documentation questions people ask
What is technical documentation under the CRA?
Technical documentation is the package of evidence a manufacturer must draw up before placing a product on the EU market. Annex VII of the CRA lists what it must contain: a product description, design and production information, a cybersecurity risk assessment, the SBOM, vulnerability handling procedures, and more. You must keep it for ten years after the product is placed on the market and produce it on request to market surveillance authorities.
Who needs to prepare technical documentation?
Manufacturers of products with digital elements placed on the EU market. Importers and distributors do not draw up the technical documentation themselves, but they must ensure one exists and cooperate with authorities if asked. If you are an importer or distributor, the readiness checklist explains your specific obligations.
What must the SBOM contain?
At minimum, the SBOM must list all top-level (direct) dependencies in machine-readable format. CycloneDX and SPDX are the two recognised standards. It must be included in the technical documentation. Best practice is to include transitive dependencies and package URLs (PURLs) so it can drive automated vulnerability scanning.
What is a CVD policy and why is it required?
A coordinated vulnerability disclosure policy sets out how you receive, acknowledge, investigate and fix vulnerability reports from external researchers. The CRA requires manufacturers to have a CVD policy and a publicly accessible contact point so researchers know how to reach you. Without one, you are not compliant - and you're likely missing vulnerability reports that could affect your users.
When do I need technical documentation ready?
The CRA reporting obligations for manufacturers take effect 11 September 2026 (24h/72h/14d notifications to ENISA). Full application of the CRA, including the technical documentation, CE marking and DoC requirements, takes effect 11 December 2027. You should have documentation ready well in advance of these dates if you intend to place products on the EU market.
Sources
- [1] Regulation (EU) 2024/2847 (Cyber Resilience Act), on EUR-Lex, retrieved 8 Jun 2026
- [2] European Commission, Cyber Resilience Act summary, retrieved 8 Jun 2026
- [3] European Commission, Cyber Resilience Act policy page, retrieved 8 Jun 2026
- [4] ENISA, Single Reporting Platform (SRP), retrieved 8 Jun 2026
This is guidance to help you understand CRA documentation requirements, not legal advice. For decisions specific to your product and business, confirm with the official sources we link or a qualified adviser.