Reg (EU) 2024/2847Generate dossier — €149
LIVE — Enforcement tracker · Deadline dashboard · Transposition status — Updated weekly from EUR-Lex, Safety Gate, OEIL & 12 official sourcesView regulatory intelligence →

Article 31 of Regulation (EU) 2024/2847 requires manufacturers to draw up technical documentation containing at least the 8 elements set out in Annex VII before placing the product on the EU market. The documentation must be continuously updated during the support period. It is the file that market surveillance authorities, notified bodies, and customs officials will request. This page explains each element, what it means in practice, and how CRACheck structures it.

Annex VII is the backbone of CRA compliance documentation. It requires: (1) a general product description including intended purpose, software versions, and hardware layout; (2) design, development, and production information including system architecture, SBOM, and CVD policy; (3) the cybersecurity risk assessment under Article 13; (4) the support period rationale; (5) harmonised standards or alternative solutions applied; (6) test reports; (7) a copy of the EU Declaration of Conformity; and (8) the SBOM upon reasoned request from market surveillance authorities. CRACheck structures all 8 elements into a single file. €149 per product. 15–25 minutes. 100% in your browser.

Generate CRA dossier — €149Free: check your product classification

€149 one-time · 8-document ZIP · 15–25 minutes · Browser-side

Regulation (EU) 2024/2847 · Art. 31 + Annex VII · 8 documents · 100% browser-side

Key figures

8
Elements required in the technical documentation under Annex VII
10 yr
Minimum retention period per Annex VIII Part I point (4.2)
Art. 31
Legal basis for the technical documentation obligation

How CRACheck structures the 8 Annex VII elements

1
General product description (Annex VII §1)
You enter the product's intended purpose, software versions affecting compliance, hardware photographs/illustrations if applicable, and user information per Annex II. CRACheck structures this as the opening section of the technical documentation.
2
Design, development, production & vulnerability handling (Annex VII §2)
You describe the system architecture, software component dependencies, the SBOM (top-level), the CVD policy, the contact address for vulnerability reporting, the mechanism for distributing security updates, and the production monitoring processes.
3
Cybersecurity risk assessment (Annex VII §3)
CRACheck generates the risk assessment framework per Article 13(2)–(3), mapping each applicable Annex I requirement to identified risks, implemented mitigations, and residual risk levels.
4
Support period rationale (Annex VII §4)
You declare the support period and the factors considered per Article 13(8): expected product lifetime, market comparables, operating environment availability, and third-party component support periods.
5
Standards and specifications (Annex VII §5)
You declare which harmonised standards, common specifications, or European cybersecurity certification schemes have been applied, in full or in part. Where none have been applied, you describe the alternative technical solutions adopted.
6
Test reports (Annex VII §6)
You reference or attach the results of conformity tests. CRACheck provides a structured section for test scope, methodology, results, and date.
7
EU Declaration of Conformity (Annex VII §7)
CRACheck generates the Declaration per Article 28 and Annex V, embedded as a section of the technical documentation.

Common mistakes

ANNEX VII · §2

Treating the SBOM as optional

Annex VII §2(b) requires "the software bill of materials" as part of the vulnerability handling processes. Annex I Part II point (1) requires the manufacturer to draw up an SBOM in a commonly used and machine-readable format covering at least the top-level dependencies. The SBOM is not optional — its existence must be documented in the technical file.

ART. 31(2)

Creating the documentation once and never updating it

Article 31(2) states that the technical documentation "shall be continuously updated, where appropriate, at least during the support period." A static document produced in 2027 that is never revised for new vulnerabilities, updated components, or changed standards does not comply.

ANNEX VII · §5

Claiming harmonised standards without specifying which parts were applied

Annex VII §5 requires a list of harmonised standards applied "in full or in part." If applied only in part, the technical documentation must specify the parts applied. A blanket "EN standard applied" without identifying specific clauses is insufficient.

What the ZIP contains

8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it complies with.

1

Product Classifier

Identifies your product category and the conformity assessment module. Corresponds to Annex VII preamble requirements.

2

Technical Documentation

The core Annex VII file. Contains all 8 required elements: product description, design and development, risk assessment, support period, standards, test reports, Declaration, SBOM reference.

3

Risk Assessment

Cybersecurity risk assessment per Article 13(2)–(3). Corresponds to Annex VII §3.

4

User Information

Annex II information sheet. Referenced in Annex VII §1(d).

5

Declaration of Conformity

EU Declaration per Article 28 and Annex V. Included in the technical file per Annex VII §7.

6

CVD Policy

Coordinated vulnerability disclosure policy. Part of the design and development section per Annex VII §2.

7

Notification Template

ENISA/CSIRT notification template per Article 14. Art. 14(2): early warning within 24h, notification within 72h, final report within 14 days.

8

Obligations Calendar

Key dates including the 10-year retention obligation and support period milestones.

See before you buy — Download sample dossier (PDF, fictional company) — Real structure, real articles, real format. Fictional data.

Generated from your data, in your browser. No data leaves your device.

What you pay

🧾 THE ALTERNATIVE
Technical documentation consultancy
€10,000–25,000 per product
2–6 months
Requires deep access to your engineering team
Deliverable format varies
✓ CRACHECK
€149 per product
15–25 minutes
8 structured PDFs covering all 8 Annex VII elements
You fill the data; CRACheck organises it into the required structure
30-day edit window. 10 regenerations

Two layers

● LAYER 1 — DOCUMENTATION · CRACHECK

Article 31 + Annex VII documentation

CRACheck generates the Article 31 + Annex VII technical documentation file with all 8 required elements structured and cross-referenced.

∅ LAYER 2 — NOT INCLUDED

What CRACheck does not do

CRACheck does not review the accuracy of your engineering inputs. It does not audit your SBOM, test your product, or validate your risk assessment. The data you enter is the data that appears in the documentation. Accuracy is your responsibility under Article 13.

CRACheck structures. You substantiate.

Enforcement regime

⚖️
€15M / 2.5% — Art. 64(2)

Non-compliance with Annex I essential requirements.

⚖️
€10M / 2% — Art. 64(3)

Missing or incomplete Art. 31 technical documentation.

⚖️
€5M / 1% — Art. 64(4)

Incorrect or misleading information in the documentation.

Alternatives

CriterioDIY from regulation textConsultancyCRACheck
PriceFree (internal time)€10,000–25,000€149
DeliveryWeeks to structure2–6 months15–25 minutes
Risk of missing elementsHighDepends on consultant's CRA expertiseAll 8 Annex VII elements covered
FormatVariesVaries8 structured PDFs
Data handlingInternalShared with consultancy100% browser-side
CRACheck€14915-25 min8 PDFsBrowser-side

Technical documentation for a multi-product portfolio?

Each product with digital elements needs its own Annex VII file. Volume pricing available. Pack of 10: €99. Pack of 30: €79.

Request volume pricing
Commercial enquiries via hello@solidwaretools.com

What CRACheck guarantees and what it does not

CRACheck generates a structured document according to Article 31 and Annex VII of Regulation (EU) 2024/2847, based on the information you enter. The accuracy, completeness, and truthfulness of that information is your responsibility as manufacturer.

We guarantee that the document structure follows Article 31 and Annex VII of Regulation (EU) 2024/2847 and that the legal references cited are correct. We do not guarantee that a specific document will be accepted by a market surveillance authority in a specific case.

CRACheck is not legal advice. For situations specific to your product or market, consult a qualified lawyer or specialised regulatory consultancy.

Frequently asked questions

Does the technical documentation need to be in a specific language?
Article 31(4) of Regulation (EU) 2024/2847 states that the documentation must be drawn up in an official language of the Member State where the notified body is established, or in a language acceptable to that body. For products using Module A (no notified body), the documentation should be in a language required by the market surveillance authority of the Member State where the product is placed on the market.
Can the technical documentation be a single document or must it be separate files?
The regulation does not prescribe a specific file format. CRACheck distributes the content across 8 focused PDFs for clarity and usability, but a market surveillance authority will accept any format that contains all 8 Annex VII elements in a traceable and accessible manner.
What does "continuously updated" mean in Article 31(2)?
Article 31(2) states that the technical documentation "shall be continuously updated, where appropriate, at least during the support period." This means you must update the documentation when the product changes (new firmware, new components), when new vulnerabilities are discovered, when standards are updated, or when the risk assessment changes. CRACheck provides 10 regenerations within the 30-day licence window for this purpose.
Is the SBOM in Annex VII point (8) automatically disclosed?
No. Annex VII point (8) states that the SBOM is provided "further to a reasoned request from a market surveillance authority" and only to the extent "necessary in order for that authority to be able to check compliance with the essential cybersecurity requirements set out in Annex I." It is not published proactively.
Is this a subscription?
No. One-time payment. The licence includes 30 days of editing and 10 regenerations. The downloaded PDF is yours permanently.
Can I request a refund?
Under Art. 16(m) of Directive (EU) 2011/83, activating the licence constitutes express consent for immediate generation of digital content, waiving the 14-day withdrawal right. Refunds are only processed for reproducible technical failures.
What if the regulation changes?
If Regulation (EU) 2024/2847 is amended during your licence window, you can regenerate the documentation using the updated version of the generator at no additional cost.

Official legal sources

⚠️ Important notice: CRACheck is a self-assessment documentation tool, not legal advice and not a third-party audit. The document under Article 31 and Annex VII of Regulation (EU) 2024/2847 is generated from your input data. You are responsible for the accuracy of the data you provide. CRACheck does not replace a qualified professional assessment.

8 elements. One documentation file. Generated in minutes.

CRACheck structures all 8 Annex VII elements into a single documentation set. €149 per product. Browser-side.

€149 one-time
8-document ZIP · 15-25 min · Art. 31 + Annex VII · 100% browser-side · Permanent PDF
Generate CRA Dossier

Related landings

ANNEX I

Annex I — the 21 essential cybersecurity requirements
ANNEX V

Annex V Declaration of Conformity — how to fill it
ANNEX II

Annex II user information — the 9 requirements
✓ Last regulatory check: 1 May 2026 · No substantive changes detected · View history