Does the technical documentation need to be in a specific language?

Article 31(4) of Regulation (EU) 2024/2847 states that the documentation must be drawn up in an official language of the Member State where the notified body is established, or in a language acceptable to that body. For products using Module A (no notified body), the documentation should be in a language required by the market surveillance authority of the Member State where the product is placed on the market.

Can the technical documentation be a single document or must it be separate files?

The regulation does not prescribe a specific file format. CRACheck distributes the content across 8 focused PDFs for clarity and usability, but a market surveillance authority will accept any format that contains all 8 Annex VII elements in a traceable and accessible manner.

What does "continuously updated" mean in Article 31(2)?

Article 31(2) states that the technical documentation "shall be continuously updated, where appropriate, at least during the support period." This means you must update the documentation when the product changes (new firmware, new components), when new vulnerabilities are discovered, when standards are updated, or when the risk assessment changes. CRACheck provides 10 regenerations within the 30-day licence window for this purpose.

Is the SBOM in Annex VII point (8) automatically disclosed?

No. Annex VII point (8) states that the SBOM is provided "further to a reasoned request from a market surveillance authority" and only to the extent "necessary in order for that authority to be able to check compliance with the essential cybersecurity requirements set out in Annex I." It is not published proactively.

Is this a subscription?

No. One-time payment. The licence includes 30 days of editing and 10 regenerations. The downloaded PDF is yours permanently.

Can I request a refund?

Under Art. 16(m) of Directive (EU) 2011/83, activating the licence constitutes express consent for immediate generation of digital content, waiving the 14-day withdrawal right. Refunds are only processed for reproducible technical failures.

What if the regulation changes?

If Regulation (EU) 2024/2847 is amended during your licence window, you can regenerate the documentation using the updated version of the generator at no additional cost.

Article 31 of Regulation (EU) 2024/2847 requires manufacturers to draw up technical documentation containing at least the 8 elements set out in Annex VII before placing the product on the EU market. The documentation must be continuously updated during the support period. It is the file that market surveillance authorities, notified bodies, and customs officials will request. This page explains each element, what it means in practice, and how CRACheck structures it.

Annex VII is the backbone of CRA compliance documentation. It requires: (1) a general product description including intended purpose, software versions, and hardware layout; (2) design, development, and production information including system architecture, SBOM, and CVD policy; (3) the cybersecurity risk assessment under Article 13; (4) the support period rationale; (5) harmonised standards or alternative solutions applied; (6) test reports; (7) a copy of the EU Declaration of Conformity; and (8) the SBOM upon reasoned request from market surveillance authorities. CRACheck structures all 8 elements into a single file. €149 per product. 15–25 minutes. 100% in your browser.

Generate CRA dossier — €149 Free: check your product classification

€149 one-time · 8-document ZIP · 15–25 minutes · Browser-side

Key figures

Elements required in the technical documentation under Annex VII

10 yr

Minimum retention period per Annex VIII Part I point (4.2)

Art. 31

Legal basis for the technical documentation obligation

How CRACheck structures the 8 Annex VII elements

General product description (Annex VII §1)

You enter the product's intended purpose, software versions affecting compliance, hardware photographs/illustrations if applicable, and user information per Annex II. CRACheck structures this as the opening section of the technical documentation.

Design, development, production & vulnerability handling (Annex VII §2)

You describe the system architecture, software component dependencies, the SBOM (top-level), the CVD policy, the contact address for vulnerability reporting, the mechanism for distributing security updates, and the production monitoring processes.

Cybersecurity risk assessment (Annex VII §3)

CRACheck generates the risk assessment framework per Article 13(2)–(3), mapping each applicable Annex I requirement to identified risks, implemented mitigations, and residual risk levels.

Support period rationale (Annex VII §4)

You declare the support period and the factors considered per Article 13(8): expected product lifetime, market comparables, operating environment availability, and third-party component support periods.

Standards and specifications (Annex VII §5)

You declare which harmonised standards, common specifications, or European cybersecurity certification schemes have been applied, in full or in part. Where none have been applied, you describe the alternative technical solutions adopted.

Test reports (Annex VII §6)

You reference or attach the results of conformity tests. CRACheck provides a structured section for test scope, methodology, results, and date.

EU Declaration of Conformity (Annex VII §7)

CRACheck generates the Declaration per Article 28 and Annex V, embedded as a section of the technical documentation.

Common mistakes

❌

ANNEX VII · §2

Treating the SBOM as optional

Annex VII §2(b) requires "the software bill of materials" as part of the vulnerability handling processes. Annex I Part II point (1) requires the manufacturer to draw up an SBOM in a commonly used and machine-readable format covering at least the top-level dependencies. The SBOM is not optional — its existence must be documented in the technical file.

❌

ART. 31(2)

Creating the documentation once and never updating it

Article 31(2) states that the technical documentation "shall be continuously updated, where appropriate, at least during the support period." A static document produced in 2027 that is never revised for new vulnerabilities, updated components, or changed standards does not comply.

❌

ANNEX VII · §5

Claiming harmonised standards without specifying which parts were applied

Annex VII §5 requires a list of harmonised standards applied "in full or in part." If applied only in part, the technical documentation must specify the parts applied. A blanket "EN standard applied" without identifying specific clauses is insufficient.

What the ZIP contains

8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it complies with.

Product Classifier

Identifies your product category and the conformity assessment module. Corresponds to Annex VII preamble requirements.

Technical Documentation

The core Annex VII file. Contains all 8 required elements: product description, design and development, risk assessment, support period, standards, test reports, Declaration, SBOM reference.

Risk Assessment

Cybersecurity risk assessment per Article 13(2)–(3). Corresponds to Annex VII §3.

User Information

Annex II information sheet. Referenced in Annex VII §1(d).

Declaration of Conformity

EU Declaration per Article 28 and Annex V. Included in the technical file per Annex VII §7.

CVD Policy

Coordinated vulnerability disclosure policy. Part of the design and development section per Annex VII §2.

Notification Template

ENISA/CSIRT notification template per Article 14. Art. 14(2): early warning within 24h, notification within 72h, final report within 14 days.

Obligations Calendar

Key dates including the 10-year retention obligation and support period milestones.

See before you buy — Download sample dossier (PDF, fictional company) — Real structure, real articles, real format. Fictional data.

Generated from your data, in your browser. No data leaves your device.

What you pay

🧾 THE ALTERNATIVE

Technical documentation consultancy

€10,000–25,000 per product

2–6 months

Requires deep access to your engineering team

Deliverable format varies

✓ Last regulatory check: 1 May 2026 · No substantive changes detected · View history