What must the CRA Declaration of Conformity contain?

Annex V of Regulation (EU) 2024/2847 requires: (1) the manufacturer's name and address, (2) a statement that the declaration is issued under the sole responsibility of the manufacturer, (3) product identification (name, type, version, unique identifier), (4) a statement of conformity with the essential requirements, (5) references to harmonised standards or other specifications applied, (6) the conformity assessment procedure used, (7) where applicable, the notified body details, and (8) the date and signature of an authorized person.

Can we issue the declaration before the CRA enforcement date?

Yes. There is no prohibition on producing CRA documentation before December 2027. Early declarations demonstrate proactive compliance and can be included in vendor assessments, procurement responses, and customer communications.

How long must we keep the declaration available?

Article 28(2) requires the declaration to be kept at the disposal of market surveillance authorities for at least 10 years after the product is placed on the market or for the support period, whichever is longer. For software with a 5-year support period, the retention requirement is 10 years.

Do we need to update the declaration when we release a new software version?

Article 28(2) requires the declaration to be "continuously updated." Minor updates that do not affect compliance with essential requirements do not typically trigger a declaration update. Substantial modifications per Article 22 — those affecting the product's compliance — require a new conformity assessment and an updated declaration.

Our product has no harmonised standards yet. Can we still issue a declaration?

Yes. If harmonised standards under the CRA have not yet been published or applied, the declaration references the essential cybersecurity requirements in Annex I directly, without reference to specific standards. Article 32(1) allows self-assessment under Module A against the essential requirements.

Is CRACheck a subscription?

No. One-time payment. 30 days of editing, 10 regenerations. The PDF is yours to keep.

Can I request a refund?

Per Article 16(m) of Directive (EU) 2011/83, activating the license constitutes express consent for immediate digital content generation. Refunds only for reproducible technical failures.

What if the regulation changes?

Regenerate at no additional cost during your license period.

Article 28 of Regulation (EU) 2024/2847 requires a written EU declaration of conformity for every product with digital elements placed on the EU market. Annex V defines the content: manufacturer identity, product identification, conformity assessment procedure, applicable standards, and a signed statement of compliance. For a US software company, this declaration is one of 8 documents your EU buyer or market surveillance authority will request. CRACheck generates all of them.

The EU declaration of conformity under Annex V of the Cyber Resilience Act is not a marketing statement — it is a legal document. Article 28(2) states that the declaration shall be continuously updated and made available for at least 10 years or the support period, whichever is longer. Article 28(4) requires it to follow the structure in Annex V. For a US software company without a European regulatory affairs team, producing this document correctly — alongside the technical documentation under Article 31 that supports it — is a task CRACheck completes in 15-25 minutes for €149.

Generate declaration + dossier — €149 Free: check your product classification

€149 one-time · 8-document ZIP · 15–25 minutes · Browser-side

Key numbers

Annex V

The specific annex defining the required content and structure of the CRA Declaration of Conformity

10 years

Minimum period the declaration must be kept available after placing the product on the market (Art. 28(2))

€149

One-time cost for the declaration plus 7 supporting documents

How CRACheck works

You enter your product data. CRACheck structures the documentation per Article 31 + Annex VII.

Enter manufacturer details

Legal entity name, registered address, US headquarters. If you have an EU authorized representative under Article 18, enter their details.

Identify the product

Product name, version, unique identifier. The declaration must unambiguously identify the specific product it covers.

Select conformity assessment procedure

CRACheck determines whether your product uses Module A (self-assessment), Module B+C, or Module H based on its Annex III classification.

Reference applicable standards

If harmonised standards under the CRA have been applied, CRACheck references them. If not, the declaration references the essential requirements directly.

Generate the declaration

Pre-filled Annex V document with all required fields: manufacturer identity, product identification, conformity procedure, standards, and compliance statement.

Generate supporting documentation

The declaration is supported by the technical documentation (Art. 31 + Annex VII), risk assessment (Art. 13), and user information (Annex II). CRACheck generates all 8 documents together.

Sign and archive

The declaration must be signed by a person authorized to act on behalf of the manufacturer. Print, sign, date, and maintain alongside the technical documentation for at least 10 years.

Common mistakes

❌

WRONG TEMPLATE

"We created a self-declaration document based on other CE marking declarations"

CRA declarations of conformity follow Annex V of Regulation (EU) 2024/2847, which has specific content requirements distinct from declarations under the Machinery Directive, EMC Directive, or other CE marking frameworks. Using a template from another regulation will produce a non-compliant declaration. Annex V requires specific references to the CRA, the conformity assessment module used, and the essential cybersecurity requirements addressed.

❌

SIGNATORY REQUIREMENT

"Our EU distributor can sign the declaration on our behalf"

Article 28(1) states that the manufacturer draws up the EU declaration of conformity. The declaration is signed by a person authorized to bind the manufacturer. An EU distributor is not the manufacturer. An authorized representative under Article 18 has specific mandate limitations per Article 18(2) and cannot take on manufacturer obligations under Article 13. The declaration signature comes from your company.

❌

UNSUPPORTED DECLARATION

"We produced the declaration but did not create the underlying technical documentation"

A declaration of conformity without supporting technical documentation is legally meaningless. Article 28(1) requires the declaration to state that the essential requirements have been fulfilled. Article 31 requires the manufacturer to draw up technical documentation demonstrating compliance. If a market surveillance authority requests proof, the technical documentation behind the declaration must exist. CRACheck generates both together.

What the ZIP contains

8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it complies with.

Product Classifier

Annex III classification determining the conformity assessment procedure referenced in the declaration.

Technical Documentation

Art. 31 + Annex VII. The substantive evidence behind the declaration. Without this, the declaration has no foundation.

Risk Assessment

Art. 13(2)-(3). Part of the technical documentation that supports the declaration's claim of compliance with Annex I essential requirements.

User Information

Annex II. Referenced in the declaration as part of the manufacturer's obligations.

Declaration of Conformity

Art. 28 + Annex V. The formal declaration itself: manufacturer identity, product identification, conformity procedure, applicable standards or essential requirements, and compliance statement. Pre-filled, ready for signature.

CVD Policy

Annex I, Part II. Demonstrates vulnerability handling compliance referenced in the declaration's scope.

Notification Template

Art. 14. Supporting document for the vulnerability handling obligations claimed in the declaration. Art. 14(2): early warning within 24h, notification within 72h, final report within 14 days.

Obligations Calendar

Timeline for declaration maintenance: update triggers, 10-year retention requirement, support period alignment.

Mira antes de comprar — Descargar dossier de muestra (PDF, empresa ficticia) — Estructura real, artículos reales, formato real. Datos ficticios.

Generated from your data, in your browser. No data leaves your device.

What you pay

🧾 REGULATORY AFFAIRS CONSULTANT

€13,000–€28,000

6-16 weeks. €3,000-€8,000 for the declaration alone + €10,000-€20,000 for the supporting technical documentation.

✓ Last regulatory check: 1 May 2026 · No substantive changes detected · View history