CRA EU Declaration of Conformity — Annex V

Three documents, two annexes, one signature

8 elements

Annex V minimum content of the EU DoC

Annex VI

Simplified DoC — must include URL of the full version

10 years

Retention of the DoC after placing on market — Art. 13(13)

The 8 Annex V elements in order

Each element is verbatim from Annex V. The article references show where the underlying obligation comes from.

Element 1 — Product identification

‘Name and type and any additional information enabling the unique identification of the product with digital elements.’ Includes model, version, batch / serial information as required by Article 13(15).

Element 2 — Manufacturer identity

‘Name and address of the manufacturer or its authorised representative.’ Connects to Article 13(16) (contact details on product, packaging or accompanying document) and to Article 18 if an authorised representative is appointed.

Element 3 — Sole responsibility statement

‘A statement that the EU declaration of conformity is issued under the sole responsibility of the provider.’ Article 28(4) makes the manufacturer assume responsibility by drawing up the declaration.

Element 4 — Object of the declaration

‘Object of the declaration (identification of the product with digital elements allowing traceability, which may include a photograph, where appropriate).’ Traceability is the key word — a photograph is optional, not required.

Element 5 — Conformity statement

‘A statement that the object of the declaration described above is in conformity with the relevant Union harmonisation legislation.’ For multi-regulation products, Article 28(3) requires a single declaration listing every applicable Union legal act.

Element 6 — Standards, common specifications, certificates

‘References to any relevant harmonised standards used or any other common specification or cybersecurity certification in relation to which conformity is declared.’ Connects to Article 27 (presumption of conformity) and Article 27(8) (EU cybersecurity certification scheme).

Element 7 — Notified body (when applicable)

‘Where applicable, the name and number of the notified body, a description of the conformity assessment procedure performed and identification of the certificate issued.’ Required for Module B, Module H, and certain Critical product paths.

Element 8 — Additional information

Free-form field. Use for product-specific notes, version mapping, support-period end date, or references to the Annex VII technical documentation.

Signature block

Annex V closes with ‘Signed for and on behalf of:’ with place and date of issue, name, function and signature. Internally print-controlled or electronically signed; the regulation does not require qualified electronic signature.

Languages

Article 28(2) requires the declaration to be made available in the languages required by the Member State in which the product is placed on the market or made available on the market. National rules apply; some Member States accept English, others require the national language.

Common mistakes

❌

SIMPLIFIED DoC MISUSE

“We send the simplified DoC without the full one”

Wrong. Annex VI says: ‘The full text of the EU declaration of conformity is available at the following internet address: …’ The simplified version is only valid if the full Annex V declaration is accessible at the stated URL. If the URL is dead, the simplified version fails to satisfy Article 28.

❌

MULTI-ACT FRAGMENTATION

“We issue separate DoCs for the CRA and the Machinery Regulation”

Article 28(3) requires a SINGLE EU declaration of conformity when the product is subject to multiple Union legal acts requiring such a declaration. The single declaration identifies every applicable act and its publication reference. Article 12 (high-risk AI systems) follows the same logic for the AI Act.

❌

LANGUAGE LAZINESS

“English DoC is enough for the EU”

Article 28(2) is explicit: the declaration must be made available in the languages required by the Member State in which the product is placed on the market or made available on the market. Distributing across all 27 Member States means potentially up to 24 official languages. National market surveillance authorities can refuse the declaration if not in an accepted language.

Does the CRA apply to your product?

Four-question self-check. If you answer YES to all four, your product is in scope of Regulation (EU) 2024/2847.

Is it a hardware or software product (or component) with digital elements?

Art. 3(1) — “product with digital elements”

Can it connect directly or indirectly to a device or network?

Art. 2(1) — logical or physical data connection

Will it be placed or made available on the EU market in the course of a commercial activity?

Art. 3(21)(22) + Recital 15

Is it NOT excluded? (not a medical device, not a motor vehicle, not certified aviation, not marine equipment, not national security/defence-only, not a spare part)

Art. 2(2)–(7)

Take the full product classification test →

Choose your licence

One-time payment. No subscription. The downloaded dossier is yours forever.

1 PRODUCT

149 €

/ product

8-document CRA dossier (ZIP)
Product Classifier + Technical Documentation
Risk Assessment + User Information
10 regenerations · 30 days
1 licence = 1 product

Buy licence →

PROFESSIONAL PACK

1,199 €

70 generations · 1 key

For multi-product catalogues

70 generations with a single key
70 complete dossiers (8 documents each)
Switch product between generations
Ideal for importers with large catalogues
For consultants billing CRA compliance

Buy Professional Pack →

What the ZIP contains

8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it complies with.

Product Classifier

Determines whether your product is Default, Important Class I, Important Class II (Annex III) or Critical (Annex IV). Documents the rationale and the applicable conformity assessment procedure under Article 32.

Technical Documentation

Article 31 + Annex VII dossier. Product description, design and development, vulnerability handling processes, risk assessment, list of harmonised standards applied, conformity solutions.

Cybersecurity Risk Assessment

Annex I, Part I analysis. Intended purpose, reasonably foreseeable use, operational environment, applicability of each essential requirement, mitigation measures.

User Information & Instructions

Annex II. Manufacturer details, single point of contact, intended purpose, support period end date, secure decommissioning, automatic-update opt-out instructions.

EU Declaration of Conformity

Article 28 + Annex V. Pre-structured with your classification, applicable conformity module, harmonised standards or certificates relied on, notified body number when applicable.

Coordinated Vulnerability Disclosure Policy

Annex I, Part II, point (5). Single point of contact, intake workflow, triage and remediation timeline, public disclosure rules.

ENISA Notification Template

Article 14 reporting. Pre-filled 24h early warning, 72h vulnerability/incident notification, 14-day final report templates.

Obligations Calendar

Personalised milestones: Article 14 reporting starts 11 September 2026, full application 11 December 2027, document retention 10 years, support period (Art. 13(8)) end date.

See before you buy — Download sample dossier (PDF, fictional company). Real structure, real articles, real format. Fictional data.

Generated from your data, in your browser. No data leaves your device.

What you pay

📖 LEGAL DRAFTING OF EU DoC ACROSS MULTI-MARKET

€2,000–€8,000

Counsel-led drafting of the Annex V declaration plus translations for each Member State of distribution. Multiplies by SKU count for catalogues.

CRACHECK — SAME OUTPUT

€149

CRACheck pre-fills the Annex V structure from your inputs, references the harmonised standards / certificates you applied (Element 6), notified body if any (Element 7), and produces the simplified Annex VI version with the URL of the full declaration.

Legal sources

Every article and recital cited on this page comes from the official text of Regulation (EU) 2024/2847 (Cyber Resilience Act), published in the Official Journal of the European Union on 20 November 2024 (ELI: data.europa.eu/eli/reg/2024/2847/oj).

→ Full text on EUR-Lex (CELEX 32024R2847)
→ HTML version (article-by-article)
→ Official PDF (81 pages)
→ All 24 EU language versions

Related: Regulation (EU) 2019/881 (Cybersecurity Act, EUCC) · Directive (EU) 2022/2555 (NIS2) · Regulation (EU) 2019/1020 (market surveillance) · Regulation (EU) 2024/1689 (AI Act).

Important notice

This is not legal advice. CRACheck is structured self-assessment software based on Regulation (EU) 2024/2847. The dossier you download is structured documentation, not a third-party audit or certification.

Class II and Critical products still need a notified body. CRACheck prepares the dossier that the notified body will examine — it does not replace the third-party conformity assessment required by Article 32(3) and Article 32(4).

Maximum liability: the amount you paid for the licence. Always verify your specific situation with your legal counsel.

Frequently asked questions

What is the difference between Annex V and Annex VI?

Annex V is the FULL EU declaration of conformity, with the 8 elements listed in this guide. Annex VI is a SIMPLIFIED version that may accompany the product (Article 13(20)). The simplified declaration contains the manufacturer name, the product type designation, a statement of compliance with Regulation (EU) 2024/2847, and an internet address where the full Annex V declaration can be accessed. The simplified version is only valid if the full one is reachable at the URL.

Can I provide the EU DoC electronically?

Yes. Article 13(20) allows either a copy of the EU declaration of conformity or a simplified EU declaration of conformity with the product. The regulation is technology-neutral; PDF, web page, or paper copy are all acceptable. Article 30(1) further allows the CE marking itself to be on the EU declaration of conformity for software-only products.

When does the declaration need to be updated?

Article 28(2) says ‘Such a declaration shall be updated as appropriate.’ This is connected to Article 13(14): when there are changes in the development process, design, characteristics, or in the harmonised standards / certifications relied on. A substantial modification under Article 3(30) requires re-issuing the declaration for the modified version.

How long must I keep the EU DoC?

Article 13(13) requires the manufacturer to keep the technical documentation AND the EU declaration of conformity at the disposal of market surveillance authorities for at least 10 years after the product has been placed on the market, OR for the support period — whichever is longer. For a product with a 15-year support period, that means 15-year retention; for a short-lived product, 10 years.

Is this a subscription?

No. One-time payment. 30-day editing window. 10 regenerations. The PDF dossier is yours permanently.

Can I request a refund?

Under Article 16(m) of Directive (EU) 2011/83, the act of licence activation constitutes express consent for immediate digital content generation, which removes the right of withdrawal. Refunds are issued only for reproducible technical failures.

What if the regulation changes before I file my dossier?

Regenerate at no additional cost during your licence validity. Substantive amendments to Regulation (EU) 2024/2847 are tracked weekly from EUR-Lex; if a clause you cited is amended, you can regenerate the affected sections.

The CRA EU declaration of conformity: 8 elements required by Annex V of Regulation (EU) 2024/2847, plus the Annex VI simplified version and the language rules of Article 28