Must the technical documentation be ready before I sell the product?

Yes. Article 31(2) of Regulation (EU) 2024/2847 states: "The technical documentation shall be drawn up before the product with digital elements is placed on the market." Placing a product on the EU market without the Annex VII file completed is a violation of Art. 31.

How long must I keep the technical documentation?

Article 13(13) of Regulation (EU) 2024/2847 requires the manufacturer to keep the technical documentation and EU declaration of conformity "at the disposal of the market surveillance authorities for at least 10 years after the product with digital elements has been placed on the market or for the support period, whichever is longer."

Can I produce a single technical file for an entire product family?

Article 31(3) allows a single set of technical documentation for products also subject to other Union legal acts. However, each distinct product with digital elements that carries its own product identifier per Art. 13(15) needs its own Annex VII file covering its specific design, risk assessment, and support period.

What if harmonised standards do not exist yet for my product category?

Annex VII, point 5 of Regulation (EU) 2024/2847 anticipates this. Where harmonised standards, common specifications, or cybersecurity certification schemes have not been applied, you must include "descriptions of the solutions adopted to meet the essential cybersecurity requirements set out in Parts I and II of Annex I, including a list of other relevant technical specifications applied."

Does CRACheck produce the test reports required under point 6?

No. CRACheck structures the documentation framework including the section where test reports are referenced. You must conduct the conformity testing and provide the results. CRACheck integrates your test data into the Annex VII structure.

Is this a subscription?

No. One-time payment. The licence includes a 30-day editing window and 10 regenerations. The downloaded PDF is yours permanently.

Can I request a refund?

Article 16(m) of Directive (EU) 2011/83 applies. Upon licence activation, you give express consent for immediate generation of the digital content, waiving the 14-day withdrawal right. Refunds are accepted only for a reproducible technical defect.

What if the regulation changes?

If the regulation is amended during your licence validity period, you can regenerate the documentation using the updated version of the generator at no additional cost.

Article 31 of Regulation (EU) 2024/2847 requires you to draw up technical documentation before placing the product on the market. Annex VII lists the eight elements it must contain — from product description and system architecture to risk assessment, SBOM, CVD policy, conformity test reports, and the EU declaration of conformity. CRACheck generates the structure covering all eight.

Annex VII is the backbone of your CRA compliance file. Point 1 covers the general product description including intended purpose, software versions, and user information per Annex II. Point 2 covers design, development, production, and vulnerability handling processes — including the SBOM and CVD policy. Point 3 is the cybersecurity risk assessment per Art. 13. Point 4 documents the support period rationale. Point 5 covers harmonised standards and certification schemes applied. Point 6 addresses test reports. Point 7 is the EU declaration of conformity. Point 8 is the SBOM available to authorities on request. CRACheck structures all eight into a single technical documentation package. 15–25 minutes. €149.

Generate CRA dossier — €149 Free: check your product classification

€149 one-time · 8-document ZIP · 15–25 minutes · Browser-side

Annex VII at a glance

8 points

Annex VII documentation requirements

10 years

Retention obligation — Art. 13(13)

Art. 31(2)

Must be continuously updated

How to build the complete Annex VII file

Map your product

Annex VII, point 1: intended purpose, software versions affecting compliance, photographs/illustrations (for hardware), user instructions per Annex II.

Document design and vulnerability handling

Point 2: system architecture (a), SBOM + CVD policy + secure update mechanism (b), production and monitoring processes (c).

Complete the risk assessment

Point 3: cybersecurity risk assessment per Art. 13(2)–(3) showing how Annex I Part I requirements apply.

Justify the support period

Point 4: factors considered per Art. 13(8) to determine your support commitment.

Reference standards and certifications

Point 5: harmonised standards, common specifications per Art. 27, or cybersecurity certification schemes. If none applied, describe alternative solutions meeting Annex I.

Attach test reports

Point 6: conformity test results verifying compliance with Annex I Parts I and II.

Include the declaration of conformity

Point 7: copy of the EU declaration per Art. 28 and Annex V.

Run CRACheck

CRACheck generates the complete Annex VII structure, pre-populated with your data, as part of the 8-document package. All points covered. All cross-references resolved.

Three mistakes manufacturers make with Annex VII

❌

PARTIAL FILE

Producing technical documentation that covers only 3-4 of the 8 Annex VII points

Annex VII lists 8 mandatory elements. Art. 31(1) says the documentation shall contain "at least" these elements. A technical file that includes the risk assessment (point 3) and declaration (point 7) but omits the SBOM (points 2b, 8), CVD policy (point 2b), and support period justification (point 4) is incomplete under the regulation.

❌

STATIC FILE

Creating the technical documentation once and never updating it

Art. 31(2) requires the documentation to be "continuously updated, where appropriate, at least during the support period." A technical file frozen at the date of market placement becomes non-compliant as the product evolves, dependencies change, and vulnerabilities are discovered.

❌

WRONG LANGUAGE

Producing the documentation only in the manufacturer's language when a notified body requires another

Art. 31(4) requires the documentation to be "drawn up in an official language of the Member State in which the notified body is established or in a language acceptable to that body." For Default-category products using Module A (self-assessment), this is less critical, but for Important/Critical products requiring notified body involvement, language compliance matters.

What the ZIP contains

8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it complies with.

Product Classifier

Determines the conformity assessment route under Art. 32. Default products use Module A (Annex VIII). Important Class I/II and Critical products may require Modules B+C or H.

Technical Documentation

The core deliverable. Implements all 8 points of Annex VII: product description (1), design/SBOM/CVD/update (2a-c), risk assessment (3), support period (4), standards (5), tests (6), declaration (7), SBOM note (8).

Risk Assessment

Per Art. 13(2)–(3) and Annex I Part I. Feeds directly into Annex VII point 3.

User Information

Per Annex II. Referenced by Annex VII point 1(d).

Declaration of Conformity

Per Art. 28 and Annex V. Inserted as Annex VII point 7.

CVD Policy

Per Annex I, Part II, point (5). Referenced by Annex VII point 2(b).

Notification Template

Per Art. 14. Documents the manufacturer's reporting process per Annex VII point 2(b). Art. 14(2): early warning within 24h, notification within 72h, final report within 14 days.

Obligations Calendar

Maps the documentation lifecycle: creation before market placement, continuous updates during support period, 10-year retention per Art. 13(13).

See before you buy — Download sample dossier (PDF, fictional company) — Real structure, real articles, real format. Fictional data.

Generated from your data, in your browser. No data leaves your device.

What you pay

🧾 THE ALTERNATIVE

Engaging a CRA compliance firm to build the complete Annex VII technical file: product analysis, risk assessment, standards mapping, SBOM integration, CVD policy drafting, declaration, and test report coordination.

€15,000–€30,000

8–16 weeks. One product. Cannot self-regenerate.

✓ Last regulatory check: 1 May 2026 · No substantive changes detected · View history