What must the user information contain under Annex II?

Annex II of Regulation (EU) 2024/2847 lists at least 11 categories: manufacturer identity and contact (1), product identification (2), intended purpose (3), security properties (4), known risks (5), support period end date (6), SBOM availability information (7), secure installation/operation/maintenance instructions (8), initial commissioning and update guidance (8a–8e), vulnerability reporting contact (9), single point of contact URL (10), and coordinated vulnerability disclosure policy reference (11).

In what format must the information be provided?

Article 13(19) of Regulation (EU) 2024/2847 requires the information to be provided 'in a clear, understandable, intelligible and legible manner.' It must accompany the product — physically, in the packaging, or via a link in a digital document. For software-only products, the information is typically delivered as a document accompanying the download.

Must the user information be in the local language?

Article 13(19) requires the instructions to be provided 'in a language which can be easily understood by users, as determined by the Member State concerned.' In practice, this means each EU market may require a local language version. English alone may not suffice for consumer products sold in non-English-speaking Member States.

Does Annex II apply to B2B products?

Yes. Annex II applies to all products with digital elements regardless of whether the end user is a consumer or a business. The depth and technicality of the information may differ — a B2B industrial gateway can use technical language that would not be appropriate for a consumer smart plug — but the obligation to provide all Annex II categories remains.

Is this a subscription?

No. One-time payment. The licence includes a 30-day editing window and 10 regenerations. The downloaded PDF is yours permanently.

Can I request a refund?

Article 16(m) of Directive (EU) 2011/83 applies. Upon licence activation, you give express consent for immediate generation of the digital content, waiving the 14-day withdrawal right. Refunds are accepted only for a reproducible technical defect.

What if the regulation changes?

If the regulation is amended during your licence validity period, you can regenerate the documentation using the updated version of the generator at no additional cost.

Article 13(19) of Regulation (EU) 2024/2847 requires you to provide users with clear, understandable information per Annex II before placing the product on the market. Eleven categories of mandatory information — from manufacturer identity and security properties to support period, SBOM availability, and vulnerability reporting contact. CRACheck generates the structured user information document.

Annex II is the user-facing layer of your CRA compliance. While the technical documentation (Annex VII) stays with the manufacturer and market surveillance authorities, the Annex II information goes to the user. It must be clear, understandable, intelligible, and legible per Art. 13(19). It must be available in a language easily understood by users in the target Member State. It covers eleven mandatory categories including security properties of the product, known cybersecurity risks, support period end date, how to report vulnerabilities, and instructions for secure installation, operation, and maintenance. CRACheck generates the user information document as part of the 8-document package. 15–25 minutes. €149.

Generate CRA dossier — €149 Free: check your product classification

€149 one-time · 8-document ZIP · 15–25 minutes · Browser-side

Annex II at a glance

Mandatory information categories in Annex II

Art. 13(19)

Clear, understandable, intelligible, legible

Local

Language determined by the Member State

How to build Annex II user information

Manufacturer identity

Annex II, point (1): name, registered trade name or trademark, postal address, email address, and where available a website where the manufacturer can be contacted.

Product identification and security properties

Points (2)–(4): product name, model, version, intended purpose and essential functionalities including security properties such as encryption, access control, and update mechanisms.

Known risks and support period

Points (5)–(6): any known or foreseeable circumstance that may lead to cybersecurity risks, and the end date of the support period with guaranteed security updates.

Secure use instructions

Point (8): initial commissioning, secure installation, operation, and maintenance. How to install security updates. How to configure auto-updates. How to reset to secure defaults.

Vulnerability reporting

Points (9)–(11): contact information for vulnerability reporting, single point of contact URL, and reference to the coordinated vulnerability disclosure policy.

Run CRACheck

Input your product data. CRACheck generates the User Information document structured per all Annex II categories, integrated with the rest of the 8-document package. Cross-referenced with the CVD policy and risk assessment.

Three mistakes manufacturers make with user information

❌

MISSING SUPPORT DATE

Not displaying the support period end date on the product or packaging

Article 13(21) of Regulation (EU) 2024/2847 requires the support period end date to be "clearly and understandably indicated at the time of purchase, in an accessible manner and, where applicable, on the packaging of the product." A product page, packaging, or accompanying document that omits this date violates the requirement.

❌

NO VULNERABILITY CONTACT

Omitting the vulnerability reporting contact from user-facing documentation

Annex II, point (9) requires "information on how cybersecurity-relevant issues, including vulnerabilities in the product, can be reported." A product without a visible vulnerability reporting channel fails this requirement and weakens the Art. 14 notification pipeline.

❌

TECHNICAL JARGON

Writing user information in technical language incomprehensible to the target user

Art. 13(19) requires "clear, understandable, intelligible and legible" information. Consumer-facing products cannot use ISO references, CVE identifiers, or cryptographic algorithm names without explanation. The information must be adapted to the target audience. B2B products have more latitude for technical depth.

What the ZIP contains

8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it complies with.

Product Classifier

Category per Annex III/IV. Consumer products face stricter readability requirements for user information.

Technical Documentation

Annex VII. Point 1(d) cross-references the Annex II user information as part of the technical file.

Risk Assessment

Per Art. 13(2)–(3). The risk assessment informs what users need to know under Annex II, point (5): known risks and foreseeable circumstances.

User Information

The core deliverable for this landing. Structured per all 11 Annex II categories: manufacturer identity (1), product identification (2), intended purpose (3), security properties (4), known risks (5), support period (6), SBOM info (7), secure use instructions (8), vulnerability reporting (9), single point of contact (10), CVD reference (11).

Declaration of Conformity

Per Art. 28 and Annex V. A simplified version of the declaration must be provided to users per Art. 13(20).

CVD Policy

Per Annex I, Part II, point (5). Annex II, point (11) requires the user information to reference this policy.

Notification Template

Per Art. 14. Art. 14(8) requires the manufacturer to inform impacted users of the vulnerability — the User Information document establishes the communication channel. Art. 14(2): early warning within 24h, notification within 72h, final report within 14 days.

Obligations Calendar

Maps the support period end date — a key Annex II requirement — and user notification milestones.

See before you buy — Download sample dossier (PDF, fictional company) — Real structure, real articles, real format. Fictional data.

Generated from your data, in your browser. No data leaves your device.

What you pay

🧾 THE ALTERNATIVE

Commissioning a technical writer and regulatory consultant to produce CRA-compliant user documentation covering all 11 Annex II categories, adapted for each target market language.

€6,000–€15,000

3–6 weeks. One product, one language. Translation additional.

✓ Last regulatory check: 1 May 2026 · No substantive changes detected · View history