CRA Annex VII

CRA technical documentation: the Annex VII file, element by element

Every product with digital elements placed on the EU market under the Cyber Resilience Act (Regulation (EU) 2024/2847) needs a technical documentation file. Its required contents are set out in Annex VII of the Regulation. The file is what proves — to you, to your customers, and to a market-surveillance authority that asks — that the product meets the Act's essential cybersecurity requirements.

Annex VII lists eight elements. This page walks through each one: what it is, where the content comes from, and how much of it you can generate versus what you must supply from the real product.

Why the technical documentation matters

The technical documentation is the evidence base behind the EU Declaration of Conformity. You draw it up before placing the product on the market, keep it, and hand the relevant parts to a market-surveillance authority on request. Whether you self-assess (Module A) or use a notified body, the Annex VII file is mandatory.

It is also the single document that most clearly demonstrates the CRA's logic: it ties the product's design and processes — how you build it — to a risk assessment and to each essential requirement — what the product must do.

The eight Annex VII elements

Annex VII requires the following, in order:

  • Element 1General description (purpose, versions, hardware photos, user information)
  • Element 2Design, development, production + vulnerability-handling processes (incl. SBOM, CVD)
  • Element 3Cybersecurity risk assessment + how each Annex I Part I requirement applies & is met
  • Element 4Information used to determine the support period
  • Element 5Harmonised standards applied (or other solutions where partly/not applied)
  • Element 6Test reports (product + vulnerability-handling conformity)
  • Element 7Copy of the EU Declaration of Conformity
  • Element 8Software bill of materials (on market-surveillance-authority request)

The risk assessment is the heart of the file

Element 3 is where most of the work lives. The CRA requires a cybersecurity risk assessment and — crucially — a demonstration of how each essential requirement in Annex I, Part I applies to the product and how it is met (or why a requirement does not apply). This per-requirement narrative is the substance auditors and customers actually read.

The Annex I requirements you address one by one cover the product's security properties: secure-by-default configuration, access control, confidentiality, integrity, availability, data minimisation, no harm to other networks, security logging, and secure data removal.

What you must supply yourself — never fabricate

Parts of the file can be assembled from a structured assessment, but several elements have to come from the real product and must never be invented:

  • The software bill of materialselements 2 and 8 — generated from the actual product build, not written from memory. The CRA lets an authority demand it.
  • Test reportselement 6 — your real SAST/DAST, fuzzing, penetration-test and dependency/vulnerability-scan outputs.
  • Product factsthe general description, versions and hardware photos (element 1) and the support-period information (element 4) — facts about the product as actually shipped.

How it connects to the Declaration of Conformity

Element 7 of the technical documentation is a copy of the EU Declaration of Conformity (Annex V). The two documents are written together: the standards you cite in the technical documentation (element 5) are the same references that appear in the Declaration, and the Declaration states that the product is in conformity with Regulation (EU) 2024/2847.

For products that go through a notified body, the Declaration also names the body, its number and the certificate — a block that default, self-assessed products do not have.

Not sure which CRA route is yours?

The free scope checker walks the Annex III / Annex IV categories and returns your product class and conformity route in a minute.

Frequently asked questions

What is CRA Annex VII?

Annex VII of the Cyber Resilience Act (Regulation (EU) 2024/2847) sets out the required contents of a product's technical documentation — the eight-element file that evidences conformity with the Act's essential cybersecurity requirements.

What must CRA technical documentation contain?

Eight elements: a general product description; the design, development, production and vulnerability-handling processes (with the SBOM and coordinated vulnerability disclosure); the cybersecurity risk assessment showing how each Annex I requirement is met; the information used to set the support period; the standards applied; test reports; a copy of the EU Declaration of Conformity; and the software bill of materials on request.

Do I need an SBOM for the CRA?

Yes. The software bill of materials is part of the Annex VII technical documentation (elements 2 and 8), and a market-surveillance authority can require it. It is generated from the real product build, not drafted by hand.

Who has to produce the technical documentation?

The manufacturer, before placing the product on the EU market — whether the product is self-assessed under Module A or assessed by a notified body. The file is kept and provided to authorities on request.

Can AI write my CRA technical file?

It can draft the narrative parts — the descriptions and the per-requirement risk-assessment text — from a structured assessment. It must not fabricate the evidence: the SBOM, the test reports and the product facts (versions, photos, support period) have to come from the real product.

Get CRA-ready, without the consultancy bill

Start with the free scope check, then let Reglyze guide the self-assessment and assemble your Annex VII file and Declaration of Conformity.