Why the technical documentation matters
The technical documentation is the evidence base behind the EU Declaration of Conformity. You draw it up before placing the product on the market, keep it, and hand the relevant parts to a market-surveillance authority on request. Whether you self-assess (Module A) or use a notified body, the Annex VII file is mandatory.
It is also the single document that most clearly demonstrates the CRA's logic: it ties the product's design and processes — how you build it — to a risk assessment and to each essential requirement — what the product must do.
The eight Annex VII elements
Annex VII requires the following, in order:
- Element 1 — General description (purpose, versions, hardware photos, user information)
- Element 2 — Design, development, production + vulnerability-handling processes (incl. SBOM, CVD)
- Element 3 — Cybersecurity risk assessment + how each Annex I Part I requirement applies & is met
- Element 4 — Information used to determine the support period
- Element 5 — Harmonised standards applied (or other solutions where partly/not applied)
- Element 6 — Test reports (product + vulnerability-handling conformity)
- Element 7 — Copy of the EU Declaration of Conformity
- Element 8 — Software bill of materials (on market-surveillance-authority request)
The risk assessment is the heart of the file
Element 3 is where most of the work lives. The CRA requires a cybersecurity risk assessment and — crucially — a demonstration of how each essential requirement in Annex I, Part I applies to the product and how it is met (or why a requirement does not apply). This per-requirement narrative is the substance auditors and customers actually read.
The Annex I requirements you address one by one cover the product's security properties: secure-by-default configuration, access control, confidentiality, integrity, availability, data minimisation, no harm to other networks, security logging, and secure data removal.
What you must supply yourself — never fabricate
Parts of the file can be assembled from a structured assessment, but several elements have to come from the real product and must never be invented:
- The software bill of materials — elements 2 and 8 — generated from the actual product build, not written from memory. The CRA lets an authority demand it.
- Test reports — element 6 — your real SAST/DAST, fuzzing, penetration-test and dependency/vulnerability-scan outputs.
- Product facts — the general description, versions and hardware photos (element 1) and the support-period information (element 4) — facts about the product as actually shipped.
How it connects to the Declaration of Conformity
Element 7 of the technical documentation is a copy of the EU Declaration of Conformity (Annex V). The two documents are written together: the standards you cite in the technical documentation (element 5) are the same references that appear in the Declaration, and the Declaration states that the product is in conformity with Regulation (EU) 2024/2847.
For products that go through a notified body, the Declaration also names the body, its number and the certificate — a block that default, self-assessed products do not have.