9.1 CRA Compliance Statement
9.1.1 Purpose
The CRA Compliance Statement is the public summary of all CRA compliance artefacts for a product. It serves as a central point of reference for customers, market surveillance authorities, and internal audits.
IMPORTANT
The CRA Compliance Statement is not a replacement for the legally binding EU Declaration of Conformity (Annex V). It is a supplementary, publicly accessible presentation that links to all relevant documents.
9.1.2 Generation Principle
PRINCIPLE
The machine-readable JSON is the single source. All human-readable formats and compliance artefacts are generated from it — never maintained separately.
```
               ┌──────────────────────────┐
               │       .compliance/       │
               │    cra-statement.json    │
               │ (Single Source of Truth) │
               └─────────────┬────────────┘
                             │
         ┌───────────────────┼───────────────────┐
         │                   │                   │
         ▼                   ▼                   ▼
┌─────────────────┐ ┌─────────────────┐ ┌─────────────────┐
│ Compliance Page │ │   CE Marking    │ │ Container Labels│
│   (HTML/PDF)    │ │ (About dialog,  │ │ (OCI annotations│
│    on portal    │ │ README, footer) │ │   Dockerfile)   │
└─────────────────┘ └─────────────────┘ └─────────────────┘
         │                   │                   │
         ▼                   ▼                   ▼
┌─────────────────┐ ┌─────────────────┐ ┌─────────────────┐
│  API endpoint   │ │ Simplified DoC  │ │  Release notes  │
│ for authorities │ │   (Annex VI)    │ │     snippet     │
└─────────────────┘ └─────────────────┘ └─────────────────┘
```
Generated Artefacts
| Artefact | Generated from | Target |
|---|---|---|
| Compliance page (HTML/PDF) | All JSON fields | Compliance portal |
| CE marking | manufacturer.*, conformity.*, cra_classification.notified_body | About dialog, README, footer, documentation |
| Container labels | conformity.ce_marking, conformity.declaration_url, support_period.end_date | Dockerfile / OCI annotations |
| Simplified DoC (Annex VI) | manufacturer.name, product.*, conformity.declaration_url, support_period.* | README, release notes, packaging |
| API response | Full JSON | /api/products/{name}.json |
| Release notes snippet | conformity.*, support_period.*, security_documentation.* | GitHub Release |
CE Marking from JSON
The CE marking is generated from JSON fields and automatically placed at the configured locations (→ 7.7 CE Marking):
Generated CE marking:
```
CE [1234]                          ← notified_body (if applicable)
BAUER GROUP                        ← manufacturer.name
Musterstraße 1, 12345 Musterstadt  ← manufacturer.address
MinIO Gateway v2.1.0               ← product.name + product.version
```
For container images, OCI labels are additionally generated:
```dockerfile
LABEL org.opencontainers.image.ce-marking="conformant"
LABEL eu.cra.doc.url="https://go.bauer-group.com/cra-minio-gateway"
LABEL eu.cra.doc.version="1.0"
LABEL eu.cra.support.end="2031-03-01"
```
9.1.3 Required Content
The following information must be publicly accessible under the CRA and is consolidated in the statement:
| CRA Reference | Information | Cross-Reference |
|---|---|---|
| Art. 13(6) | Coordinated Vulnerability Disclosure Policy | → 4.2 Disclosure Policy |
| Art. 13(8) | Support period | → 6.4 Support & Lifecycle |
| Art. 13, Annex II | User information (security instructions) | → 7.10 User Information |
| Art. 28, Annex V | EU Declaration of Conformity (or link thereto) | → 7.8 EU Declaration of Conformity |
| Art. 29–30 | CE marking | → 7.7 CE Marking |
| Annex I, Part II, No. 1 | SBOM (machine-readable) | → Chapter 2: SBOM & Signing |
| Annex VII | Manufacturer contact information | → 6.1 Product Description |
9.1.4 Recommended Structure
A CRA Compliance Statement should contain the following sections:
1. Product Identification
- Product name, version, type (software / container / firmware)
- CRA product category (Standard / Class I / Class II / Critical)
- Unique identifier (e.g. package URL, container image reference)
2. Manufacturer Information
- Company, address
- Security contact (e.g. disclosure@bauer-group.com)
- Authorised representative (if applicable)
3. Conformity Status
- Applied conformity assessment procedure (→ Chapter 7)
- Link to the EU Declaration of Conformity (Annex V)
- CE marking: status and placement
- Date of last assessment
4. Security Documentation
Links to:
- SBOM (CycloneDX JSON)
- Vulnerability Disclosure Policy / SECURITY.md
- User information (Annex II)
- Technical documentation (where publicly available)
5. Support Period
- Start and end of the support period
- Current phase (Active Support / Security Support)
- Reference to update mechanism (→ 6.3 Update Mechanism)
6. Harmonised Standards
- Applied harmonised standards and technical specifications
- SBOM format standard (e.g. CycloneDX v1.5)
7. Vulnerability Management
- Reference to Vulnerability Disclosure Policy
- CVE monitoring status
- Patch SLAs (→ 3.3 Patch Management)
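The generation principle of 9.1.2 (one machine-readable JSON, every artefact derived from it) and the field set of 9.1.4, carried through as an added example. This is illustrative code written for this page, not the project's own generator. The top-level objects follow the "Generated from" column of the artefact table; the sub-field names that the page does not spell out (`product.type`, `manufacturer.security_contact`, `conformity.module`, `conformity.declaration_version`, `support_period.start_date`, the `security_documentation.*` URLs) and the sample values are assumptions. The generator refuses to emit an artefact when a required field is missing, so a statement that lacks, say, the declaration URL can never be published as a blank label:

```python
"""Generate CRA compliance artefacts from one cra-statement.json (added example)."""
import json
from datetime import date

# Constructed sample of .compliance/cra-statement.json. Top-level objects follow the
# "Generated from" column of the artefact table; sub-fields not named on the page
# (product.type, manufacturer.security_contact, conformity.module,
# conformity.declaration_version, support_period.start_date,
# security_documentation.*) and all values are assumptions for this example.
SAMPLE_STATEMENT = json.loads("""
{
  "product": {"name": "MinIO Gateway", "version": "2.1.0", "type": "Container Image"},
  "manufacturer": {"name": "BAUER GROUP",
                   "address": "Musterstraße 1, 12345 Musterstadt",
                   "security_contact": "disclosure@bauer-group.com"},
  "cra_classification": {"category": "Standard", "notified_body": null},
  "conformity": {"module": "Module A (Internal Control)",
                 "ce_marking": "conformant",
                 "declaration_url": "https://go.bauer-group.com/cra-minio-gateway",
                 "declaration_version": "1.0"},
  "support_period": {"start_date": "2026-03-01", "end_date": "2031-03-01"},
  "security_documentation": {
      "sbom_url": "https://example.invalid/sbom.cdx.json",
      "disclosure_policy_url": "https://example.invalid/SECURITY.md",
      "user_information_url": "https://example.invalid/user-information"}
}
""")


def field(statement, path, required=True):
    """Resolve a dotted path such as 'conformity.declaration_url'.

    A missing or empty required field raises instead of silently yielding an
    artefact with a blank value: a CE marking without a manufacturer address or
    a container label without a DoC link must never leave the pipeline."""
    node = statement
    for key in path.split("."):
        node = node.get(key) if isinstance(node, dict) else None
        if node is None:
            break
    if required and (node is None or node == ""):
        raise ValueError(f"cra-statement.json: required field '{path}' is missing")
    return node


def validate(statement):
    """Cross-field checks run before any artefact is emitted."""
    start = date.fromisoformat(field(statement, "support_period.start_date"))
    end = date.fromisoformat(field(statement, "support_period.end_date"))
    if end <= start:
        raise ValueError("support_period.end_date must be after start_date")
    if field(statement, "conformity.ce_marking") == "conformant":
        field(statement, "conformity.declaration_url")  # DoC link is mandatory once CE-marked
    return True


def ce_marking(statement):
    """Plain-text CE marking in the layout of the 'Generated CE marking' block."""
    validate(statement)
    notified_body = field(statement, "cra_classification.notified_body", required=False)
    lines = [f"CE [{notified_body}]" if notified_body else "CE",
             field(statement, "manufacturer.name"),
             field(statement, "manufacturer.address"),
             f"{field(statement, 'product.name')} v{field(statement, 'product.version')}"]
    return "\n".join(lines)


def oci_labels(statement):
    """Dockerfile LABEL lines; the label keys are the ones shown in 9.1.2."""
    validate(statement)
    return [
        f'LABEL org.opencontainers.image.ce-marking="{field(statement, "conformity.ce_marking")}"',
        f'LABEL eu.cra.doc.url="{field(statement, "conformity.declaration_url")}"',
        f'LABEL eu.cra.doc.version="{field(statement, "conformity.declaration_version")}"',
        f'LABEL eu.cra.support.end="{field(statement, "support_period.end_date")}"',
    ]


def statement_table(statement):
    """Markdown field/value table in the shape of the statement example."""
    validate(statement)
    rows = [
        ("Product type", field(statement, "product.type")),
        ("CRA category", field(statement, "cra_classification.category")),
        ("Conformity module", field(statement, "conformity.module")),
        ("EU Declaration of Conformity", field(statement, "conformity.declaration_url")),
        ("SBOM", field(statement, "security_documentation.sbom_url")),
        ("Support period", f"{field(statement, 'support_period.start_date')} to "
                           f"{field(statement, 'support_period.end_date')}"),
        ("Vulnerability disclosure", field(statement, "manufacturer.security_contact")),
    ]
    header = ["| Field | Value |", "|---|---|"]
    return "\n".join(header + [f"| {name} | {value} |" for name, value in rows])


if __name__ == "__main__":
    print(ce_marking(SAMPLE_STATEMENT))
    print("\n".join(oci_labels(SAMPLE_STATEMENT)))
    print(statement_table(SAMPLE_STATEMENT))
```

Running the script prints the three artefacts from the one sample statement. The point of `field()` and `validate()` is that the JSON is trusted only after it has been checked: an audit that finds a label with an empty `eu.cra.doc.url` is worse than a failed build, so the generator fails closed rather than interpolating nothing.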
9.1.5 Example
A CRA Compliance Statement for a fictional product might look like this:
CRA COMPLIANCE STATEMENT
MinIO Gateway — Version 2.1.0
Date: 2026-03-01 | Manufacturer: BAUER GROUP
| Field | Value |
|---|---|
| Product type | Container Image |
| CRA category | Standard |
| Conformity module | Module A (Internal Control) |
| CE marking | ✅ In About dialog and documentation |
| EU Declaration of Conformity | [Link to DoC] |
| SBOM | [CycloneDX JSON — GitHub Release] |
| SECURITY.md | [Link] |
| User information (Annex II) | [Link] |
| Support period | 2026-03-01 to 2031-03-01 |
| Vulnerability disclosure | disclosure@bauer-group.com |
9.1.6 Placement
| Channel | Format | Audience |
|---|---|---|
| Compliance portal | HTML (generated from JSON) | Customers, authorities |
| Product repository | .compliance/cra-statement.json | Developers, audits |
| README.md | Simplified reference with link | Developers |
| Product website | Compliance section | Customers |
| Release notes | Reference to current statement | All |
→ Publication strategy details: 9.2 Publication Strategy
9.1.7 Cross-References
| Document | Link |
|---|---|
| EU Declaration of Conformity (Annex V) | 7.8 EU Declaration of Conformity |
| Simplified DoC (Annex VI) | 7.9 Simplified DoC |
| User Information (Annex II) | 7.10 User Information |
| CE Marking | 7.7 CE Marking |
| Template | A.9 CRA Compliance Statement |