This document is under active development and has not been finalised.

9.4 Maintenance & Updates

9.4.1 Update Triggers

The CRA Compliance Statement must be updated upon the following events:

| Trigger | Affected Fields | Deadline | Priority |
|---|---|---|---|
| New major/minor release | product.version, conformity.*, sbom_url | Before placing on the market | 🔴 High |
| Change in CRA product category | cra_classification.* | Immediately | 🔴 High |
| New/changed harmonised standards | harmonised_standards[] | Within 30 days | 🟡 Medium |
| New CRA delegated/implementing acts | Depends on content | Within 30 days | 🟡 Medium |
| Change in support period | support_period.* | Immediately | 🔴 High |
| Change of conformity module | cra_classification.conformity_module | Before next release | 🟡 Medium |
| Change in manufacturer data | manufacturer.* | Within 14 days | 🟢 Low |
| New Vulnerability Disclosure Policy | security_documentation.* | Within 14 days | 🟡 Medium |

LEGAL BASIS

Art. 10(12) CRA: "The manufacturer shall ensure that the product [...] remains in conformity with the essential requirements throughout the support period."

This implies the obligation to keep the public compliance presentation up to date as well.

9.4.2 Review Cycle

Regular Reviews

| Cycle | Scope | Responsible |
|---|---|---|
| Every release | Full review of all fields | Product Owner |
| Semi-annually | Proactive review even without release | Security Lead |
| Annually | Alignment with current CRA state (delegated acts) | Compliance Officer |

Review Checklist

  • [ ] All required fields populated and current?
  • [ ] Referenced URLs reachable?
  • [ ] Support period still valid?
  • [ ] DoC date current (for new release)?
  • [ ] SBOM link points to current version?
  • [ ] Harmonised standards still applicable?
  • [ ] Product category still correct?

9.4.3 Versioning

CRA Compliance Statements are versioned alongside the product code:

| Aspect | Rule |
|---|---|
| Storage | .compliance/cra-statement.json in the product repository |
| Versioning | Git history = audit trail |
| Change log | metadata.statement_version is incremented with each content change |
| Release coupling | Statement is frozen with the release tag |

Example Workflow

1. Developer updates .compliance/cra-statement.json
2. Pull request / code review
3. CI validates JSON schema (→ 9.3)
4. Merge into main
5. Release tag → statement is automatically published (→ 9.2)

9.4.4 Responsibilities

| Role | Task | When |
|---|---|---|
| Product Owner | Content accuracy, recognising triggers | Every release |
| Security Lead | Verifying security-relevant fields (SBOM, CVD, standards) | Semi-annually + upon incidents |
| DevOps | Maintaining CI/CD pipeline, ensuring schema validation | Upon pipeline changes |
| Compliance Officer | Identifying regulatory changes, initiating schema updates | Annually + ad hoc |

9.4.5 Automation

CI/CD Checks

| Check | When | Action on Failure |
|---|---|---|
| JSON schema validation | Every PR/push | Block build |
| Required field completeness | Every PR/push | Block build |
| URL reachability | Weekly (scheduled) | Warning in Slack/Teams |
| Support expiry warning | Daily | Alert 90/30/7 days before expiry |
| Statement age warning | Monthly | Alert if >6 months without update |
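
A sketch of the support expiry and statement age checks from the table above, added here as an example and not taken from the project's own pipeline. The field names `support_period.end_date` and `metadata.last_updated` are assumptions (only `support_period.phase` and its `eol` value appear in this document), and ">6 months" is approximated as 183 days.

```python
import json
from datetime import date

EXPIRY_THRESHOLDS = (7, 30, 90)  # alert days from the table, tightest first
MAX_AGE_DAYS = 183               # ">6 months" approximated in days (assumption)

# Constructed sample statement; end_date and last_updated are assumed field names.
SAMPLE = json.loads("""
{
  "metadata": {"last_updated": "2025-01-10"},
  "support_period": {"phase": "active", "end_date": "2025-09-30"}
}
""")

def check_statement(stmt, today):
    """Return (check, detail) findings for the daily and monthly jobs."""
    support = stmt["support_period"]
    if support.get("phase") == "eol":
        return []  # assumption: an EOL statement is frozen, so neither alert applies
    findings = []
    days_left = (date.fromisoformat(support["end_date"]) - today).days
    if days_left < 0:
        # Support ended but the phase was never switched to eol.
        findings.append(("support_expired", f"ended {-days_left} days ago, phase is not eol"))
    else:
        for threshold in EXPIRY_THRESHOLDS:
            if days_left <= threshold:
                findings.append(("support_expiring", f"{days_left} days left (<= {threshold})"))
                break
    age = (today - date.fromisoformat(stmt["metadata"]["last_updated"])).days
    if age > MAX_AGE_DAYS:
        findings.append(("statement_stale", f"{age} days since last update"))
    return findings

if __name__ == "__main__":
    for check, detail in check_statement(SAMPLE, date.today()):
        print(f"{check}: {detail}")
```

The third branch catches the case the thresholds alone miss: a support period that has already ended while the statement still reports a phase other than `eol`.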

Automatic Publication

Release tag → CI/CD → compliance portal updated

Details: 9.2.6 CI/CD Integration

Notifications

| Event | Channel | Recipients |
|---|---|---|
| Statement published | Slack/Teams | Product Owner, Security Lead |
| Validation failed | CI/CD | Developers |
| Support expiring | Email + Slack | Product Owner, Management |
| Statement stale (>6 months) | Slack | Product Owner |

9.4.6 Special Cases

Product End-of-Life

When a product reaches the end of its support period:

  1. Set support_period.phase to eol
  2. Compliance statement remains published (10-year retention requirement, Art. 10(13))
  3. Reference to successor product (if available)
  4. No further security updates — communicate clearly

Substantial Modification (Art. 20)

In case of a substantial modification:

  1. Conduct a new conformity assessment (→ 1.8 Substantial Modifications)
  2. Issue a new EU Declaration of Conformity
  3. Fully update the CRA Compliance Statement
  4. Publish as a new version on the portal

9.4.7 Cross-References

| Topic | Link |
|---|---|
| JSON schema and validation | 9.3 Machine-Readable Format |
| Publication pipeline | 9.2 Publication Strategy |
| Support & Lifecycle | 6.4 Support & Lifecycle |
| Substantial Modifications | 1.8 Substantial Modifications |
| SBOM retention | 2.3 Archival & Retention |

Documentation licensed under CC BY-NC 4.0 · Code licensed under MIT