Annex VII – Technical Documentation Guide
Overview
Annex VII of the CRA defines the complete content of the technical documentation that every manufacturer must create and retain for 10 years. This guide explains each requirement and names the document in which it is covered.
LEGAL BASIS
Art. 31 CRA: The technical documentation shall be drawn up before the product is placed on the market and shall be kept up to date on a continuous basis.
Annex VII CRA: Content of the technical documentation.
Requirement 1 – General Product Description
Annex VII No. 1: A general description of the product with digital elements, including:
| Element | Description | Documentation Location |
|---|---|---|
| Intended Use | Purpose, target audience, usage scenarios | Product Description |
| Versions | Affected software/firmware versions | Release Notes, SBOM |
| Hardware Requirements | Required hardware platform, if applicable | Product Description |
| Basic Characteristics | Functional scope, core functions | Product Description |
Implementation: One document per product following the Product Description Template.
Requirement 2 – Design and Development Description
Annex VII No. 2: Description of the design and development processes, including:
| Element | Description | Documentation Location |
|---|---|---|
| Security Architecture | Overview of security measures | Security Architecture |
| Data Processing | What data is processed, data flows | Security Architecture |
| Threat Model | Identified threats and countermeasures | Risk Assessment |
| Design Decisions | Security-relevant architectural decisions | Security Architecture |
Requirement 3 – Cybersecurity Risk Assessment
Annex VII No. 3: The cybersecurity risk assessment pursuant to Art. 10(2), including:
| Element | Description | Documentation Location |
|---|---|---|
| Methodology | Applied risk assessment method | Risk Assessment Template |
| Identified Risks | List of cybersecurity risks | Risk Assessment |
| Evaluation | Likelihood × Impact | Risk Assessment |
| Measures | Risk mitigation measures | Risk Assessment |
| Residual Risks | Accepted residual risks with justification | Risk Assessment |
Requirement 4 – Vulnerability Handling
Annex VII No. 4: Description of vulnerability handling processes:
| Element | Description | Documentation Location |
|---|---|---|
| Monitoring | How vulnerabilities are identified | CVE Monitoring |
| Assessment | How vulnerabilities are assessed | Risk Assessment |
| Remediation | How vulnerabilities are remediated | Patch Management |
| Disclosure | How vulnerabilities are disclosed | Disclosure Policy |
| SBOM | Machine-readable SBOM | SBOM & Signing |
Requirement 5 – Applied Standards and Specifications
Annex VII No. 5: List of applied harmonised standards, Common Specifications or cybersecurity certification schemes:
| Standard | Scope | Status |
|---|---|---|
| ISO/IEC 27001 | Information Security Management System | Reference |
| ISO/IEC 29147 | Vulnerability Disclosure | Applied |
| ISO/IEC 30111 | Vulnerability Handling | Applied |
| CycloneDX v1.6 | SBOM Format | Applied |
| Sigstore/Cosign | Artifact Signing | Applied |
| OWASP ASVS | Application Security Verification | Reference |
| IEC 62443 | Industrial Cybersecurity | If industrial products |
Note: Harmonised standards specific to the CRA are under development. This list will be updated once they are published.
HARMONISED STANDARDS
Once harmonised standards for the CRA are published, these will enable the presumption of conformity. The application of harmonised standards is particularly critical for Class I with Module A.
Requirement 6 – Test Results
Annex VII No. 6: Results of the tests and examinations performed:
| Test Type | Description | Tooling |
|---|---|---|
| Static Analysis (SAST) | Source code analysis for vulnerabilities | SonarQube, Semgrep |
| Dynamic Analysis (DAST) | Runtime testing for vulnerabilities | OWASP ZAP, Burp |
| Dependency Scanning | Verification of dependencies | Trivy, Grype, Snyk |
| Container Scanning | Verification of container images | Trivy |
| Secret Scanning | Search for secrets in code | Gitleaks, GitGuardian |
| Penetration Testing | Manual security testing | External (for Class I+) |
| Fuzzing | Robustness testing | AFL, libFuzzer |
Retention: Test results are archived as CI/CD artifacts and are accessible via the repository.
Requirement 7 – Conformity Assessment Results
Annex VII No. 7: Results of the conformity assessment:
| Procedure | Documentation | Documentation Location |
|---|---|---|
| Module A | Self-assessment report | Internal Control |
| Module B+C | EU type-examination certificate | Module B+C |
| Module H | QMS certificate | Module H |
| EUCC | Cybersecurity certificate | EUCC |
Requirement 8 – EU Declaration of Conformity
Annex VII No. 8: Copy of the EU Declaration of Conformity:
Requirement 9 – Support Period
Annex VII No. 9: Determination of the Support Period:
Completeness Checklist
- [ ] No. 1: Product description created
- [ ] No. 2: Design and development processes documented
- [ ] No. 3: Cybersecurity risk assessment performed
- [ ] No. 4: Vulnerability handling documented
- [ ] No. 4: SBOM generated and archived
- [ ] No. 5: Applied standards listed
- [ ] No. 6: Test results documented and archived
- [ ] No. 7: Conformity assessment results documented
- [ ] No. 8: EU Declaration of Conformity created
- [ ] No. 9: Support Period determined
- [ ] All documents archived (10-year retention)
- [ ] All documents versioned (Git)