User Instructions for Software as Part of Technical Documentation

The information you provide to your users is considered a key part of your software product under the Cyber Resilience Act (CRA). As such, a copy of these instructions must be included in your Technical Documentation.

The Explicit Requirement

Annex VII, point 1(d), of the CRA states that the general description of the product within the Technical Documentation must include the "user information and instructions as set out in Annex II".

This means the documentation you prepare for your users—covering secure installation, operation, and use—is also an official part of the file you present to authorities.

What User Information is Required?

Annex II details the information you must provide to users of your app, game, or software. This includes:

  • Your contact details as the manufacturer.
  • The single point of contact for reporting vulnerabilities.
  • The product's intended purpose and security properties.
  • The end-date of the support period.
  • Instructions for secure installation, operation, use, and decommissioning (including secure data removal).

Why is it in the Technical Documentation?

Including the user instructions in the technical file allows authorities to:

  • Verify Transparency: Check if you are providing users with all the security-relevant information required by Annex II.
  • Assess Risk Communication: Evaluate how you communicate risks and secure usage practices to your users.
  • Ensure Consistency: Confirm that the product's intended purpose described in the instructions matches what's stated elsewhere in your compliance files.

The instructions you provide to your users are a direct reflection of your product's security posture and your commitment to user safety.

Key Takeaway

A complete copy of the information and instructions you provide to your software's users, as detailed in Annex II, is a mandatory component of your Technical Documentation.