Keeping Software Technical Documentation Up-to-Date and Available
Your Technical Documentation under the Cyber Resilience Act (CRA) is not a static artifact you create once and then archive. For any software product like an app or a game, it must be a living file that reflects the current state of your product and its compliance.
The Update Requirement
Article 31, Paragraph 2, states that the Technical Documentation "shall be continuously updated, where appropriate, at least during the support period". This means as your software evolves, so too must its documentation.
Key triggers for an update include:
- A substantial modification to your software.
- The release of new versions with different security features.
- Changes to your risk assessment based on new threats.
- Updates to your vulnerability handling processes.
- The application of new or revised harmonised standards.
The Availability Requirement
You must keep this documentation available for oversight. Article 13, Paragraph 13, sets the timeline: you must keep the Technical Documentation and the EU Declaration of Conformity "at the disposal of the market surveillance authorities for at least 10 years after the product with digital elements has been placed on the market or for the support period, whichever is longer".
This long-term availability ensures accountability even years after your software's initial release. You need a reliable system for storing and retrieving this information upon a reasoned request from an authority.
FOSS Exception Note
It is worth noting that for important free and open-source software using the self-assessment route, the manufacturer must make the technical documentation publicly available at the time of placing on the market (Article 32, Paragraph 5).
Key Takeaway
Your software's Technical Documentation must be kept updated throughout the product's support period and remain available for authorities for at least 10 years after market placement or for the support period, whichever is longer.