Technical Documentation Requirements for Software Self-Assessment
When you're self-assessing your game, app, or software under Module A of the Cyber Resilience Act (CRA), your technical documentation is your primary evidence of compliance. Article 31 and Annex VII lay out what it needs to contain. This isn't just a formality; it's what market surveillance authorities will examine.
What to Include for Software
For software products, your technical documentation must contain, as applicable:
- General Description: Intended purpose, software versions affecting CRA compliance, and user information/instructions (Annex II). For software, "photographs or illustrations" might translate to screenshots of key UI elements or architecture diagrams.
- Design, Development, Production, and Vulnerability Handling:
  - Information on software design and development, including system architecture (how components interact).
  - Details of your vulnerability handling processes: your Software Bill of Materials (SBOM), coordinated vulnerability disclosure policy, contact for reporting vulnerabilities, and how you securely distribute updates (Annex VII, point 2b).
  - Information on your "production" (build/release) and monitoring processes.
- Cybersecurity Risk Assessment: Your documented assessment as per Article 13, showing how Annex I requirements apply.
- Support Period Rationale: Information used to determine the support period (Annex VII, point 4; Article 13, Paragraph 8).
- Standards and Specifications: A list of any harmonised standards, common specifications, or EU cybersecurity schemes applied. If not, a description of how you met the essential requirements, including other technical specs used (Annex VII, point 5).
- Test Reports: Evidence of tests carried out to verify conformity with Annex I requirements (for both product properties and vulnerability handling).
- EU Declaration of Conformity: A copy of it.
- SBOM (Potentially for Authorities): Be prepared to provide your SBOM to market surveillance authorities upon a reasoned request if it's necessary for them to check compliance (Annex VII, point 8).
Living Document
This documentation must be drawn up before your software is placed on the market and kept updated, especially during the support period (Article 31, Paragraph 2).
Key Takeaway
Your technical documentation for software self-assessment is a comprehensive dossier proving CRA compliance. It details your product, risks, security measures, vulnerability management, and conformity claims.