Skip to main content

CRA Technical Documentation: Your Software's Compliance Bible

Under the CRA, your 'Technical Documentation' is the comprehensive evidence file that backs up your claim of conformity, as stated in your EU Declaration of Conformity (Article 31(1) of the CRA legal text). It’s the detailed record demonstrating how your software product (your game, app, library, or engine) and your processes meet the essential cybersecurity requirements.

What It Must Contain

As per Annex VII of the CRA legal text, it must include, at a minimum:

  • General Product Description: Intended purpose, versions, user instructions (Annex VII, point 1).
  • Design, Development, Production, and Vulnerability Handling: Details on your secure development lifecycle, system architecture, your vulnerability handling processes (including your SBOM and coordinated disclosure policy), and how you manage updates (Annex VII, point 2).
  • Cybersecurity Risk Assessment: Your documented risk assessment (Article 13(2), Annex VII, point 3).
  • Support Period Rationale: Information on how you determined the product's support period (Annex VII, point 4).
  • Conformity Evidence: A list of harmonised standards, common specifications, or other solutions applied to meet requirements (Annex VII, point 5).
  • Test Reports: Results of tests verifying conformity (Annex VII, point 6).
  • Copy of EU DoC (Annex VII, point 7).

This documentation must be drawn up before placing the product on the market, kept for 10 years (or the support period, if longer), and made available to market surveillance authorities upon request (Article 13(13), Article 31(2) of the CRA legal text). For micro and small enterprises, a simplified format will be available (Recital 93, Article 33(5) of the CRA legal text).

Key Takeaway

Your Technical Documentation is the detailed proof behind your CRA compliance claims; it must be thorough, maintained, and ready for official inspection for years after your software's release.