CRA documentation

Your product security documentation is crucial for compliance with the Cyber Resilience Act. It must comprehensively cover all security developments, assessments, vulnerabilities, updates and patches identified or implemented throughout the product's lifecycle.

Documentation: a vector of information on security activities for authorities & end-users

Product technical documentation will serve as a vector of information on security activities for verification authorities and end-customers.

Equipment manufacturers should methodically document cybersecurity risks associated with their products, encompassing known vulnerabilities and pertinent data from external sources. This documentation not only aids in internal decision-making processes but also fosters transparency and accountability in adherence to regulatory requirements. As mandated by regulations, manufacturers must include vulnerabilities list, third-party information, and periodic risk assessments.

Cyber Resilience Act documentation requirements

Documentation: a comprehensive security manual

At minimum, the product with digital elements shall be accompanied by:

  • the name, email address and the website of the manufacturer
  • the single point of contact where information about vulnerabilities of the product with digital elements can be reported and received
  • the correct identification of the type, batch, version or serial number or other element allowing the identification of the product
  • the intended use, including the security environment provided by the manufacturer, as well as the product’s essential functionalities and information about the security properties
  • any known or foreseeable circumstance, related to the use of the product with digital elements in accordance with its intended purpose or under conditions of reasonably foreseeable misuse, which may lead to significant cybersecurity risks
  • the link to the declaration of conformity
  • the type of technical security support offered by the manufacturer
  • how changes to the product with digital elements can affect the security of data.
  • how security-relevant updates can be installed
  • information on how user data can be securely removed
“Ensuring thorough documentation within user guides or integration manuals is essential. It's crucial that this documentation clearly outlines the requirements for securely utilizing the product's security functionalities. This aspect is particularly critical for products destined for integration into larger systems, where the integration guide also serves as a security manual. It meticulously details the essential points necessary to maintain security integrity without compromise. By providing comprehensive documentation, users can navigate the product's security features confidently, thereby minimizing the risk of inadvertently compromising system security.”
Julien Bernet - Cybersecurity Leader - The Embedded Kit
Julien Bernet
Cybersecurity leader

The documentation should be maintained for 10 years

Furthermore, manufacturers are obligated to maintain technical documentation and EU conformity declarations for a period of ten years following the product’s market introduction, ensuring accessibility to market surveillance authorities.

Consult our comprehensive dossier on the CRA

Read the dossier
Download the dossier in pdf

Related content

Discover more from The Embedded Kit

Subscribe now to keep reading and get access to the full archive.

Continue reading