CRA CE Marking Conformity

CRA Declaration of Conformity: Template and Step-by-Step Writing Guide

How to write a compliant EU Declaration of Conformity for CRA. Includes ready-to-use template, required elements checklist, and common mistakes to avoid.

CRA Evidence Team
Author
January 18, 2026
Updated March 21, 2026, 12:00:00 AM UTC
18 min read
CRA Declaration of Conformity: Template and Step-by-Step Writing Guide
In this article

Every product with digital elements needs an EU Declaration of Conformity before it can legally carry the CE marking. The DoC is your formal statement that the product meets CRA requirements. You are legally responsible for its accuracy.

This guide provides a complete template and explains each required element.

Summary

  • EU Declaration of Conformity (DoC) is mandatory for all CRA products and must be in place before market placement
  • Must be signed by the manufacturer or an authorized representative established in the EU
  • Required elements are defined in CRA Article 28 and Annex V
  • Must be provided in the language(s) required by each Member State where the product is sold (Article 28(2))
  • Retain for at least 10 years after market placement, or for the length of the support period, whichever is longer (Article 13(13))
  • A substantial modification requires a new DoC, issued by whoever made the change
  • A template is provided below. Adapt it for your product.

Important: Signing a DoC without completing conformity assessment violates both Article 13 (up to €15M or 2.5% of global annual turnover) and Article 28 (up to €10M or 2% of global annual turnover).

Tip: Include the product support period (minimum 5 years) and vulnerability contact point in your DoC. This is not required by Annex V, but it improves regulatory transparency.

What Is the EU Declaration of Conformity?

The EU Declaration of Conformity is a formal legal document in which the manufacturer declares that a product complies with applicable EU legislation. It is mandatory for all products with digital elements before they can bear the CE marking. For CRA products, it must state:

  • The product meets the essential cybersecurity requirements (Annex I)
  • Conformity assessment has been completed
  • The manufacturer takes legal responsibility

Without a signed DoC, your product cannot bear the CE marking and cannot be legally placed on the EU market.

What Does the CRA Require in the DoC?

Legal Basis

CRA Article 28 specifies DoC requirements, referencing the structure in Annex V. The DoC must be:

  • Drawn up before placing the product on the market (Article 13(12))
  • Updated as appropriate when the product or compliance status changes (Article 28(2))
  • Provided in the language(s) required by each Member State where the product is placed (Article 28(2))
  • Retained for at least 10 years after placing on the market, or for the length of the support period, whichever is longer (Article 13(13))

Note: Article 28(3) allows manufacturers subject to multiple EU regulations to draw up a single combined DoC covering all applicable acts. See the "Multiple Regulations" template variation below.

Required Elements

# Element What to include Source
1 Date of issue Date you sign the declaration. Must be after conformity assessment is complete. Annex V, item 1
2 Manufacturer identification Full legal name, postal address, contact information Annex V, item 2
3 Sole responsibility statement Exact wording: "This declaration of conformity is issued under the sole responsibility of the provider" Annex V, item 3
4 Product identification Name, type, model, batch or serial number; optional photograph where appropriate Annex V, item 4
5 Conformity statement Confirm the product is in conformity with Regulation (EU) 2024/2847 Annex V, item 5
6 Standards and certifications applied Harmonized standards relied on; any European cybersecurity certificates used Annex V, item 6
7 Notified Body details Name, number, and certificate reference. Required only when a third-party assessment module was used. Annex V, item 7
8 Signature Full name, title/function, place, date; handwritten or qualified electronic signature Annex V, item 8

Note: A declaration number is not required by Annex V, but strongly recommended for version control and internal tracking.

Complete DoC Template

Use this as a starting point. Customize the bracketed sections for your product.

Note: Section 3 of the template contains a legally required verbatim phrase (Annex V, item 3). Do not paraphrase it:

"This declaration of conformity is issued under the sole responsibility of the provider."

═══════════════════════════════════════════════════════════════
                 EU DECLARATION OF CONFORMITY
                    (Cyber Resilience Act)
═══════════════════════════════════════════════════════════════

Declaration No.: [DoC-PRODUCT-YYYY-NNN]
Date of Issue: [DD Month YYYY]

───────────────────────────────────────────────────────────────
1. MANUFACTURER
───────────────────────────────────────────────────────────────

Name:           [Company Legal Name]
Address:        [Street Address]
                [Postal Code, City]
                [Country]
Contact:        [Email / Phone]
Website:        [URL]

───────────────────────────────────────────────────────────────
2. PRODUCT IDENTIFICATION
───────────────────────────────────────────────────────────────

Product Name:   [Product Name]
Model/Type:     [Model Number / Type Designation]
Hardware Ver:   [Hardware Version, if applicable]
Software Ver:   [Software/Firmware Version]
Batch/Serial:   [Batch number range or serial number format]
Product Photo:  [Optional photograph for traceability, where appropriate]

Product Description:
[Brief description of the product and its intended purpose,
sufficient to identify the product unambiguously]

───────────────────────────────────────────────────────────────
3. DECLARATION
───────────────────────────────────────────────────────────────

This declaration of conformity is issued under the sole
responsibility of the provider.

The object of the declaration described above is in conformity
with the relevant Union harmonisation legislation:

     Regulation (EU) 2024/2847 of the European Parliament
      and of the Council of 23 October 2024 on horizontal
      cybersecurity requirements for products with digital
      elements (Cyber Resilience Act)

    [ Additional applicable legislation, e.g.:
     Directive 2014/53/EU (Radio Equipment Directive)
     Regulation (EU) 2023/1230 (Machinery Regulation)
     etc.]

───────────────────────────────────────────────────────────────
4. CONFORMITY ASSESSMENT
───────────────────────────────────────────────────────────────

Conformity assessment procedure applied:

    [Choose one:]

     Module A (Internal Production Control)
      Based on Annex VIII of Regulation (EU) 2024/2847

     Module B + C (EU-Type Examination + Conformity to Type)
      Based on Annex VIII of Regulation (EU) 2024/2847
      Notified Body: [Name], No. [XXXX]
      EU-Type Examination Certificate: [Certificate Number]
      Date: [Certificate Date]

     Module H (Full Quality Assurance)
      Based on Annex VIII of Regulation (EU) 2024/2847
      Notified Body: [Name], No. [XXXX]
      QA System Certificate: [Certificate Number]
      Date: [Certificate Date]

     European Cybersecurity Certification Scheme (Article 27(9))
      Certificate issued under a scheme adopted pursuant to
      Regulation (EU) 2019/881 (Cybersecurity Act)
      Certification scheme: [Name]
      Certificate number: [Number]
      Assurance level: [Substantial / High]

───────────────────────────────────────────────────────────────
5. STANDARDS AND SPECIFICATIONS APPLIED
───────────────────────────────────────────────────────────────

Harmonised standards applied:
[List all harmonised standards used, with full references]

     EN [XXXXX]:20XX - [Standard Title]
     EN [XXXXX]:20XX - [Standard Title]

Other technical specifications applied:
[List any other standards or specifications used]

     ISO/IEC [XXXXX]:20XX - [Standard Title]
     [Other specifications]

Cybersecurity certifications applied (if applicable):
[List any European cybersecurity certificates per Annex V item 6]

     [Certification scheme name - Certificate reference]

───────────────────────────────────────────────────────────────
6. ADDITIONAL INFORMATION (CRA-Specific)
───────────────────────────────────────────────────────────────

Support Period:
Security updates will be provided until: [DD Month YYYY]
(Minimum 5 years from date of market placement)

First EU Market Placement: [DD Month YYYY]

Cybersecurity Contact:
For vulnerability reports and security inquiries:
    Email: [security@company.com]
    Web:   [https://company.com/security]
    security.txt: [https://company.com/.well-known/security.txt]

Technical Documentation:
Technical documentation is available upon request to
competent authorities at the address above.

───────────────────────────────────────────────────────────────
7. SIGNATURE
───────────────────────────────────────────────────────────────

Signed for and on behalf of:

[Company Legal Name]


_________________________________
[Full Name]
[Title/Function]

Place: [City, Country]
Date:  [DD Month YYYY]

═══════════════════════════════════════════════════════════════
                         END OF DECLARATION
═══════════════════════════════════════════════════════════════

Section-by-Section Guidance

1. Document Identification

Declaration Number: Not required by Annex V but strongly recommended as best practice for version control and internal tracking. Recommended format:

  • DoC-[ProductCode]-[Year]-[Sequence]
  • Example: DoC-SSP3000-2027-001

Date of Issue: The date you sign the declaration. Must be after conformity assessment is complete.

2. Manufacturer Identification

Who signs the DoC?

  • The manufacturer — the entity that designed, produced, or markets the product under its own name
  • OR an authorized representative established in the EU, acting under a written mandate

If the manufacturer has no establishment in the EU, appointing an authorized representative is required. Add:

Authorized Representative: [Name, Address]
acting on behalf of: [Manufacturer Name, Address]

3. Product Identification

Be specific enough for traceability:

  • Include model numbers, not just product names
  • Specify version numbers for hardware and software separately
  • Indicate batch or serial number scope

Example:

Product Name:   SmartSense Pro Industrial Sensor
Model/Type:     SSP-3000
Hardware Ver:   Rev C (PCB v3.2)
Software Ver:   Firmware 2.4.1
Batch/Serial:   Serial numbers SSP3K-2027-XXXXXX

4. Conformity Assessment

Which module you must use depends on your product's classification. Use this table to orient yourself:

Module When it applies Notified Body?
Module A — Internal Production Control Default products; Class I with harmonized standards No
Module B+C — EU-Type Examination All products; mandatory for Class II (unless H); mandatory for Class I without harmonized standards Yes
Module H — Full Quality Assurance All products; alternative to B+C for Class I and II Yes
EUCC / Cybersecurity scheme Products holding a European cybersecurity certificate at assurance level ≥ Substantial (Article 27(9)) No additional third-party assessment required

Note: For Critical products (Annex IV), EU-type examination must be performed by a specialized notified body. See CRA Conformity Assessment Decision Guide for the full routing logic.

Use this flowchart to identify your path:

flowchart TD
    A["What is your product class?"] --> B["Default\n(not Annex III/IV)"]
    A --> C["Class I\n(Annex III)"]
    A --> D["Class II\n(Annex III)"]
    A --> E["Critical\n(Annex IV)"]
    B --> F["Module A, B+C, or H\nyour choice"]
    C --> G{"Harmonized standards\nfully applied?"}
    G -->|Yes| H["Module A available\nor B+C / H"]
    G -->|No| I["Module B+C or H\nNotified Body required"]
    D --> J["Module B+C or H\nNotified Body required"]
    E --> K["EU-type examination\nspecialised Notified Body"]

5. Standards Applied

Harmonized Standards:

  • Standards published in the Official Journal of the EU
  • Create a presumption of conformity for the requirements they cover
  • Include full reference: number, year, title

Format:

EN 303 645:2020 - Cyber Security for Consumer Internet of Things: Baseline Requirements

If no harmonized standards exist: State: "No harmonised standards applied. Conformity demonstrated through [describe approach]."

Cybersecurity Certifications (Annex V, item 6): If a European cybersecurity certificate was relied on during conformity assessment, list it here with the scheme name and certificate reference number.

6. CRA-Specific Additional Information

This section is not required by Annex V, but including it improves regulatory transparency:

Support Period: State when security updates end. Must be at least 5 years from market placement (Article 13(8)).

Cybersecurity Contact: Where vulnerability reports should be sent, including a reference to your security.txt file.

Note: The support period end date must also appear at the point of purchase under Article 13(19). Including it in the DoC is best practice, but it does not substitute for point-of-purchase communication.

7. Signature

Who can sign:

  • A person authorized to legally commit the manufacturer
  • Typically: CEO, Director, Quality Manager, or Regulatory Affairs Lead

Requirements:

  • Full name and title/function
  • Place and date (date must be after assessment completion)
  • Handwritten signature, or a qualified electronic signature

CE Marking and the DoC

For physical products, affix the CE marking visibly, legibly, and indelibly to the product before placing it on the market (Article 30(1)).

For software-only products (Article 30(3)), the CE marking is placed either:

  • Directly on the EU Declaration of Conformity, or
  • On the product's website — in a section that is easily and directly accessible to users

Note: The CE marking must be affixed before placing the product on the market, not after. For software products, ensure the DoC or website section is live before any distribution begins.

Does the DoC Need to Be Translated?

Yes. Article 28(2) requires that the DoC be made available in the language(s) required by each Member State in which the product is placed on the market.

In practice:

  • Selling only in Germany → a German DoC is required
  • Selling across the EU → you will need multiple language versions
  • Keep all language versions in the technical file

The simplified EU DoC (Annex VI) and the URL pointing to the full DoC must also be in the required language(s). The URL itself must remain stable and accessible.

When Do You Need Multiple DoCs?

One DoC Per Product Type

Each distinct product model or type generally needs its own DoC.

Can be covered by a single DoC when:

  • Products are variants of the same type
  • The same conformity assessment applies to all variants
  • The same standards were applied

Example:

Product Name:   SmartSense Pro Industrial Sensor
Model/Type:     SSP-3000 (all variants)
                - SSP-3000-WiFi
                - SSP-3000-LoRa
                - SSP-3000-Cellular

When Does a Modification Require a New DoC?

Warning: A substantial modification — any change that affects the product's compliance with CRA essential requirements (Annex I, Part I) or changes the product's intended purpose — triggers a mandatory new DoC (Article 28). Whoever carries out the substantial modification becomes the manufacturer of the modified product and must issue the new DoC. This applies equally to the original manufacturer making major updates and to a third party that modifies and resells the product.

Scenario New DoC required?
New hardware version that affects security characteristics Yes, substantial modification
Firmware update that introduces new interfaces or new threat vectors Yes, altered cybersecurity risk profile
Firmware update that changes the product's intended purpose Yes, substantial modification
Security patch (same architecture, no new risk, reduces CVEs) Case by case
Change to applied harmonized standards or conformity assessment certificate Yes
Cosmetic, documentation-only, or localization change No
Third party substantially modifies the product and places it on the market Yes, third party issues the new DoC as the new manufacturer

For the manufacturer's own iterative software releases: if the update is not a substantial modification, the existing DoC remains valid. You must be able to demonstrate this to market surveillance authorities — performing a cybersecurity risk assessment per Article 13(2) is the explicit mechanism the guidance recommends for this.

DoC Distribution

With the product (Article 13(20)): Article 13(20) requires you to provide either:

  • The full Annex V DoC, or
  • A simplified EU DoC containing the exact internet address where the full DoC can be found

You are not required to include both.

On request:

  • Must be provided to market surveillance authorities
  • Should be provided to customers upon request

Simplified EU Declaration of Conformity

Article 13(20) allows manufacturers to ship a simplified EU Declaration of Conformity with the product in place of the full Annex V document. The simplified form is defined in Annex VI and consists of exactly two sentences:

Hereby, [name of manufacturer] declares that the product with digital elements
type [designation] is in compliance with Regulation (EU) 2024/2847.

The full text of the EU declaration of conformity is available at the
following internet address: [URL]

This is particularly useful for:

  • Software products where including a full legal document with each distribution is impractical
  • Hardware products with limited packaging space
  • Any product where the full DoC is published online

Requirements:

  • The full Annex V DoC must exist and be publicly accessible at the stated URL
  • The simplified declaration must include the URL (Article 13(20))
  • The full DoC remains mandatory in the technical file and for authority requests

Best practices for the URL:

  • Use a stable URL — do not change it after products are distributed
  • Accessible without registration or login
  • The page should allow the DoC to be downloaded or printed

Common Mistakes

Mistake Why it matters Fix
Missing required elements — e.g., no conformity assessment module stated DoC is non-compliant Use the checklist before signing; verify every Annex V item
Wrong entity signs — importer or distributor signs instead of manufacturer DoC is legally invalid Only the manufacturer (or authorized representative with mandate) may sign
Outdated standards references — withdrawn or superseded standards listed Presumption of conformity is lost Review applied standards regularly; update DoC when standards change
No version control — multiple DoC versions exist with no clear current version Audit and enforcement risk Assign declaration numbers; archive superseded versions
Signing before assessment is complete — DoC dated before conformity activities finished Violates Article 28 Complete all assessment activities first; DoC date must follow assessment
Wrong language — DoC only in English when selling in a non-English-speaking Member State Non-compliant for that market Translate the DoC into each required Member State language (Article 28(2))
No update after substantial modification — original DoC still in use after a material change DoC covers a version it was never assessed for Issue a new DoC whenever a substantial modification occurs

DoC Preparation Checklist

Before Drafting

Item Status
Conformity assessment complete
Test reports available
Technical file prepared
Standards list finalized
Support period determined
Language requirements confirmed for all target Member States

Document Content

Item Status
Unique declaration number assigned
Manufacturer name and address correct
Product fully identified (model, version, batch/serial)
CRA referenced correctly: "Regulation (EU) 2024/2847"
Other applicable legislation listed (if any)
Conformity assessment module stated
Notified Body details included (if applicable)
All applied standards listed with full references
Support period end date included
Security contact information included

Signature

Item Status
Signatory is authorized to commit the manufacturer
Full name and title/function stated
Place and date stated (date after assessment completion)
Signature present (handwritten or qualified electronic)

Distribution

Item Status
Copy accompanies the product (physical or digital link)
Copy in technical file
Available for authority requests
Versions tracked and archived
Language versions prepared for all target Member States
CE marking applied before distribution

DoC Template Variations

For Module A (Self-Assessment)

4. CONFORMITY ASSESSMENT

Conformity assessment procedure applied:

     Module A (Internal Production Control)
      Based on Annex VIII of Regulation (EU) 2024/2847

      The manufacturer has verified that the product meets
      the essential requirements through internal assessment
      documented in the technical file.

For Module B+C (Third-Party)

4. CONFORMITY ASSESSMENT

Conformity assessment procedure applied:

     Module B + C (EU-Type Examination + Conformity to Type)
      Based on Annex VIII of Regulation (EU) 2024/2847

      EU-Type Examination performed by:
      Notified Body: TÜV Rheinland LGA Products GmbH
      Notified Body Number: 0197
      Certificate Number: EU-TYPE-2027-12345
      Certificate Date: 15 January 2027

      The manufacturer ensures production conformity to the
      certified type (Module C) through internal production
      controls.

For Multiple Regulations (Article 28(3))

When a product is subject to both the CRA and other EU legislation, a single combined DoC is permitted under Article 28(3):

3. DECLARATION

The object of the declaration described above is in conformity
with the relevant Union harmonisation legislation:

     Regulation (EU) 2024/2847 (Cyber Resilience Act)

     Directive 2014/53/EU (Radio Equipment Directive)
      Notified Body: [Name], No. [XXXX]
      Certificate: [Number]

     Directive 2014/35/EU (Low Voltage Directive)

Retention Requirements

What to retain Retention period Where
Signed DoC (or authenticated copy) 10 years after market placement, or for the length of the support period, whichever is longer (Article 13(13)) Technical file; accessible to authorities on request
Version history and superseded DoCs Alongside the current DoC Technical file
Supporting documentation referenced in the DoC Alongside the DoC Technical file

How CRA Evidence Helps

CRA Evidence includes DoC management:

  • Template generator: Pre-filled with your product details
  • Version tracking: Manage DoC versions across products
  • Digital distribution: Host DoCs with stable URLs
  • Archive management: 10-year retention with full audit trail
  • Export: Generate compliant DoC documents

Create your Declaration of Conformity at app.craevidence.com.

Related Articles

This article is for informational purposes only and does not constitute legal advice. For specific compliance guidance, consult with qualified legal counsel.

Topics covered in this article

Share this article

Related Articles

Does the CRA apply to your product?

Answer 6 simple questions to find out if your product falls under the EU Cyber Resilience Act scope. Get your result in under 2 minutes.

Check Now

Ready to achieve CRA compliance?

Start managing your SBOMs and compliance documentation with CRA Evidence.

Start 14-Day Free Trial
Back to all articles