CRA Declaration of Conformity: Template and Step-by-Step Writing Guide
How to write a compliant EU Declaration of Conformity for CRA. Includes ready-to-use template, required elements checklist, and common mistakes to avoid.
Every product with digital elements needs an EU Declaration of Conformity before it can legally carry the CE marking. The DoC is your formal statement that the product meets CRA requirements. You are legally responsible for its accuracy.
This guide provides a complete template and explains each required element.
Summary
- The EU Declaration of Conformity (DoC) is mandatory for all CRA products and must be in place before market placement
- Must be signed by the manufacturer or an authorized representative established in the EU
- Required elements are defined in CRA Article 28 and Annex V
- Must be provided in the language(s) required by each Member State where the product is sold (Article 28(2))
- Retain for at least 10 years after market placement, or for the length of the support period, whichever is longer (Article 13(13))
- A substantial modification requires a new DoC, issued by whoever made the change
- A template is provided below. Adapt it for your product.
Important: Signing a DoC without completing conformity assessment violates both Article 13 (up to €15M or 2.5% of global annual turnover) and Article 28 (up to €10M or 2% of global annual turnover).
Tip: Include the product support period (minimum 5 years) and vulnerability contact point in your DoC. This is not required by Annex V, but it improves regulatory transparency.
What Is the EU Declaration of Conformity?
The EU Declaration of Conformity is a formal legal document in which the manufacturer declares that a product complies with applicable EU legislation. It is mandatory for all products with digital elements before they can bear the CE marking. For CRA products, it must state:
- The product meets the essential cybersecurity requirements (Annex I)
- Conformity assessment has been completed
- The manufacturer takes legal responsibility
Without a signed DoC, your product cannot bear the CE marking and cannot be legally placed on the EU market.
What Does the CRA Require in the DoC?
Legal Basis
CRA Article 28 specifies DoC requirements, referencing the structure in Annex V. The DoC must be:
- Drawn up before placing the product on the market (Article 13(12))
- Updated as appropriate when the product or compliance status changes (Article 28(2))
- Provided in the language(s) required by each Member State where the product is placed (Article 28(2))
- Retained for at least 10 years after placing on the market, or for the length of the support period, whichever is longer (Article 13(13))
Note: Article 28(3) allows manufacturers subject to multiple EU regulations to draw up a single combined DoC covering all applicable acts. See the "Multiple Regulations" template variation below.
Required Elements
| # | Element | What to include | Source |
|---|---|---|---|
| 1 | Date of issue | Date you sign the declaration. Must be after conformity assessment is complete. | Annex V, item 1 |
| 2 | Manufacturer identification | Full legal name, postal address, contact information | Annex V, item 2 |
| 3 | Sole responsibility statement | Exact wording: "This declaration of conformity is issued under the sole responsibility of the provider" | Annex V, item 3 |
| 4 | Product identification | Name, type, model, batch or serial number; optional photograph where appropriate | Annex V, item 4 |
| 5 | Conformity statement | Confirm the product is in conformity with Regulation (EU) 2024/2847 | Annex V, item 5 |
| 6 | Standards and certifications applied | Harmonized standards relied on; any European cybersecurity certificates used | Annex V, item 6 |
| 7 | Notified Body details | Name, number, and certificate reference. Required only when a third-party assessment module was used. | Annex V, item 7 |
| 8 | Signature | Full name, title/function, place, date; handwritten or qualified electronic signature | Annex V, item 8 |
Note: A declaration number is not required by Annex V, but strongly recommended for version control and internal tracking.
Complete DoC Template
Use this as a starting point. Customize the bracketed sections for your product.
Note: Section 3 of the template contains a legally required verbatim phrase (Annex V, item 3). Do not paraphrase it:
"This declaration of conformity is issued under the sole responsibility of the provider."
═══════════════════════════════════════════════════════════════
EU DECLARATION OF CONFORMITY
(Cyber Resilience Act)
═══════════════════════════════════════════════════════════════
Declaration No.: [DoC-PRODUCT-YYYY-NNN]
Date of Issue: [DD Month YYYY]
---------------------------------------------------------------
1. MANUFACTURER
---------------------------------------------------------------
Name: [Company Legal Name]
Address: [Street Address]
[Postal Code, City]
[Country]
Contact: [Email / Phone]
Website: [URL]
---------------------------------------------------------------
2. PRODUCT IDENTIFICATION
---------------------------------------------------------------
Product Name: [Product Name]
Model/Type: [Model Number / Type Designation]
Hardware Ver: [Hardware Version, if applicable]
Software Ver: [Software/Firmware Version]
Batch/Serial: [Batch number range or serial number format]
Product Photo: [Optional photograph for traceability, where appropriate]
Product Description:
[Brief description of the product and its intended purpose,
sufficient to identify the product unambiguously]
---------------------------------------------------------------
3. DECLARATION
---------------------------------------------------------------
This declaration of conformity is issued under the sole
responsibility of the provider.
The object of the declaration described above is in conformity
with the relevant Union harmonisation legislation:
• Regulation (EU) 2024/2847 of the European Parliament
and of the Council of 23 October 2024 on horizontal
cybersecurity requirements for products with digital
elements (Cyber Resilience Act)
[• Additional applicable legislation, e.g.:
• Directive 2014/53/EU (Radio Equipment Directive)
• Regulation (EU) 2023/1230 (Machinery Regulation)
• etc.]
---------------------------------------------------------------
4. CONFORMITY ASSESSMENT
---------------------------------------------------------------
Conformity assessment procedure applied:
[Choose one:]
☐ Module A (Internal Production Control)
Based on Annex VIII of Regulation (EU) 2024/2847
☐ Module B + C (EU-Type Examination + Conformity to Type)
Based on Annex VIII of Regulation (EU) 2024/2847
Notified Body: [Name], No. [XXXX]
EU-Type Examination Certificate: [Certificate Number]
Date: [Certificate Date]
☐ Module H (Full Quality Assurance)
Based on Annex VIII of Regulation (EU) 2024/2847
Notified Body: [Name], No. [XXXX]
QA System Certificate: [Certificate Number]
Date: [Certificate Date]
☐ European Cybersecurity Certification Scheme (Article 27(9))
Certificate issued under a scheme adopted pursuant to
Regulation (EU) 2019/881 (Cybersecurity Act)
Certification scheme: [Name]
Certificate number: [Number]
Assurance level: [Substantial / High]
---------------------------------------------------------------
5. STANDARDS AND SPECIFICATIONS APPLIED
---------------------------------------------------------------
Harmonised standards applied:
[List all harmonised standards used, with full references]
• EN [XXXXX]:20XX - [Standard Title]
• EN [XXXXX]:20XX - [Standard Title]
Other technical specifications applied:
[List any other standards or specifications used]
• ISO/IEC [XXXXX]:20XX - [Standard Title]
• [Other specifications]
Cybersecurity certifications applied (if applicable):
[List any European cybersecurity certificates per Annex V item 6]
• [Certification scheme name - Certificate reference]
---------------------------------------------------------------
6. ADDITIONAL INFORMATION (CRA-Specific)
---------------------------------------------------------------
Support Period:
Security updates will be provided until: [DD Month YYYY]
(Minimum 5 years from date of market placement)
First EU Market Placement: [DD Month YYYY]
Cybersecurity Contact:
For vulnerability reports and security inquiries:
Email: [security@company.com]
Web: [https://company.com/security]
security.txt: [https://company.com/.well-known/security.txt]
Technical Documentation:
Technical documentation is available upon request to
competent authorities at the address above.
---------------------------------------------------------------
7. SIGNATURE
---------------------------------------------------------------
Signed for and on behalf of:
[Company Legal Name]
_________________________________
[Full Name]
[Title/Function]
Place: [City, Country]
Date: [DD Month YYYY]
═══════════════════════════════════════════════════════════════
END OF DECLARATION
═══════════════════════════════════════════════════════════════
Section-by-Section Guidance
1. Document Identification
Declaration Number: Not required by Annex V but strongly recommended as best practice for version control and internal tracking. Recommended format:
DoC-[ProductCode]-[Year]-[Sequence]
Example:
DoC-SSP3000-2027-001
Date of Issue: The date you sign the declaration. Must be after conformity assessment is complete.
2. Manufacturer Identification
Who signs the DoC?
- The manufacturer: the entity that designed, produced, or markets the product under its own name
- OR an authorized representative established in the EU, acting under a written mandate
If the manufacturer has no establishment in the EU, appointing an authorized representative is required. Add:
Authorized Representative: [Name, Address]
acting on behalf of: [Manufacturer Name, Address]
3. Product Identification
Be specific enough for traceability:
- Include model numbers, not just product names
- Specify version numbers for hardware and software separately
- Indicate batch or serial number scope
Example:
Product Name: SmartSense Pro Industrial Sensor
Model/Type: SSP-3000
Hardware Ver: Rev C (PCB v3.2)
Software Ver: Firmware 2.4.1
Batch/Serial: Serial numbers SSP3K-2027-XXXXXX
4. Conformity Assessment
Which module you must use depends on your product's classification. Use this table to orient yourself:
| Module | When it applies | Notified Body? |
|---|---|---|
| Module A (Internal Production Control) | Default products; Class I with harmonized standards | No |
| Module B+C (EU-Type Examination) | All products; mandatory for Class II (unless H); mandatory for Class I without harmonized standards | Yes |
| Module H (Full Quality Assurance) | All products; alternative to B+C for Class I and II | Yes |
| EUCC / Cybersecurity scheme | Products holding a European cybersecurity certificate at assurance level ≥ Substantial (Article 27(9)) | No additional third-party assessment required |
Note: For Critical products (Annex IV), EU-type examination must be performed by a specialized notified body. See CRA Conformity Assessment Decision Guide for the full routing logic.
Use this flowchart to identify your path:
flowchart TD
A["What is your product class?"] --> B["Default\n(not Annex III/IV)"]
A --> C["Class I\n(Annex III)"]
A --> D["Class II\n(Annex III)"]
A --> E["Critical\n(Annex IV)"]
B --> F["Module A, B+C, or H\nyour choice"]
C --> G{"Harmonized standards\nfully applied?"}
G -->|Yes| H["Module A available\nor B+C / H"]
G -->|No| I["Module B+C or H\nNotified Body required"]
D --> J["Module B+C or H\nNotified Body required"]
E --> K["EU-type examination\nspecialised Notified Body"]
5. Standards Applied
Harmonized Standards:
- Standards published in the Official Journal of the EU
- Create a presumption of conformity for the requirements they cover
- Include full reference: number, year, title
Format:
EN 303 645:2020 - Cyber Security for Consumer Internet of Things: Baseline Requirements
If no harmonized standards exist, state: "No harmonised standards applied. Conformity demonstrated through [describe approach]."
Cybersecurity Certifications (Annex V, item 6): If a European cybersecurity certificate was relied on during conformity assessment, list it here with the scheme name and certificate reference number.
6. CRA-Specific Additional Information
This section is not required by Annex V, but including it improves regulatory transparency:
Support Period: State when security updates end. Must be at least 5 years from market placement (Article 13(8)).
Cybersecurity Contact: Where vulnerability reports should be sent, including a reference to your security.txt file.
Note: The support period end date must also appear at the point of purchase under Article 13(19). Including it in the DoC is best practice, but it does not substitute for point-of-purchase communication.
7. Signature
Who can sign:
- A person authorized to legally commit the manufacturer
- Typically: CEO, Director, Quality Manager, or Regulatory Affairs Lead
Requirements:
- Full name and title/function
- Place and date (date must be after assessment completion)
- Handwritten signature, or a qualified electronic signature
When Must CE Marking Be Applied Relative to the Declaration of Conformity?
For physical products, affix the CE marking visibly, legibly, and indelibly to the product before placing it on the market (Article 30(1)).
For software-only products (Article 30(3)), the CE marking is placed either:
- Directly on the EU Declaration of Conformity, or
- On the product's website, in a section that is easily and directly accessible to users
Note: The CE marking must be affixed before placing the product on the market, not after. For software products, ensure the DoC or website section is live before any distribution begins.
Does the DoC Need to Be Translated?
Yes. Article 28(2) requires that the DoC be made available in the language(s) required by each Member State in which the product is placed on the market.
In practice:
- Selling only in Germany → a German DoC is required
- Selling across the EU → you will need multiple language versions
- Keep all language versions in the technical file
The simplified EU DoC (Annex VI) and the URL pointing to the full DoC must also be in the required language(s). The URL itself must remain stable and accessible.
Does Each Product Model or Version Need Its Own Declaration of Conformity?
One DoC Per Product Type
Each distinct product model or type generally needs its own DoC.
Several products can be covered by a single DoC when:
- Products are variants of the same type
- The same conformity assessment applies to all variants
- The same standards were applied
Example:
Product Name: SmartSense Pro Industrial Sensor
Model/Type: SSP-3000 (all variants)
- SSP-3000-WiFi
- SSP-3000-LoRa
- SSP-3000-Cellular
When Does a Modification Require a New DoC?
Warning: A substantial modification (any change that affects the product's compliance with CRA essential requirements under Annex I, Part I, or changes the product's intended purpose) triggers a mandatory new DoC (Article 28). Whoever carries out the substantial modification becomes the manufacturer of the modified product and must issue the new DoC. This applies equally to the original manufacturer making major updates and to a third party that modifies and resells the product.
| Scenario | New DoC required? |
|---|---|
| New hardware version that affects security characteristics | Yes, substantial modification |
| Firmware update that introduces new interfaces or new threat vectors | Yes, altered cybersecurity risk profile |
| Firmware update that changes the product's intended purpose | Yes, substantial modification |
| Security patch (same architecture, no new risk, reduces CVEs) | Case by case |
| Change to applied harmonized standards or conformity assessment certificate | Yes |
| Cosmetic, documentation-only, or localization change | No |
| Third party substantially modifies the product and places it on the market | Yes, third party issues the new DoC as the new manufacturer |
For the manufacturer's own iterative software releases: if the update is not a substantial modification, the existing DoC remains valid. You must be able to demonstrate this to market surveillance authorities. Performing a cybersecurity risk assessment per Article 13(2) is the explicit mechanism the guidance recommends for this.
DoC Distribution
With the product: Article 13(20) requires you to provide either:
- The full Annex V DoC, or
- A simplified EU DoC containing the exact internet address where the full DoC can be found
You are not required to include both.
On request:
- Must be provided to market surveillance authorities
- Should be provided to customers upon request
Simplified EU Declaration of Conformity
Article 13(20) allows manufacturers to ship a simplified EU Declaration of Conformity with the product in place of the full Annex V document. The simplified form is defined in Annex VI and consists of exactly two sentences:
Hereby, [name of manufacturer] declares that the product with digital elements
type [designation] is in compliance with Regulation (EU) 2024/2847.
The full text of the EU declaration of conformity is available at the
following internet address: [URL]
This is particularly useful for:
- Software products where including a full legal document with each distribution is impractical
- Hardware products with limited packaging space
- Any product where the full DoC is published online
Requirements:
- The full Annex V DoC must exist and be publicly accessible at the stated URL
- The simplified declaration must include the URL (Article 13(20))
- The full DoC remains mandatory in the technical file and for authority requests
Best practices for the URL:
- Use a stable URL. Do not change it after products are distributed
- Accessible without registration or login
- The page should allow the DoC to be downloaded or printed
Common Mistakes
| Mistake | Why it matters | Fix |
|---|---|---|
| Missing required elements (e.g., no conformity assessment module stated) | DoC is non-compliant | Use the checklist before signing; verify every Annex V item |
| Wrong entity signs (importer or distributor signs instead of manufacturer) | DoC is legally invalid | Only the manufacturer (or authorized representative with mandate) may sign |
| Outdated standards references (withdrawn or superseded standards listed) | Presumption of conformity is lost | Review applied standards regularly; update DoC when standards change |
| No version control (multiple DoC versions exist with no clear current version) | Audit and enforcement risk | Assign declaration numbers; archive superseded versions |
| Signing before assessment is complete (DoC dated before conformity activities finished) | Violates Article 28 | Complete all assessment activities first; DoC date must follow assessment |
| Wrong language (DoC only in English when selling in a non-English-speaking Member State) | Non-compliant for that market | Translate the DoC into each required Member State language (Article 28(2)) |
| No update after substantial modification (original DoC still in use after a material change) | DoC covers a version it was never assessed for | Issue a new DoC whenever a substantial modification occurs |
DoC Preparation Checklist
Before Drafting
| Item | Status |
|---|---|
| Conformity assessment complete | ☐ |
| Test reports available | ☐ |
| Technical file prepared | ☐ |
| Standards list finalized | ☐ |
| Support period determined | ☐ |
| Language requirements confirmed for all target Member States | ☐ |
Document Content
| Item | Status |
|---|---|
| Unique declaration number assigned | ☐ |
| Manufacturer name and address correct | ☐ |
| Product fully identified (model, version, batch/serial) | ☐ |
| CRA referenced correctly: "Regulation (EU) 2024/2847" | ☐ |
| Other applicable legislation listed (if any) | ☐ |
| Conformity assessment module stated | ☐ |
| Notified Body details included (if applicable) | ☐ |
| All applied standards listed with full references | ☐ |
| Support period end date included | ☐ |
| Security contact information included | ☐ |
Signature
| Item | Status |
|---|---|
| Signatory is authorized to commit the manufacturer | ☐ |
| Full name and title/function stated | ☐ |
| Place and date stated (date after assessment completion) | ☐ |
| Signature present (handwritten or qualified electronic) | ☐ |
Distribution
| Item | Status |
|---|---|
| Copy accompanies the product (physical or digital link) | ☐ |
| Copy in technical file | ☐ |
| Available for authority requests | ☐ |
| Versions tracked and archived | ☐ |
| Language versions prepared for all target Member States | ☐ |
| CE marking applied before distribution | ☐ |
DoC Template Variations
For Module A (Self-Assessment)
4. CONFORMITY ASSESSMENT
Conformity assessment procedure applied:
☑ Module A (Internal Production Control)
Based on Annex VIII of Regulation (EU) 2024/2847
The manufacturer has verified that the product meets
the essential requirements through internal assessment
documented in the technical file.
For Module B+C (Third-Party)
4. CONFORMITY ASSESSMENT
Conformity assessment procedure applied:
☑ Module B + C (EU-Type Examination + Conformity to Type)
Based on Annex VIII of Regulation (EU) 2024/2847
EU-Type Examination performed by:
Notified Body: TÜV Rheinland LGA Products GmbH
Notified Body Number: 0197
Certificate Number: EU-TYPE-2027-12345
Certificate Date: 15 January 2027
The manufacturer ensures production conformity to the
certified type (Module C) through internal production
controls.
For Multiple Regulations (Article 28(3))
When a product is subject to both the CRA and other EU legislation, a single combined DoC is permitted under Article 28(3):
3. DECLARATION
The object of the declaration described above is in conformity
with the relevant Union harmonisation legislation:
• Regulation (EU) 2024/2847 (Cyber Resilience Act)
• Directive 2014/53/EU (Radio Equipment Directive)
Notified Body: [Name], No. [XXXX]
Certificate: [Number]
• Directive 2014/35/EU (Low Voltage Directive)
Retention Requirements
| What to retain | Retention period | Where |
|---|---|---|
| Signed DoC (or authenticated copy) | 10 years after market placement, or for the length of the support period, whichever is longer (Article 13(13)) | Technical file; accessible to authorities on request |
| Version history and superseded DoCs | Alongside the current DoC | Technical file |
| Supporting documentation referenced in the DoC | Alongside the DoC | Technical file |
Frequently Asked Questions
Can one Declaration of Conformity cover products sold across all EU Member States?
The same DoC document can cover the full EU, but it must be translated into the language(s) required by each Member State where the product is placed (Article 28(2)). The core content is identical; only the language version changes. Keep all translations in the technical file.
Does the CRA Declaration of Conformity need to be notarised or officially certified?
No. The DoC is signed by the manufacturer or an authorised representative. A handwritten signature or a qualified electronic signature (as defined in Regulation (EU) 910/2014) is sufficient. No notarisation, apostille, or third-party certification of the document itself is required unless a specific Member State requires it for market surveillance purposes.
What happens if market surveillance finds the DoC is incomplete or inaccurate?
Penalties under Article 64 can reach €10 million or 2% of global annual turnover for a non-compliant or false DoC (Article 28 violation). Market surveillance authorities can require corrective measures and, in serious cases, restrict or recall products. The DoC must be available for inspection on request: having no DoC or an incomplete one will not go unnoticed once audits begin.
Can a software product use the simplified EU DoC instead of the full Annex V document?
Yes. Article 13(20) allows manufacturers to include only the simplified EU Declaration of Conformity (Annex VI) with the product, provided the full Annex V document is publicly accessible at a stable URL. The simplified form is two sentences: the manufacturer's declaration of conformity and the URL. The full Annex V DoC must still exist and be available to authorities on request.
How long must the CRA Declaration of Conformity be retained?
At least 10 years after the product is placed on the market, or for the length of the support period, whichever is longer (Article 13(13)). For a product with a 15-year support period, the DoC and technical file must be retained for 15 years.
Who is authorised to sign the CRA Declaration of Conformity?
The manufacturer, or an authorised representative established in the EU if the manufacturer has no EU establishment. The signatory must be authorised to legally commit the manufacturer: typically a CEO, Managing Director, or Regulatory Affairs Director. An importer or distributor cannot sign unless they have become the manufacturer by making a substantial modification to the product.
Next Steps
- Classify the product (Default, Important Class I/II, or Critical) using the CRA Product Classification Guide.
- Confirm the conformity assessment module with the CRA Conformity Assessment Decision Guide.
- Complete the conformity assessment and collect all test reports before drafting the DoC.
- Draft the DoC from the template above. Assign a declaration number and verify every Annex V element.
- Translate the DoC into the language(s) required by each Member State of placement (Article 28(2)).
- Sign and date after assessment is complete. Apply the CE marking before market placement.
- File the signed DoC in the technical file alongside test reports and the SBOM. See CRA Technical File (Annex VII): Complete Guide.
- Publish the full DoC at a stable URL if you plan to ship the simplified Annex VI form with the product.
- Retain the DoC for 10 years after market placement, or for the length of the support period, whichever is longer (Article 13(13)).
This article is for informational purposes only and does not constitute legal advice. For specific compliance guidance, consult with qualified legal counsel.