CRA EU Declaration of Conformity: Template and Elements

Every product with digital elements needs an EU Declaration of Conformity before it can legally carry the CE marking. The DoC is your formal statement that the product meets CRA requirements. You are legally responsible for its accuracy.

This guide provides a complete template and explains each required element.

What is the EU Declaration of Conformity?

The EU Declaration of Conformity is a formal legal document in which the manufacturer declares that a product complies with applicable EU legislation. It is mandatory for all products with digital elements before they can bear the CE marking. For CRA products, it must state:

• The product meets the essential cybersecurity requirements.
• Conformity assessment has been completed.
• The manufacturer takes legal responsibility.

Without a signed DoC, your product cannot bear the CE marking and cannot be legally placed on the EU market.

What does the CRA require in the DoC?

The DoC must be drawn up before market placement, kept current as the product or its compliance status changes, translated into the language(s) required by each Member State where the product is sold, and retained alongside the technical file for at least ten years.

Required elements

#	Element	What to include
1	Product name and type	Name, type, and any additional information enabling unique identification of the product with digital elements.
2	Manufacturer identification	Name and address of the manufacturer or its authorised representative.
3	Sole responsibility statement	Exact wording: "This declaration of conformity is issued under the sole responsibility of the provider."
4	Object of the declaration	Identification of the product allowing traceability, which may include a photograph where appropriate.
5	Conformity statement	Confirm the object is in conformity with Regulation (EU) 2024/2847.
6	Standards and certifications applied	Harmonised standards, common specifications, or cybersecurity certifications relied on.
7	Notified Body details	Name, number, conformity assessment procedure performed, certificate reference. Required only when a third-party assessment module was used.
8	Additional information + signature	Place and date of issue; signatory name, function, and signature (handwritten or qualified electronic). Other additional information as needed.

Each row maps to the correspondingly numbered item in Annex V.

Complete DoC template

Use this as a starting point. Customise the bracketed fields for your product.

Section-by-section guidance

1. Document identification

Declaration number. Not mandatory, but strongly recommended for version control. A practical format is DoC-[ProductCode]-[Year]-[Sequence], for example DoC-SSP3000-2027-001.

Date of issue. The date you sign the declaration. Must be after conformity assessment is complete.

2. Manufacturer identification

The signatory is the manufacturer: a person authorised to legally commit it. The CRA allows, but does not by itself require, the manufacturer to appoint an authorised representative; where one is appointed, it may be named on the declaration and hold it for authorities, but the act of declaring conformity stays with the manufacturer (Article 28). If an authorised representative is named, add a line such as:

Authorised Representative: [Name, Address]
acting on behalf of: [Manufacturer Name, Address]

3. Product identification

Be specific enough for traceability: include model numbers, separate hardware and software versions, and the batch or serial number scope.

Example:

Product Name:   SmartSense Pro Industrial Sensor
Model/Type:     SSP-3000
Hardware Ver:   Rev C (PCB v3.2)
Software Ver:   Firmware 2.4.1
Batch/Serial:   Serial numbers SSP3K-2027-XXXXXX

4. Conformity assessment

Which module you must use depends on your product's classification. Use this table to orient yourself:

Module	When it applies	Notified Body?
Module A (Internal Production Control)	Default products; Important Class I when the relevant standards, specifications, or scheme fully apply	No
Module B+C (EU-Type Examination)	Available to all products; required option for Important Class I when they do not fully apply; one route for Important Class II and Critical fallback	Yes
Module H (Full Quality Assurance)	All products; alternative to B+C for Important Class I and II	Yes
EUCC / cybersecurity scheme	Products holding a European cybersecurity certificate at assurance level ≥ Substantial (Article 27(9))	No additional third-party assessment required

Use this flowchart to identify your path:

flowchart TD
    A["What is your product class?"] --> B["Default\n(not listed)"]
    A --> C["Important Class I\n(listed class)"]
    A --> D["Important Class II\n(listed class)"]
    A --> E["Critical\n(critical list)"]
    B --> F["Module A, B+C, or H\nyour choice"]
    C --> G{"Standards, specs, or\nscheme fully applied?"}
    G -->|Yes| H["Module A available\nor B+C / H"]
    G -->|No| I["Module B+C or H\nNotified Body required"]
    D --> J["Module B+C, H, or a substantial-level certification scheme"]
    E --> K["Certification route if applicable
otherwise third-party routes"]

5. Standards applied

Harmonised standards are standards published in the Official Journal of the EU. They create a presumption of conformity for the requirements they cover. Include the full reference: number, year, title.

Format:

EN 303 645:2020, Cyber Security for Consumer Internet of Things: Baseline Requirements

If no harmonised standards exist, state: "No harmonised standards applied. Conformity demonstrated through [describe approach]."

If a European cybersecurity certificate was relied on during conformity assessment, list it with the scheme name and certificate reference number (this covers the certification field in the declaration).

6. CRA-specific additional information

This section is not part of the minimum declaration template, but including it improves regulatory transparency:

• Support period. State when security updates end. Must be at least 5 years from market placement, or the expected in-use period if shorter.
• Vulnerability contact. Where reports should be sent, including a reference to your security.txt file.

7. Signature

Anyone authorised to legally commit the manufacturer can sign. Typically that is the CEO, a director, the quality manager, or the regulatory affairs lead. The DoC must carry the signatory's full name and title, place and date (date must follow assessment completion), and either a handwritten signature or a qualified electronic signature.

When must CE marking be applied relative to the Declaration of Conformity?

For physical products, affix the CE marking visibly, legibly, and indelibly to the product before placing it on the market.

For software-only products, the CE marking is placed either directly on the EU Declaration of Conformity, or on the product's website in a section that is easily and directly accessible to users.

Does the DoC need to be translated?

Yes. The DoC must be made available in the language(s) required by each Member State in which the product is placed on the market.

In practice:

• Selling only in Germany → a German DoC is required.
• Selling across the EU → you will need multiple language versions.
• Keep all language versions in the technical file.

The simplified DoC and the URL pointing to the full DoC must also be in the required language(s). The URL itself must remain stable and accessible.

Does each product model or version need its own Declaration of Conformity?

One DoC per product type

Each distinct product model or type generally needs its own DoC.

A single DoC can cover several variants when they are variants of the same type, the same conformity assessment applies to all of them, and the same standards were applied.

Example:

Product Name:   SmartSense Pro Industrial Sensor
Model/Type:     SSP-3000 (all variants)
                - SSP-3000-WiFi
                - SSP-3000-LoRa
                - SSP-3000-Cellular

When does a modification require a new DoC?

Scenario	New DoC required?
New hardware version that affects security characteristics	Yes, substantial modification
Firmware update that introduces new interfaces or new threat vectors	Yes, altered cybersecurity risk profile
Firmware update that changes the product's intended purpose	Yes, substantial modification
Security patch (same architecture, no new risk, reduces CVEs)	Case by case
Change to applied harmonised standards or conformity assessment certificate	Yes
Cosmetic, documentation-only, or localisation change	No
Third party substantially modifies the product and places it on the market	Yes, the third party issues the new DoC as the new manufacturer

For iterative software releases that are not substantial modifications, the existing DoC remains valid. You must be able to demonstrate this to market surveillance authorities, and the risk-assessment update is how you do it.

DoC distribution

The DoC must travel with the product. You can choose between:

• the full DoC, or
• a simplified DoC carrying the exact internet address where the full DoC is published.

Either form must also be provided on request to market surveillance authorities, and should be available to customers on request.

Simplified EU Declaration of Conformity

The simplified form is two sentences: the manufacturer's declaration and a URL where the full document can be found. It is particularly useful for software distributions, packaging-constrained hardware, and any product whose full DoC is published online.

Requirements for the URL: stable (do not change it after products are distributed), accessible without registration or login, and the page should allow the DoC to be downloaded or printed. The full DoC must still exist in the technical file and be available to authorities on request.

Common mistakes

Mistake	Why it matters	Fix
Missing required elements (e.g., no conformity assessment module stated)	DoC is non-compliant	Use the checklist before signing; verify every required declaration item
Wrong entity signs (importer or distributor signs instead of manufacturer)	DoC is legally invalid	Only the manufacturer (a person authorised to legally commit it) may sign; an importer or distributor cannot unless they became the manufacturer
Outdated standards references (withdrawn or superseded standards listed)	Presumption of conformity is lost	Review applied standards regularly; update the DoC when standards change
No version control (multiple DoC versions exist with no clear current version)	Audit and enforcement risk	Assign declaration numbers; archive superseded versions
Signing before assessment is complete (DoC dated before conformity activities finished)	The DoC pre-dates the evidence it relies on	Complete all assessment activities first; DoC date must follow assessment
Wrong language (DoC only in English when selling in a non-English-speaking Member State)	Non-compliant for that market	Translate the DoC into each required Member State language
No update after substantial modification (original DoC still in use after a material change)	DoC covers a version it was never assessed for	Issue a new DoC whenever a substantial modification occurs

DoC preparation checklist

DoC template variations

For Module A (self-assessment)

For Module B+C (third-party)

For multiple regulations

A single combined DoC is permitted when a product is subject to both the CRA and other EU legislation:

Retention requirements

What to retain	Retention period	Where
Signed DoC (or authenticated copy)	10 years after market placement, or the support period if longer	Technical file; accessible to authorities on request
Version history and superseded DoCs	Alongside the current DoC	Technical file
Supporting documentation referenced in the DoC	Alongside the DoC	Technical file