The CRA Declaration of Conformity is the formal statement in which the manufacturer declares that a product with digital elements complies with the EU Cyber Resilience Act and any other applicable legislation. Together with the technical file and CE marking, the CRA Declaration of Conformity (DoC) is one of the core pillars of your Cyber Resilience Act compliance.
This guide explains what the CRA Declaration of Conformity is, how it fits into the wider EU product compliance framework, which elements it must contain, and how you can structure a practical DoC template for your products with digital elements. It is written for manufacturers, IoT vendors, embedded system teams and software suppliers preparing for CRA compliance.
For broader context on documentation, see our guide Cyber Resilience Act Technical Documentation: Complete Guide. For component inventory, you can also review CRA SBOM Requirements.
1. What Is the CRA Declaration of Conformity?
In EU product regulation, a Declaration of Conformity (DoC) is a legal document signed by the manufacturer stating that a specific product complies with the relevant EU legislation. Under the Cyber Resilience Act, the CRA Declaration of Conformity plays the same role for products with digital elements, focusing on cybersecurity and lifecycle security obligations.
By signing the CRA Declaration of Conformity, the manufacturer takes legal responsibility for ensuring that:
- The product meets the essential cybersecurity requirements defined in the CRA
- Appropriate conformity assessment procedures have been followed
- Technical documentation is available and supports the claim of conformity
- Security obligations will be maintained throughout the product’s lifecycle
The DoC is not a marketing document. It is a legally binding statement that can be requested by market surveillance authorities and used in enforcement actions if the product is found to be non-compliant.
2. How the CRA Declaration of Conformity Fits into EU Compliance
The CRA Declaration of Conformity does not exist in isolation. It sits alongside other elements of EU product compliance:
- Cyber Resilience Act – Establishes cybersecurity obligations for products with digital elements
- Other EU product legislation – For example, RED, EMC, LVD, machinery or medical devices regulations, where applicable
- Technical file – Holds the detailed evidence demonstrating how CRA and other requirements are met
- CE marking – The visible mark on the product or packaging signalling conformity with applicable EU acts
In many cases, you will issue a single Declaration of Conformity that lists multiple pieces of EU legislation, including the Cyber Resilience Act and any other acts relevant to your product. The CRA Declaration of Conformity section then becomes the cybersecurity-focused part of that broader DoC.
For a high-level overview of CRA obligations and how they interact with other regulations, see our article CRA Conformity Assessment: Internal Control vs Third-Party Assessment.
3. When Do You Need a CRA Declaration of Conformity?
You need a CRA Declaration of Conformity for any product with digital elements that falls under Cyber Resilience Act scope and that you, as a manufacturer, place on the EU market. Typical cases include:
- IoT devices and smart home products
- Industrial sensors, gateways and controllers
- Embedded systems and firmware-driven devices
- Software products with network connectivity distributed as part of a product
Before issuing the CRA Declaration of Conformity, the manufacturer must:
- Perform a CRA scope and applicability assessment for the product
- Classify the product (default, important or critical)
- Complete the relevant conformity assessment procedure
- Prepare a CRA technical file supporting the declaration
If a product is exclusively covered by another set of EU rules (for example, certain medical devices under MDR or automotive systems under specific type-approval regulations), CRA may not apply. In such cases, the product's cybersecurity obligations are handled under those sector-specific frameworks, and no separate CRA Declaration of Conformity is issued.
4. Mandatory Elements of a CRA Declaration of Conformity
While exact layout may vary, a compliant CRA Declaration of Conformity should contain at least the following elements. This structure mirrors the logic found in other EU product regulations, adapted to Cyber Resilience Act specifics.
4.1 Manufacturer identification
- Full legal name of the manufacturer
- Registered trade name or trademark (if different)
- Full postal address (including country)
- Contact details such as website or email
If an authorised representative is used in the EU, their details are also typically included, but the manufacturer remains primarily responsible for the CRA Declaration of Conformity.
4.2 Product identification
- Product name and model
- Type, batch or serial number, or other identifying elements
- Short description of the product with digital elements (PDE)
- Version(s) of hardware and/or software covered by this DoC
Clarity here is critical. The CRA Declaration of Conformity must unambiguously identify which product and which versions are being declared compliant.
4.3 Statement of responsibility
The heart of the CRA Declaration of Conformity is a clear statement along the lines of:
“We, [manufacturer name], take full responsibility for the compliance of the product [product identification] with the requirements of the legislation listed below.”
This statement ties the manufacturer’s identity to the claims of conformity under the Cyber Resilience Act and any other referenced legislation.
4.4 List of applicable EU legislation
The DoC must specify which EU acts apply. For a CRA-focused product, this will include the Cyber Resilience Act, usually in combination with other acts depending on the product type (for example, Radio Equipment Directive, EMC Directive, etc.). A typical listing in the CRA Declaration of Conformity looks like:
- Regulation (EU) [XXX/XXXX] – Cyber Resilience Act (Cybersecurity requirements for products with digital elements)
- Directive [YYYY/YY/EU] – [Other applicable legislation, e.g. Radio Equipment Directive]
You should track the exact formal references as they appear in the Official Journal and update your template when new acts or amendments become applicable.
4.5 Reference to standards and technical specifications
To demonstrate compliance, manufacturers normally rely on harmonised standards or other recognised technical specifications. The CRA Declaration of Conformity should list the standards that have been applied, for example:
- EN ISO/IEC 27001 – Information security management systems (for selected scopes)
- EN 303 645 – Cyber security for consumer internet of things (if applicable)
- Other product or domain-specific cybersecurity standards used
Using harmonised standards aligned with the Cyber Resilience Act can provide a presumption of conformity for those aspects covered by the standard.
4.6 Reference to the technical file
The DoC should indicate that a technical file is available and can be provided to competent authorities on request. This links the high-level CRA Declaration of Conformity to the detailed evidence contained in your CRA technical file structure.
4.7 Place, date, name and signature
Finally, the DoC must include:
- Place and date of issue
- Name and function of the signatory
- Signature (and company stamp if you use one)
The signatory should be a person with appropriate authority to bind the manufacturer, such as a senior executive or the person with ultimate responsibility for product compliance.
5. Suggested Structure for a CRA Declaration of Conformity Template
Although you will adapt your layout to internal standards, the following outline provides a practical structure for a CRA Declaration of Conformity template:
- Title: EU Declaration of Conformity
- 1. Product: Identification of the product with digital elements, including type and model
- 2. Manufacturer: Legal name, address and contact details
- 3. This declaration is issued under the sole responsibility of the manufacturer
- 4. Object of the declaration: Short description of the product, purpose and main features
- 5. The object of the declaration described above is in conformity with the relevant Union legislation: List CRA and other applicable acts
- 6. References to the relevant harmonised standards and other technical specifications
- 7. Where applicable: reference to the conformity assessment procedure or notified body involvement
- 8. Additional information: links to the technical file, security support period or specific CRA-relevant notes
- Place and date of issue
- Name and function
- Signature
This template can be reused across product lines, with the CRA section adjusted for each product’s specific situation.
6. Link Between the CRA Declaration of Conformity and the Technical File
The CRA Declaration of Conformity is a summary; the technical file contains the underlying evidence. Authorities or notified bodies may request the technical documentation to verify that the claims in the DoC are justified.
In practice, this means that:
- Every standard or specification listed in the DoC should be traceable to specific sections in the technical file
- Every product version mentioned in the DoC should have a corresponding technical file or a clearly identified configuration
- Risk assessment, security controls, SBOM and testing evidence must be available and linked to the DoC claims
For detailed guidance on building a solid CRA technical file structure, see our article CRA Technical File Structure: Complete Guide.
7. Drafting a CRA Declaration of Conformity: Step-by-Step
To make the process actionable, you can approach the creation of a CRA Declaration of Conformity in these steps:
7.1 Confirm CRA scope and classification
Validate that the product is in CRA scope and confirm its classification (default, important or critical). Use your CRA applicability assessment and classification results.
7.2 Verify that the technical file is complete enough
Ensure that core technical documentation is ready: architecture, risk assessment, SBOM, security controls mapping, testing evidence, vulnerability handling and lifecycle documentation. The DoC should not be issued before these elements exist.
7.3 Identify applicable legislation
List all applicable EU acts beyond the Cyber Resilience Act, such as electromagnetic compatibility or radio equipment requirements, depending on the product. This defines the scope of your combined Declaration of Conformity.
7.4 Compile standards and technical specifications
Gather the list of harmonised standards and other technical references you rely on to demonstrate compliance with CRA security requirements and other relevant legislation.
7.5 Populate your CRA Declaration of Conformity template
Using the template structure, fill in product details, manufacturer information, legal references, standards, and the link to the technical file. Check that product identifiers match labels and documentation.
7.6 Review, sign and store
Have the DoC reviewed by your compliance or legal team, obtain the signature of an authorised person, and store the signed document in your document management system alongside the technical file. Ensure that your retention period meets CRA expectations.
8. Common Mistakes in CRA Declarations of Conformity
When organisations start issuing CRA Declarations of Conformity, they often repeat similar mistakes. Being aware of these helps you avoid rework and audit findings.
8.1 Incomplete legislation list
Listing only the Cyber Resilience Act and forgetting other applicable EU acts can create confusion. The DoC should reflect the full regulatory landscape for the product, not just CRA.
8.2 Product identification that is too vague
Using generic names or missing model identifiers makes it hard to know which exact configuration the DoC covers. Your CRA Declaration of Conformity should be precise enough to avoid ambiguity during audits or incidents.
8.3 No alignment with technical documentation
Sometimes the standards, versions or product descriptions listed in the DoC do not match the technical file or marketing materials. This lack of consistency weakens your CRA compliance posture.
8.4 Issuing the DoC before the technical file is ready
Under time pressure, teams sometimes sign the CRA Declaration of Conformity while the technical documentation is incomplete. This exposes the manufacturer to risk if authorities request evidence and find gaps.
8.5 Forgetting to update the DoC when the product changes
Significant changes in architecture, components or security posture may require an update to the technical file, a renewed assessment and, where needed, an updated DoC. Treat the CRA Declaration of Conformity as a living document, not a one-time formality.
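As an added example (not part of the original article), the consistency rules from sections 6 and 8 written as a small Python check: it flags missing mandatory elements, a legislation list that omits the CRA, and declared product versions or standards that cannot be traced to the technical file. The field names and both sample records are constructed for illustration, not taken from any real product.

```python
# Added example: validate a DoC record against a technical-file index.
# Field names and sample data are constructed; adapt them to your own templates.

# Mandatory elements from section 4 (manufacturer, product, legislation,
# standards, technical-file reference, place/date/signature).
REQUIRED_FIELDS = ("manufacturer", "address", "product", "model", "versions",
                   "legislation", "standards", "tech_file_ref",
                   "place", "date", "signatory")


def check_doc(doc: dict, tech_file: dict) -> list[str]:
    """Return a list of findings; an empty list means the DoC passes all checks."""
    findings = []
    # 4.x: every mandatory element must be present and non-empty
    for name in REQUIRED_FIELDS:
        if not doc.get(name):
            findings.append(f"missing mandatory element: {name}")
    # 4.4 / 8.1: the legislation list must reference the Cyber Resilience Act
    if not any("Cyber Resilience Act" in act for act in doc.get("legislation", [])):
        findings.append("legislation list does not reference the Cyber Resilience Act")
    # 4.2 / 8.2: each declared version must map to a documented configuration
    for version in doc.get("versions", []):
        if version not in tech_file.get("configurations", {}):
            findings.append(f"version {version} has no configuration in the technical file")
    # 6 / 8.3: each listed standard must be traceable to a technical-file section
    for std in doc.get("standards", []):
        if std not in tech_file.get("standard_sections", {}):
            findings.append(f"standard {std} is not traceable to the technical file")
    return findings


# Constructed sample DoC record (placeholders mirror the article's template)
SAMPLE_DOC = {
    "manufacturer": "Example Devices GmbH",
    "address": "Example Street 1, 12345 Berlin, Germany",
    "product": "Smart Gateway",
    "model": "SG-200",
    "versions": ["fw 2.1.0", "fw 2.2.0"],
    "legislation": ["Regulation (EU) [XXX/XXXX] - Cyber Resilience Act",
                    "Directive [YYYY/YY/EU] - Radio Equipment Directive"],
    "standards": ["EN 303 645", "EN ISO/IEC 27001"],
    "tech_file_ref": "TF-SG-200",
    "place": "Berlin", "date": "2025-01-15",
    "signatory": "J. Doe, Head of Product Compliance",
}
# Constructed technical-file index with two deliberate gaps (fw 2.2.0 and 27001)
SAMPLE_TECH_FILE = {
    "configurations": {"fw 2.1.0": "TF section 2.3"},
    "standard_sections": {"EN 303 645": "TF section 5.1"},
}
```

Running `check_doc(SAMPLE_DOC, SAMPLE_TECH_FILE)` reports the two traceability gaps; adding the missing entries to the technical-file index clears them.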
9. How Regulus Helps with CRA Declaration of Conformity and Documentation
Regulus is building tooling to help manufacturers, IoT vendors and embedded system teams manage Cyber Resilience Act compliance in a structured way. Instead of juggling scattered documents and spreadsheets, our goal is to provide:
- Guided workflows for CRA scope assessment and product classification
- A requirements matrix that maps Cyber Resilience Act obligations to product-specific controls
- Structured CRA technical file templates aligned with your product portfolio
- Support for documenting SBOM, vulnerability handling, updates and lifecycle commitments
- Assistance in generating consistent CRA Declaration of Conformity content from existing documentation
To get started:
- Use our CRA Readiness Checklist to identify gaps in your CRA documentation and DoC process.
- Review our CRA documentation resources in the Resources section.
- Join the Regulus Early Access program to get priority access to CRA documentation workflows as they become available.
