How to Build a Technical File That Satisfies CRA Annex VII
The CRA technical file is the dossier of evidence that proves your product meets Annex I requirements. Annex VII specifies exactly what must be in it.
What Is the Technical File and Why Does It Matter?
The technical file is the manufacturer's dossier of evidence demonstrating that their product with digital elements satisfies the CRA's essential cybersecurity requirements. It is the backbone of the conformity assessment process.
Market surveillance authorities can demand access to the technical file at any time. Failing to produce it constitutes non-compliance independently of whether the product itself meets the technical requirements.
Annex VII -- Required Contents
- General Product Description: The intended use, target users, operating environments, technical architecture, and all product variants and version numbers covered.
- Design and Development Documentation: Technical specifications, architectural diagrams, software design documentation, interface specifications, security design decisions, data flows, and trust boundaries.
- Cybersecurity Risk Assessment: A formal risk assessment identifying threat actors, attack surfaces, potential impacts, likelihood estimates, existing controls, and residual risk. Use STRIDE or a similar structured methodology. The assessment must demonstrate that Annex I requirements have been addressed systematically.
- Annex I Traceability Matrix: A mapping from each Annex I requirement to the specific product feature, configuration, or control that satisfies it. For each requirement, document what it demands, what the product does to satisfy it, and where the evidence lives in the file.
- Security Test and Evaluation Results: Penetration test reports, SAST and DAST scan results, fuzzing results, and dependency vulnerability scans. Include the date of testing, the product version tested, and the methodology used.
- SBOM: The current machine-readable SBOM (SPDX or CycloneDX). Maintain historical SBOMs for each released version.
- EU Declaration of Conformity: A signed copy of the EU DoC.
- Conformity Assessment Certificate (if applicable): For Class I or Class II products assessed by a notified body.
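The traceability matrix and the per-version SBOM rule above are the parts of the file that rot silently between reviews, so a mechanical completeness check is worth running in CI. The following is an added example, not code from the page or from any CRA tooling: it reads a constructed manifest of the technical file and reports missing Annex VII sections, traceability rows without a control or with an evidence reference that does not resolve, and released versions with no retained SBOM. Section keys and requirement ids ("REQ-A" etc.) are constructed labels, not official Annex VII or Annex I numbering.

```python
# Annex VII components from the checklist above, as constructed manifest section keys.
ANNEX_VII_SECTIONS = {
    "product_description", "design_documentation", "risk_assessment",
    "traceability_matrix", "test_results", "sbom", "declaration_of_conformity",
}
# Only required when a notified body assessed the product (Class I / Class II).
CONDITIONAL_SECTIONS = {"conformity_certificate"}


def check_technical_file(manifest: dict, notified_body: bool = False) -> list:
    """Return gap descriptions; an empty list means no gaps were found."""
    gaps = []
    required = ANNEX_VII_SECTIONS | (CONDITIONAL_SECTIONS if notified_body else set())
    present = set(manifest.get("sections", []))
    for section in sorted(required - present):
        gaps.append(f"missing Annex VII section: {section}")
    # Traceability matrix: every requirement row needs a control and an
    # evidence location that actually exists in the file.
    evidence = set(manifest.get("evidence_files", []))
    for req_id, row in manifest.get("traceability", {}).items():
        if not row.get("control"):
            gaps.append(f"{req_id}: no product control recorded")
        if row.get("evidence") not in evidence:
            gaps.append(f"{req_id}: evidence '{row.get('evidence')}' not in file")
    # Historical SBOMs: one must be retained per released version.
    sboms = set(manifest.get("sboms", {}))
    for version in manifest.get("released_versions", []):
        if version not in sboms:
            gaps.append(f"version {version}: no SBOM retained")
    return gaps


# Constructed sample manifest with deliberate gaps (placeholder ids, not Annex I numbering).
SAMPLE_MANIFEST = {
    "sections": ["product_description", "design_documentation", "risk_assessment",
                 "traceability_matrix", "sbom", "declaration_of_conformity"],
    "evidence_files": ["pentest-2024-v2.1.pdf", "sbom-2.1.json"],
    "traceability": {
        "REQ-A": {"control": "TLS 1.3 on all network interfaces",
                  "evidence": "pentest-2024-v2.1.pdf"},
        "REQ-B": {"control": "", "evidence": "sbom-2.1.json"},
        "REQ-C": {"control": "signed firmware updates",
                  "evidence": "fuzzing-report.pdf"},
    },
    "released_versions": ["2.0", "2.1"],
    "sboms": {"2.1": "sbom-2.1.json"},
}

if __name__ == "__main__":
    for gap in check_technical_file(SAMPLE_MANIFEST):
        print(gap)
```

Run against the sample, the check reports the missing test-results section, the two defective traceability rows and the missing 2.0 SBOM; passing `notified_body=True` additionally flags the absent certificate.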
Maintaining the Technical File
The technical file must be kept current throughout the product support period and retained for at least 10 years after the product was last placed on the market. Update it when a release changes security-relevant functionality, a significant vulnerability is discovered and remediated, SBOM components change, or the risk assessment conclusions are revised.
Store the file in a version-controlled document management system with the product release version as the primary dimension. Assign a named document owner and schedule quarterly reviews.