← Back to Blogcompliance

CRA Technical File: What to Include and How to Maintain It

The CRA requires manufacturers to compile and maintain a technical file demonstrating compliance. This guide covers every required component — from the product description and risk assessment to test results and the SBOM.

CRAReady Team·

What Is the CRA Technical File?

The technical file is the manufacturer's dossier of evidence demonstrating that their product with digital elements meets the CRA's essential cybersecurity requirements. It is the backbone of the conformity assessment process — the EU Declaration of Conformity is essentially a summary of the technical file.

Market surveillance authorities can demand access to the technical file at any time. Failing to produce it on request — or producing an incomplete file — can constitute non-compliance independent of whether the product itself meets the technical requirements.

Required Contents

Product Description

A general description of the product: its intended use, target users, operating environment, and technical architecture. Include product variants and version numbers covered by the file.

Design and Development Documentation

Technical specifications, architectural diagrams, software design documentation, interface specifications, and security design decisions. For embedded or firmware-based products, include hardware-software interaction documentation.

Cybersecurity Risk Assessment

A formal risk assessment identifying: threat actors, attack surfaces, potential impacts, likelihood estimates, existing controls, and residual risk. The risk assessment must demonstrate that Annex I requirements have been addressed systematically rather than ad hoc.

Security Requirements Traceability

A mapping from each Annex I requirement to the specific product feature, control, or configuration that satisfies it. This is what auditors and market surveillance authorities will scrutinise most closely.

Test and Evaluation Results

Results of security testing — penetration test reports, SAST/DAST scan results, fuzzing results, dependency vulnerability scans. Include dates and the version of the product tested.

SBOM

The current SBOM for the product in a machine-readable format (SPDX or CycloneDX). Keep historical SBOMs per version.

EU Declaration of Conformity

A copy of the signed DoC.

Conformity Assessment Certificate (if applicable)

For Class I and Class II important products assessed by a notified body.

Maintaining the Technical File

The technical file is a living document. It must be kept up to date throughout the product's support period and for at least 10 years after the product was last placed on the market.

Triggers for update:

  • Every product release that changes security-relevant functionality
  • Discovery and remediation of significant vulnerabilities
  • Changes to third-party components in the SBOM
  • Updates to risk assessment conclusions

Practical Tips

Store the technical file in a version-controlled document management system. Use the product version as the primary version dimension. Assign a named document owner responsible for keeping it current. Schedule a quarterly review of the file against the current product state.

Ready to assess your CRA compliance obligations?

Try the Free Applicability Checker