Back to blogs

Blog | OCT 20, 2025

The EU Declaration of Conformity Under the CRA: What Manufacturers Must Declare

Cyber Resilience Act

The EU Cyber Resilience Act (CRA) makes cybersecurity a legal requirement for all products with digital elements. At its core lies the EU Declaration of Conformity, a binding statement proving that a manufacturer’s product meets the CRA’s essential security standards. Far more than a formality, it’s the document that enables CE marking and EU market access, turning internal assessments into a public, legal commitment to resilience and trust.

The Cyber Resilience Act (CRA) sets a new baseline for how cybersecurity must be treated in products placed on the European market. From design to long-term maintenance, manufacturers are now required to prove that their devices meet a defined set of security requirements.

One building block in this framework is the EU Declaration of Conformity. It may look like just another piece of paperwork, but in practice it is the formal statement that ties a product to its legal compliance. By signing it, a manufacturer accepts full responsibility for meeting the CRA’s rules, and only with this declaration can a product bear the CE marking and be sold across the EU.

For most companies, the declaration results from an internal conformity assessment. This means the checks are performed in-house, based on technical documentation and risk analysis, without external bodies being involved. The declaration then becomes the visible outcome of that process: a clear, written confirmation that the product lives up to the standards the CRA demands.

Need a clear starting point for the EU's Cyber Resilience Act? Explore Tributech’s CRA Guide to understand all requirements, timelines, and practical steps for compliant digital products.

From Internal Assessment to Declaration

For most connected products, the CRA foresees the internal conformity assessment as the standard route to compliance. This procedure, set out in Annex VIII (Module A), does not require an external notified body. Instead, the responsibility remains fully with the manufacturer.

In practice, this means that the company must compile a comprehensive technical documentation: product description, design and production details, risk analysis, vulnerability handling processes, applied standards, and test results. These elements serve as evidence that the essential cybersecurity requirements of the CRA (Annex I) have been met. For further information on the essential cybersecurity requirements check out our deep dive blogpost.

Once this internal review is complete, the process moves from analysis to commitment. The manufacturer must draw up the EU Declaration of Conformity. This document is more than a summary, it is the legal statement in which the company formally confirms that its product complies with the CRA. By signing it, the manufacturer assumes sole responsibility for cybersecurity compliance, regardless of company size.

Only after this step can the CE marking be affixed and the product legally placed on the EU market. In other words: the internal assessment is the path, but the Declaration of Conformity is the formal outcome that opens the door to market access.

Structure and Content (Annex V & VI)

The CRA leaves no room for interpretation when it comes to the content of an EU Declaration of Conformity. Annex V sets out a uniform template to ensure that each declaration is complete and legally valid across the European Union.

According to the regulation, the declaration shall include:

  1. Name and type of the product, with any additional details needed for unique identification.

  2. Name and address of the manufacturer or, if applicable, its authorised representative.

  3. A statement of sole responsibility, confirming that the declaration is issued under the exclusive responsibility of the provider.

  4. Object of the declaration, describing the product with digital elements in a way that allows traceability (including, where appropriate, a photograph).

  5. A statement of conformity, declaring that the identified product complies with the relevant Union harmonisation legislation.

  6. References to harmonised standards or other specifications and cybersecurity certifications used as the basis for compliance.

  7. If relevant: details of a notified body — name and number, description of the procedure performed, and certificate issued.

  8. Signature block and additional details — place and date of issue, name and function of the signatory, and their signature.

This structure ensures that every declaration is both traceable and legally binding. Once signed, it represents the manufacturer’s formal assumption of responsibility for cybersecurity compliance.

Simplified EU Declaration of Conformity

The CRA also provides an option for a simplified declaration (Article 13(20) in connection with Annex VI). This version is shorter and can be used, for example, in packaging or user manuals where space is limited.

Its structure is as follows:

Hereby, … [name of manufacturer] declares that the product with digital elements type … [designation of type of product with digital element] is in compliance with Regulation (EU) 2024/2847.

The full text of the EU declaration of conformity is available at the following internet address: …

This approach allows manufacturers to provide users with the essential statement of compliance, while pointing to the full declaration online. It reduces paperwork without reducing transparency, and can be especially practical for smaller companies managing multiple product lines.

Documentation Prerequisites (Annex VII)

The Declaration of Conformity is never created in isolation. It builds on the work that has already been carried out in the technical documentation. This documentation contains the detailed description of the product, its design and production processes, the results of risk assessments, and the measures taken to comply with the CRA’s essential requirements.

In other words: the technical documentation is the foundation, the Declaration of Conformity is the result. Only once the documentation is complete and up to date can the manufacturer sign the declaration with confidence.

Because of its central importance, we will soon dedicate a separate article to the requirements and structure of technical documentation under the CRA.

Risks of Non-Compliance (Article 58)

The CRA treats the Declaration of Conformity as a binding obligation. If it is missing, incomplete, or incorrect, authorities classify this as formal non-compliance under Article 58. The consequences can be severe: market surveillance bodies may order corrections, restrict or ban the sale of a product, or even require its withdrawal from the market.

In addition, manufacturers face financial penalties. The regulation allows administrative fines of up to the higher of EUR 10 million or 2% of worldwide annual turnover for breaches related to the declaration, CE marking, technical documentation, or assessment procedures.

For companies of all sizes, this means that mistakes in the declaration are not a minor paperwork issue but a direct business risk. A missing signature, outdated information, or inaccurate reference to standards can trigger enforcement. The declaration must therefore be treated with the same care as any other legal contract, because in practice, it carries the same weight.

Conclusion

The EU Declaration of Conformity marks the point at which a company commits itself publicly and legally to having fulfilled the requirements of the CRA. By signing and publishing the declaration, the manufacturer confirms that all preparatory work, from technical documentation to internal assessments, has been carried out diligently and in line with the regulation.

At this stage, nothing can be provisional or incomplete: what is written in the declaration stands as a binding statement. This makes the declaration not just an administrative form, but the decisive step where compliance becomes official and enforceable. For companies, it is the moment of accountability, the transition from internal preparation to an external, legally valid commitment.

CRA Learning Path

Get the CRA Newsletter and unlock everything you need to stay compliant with CRA regulations: