Skip to main content

Providing the EU DoC to Users and Authorities for Software

Once you've drawn up the EU Declaration of Conformity (DoC) for your app, game, or software, it doesn't just sit in your files. The Cyber Resilience Act (CRA) outlines how it needs to be made available.

Availability to Market Surveillance Authorities

This is a primary requirement. Your technical documentation, which includes a copy of the EU DoC (Annex VII, point 7), must be kept at the disposal of market surveillance authorities for at least 10 years after your software is placed on the market, or for the support period, whichever is longer (Article 13, Paragraph 13). Annex VIII, Part I, point 4.2, (covering Module A self-assessment) also states a copy of the EU DoC shall be made available to relevant authorities upon request.

Informing Users

The CRA also wants users to have access to conformity information. Article 13, Paragraph 20, mandates that manufacturers shall either:

  1. Provide a copy of the full EU Declaration of Conformity with the product with digital elements, OR
  2. Provide a simplified EU Declaration of Conformity with the product.

If you opt for the simplified DoC, it must contain the exact internet address where the full EU Declaration of Conformity can be accessed.

How This Applies to Software

For purely digital software like an app or game distributed online:

  • Simplified DoC with Link: The most common approach will likely be including a simplified DoC (as per Annex VI) within your software's "About" section, help files, or on its download page, with a clear, direct link to the full DoC hosted on your website.
  • Full DoC Accessible Online: You would then host the full, signed DoC (e.g., as a PDF) at that stable internet address.

The key is making the conformity information accessible as required.

Key Takeway

You must make your software's EU DoC (or a simplified version with a link to the full one) available with the product for users. The full DoC and technical documentation must be readily available to market surveillance authorities for at least 10 years or the support period.