Elements of Technical Documentation for Software: A Checklist
Annex VII of the Cyber Resilience Act (CRA, Regulation (EU) 2024/2847) sets out exactly what the Technical Documentation for a product with digital elements must contain. For your game, app, or software, this translates into a specific set of documents and information you need to compile and keep current. Here is a checklist of the core elements.
Your Software Documentation Checklist (based on Annex VII)
- General Product Description:
  - What is your software, and what is its intended purpose?
  - Which software versions does this documentation cover? Annex VII asks specifically for the versions that affect compliance with the essential requirements.
  - A copy of the user information and instructions (the items listed in Annex II).
- Design, Development, and Process Descriptions:
  - An overview of the software's architecture and design, explaining how the components build on or feed into each other.
  - Details on your build/release ("production") and monitoring processes, and how you validate them.
  - Documentation of your vulnerability handling processes. This includes your Coordinated Vulnerability Disclosure policy, evidence that you provide a contact address for reporting vulnerabilities, and a description of the technical solution you use to distribute updates securely.
- Risk and Compliance Documentation:
  - Your full cybersecurity risk assessment, including how the essential requirements in Annex I, Part I apply to your software.
  - The information you relied on to determine the support period.
  - A list of the harmonised standards, common specifications, or European cybersecurity certification schemes you applied, in full or in part. Where none were applied, a description of the solutions you adopted instead to meet the essential requirements.
- Verification and Formal Declarations:
  - Reports of the tests you carried out to verify that both the software and your vulnerability handling processes meet the essential requirements.
  - A copy of your signed EU Declaration of Conformity.
- Component Management:
  - Your Software Bill of Materials (SBOM). Annex VII lists the SBOM as part of the vulnerability handling information, and separately states that a market surveillance authority may request it, on reasoned request, where it needs it to check compliance.
This checklist covers the minimum: Article 31, Paragraph 1 requires the documentation to contain at least the elements set out in Annex VII. You must draw up the documentation before placing your software on the market and keep it updated, where appropriate, throughout the support period (Article 31, Paragraph 2). You must also keep it, together with the EU Declaration of Conformity, available to market surveillance authorities for at least 10 years after placing the software on the market or for the support period, whichever is longer (Article 13, Paragraph 13).
Key Takeaway
Use Annex VII as a direct checklist to build your Technical Documentation. It must cover everything from your software's design and risk assessment to your vulnerability handling processes and formal declarations, and it must exist before you ship and stay current for as long as you support the software.