Drawing Up the EU Declaration of Conformity After Software Self-Assessment

You've completed your software's self-assessment (Module A) under the Cyber Resilience Act (CRA). You're confident your game, app, or non-critical library meets the essential cybersecurity requirements. The next crucial step is to formally declare this by drawing up an EU Declaration of Conformity (DoC).

Your Formal Statement of Compliance

The EU DoC is a legally binding document where you, the manufacturer, state that your software product and your processes fulfill the applicable essential cybersecurity requirements set out in Annex I of the CRA (Article 28, Paragraph 1). This is not a task to take lightly.

Assuming Responsibility

By drawing up this DoC, you explicitly assume responsibility for the compliance of your software product (Article 28, Paragraph 4). It’s your signature on the line, confirming you've done the necessary work.

Content and Structure

The CRA provides a model structure for the EU DoC in Annex V. Key elements you'll need to include for your software product are:

  • Product identification (name, type, version of your software).
  • Your name and address as the manufacturer.
  • A statement that the DoC is issued under your sole responsibility.
  • A clear statement that your software (the object of the declaration) conforms with the CRA (Regulation (EU) 2024/2847) and any other relevant Union harmonisation legislation.
  • References to any harmonised standards, common specifications, or cybersecurity certifications used to demonstrate conformity.
  • Place and date of issue, and your name, function, and signature.

This DoC must be kept up to date and made available in the languages required by the Member States where you market your software (Article 28, Paragraph 2). A copy also becomes part of your technical documentation (Annex VII, point 7).

Key Takeaway

The EU Declaration of Conformity is your formal, signed attestation that your software meets CRA requirements. It signifies you've completed your self-assessment and take full responsibility for your product's compliance.