Record Keeping for Software Self-Assessment: How Long?

You've self-assessed your app or game using Module A under the Cyber Resilience Act (CRA), drawn up your EU Declaration of Conformity (DoC), and affixed the CE mark. Job done? Not quite. The CRA has specific requirements for how long you need to keep your records.

The 10-Year or Support Period Rule

For manufacturers conducting a self-assessment (Module A), the key documents you need to hold onto are:

  1. The EU Declaration of Conformity (DoC)
  2. The Technical Documentation (as detailed in Annex VII)

According to Article 13, Paragraph 13, and reiterated in Annex VIII, Part I, point 4.2, manufacturers must keep both the technical documentation and the EU DoC at the disposal of the market surveillance authorities for at least 10 years after the product with digital elements has been placed on the market, or for the support period, whichever is longer.

What "Placed on the Market" Means for Software

"Placing on the market" means the first making available of your software on the Union market (Article 3, point 21). So, for a new game or app, this 10-year clock starts ticking from its initial launch or sale in the EU.

Support Period Consideration

The CRA also introduces the concept of a "support period," which is the time during which you commit to handling vulnerabilities (Article 13, Paragraph 8). This support period must be at least five years, unless the product's expected use time is shorter. If your determined support period (e.g., for a game-as-a-service) is longer than 10 years, then that longer period dictates your record-keeping obligation for the DoC and technical documentation.

Why This Long?

Market surveillance authorities need to be able to verify compliance even years after your software is released, especially if issues arise later in its lifecycle. This long-term record-keeping ensures accountability.

Key Takeaway

For your self-assessed software, keep your EU Declaration of Conformity and technical documentation readily available for authorities for a minimum of 10 years from its EU market launch, or for the duration of its support period if that’s longer.