EU Cyber Resilience Act

What is the EU Declaration of Conformity (CRA)?

The EU Declaration of Conformity (CRA Annex V) is the signed statement, issued under the manufacturer’s sole responsibility, that a product meets the Cyber Resilience Act’s essential requirements. It is a precondition for affixing the CE marking.

What it must contain

Annex V sets out the required fields: product identifiers; the manufacturer’s name and address; a statement that the declaration is issued under the manufacturer’s sole responsibility; the object of the declaration; the conformity statement and the assessment route used; the standards or specifications applied; and the place, date, and signatory’s identity and function.

The declaration is the visible top of a larger evidence stack — it should be backed by the Annex VII technical documentation, an SBOM, and a vulnerability-handling record.

Key points

  • Defined by CRA Annex V; issued under the manufacturer’s sole responsibility.
  • A precondition for CE marking.
  • Must reference the conformity route and standards applied.
  • Backed by the Annex VII technical documentation and SBOM.

Frequently asked questions

What is an EU Declaration of Conformity?
It is the manufacturer’s signed statement that a product meets the applicable EU requirements — under the CRA, the Annex I essential requirements. It is required before CE marking.
Who signs the EU Declaration of Conformity?
The manufacturer (or its authorised representative) signs it under sole responsibility; the declaration records the signatory’s identity and function.

Related

General information about the EU Cyber Resilience Act — not legal advice. Normproof provides tooling and audit-ready evidence; the manufacturer self-declares conformity. For your specific product, run the free readiness check or consult a qualified advisor.

See exactly what the CRA requires for your product.

Run the free readiness check — your category, obligations, and deadlines in 60 seconds.