CRA Art.23: EU Declaration of Conformity — Content, CE Marking & Lifecycle Obligations (Developer Guide 2026)
Post #469 in the sota.io EU Cyber Compliance Series
The EU Cyber Resilience Act (Regulation (EU) 2024/2847, "CRA") establishes a conformity assessment framework that culminates in a formal legal instrument: the EU Declaration of Conformity (EU DoC). Article 23 governs who must draw up the EU DoC, what it must contain, and how it interacts with the CE marking under Article 24.
The EU DoC is not a checkbox. It is a manufacturer's legally binding attestation that the product with digital elements fulfils every essential cybersecurity requirement in Annex I. Drawing up the EU DoC is the step that directly precedes CE marking — without a valid EU DoC, affixing the CE mark is unlawful. Under Art.64, placing a CE-marked product on the EU market without a valid EU DoC exposes manufacturers to penalties of up to €15 million or 2.5% of global annual turnover.
Critical deadline: 11 December 2027. Art.23 obligations apply in full from that date for most products. Class I and Class II products covered by transitional provisions of Art.73 must have conformity infrastructure in place earlier where notified body assessments are required.
The Conformity Assessment Triad: Art.22–24
Article 23 sits in the middle of a three-article conformity assessment sequence:
| Article | Obligation | Output |
|---|---|---|
| Art.22 | Technical documentation | Annex V dossier (design, SBOM, vulnerability handling, test records, standards applied) |
| Art.23 | EU Declaration of Conformity | Formal legal instrument attesting fulfilment of Annex I essential requirements |
| Art.24 | CE marking | Affixing "CE" to product (physical) or making it electronically available (software) |
The three are interdependent. The EU DoC under Art.23 references the conformity assessment procedure under Annex VIII, IX, or X. Annex V element 5 (in the technical documentation) must contain a copy of the EU DoC or a reference to it. The CE mark under Art.24 may only be affixed once the EU DoC is drawn up.
Who Must Draw Up the EU DoC?
Art.23(1) places the obligation on the manufacturer. Where the manufacturer is not established in the EU, the authorised representative designated under Art.12 may draw up the EU DoC in the manufacturer's name — but the EU DoC itself must identify the manufacturer, not merely the authorised representative.
Multi-product EU DoC: Art.23(1) expressly permits a single EU DoC to cover multiple products with digital elements, subject to the requirement that each product is specifically identified. This is a practical concession — a software company shipping a suite of products (e.g., an SDK, a CLI tool, and a server agent) can issue one EU DoC referencing all three, provided the document clearly identifies each product by name, version range, and product category.
Open-source software: The EU DoC obligation applies when a product is placed on the market — i.e., made available in exchange for payment or supplied commercially. Open-source software stewards under Art.8 whose software is not placed on the market by them do not draw up EU DoCs; the downstream manufacturer who places a product incorporating the open-source component does.
Art.23(2) — What the EU DoC Must Attest
The EU DoC is a declaration that the essential cybersecurity requirements in Annex I are fulfilled. Annex I is divided into two parts:
Annex I Part I — Security Requirements for Properties of Products with Digital Elements
These are the core security-by-design obligations:
- Products must be placed on the market without known exploitable vulnerabilities
- Products must be delivered with a secure default configuration
- Products must provide mechanisms to protect against unauthorized access (authentication, access control)
- Products must protect confidentiality and integrity of data processed, transmitted, or stored
- Products must minimize attack surfaces and limit connectivity to functions necessary for purpose
- Products must be resilient to denial-of-service attacks
- Products must provide security update mechanisms
- Products must support data minimization
Annex I Part II — Vulnerability Handling Requirements
These are the ongoing operational obligations:
- Manufacturers must identify and document vulnerabilities in products including third-party components
- Manufacturers must distribute security updates promptly, applied by default where the user has consented
- Manufacturers must maintain a coordinated vulnerability disclosure policy (CVD)
- Manufacturers must take measures to securely share vulnerability information across the supply chain
- Manufacturers must provide mechanisms for secure disposal of user data
The EU DoC declares that the specific product identified in the document meets all of these requirements. It is not a partial or conditional attestation.
Art.23(3) — Mandatory Content Elements
The EU DoC must contain the following minimum information:
Element 1 — Product Identification
The name and type of the product, plus any batch, serial, or version information necessary to identify it unambiguously. For software products, this typically means:
- Product name
- Software version (e.g., 2.4.1) or supported version range (e.g., 2.x.x where the declaration covers a version family)
- Product category under Annex III (default, Class I, or Class II)
Element 2 — Manufacturer Information
Name and address of the manufacturer (and authorised representative where applicable). For software companies, the registered business address of the entity placing the product on the market.
Element 3 — Conformity Assessment Reference
The EU DoC must identify the conformity assessment procedure applied under:
- Annex VIII (Internal production control — self-assessment, for default products and Class I products not subject to third-party assessment)
- Annex IX (EU-type examination — Notified Body involvement, for Class I products opting for third-party assessment or Class II products)
- Annex X (Quality management system — for manufacturers with certified QMS under EN ISO 9001 or equivalent)
For most software products in the "default" category (not Class I or Class II), Annex VIII internal production control applies. The manufacturer conducts its own conformity assessment against Annex I, documents the results in the Annex V technical documentation, and issues the EU DoC without Notified Body involvement.
Element 4 — Standards or Specifications Applied
Where harmonised European standards or common specifications have been applied (conferring presumption of conformity under Art.26), the EU DoC must reference them. Relevant harmonised standards in development:
- EN 18031-1: Cybersecurity requirements for internet-connected radio equipment
- EN 18031-2/3: Extensions for smart devices and wearables
- IEC 62443-4-1/4-2: Industrial cybersecurity (for products in OT/ICS environments)
Where no harmonised standard covers the product, the EU DoC references the applicable ENISA-published common specifications or the manufacturer's own applied technical specifications.
Element 5 — Declaration Text
A statement that the product described in the EU DoC is in conformity with Regulation (EU) 2024/2847 and that the essential requirements in Annex I are fulfilled. This is the operative legal assertion of the document.
Element 6 — Signatory Information
Place and date of issue, plus the name and signature (or equivalent electronic authentication) of the person authorised to sign on behalf of the manufacturer. For EU DoCs drawn up by authorised representatives, the signatory is the authorised representative's designated officer.
Art.23(4) — Keeping the EU DoC Updated
The EU DoC is not a one-time document. Art.23(4) requires manufacturers to keep the EU DoC updated when:
- A substantial modification is made to the product — under Art.20, a substantial modification that creates a new product with digital elements requires a new conformity assessment, which in turn requires a new EU DoC.
- The applicable standards or specifications change — where the EU DoC references harmonised standards, a revision to those standards that affects conformity triggers an obligation to re-evaluate and potentially update the EU DoC.
- A vulnerability is discovered that undermines the conformity declaration — where a discovered vulnerability demonstrates that an Annex I essential requirement is no longer fulfilled (e.g., a zero-day enabling unauthorized access with no available patch), the manufacturer must assess whether the EU DoC remains valid.
What does "update" mean in practice? Updating the EU DoC means issuing a new version of the document with a new issue date, reflecting the current state of the product's conformity with Annex I. Version-controlled EU DoC management is therefore not optional — it is a direct regulatory requirement.
Simplified EU DoC for SMEs
Art.23(5) creates a simplified EU DoC procedure for manufacturers who wish to reduce documentation volume. Under the simplified procedure, the EU DoC may contain only the minimum information specified, with a reference to the technical documentation for all supporting detail.
In practice, the simplified EU DoC:
- Identifies the product, manufacturer, and conformity assessment procedure
- Declares conformity with Regulation (EU) 2024/2847
- States that the full supporting documentation is available in the technical file maintained under Art.22
- Is signed by an authorised person
The simplified form is functionally equivalent for market access purposes. The technical documentation referenced must still be complete and Art.22-compliant — the simplification is in the EU DoC form only, not in the underlying compliance substance.
Recommendation for software companies: Use the simplified EU DoC format. It reduces the administrative burden of keeping the EU DoC current when product details change, because the operative compliance detail lives in the technical documentation (which is versioned separately) rather than in the EU DoC itself.
CE Marking Under Art.24
Art.24 is the downstream step after Art.23. Once the EU DoC is drawn up and signed, the manufacturer may affix the CE marking.
Form of CE Marking for Software
For hardware products, CE marking is affixed physically to the product or its packaging. For software-only products — where there is no physical product to mark — Art.24(3) provides that CE marking shall be:
- Made available electronically, typically in the product UI or documentation portal
- Clearly associated with the specific product and version
- Linked to or accompanied by a copy or reference to the EU DoC
In practice, a software product's CE marking compliance typically consists of:
- A CE mark displayed in the product's "About" screen or compliance section of the documentation site
- A link to the EU DoC (either as a downloadable PDF or as a dedicated compliance page)
- Version-specific association so that the CE marking clearly applies to the version the user is running
CE Marking and Market Surveillance
National market surveillance authorities (MSAs) under Art.21 can request the EU DoC as part of any market surveillance action. MSAs are entitled to verify that the EU DoC exists, is current, and genuinely reflects the product placed on the market. An MSA that finds material discrepancies between the EU DoC and the actual product state can initiate corrective action under Art.55.
This is why CE marking without an accurate EU DoC is doubly risky: the CE mark tells MSAs that the product conforms, so an inaccurate EU DoC behind it adds a false conformity signal on top of the underlying non-conformity.
Language Requirements
Art.23(3) requires the EU DoC to be drawn up in an official language of the EU. For manufacturers placing products on markets across multiple Member States, the EU DoC must be made available in the official language(s) of each Member State where the product is placed on the market, or in a language accepted by the relevant MSA.
In practice, English is widely accepted by MSAs across the EU for technical documentation, and an English-language EU DoC supplemented by translated key elements (product name, declaration text, signatory) is typically sufficient. However, manufacturers targeting markets where local language requirements apply (France, Germany) should maintain translated versions.
Python Implementation: CRADeclarationOfConformityKit
```python
from dataclasses import dataclass, field
from datetime import date
from enum import Enum
from typing import Optional


class ConformityAssessmentProcedure(Enum):
    ANNEX_VIII_INTERNAL = "annex_viii_internal_production_control"
    ANNEX_IX_EU_TYPE_EXAM = "annex_ix_eu_type_examination"
    ANNEX_X_QMS = "annex_x_quality_management_system"


class ProductCategory(Enum):
    DEFAULT = "default"
    CLASS_I = "class_i"
    CLASS_II = "class_ii"


def version_in_family(version: str, family: str) -> bool:
    """True if a concrete version ("2.4.1") belongs to a family ("2.x.x", "2.4.x").

    Each family component is either the literal "x" (matches anything) or must
    equal the corresponding version component. Comparing component-wise avoids
    the prefix trap where "2.x" would also match "20.0.0".
    """
    v_parts = version.split(".")
    f_parts = family.split(".")
    if len(v_parts) < len(f_parts):
        return False
    return all(f.lower() == "x" or f == v for v, f in zip(v_parts, f_parts))


@dataclass
class ProductIdentifier:
    name: str
    version: str
    version_family: Optional[str]  # e.g. "2.x.x" for a family declaration
    product_category: ProductCategory


@dataclass
class ManufacturerInfo:
    company_name: str
    registered_address: str
    country_code: str  # ISO 3166-1 alpha-2
    authorised_rep_name: Optional[str] = None
    authorised_rep_address: Optional[str] = None


@dataclass
class HarmonisedStandardRef:
    standard_number: str  # e.g. "EN 18031-1:2024"
    title: str
    version: str
    coverage: str  # which Annex I requirements this standard covers


@dataclass
class EUDeclarationOfConformity:
    """
    EU Declaration of Conformity under CRA Art.23.
    Implements the minimum content requirements of Art.23(3).
    """
    doc_reference: str  # Internal reference number, e.g. "EU-DOC-2026-001"
    products: list[ProductIdentifier]
    manufacturer: ManufacturerInfo
    assessment_procedure: ConformityAssessmentProcedure
    harmonised_standards: list[HarmonisedStandardRef]
    issue_date: date
    signatory_name: str
    signatory_title: str
    simplified: bool = False  # Art.23(5) simplified form
    # Lifecycle state (Art.23(4)); managed by update(), not by the constructor
    _base_reference: str = field(default="", init=False)
    _superseded_by: Optional[str] = field(default=None, init=False)
    _issue_history: list[tuple[date, str]] = field(default_factory=list, init=False)

    def __post_init__(self) -> None:
        self._base_reference = self.doc_reference
        self._issue_history.append((self.issue_date, "initial issue"))

    def covers_product(self, name: str, version: str) -> bool:
        """Art.23(3) element 1: is this exact product and version identified?"""
        for p in self.products:
            if p.name != name:
                continue
            if p.version == version:
                return True
            if p.version_family and version_in_family(version, p.version_family):
                return True
        return False

    def update(self, new_issue_date: date, reason: str) -> "EUDeclarationOfConformity":
        """Issue a new revision under Art.23(4) and mark this one as superseded.

        The revision keeps the base reference (EU-DOC-2026-001, -R1, -R2, ...)
        and carries the full issue history forward, so every issue date and the
        reason for it (substantial modification, standard revision, discovered
        non-conformity) stays traceable from the current document.
        """
        if not self.is_current():
            raise ValueError(
                f"{self.doc_reference} is already superseded by {self._superseded_by}"
            )
        revision = len(self._issue_history)
        updated = EUDeclarationOfConformity(
            doc_reference=f"{self._base_reference}-R{revision}",
            products=list(self.products),
            manufacturer=self.manufacturer,
            assessment_procedure=self.assessment_procedure,
            harmonised_standards=list(self.harmonised_standards),
            issue_date=new_issue_date,
            signatory_name=self.signatory_name,
            signatory_title=self.signatory_title,
            simplified=self.simplified,
        )
        updated._base_reference = self._base_reference
        updated._issue_history = [*self._issue_history, (new_issue_date, reason)]
        self._superseded_by = updated.doc_reference
        return updated

    def is_current(self) -> bool:
        return self._superseded_by is None

    def generate_declaration_text(self) -> str:
        product_list = ", ".join(
            f"{p.name} {p.version_family or p.version} ({p.product_category.value})"
            for p in self.products
        )
        standards_list = (
            ", ".join(s.standard_number for s in self.harmonised_standards)
            if self.harmonised_standards
            else "No harmonised standards applied (direct assessment against Annex I)"
        )
        lines = [
            "EU DECLARATION OF CONFORMITY",
            f"Reference: {self.doc_reference}",
            f"Issue Date: {self.issue_date.isoformat()}",
            f"Manufacturer: {self.manufacturer.company_name}",
            f"Address: {self.manufacturer.registered_address}",
        ]
        if self.manufacturer.authorised_rep_name:
            lines.append(
                f"Authorised Representative: {self.manufacturer.authorised_rep_name}, "
                f"{self.manufacturer.authorised_rep_address}"
            )
        lines += [
            f"Product(s): {product_list}",
            "This declaration of conformity is issued under the sole responsibility of the manufacturer.",
            "The product(s) described above are in conformity with Regulation (EU) 2024/2847 of the",
            "European Parliament and of the Council on horizontal cybersecurity requirements for products",
            "with digital elements (Cyber Resilience Act).",
            "The following conformity assessment procedure was applied:",
            self.assessment_procedure.value,
            f"Harmonised standards applied: {standards_list}",
            "The essential requirements of Annex I (Parts I and II) of Regulation (EU) 2024/2847 are fulfilled.",
        ]
        if self.simplified:
            lines.append(
                "This is a simplified EU Declaration of Conformity under Art.23(5). "
                "Full supporting technical documentation is available upon request."
            )
        lines += [
            f"Signed: {self.signatory_name}, {self.signatory_title}",
            f"Date: {self.issue_date.isoformat()}",
        ]
        return "\n".join(lines) + "\n"


class CRADeclarationOfConformityKit:
    """
    Manages EU DoC lifecycle: creation, updates, version control,
    and CE marking association for products with digital elements.
    """

    def __init__(self) -> None:
        self.declarations: dict[str, EUDeclarationOfConformity] = {}

    def register(self, doc: EUDeclarationOfConformity) -> None:
        self.declarations[doc.doc_reference] = doc

    def find_for_product(
        self, product_name: str, version: str
    ) -> list[EUDeclarationOfConformity]:
        """Only current (non-superseded) declarations count for CE marking."""
        return [
            doc for doc in self.declarations.values()
            if doc.covers_product(product_name, version) and doc.is_current()
        ]

    def update_declaration(
        self,
        doc_reference: str,
        new_issue_date: date,
        reason: str,
    ) -> EUDeclarationOfConformity:
        # The superseded document stays registered: MSAs may request historical DoCs
        original = self.declarations[doc_reference]
        updated = original.update(new_issue_date, reason)
        self.declarations[updated.doc_reference] = updated
        return updated

    def ce_marking_status(self, product_name: str, version: str) -> dict:
        """CE marking is only lawful while a current EU DoC covers this exact version."""
        current_docs = self.find_for_product(product_name, version)
        return {
            "product": f"{product_name} {version}",
            "ce_marking_authorised": len(current_docs) > 0,
            "current_doc_references": [d.doc_reference for d in current_docs],
            "assessment_procedures": [
                d.assessment_procedure.value for d in current_docs
            ],
        }

    def compliance_report(self) -> dict:
        current = [d for d in self.declarations.values() if d.is_current()]
        superseded = [d for d in self.declarations.values() if not d.is_current()]
        return {
            "total_declarations": len(self.declarations),
            "current_declarations": len(current),
            "superseded_declarations": len(superseded),
            "products_covered": sum(len(d.products) for d in current),
            "report_date": date.today().isoformat(),
        }
```
Art.23 Compliance Checklist
EU DoC Content (Art.23(3))
- Product name, type, and version (or version family) clearly stated
- Manufacturer name and registered address included
- Authorised representative named if manufacturer is non-EU
- Conformity assessment procedure reference: Annex VIII, IX, or X
- Harmonised standards applied listed (or explicit statement that none apply)
- Declaration text states conformity with Regulation (EU) 2024/2847 and Annex I
- Issue date included
- Signatory name and title included with signature or electronic equivalent
EU DoC Lifecycle (Art.23(4))
- Version control system in place for EU DoC
- Trigger defined: substantial modification (Art.20) → new EU DoC
- Trigger defined: harmonised standard revision → EU DoC re-evaluation
- Trigger defined: discovered non-conformity → EU DoC suspension and update procedure
- Superseded EU DoCs archived (MSAs may request historical DoCs)
- Retention: EU DoC retained for 10 years per Art.22(3) / Annex V
CE Marking (Art.24)
- CE marking only affixed after EU DoC drawn up and signed
- Software: CE marking displayed electronically (product UI / documentation site)
- CE marking version-specific (clearly associated with specific release)
- EU DoC link/reference accessible from CE marking location
- No CE marking affixed before conformity assessment complete
Multi-Product and Simplified DoC
- Multi-product EU DoC: all products individually identified by name and version
- Simplified EU DoC (Art.23(5)): minimum content present; technical file reference included
- Simplified EU DoC: underlying technical documentation is complete and Art.22-compliant
Language and Availability
- EU DoC in official EU language(s) of relevant Member States
- EU DoC copy in technical documentation (Annex V element 5)
- EU DoC available to MSAs on request within 48 hours
Integration with Conformity Triad
- Annex V (Art.22 technical documentation) contains EU DoC reference
- EU DoC assessment procedure matches procedure documented in Annex V
- Standards referenced in EU DoC match standards listed in Annex V
- CE marking (Art.24) roll-out coordinated with EU DoC issuance
Art.23 and sota.io: EU-Native Infrastructure Advantages
The EU Declaration of Conformity must be stored, versioned, and made available to MSAs across the product's 10-year retention window. For manufacturers building products with digital elements on EU infrastructure:
- Jurisdiction-consistent document storage: An EU DoC stored on EU-resident infrastructure is not subject to US discovery orders under the CLOUD Act. An MSA requesting the EU DoC under Art.21 receives it through EU-legal channels, without conflict with non-EU jurisdiction orders.
- No data transfer compliance gap: An EU DoC stored on AWS or Azure (US parent company) creates a gap where GDPR-protected data used to populate the technical documentation may be subject to conflicting jurisdictional demands. EU-native storage eliminates this gap.
- Audit trail integrity: Version-controlled EU DoC history, with cryptographic integrity verification, demonstrates to MSAs that the EU DoC has not been retroactively altered — a critical assurance in any Art.55 market surveillance investigation.
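The version-controlled, integrity-verified EU DoC history that Art.23(4) calls for and that the audit-trail point above relies on, as an added example (not code from the original post or from sota.io): each issued revision is appended to a SHA-256 hash chain, and verify() reports where a retroactive edit breaks the chain. The class and function names, the sample dates and the DoC texts are constructed for this example.

```python
import hashlib
import json
from dataclasses import dataclass, replace
from datetime import date
from typing import Optional

@dataclass(frozen=True)
class DocRevision:
    """One issued version of an EU DoC (field names are this example's assumptions)."""
    doc_reference: str
    issue_date: date
    reason: str           # Art.23(4) trigger that caused this issue
    content_sha256: str   # digest of the DoC text/PDF exactly as issued
    prev_entry_hash: str  # entry_hash of the predecessor ("" for the first issue)
    entry_hash: str       # digest binding this entry to all fields above

def entry_digest(doc_reference: str, issue_date: date, reason: str,
                 content_sha256: str, prev_entry_hash: str) -> str:
    # Canonical JSON (fixed key order, no whitespace) so the digest is reproducible
    payload = json.dumps(
        {"ref": doc_reference, "date": issue_date.isoformat(), "reason": reason,
         "content": content_sha256, "prev": prev_entry_hash},
        sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()

class DoCAuditTrail:
    """Append-only hash chain of the revisions of one EU DoC."""
    def __init__(self) -> None:
        self.entries: list[DocRevision] = []

    def append(self, doc_reference: str, issue_date: date, reason: str,
               content: bytes) -> DocRevision:
        content_sha256 = hashlib.sha256(content).hexdigest()
        prev = self.entries[-1].entry_hash if self.entries else ""
        h = entry_digest(doc_reference, issue_date, reason, content_sha256, prev)
        rev = DocRevision(doc_reference, issue_date, reason, content_sha256, prev, h)
        self.entries.append(rev)
        return rev

    def verify(self) -> tuple[bool, Optional[int]]:
        """(True, None) if every link holds, else (False, index of the first bad entry)."""
        prev = ""
        for i, e in enumerate(self.entries):
            expected = entry_digest(e.doc_reference, e.issue_date, e.reason,
                                    e.content_sha256, e.prev_entry_hash)
            if e.prev_entry_hash != prev or e.entry_hash != expected:
                return False, i
            prev = e.entry_hash
        return True, None

def build_sample_trail() -> DoCAuditTrail:
    """Constructed sample: initial issue, then a revision after an Art.20 substantial modification."""
    trail = DoCAuditTrail()
    trail.append("EU-DOC-2026-001", date(2026, 3, 2), "initial issue",
                 b"EU DECLARATION OF CONFORMITY ... agent 2.x.x (default) ...")
    trail.append("EU-DOC-2026-001-R1", date(2026, 9, 14),
                 "Art.20 substantial modification: remote update channel added",
                 b"EU DECLARATION OF CONFORMITY ... agent 3.x.x (default) ...")
    return trail

def backdate_first_issue(trail: DoCAuditTrail, rehash: bool) -> None:
    """Retroactively change the recorded first issue date. With rehash=True the editor
    also recomputes that entry's hash; entry 1 still stores the original predecessor
    hash, so the chain breaks one entry later instead of not at all."""
    e = replace(trail.entries[0], issue_date=date(2026, 1, 1))
    if rehash:
        e = replace(e, entry_hash=entry_digest(e.doc_reference, e.issue_date, e.reason,
                                               e.content_sha256, e.prev_entry_hash))
    trail.entries[0] = e
```

A copy of the latest entry_hash kept outside the document store (for instance in the Annex V technical file) turns this into evidence an MSA can check: any rewrite of the history changes that value.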
This guide covers obligations under Regulation (EU) 2024/2847 (CRA) Article 23 and Article 24. Cross-references: Art.12 (authorised representatives), Art.13 (manufacturer obligations), Art.20 (substantial modification), Art.21 (MSA cooperation), Art.22 (technical documentation), Annex I (essential requirements), Annex V (technical documentation content), Annex VIII (internal production control), Annex IX (EU-type examination), Annex X (quality management system assessment), Art.26 (presumption of conformity), Art.55 (national procedures), Art.64 (penalties).
See Also
- CRA Art.22: Technical Documentation Requirements (Annex V & VI) — the documentation foundation the EU DoC draws from
- CRA Art.24: CE Marking for Software Products — affixing CE marking after EU DoC is drawn up
- CRA Art.25: Conformity Assessment Procedures (Annex VIII, Class I & II) — determines which assessment procedure precedes the EU DoC
- CRA Art.13: Manufacturer Obligations — overarching manufacturer duties the EU DoC must attest compliance with