CRA Art.26: Simplified EU Declaration of Conformity — What SMEs and Indie Devs Need to Know (2026)
Post #472 in the sota.io EU Cyber Compliance Series
Once a manufacturer has completed a conformity assessment procedure under Article 25, they must draw up the EU Declaration of Conformity (EU DoC) under Article 23. But Article 26 offers a practical shortcut: a simplified EU Declaration of Conformity that can be used when the full EU DoC is available online. This is especially relevant for small teams, indie developers, and SMEs — the exact audience the EU Cyber Resilience Act (CRA) tries to help with its March 2026 Commission guidance under Article 52(8).
This guide explains how Article 26 works, when to use it, what the simplified DoC must contain, and how to generate one programmatically.
What Article 26 Actually Says
Article 26 of Regulation (EU) 2024/2847 (the CRA) reads:
"Where the conformity assessment procedure referred to in Article 25 allows for a simplified EU declaration of conformity, the manufacturer shall draw up a simplified EU declaration of conformity as referred to in Annex V, Part 2."
Annex V, Part 2 specifies the simplified format. It must contain:
- The name and address of the manufacturer (or authorised representative under Art.12)
- A statement that the product with digital elements conforms with the relevant requirements of the CRA
- A reference (URL) to the full EU Declaration of Conformity
That's it. Compared to the full EU DoC (Annex V, Part 1) — which requires conformity assessment body details, standards applied, Annex references, and technical documentation pointers — the simplified version is a three-field document.
When Can You Use the Simplified DoC?
The simplified EU Declaration of Conformity is available when the conformity assessment was conducted via Annex VIII (internal control) — the self-assessment path available to:
- Manufacturers of products not classified as Class I or Class II (the vast majority of software products)
- Manufacturers of Class I products who choose the Annex VIII path (self-assessment against harmonised standards, with technical documentation and test records)
If your product is Class II and required a notified body assessment under Annex X, you cannot use the simplified DoC — you must publish the full EU DoC.
Quick classification check
| Product type | Class | Conformity path | Simplified DoC? |
|---|---|---|---|
| Generic SaaS / web app | Default (unclassified) | Annex VIII self-assessment | Yes |
| Password manager, VPN software | Class I (Annex III) | Annex VIII or IX | Yes (if Annex VIII) |
| Hypervisor, firewall, secure element | Class II (Annex IV) | Annex X (notified body) | No |
Why This Matters for SMEs and Indie Devs
The European Commission's March 2026 draft guidance (published under Article 52(8) of the CRA, referenced in some sources as Article 26 guidance) explicitly addresses the compliance burden on small teams. Key points from the 70-page guidance document:
1. Proportionality for microenterprises: Manufacturers with fewer than 10 employees and annual turnover under €2M can rely on simplified self-declaration paths. The guidance discourages gold-plating — you do not need an ISO 27001 certification to satisfy CRA essential requirements for most software products.
2. Remote data processing products: SaaS platforms and PaaS services that process data remotely as part of a product with digital elements are in scope. The guidance clarifies that the manufacturer is the legal entity placing the product on the EU market — typically the developer or their company, not their hosting provider.
3. Technical documentation online: You can publish the full EU DoC on your product page or documentation site and simply reference the URL in the simplified DoC. This reduces paperwork significantly.
4. Free and open-source software: OSS projects that are not commercially distributed are not obligated to draw up a DoC at all. But once a commercial entity builds on OSS and places a product on the EU market, they become the manufacturer and must comply.
What the Simplified DoC Looks Like in Practice
Here is a minimal example for a hypothetical SaaS product:
```text
EU Declaration of Conformity (Simplified)
Pursuant to Article 26 and Annex V, Part 2, Regulation (EU) 2024/2847

Manufacturer: Acme Software GmbH
              Musterstraße 1, 10115 Berlin, Germany
Product:      AcmeMonitor v3.0 (server-side SaaS)
Statement:    The above-named product with digital elements conforms
              with the requirements of Regulation (EU) 2024/2847
              (EU Cyber Resilience Act).
Full EU DoC:  https://acmesoftware.example/compliance/cra-eu-doc-v3.pdf
Date:         2026-12-11
Signed by:    Jan Muster, CEO
```
This document must be made available to market surveillance authorities on request and must reference the full EU DoC, which contains the complete conformity evidence (technical documentation, test results, applied standards).
Python: Generate a CRA-Compliant Simplified DoC
```python
from dataclasses import dataclass, field
from datetime import date
from pathlib import Path
import json


@dataclass
class SimplifiedDoC:
    """
    CRA Article 26 + Annex V Part 2 simplified EU Declaration of Conformity.
    """
    manufacturer_name: str
    manufacturer_address: str
    product_name: str
    product_version: str
    full_doc_url: str
    signed_by: str
    signed_date: date = field(default_factory=date.today)
    regulation: str = "Regulation (EU) 2024/2847 (EU Cyber Resilience Act)"

    def validate(self) -> list[str]:
        # Check the Annex V, Part 2 fields and the signature before rendering anything.
        errors = []
        if not self.manufacturer_name.strip():
            errors.append("manufacturer_name is required")
        if not self.full_doc_url.startswith("https://"):
            errors.append("full_doc_url must be an HTTPS URL (public, accessible by authorities)")
        if not self.signed_by.strip():
            errors.append("signed_by is required (natural person with authority to bind the manufacturer)")
        return errors

    def render_text(self) -> str:
        return f"""EU Declaration of Conformity (Simplified)
Pursuant to Article 26 and Annex V, Part 2, {self.regulation}
{'=' * 70}
Manufacturer: {self.manufacturer_name}
              {self.manufacturer_address}
Product:      {self.product_name} {self.product_version}
Statement:    The above-named product with digital elements conforms
              with the essential cybersecurity requirements set out in
              Annex I and the vulnerability handling requirements set
              out in Annex I, Part II of {self.regulation}.
Full EU DoC:  {self.full_doc_url}
Date:         {self.signed_date.isoformat()}
Signed by:    {self.signed_by}
{'=' * 70}
This simplified DoC is valid only when the full EU Declaration of
Conformity at the URL above is publicly accessible and up to date.
"""

    def to_json(self) -> dict:
        # Structured record for version control and automated audit tooling.
        return {
            "type": "EU_DOC_SIMPLIFIED",
            "regulation": self.regulation,
            "article": "26",
            "annex": "V Part 2",
            "manufacturer": {
                "name": self.manufacturer_name,
                "address": self.manufacturer_address,
            },
            "product": {
                "name": self.product_name,
                "version": self.product_version,
            },
            "statement": f"Conforms with Annex I requirements of {self.regulation}",
            "full_doc_url": self.full_doc_url,
            "signed_by": self.signed_by,
            "signed_date": self.signed_date.isoformat(),
        }

    def save(self, output_dir: Path) -> tuple[Path, Path]:
        output_dir.mkdir(parents=True, exist_ok=True)
        slug = f"{self.product_name.lower().replace(' ', '-')}-{self.product_version}"
        txt_path = output_dir / f"cra-simplified-doc-{slug}.txt"
        json_path = output_dir / f"cra-simplified-doc-{slug}.json"
        # Write UTF-8 explicitly: addresses frequently contain non-ASCII characters,
        # and the platform default encoding is not guaranteed to handle them.
        txt_path.write_text(self.render_text(), encoding="utf-8")
        json_path.write_text(json.dumps(self.to_json(), indent=2, ensure_ascii=False),
                             encoding="utf-8")
        return txt_path, json_path


def main():
    doc = SimplifiedDoC(
        manufacturer_name="Acme Software GmbH",
        manufacturer_address="Musterstraße 1, 10115 Berlin, Germany",
        product_name="AcmeMonitor",
        product_version="v3.0",
        full_doc_url="https://acmesoftware.example/compliance/cra-eu-doc-v3.pdf",
        signed_by="Jan Muster, CEO",
    )
    errors = doc.validate()
    if errors:
        print("Validation errors:")
        for e in errors:
            print(f"  - {e}")
        return
    txt_path, json_path = doc.save(Path("./cra-compliance"))
    print(f"Simplified DoC saved:\n  {txt_path}\n  {json_path}")
    print("\n--- Preview ---")
    print(doc.render_text())


if __name__ == "__main__":
    main()
```
Running this outputs a text file and a structured JSON record — both useful for audits, market surveillance requests, and keeping your compliance documentation in version control.
The Full EU DoC vs Simplified DoC: Key Differences
| Requirement | Full EU DoC (Annex V, Part 1) | Simplified DoC (Annex V, Part 2) |
|---|---|---|
| Manufacturer details | Required | Required |
| Product description | Required | Implicit (product name) |
| Conformity statement | Detailed | Single-sentence |
| Standards/Annexes referenced | Required (e.g., EN 18031) | Not required |
| Conformity assessment procedure | Must name Annex (VIII/IX/X) | Not required |
| URL to full DoC | Not applicable | Required |
| Notified body details (if applicable) | Required | Not applicable |
The simplified format trades documentation completeness for simplicity — but the full EU DoC must exist and remain publicly accessible. If your full DoC URL goes offline or the document is outdated, the simplified DoC becomes invalid.
Practical Steps for Indie Devs and Small Teams
- Determine your product class using Annexes III and IV of the CRA. Most SaaS tools fall outside Class I/II entirely.
- Complete Annex VIII self-assessment: Document your essential cybersecurity requirements against Annex I. Store evidence (test results, SBOM, vulnerability policy) in a secure location.
- Draw up the full EU DoC per Annex V, Part 1. Host it at a stable HTTPS URL (not a signed Dropbox link — use a path on your product domain).
- Generate the simplified DoC per Article 26 / Annex V, Part 2. This is the public-facing document you can include in your product README, app store listing, or compliance page.
- Affix CE marking per Article 24 once the DoC is complete.
- Keep it updated: When you release a new major version, the simplified DoC date and the full DoC must be updated before the new version ships in the EU market.
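A release gate that applies the steps above to the JSON record written by the post's `SimplifiedDoC.save()`, as an added example that is not part of the original post. The sample record and the full DoC text are constructed inline; the manufacturer domain, the release version being shipped and today's date are assumed inputs a CI job would pass in.

```python
import json
from datetime import date
from urllib.parse import urlparse

# Constructed sample record in the shape written by SimplifiedDoC.to_json() above.
SIMPLIFIED_DOC_JSON = json.dumps({
    "type": "EU_DOC_SIMPLIFIED",
    "manufacturer": {"name": "Acme Software GmbH",
                     "address": "Musterstraße 1, 10115 Berlin, Germany"},
    "product": {"name": "AcmeMonitor", "version": "v3.0"},
    "full_doc_url": "https://acmesoftware.example/compliance/cra-eu-doc-v3.pdf",
    "signed_by": "Jan Muster, CEO",
    "signed_date": "2026-12-11",
})

# Constructed stand-in for the text of the full EU DoC hosted at full_doc_url.
FULL_DOC_TEXT = """EU Declaration of Conformity (Annex V, Part 1)
Product: AcmeMonitor v3.0 (server-side SaaS)
Conformity assessment procedure: Annex VIII (internal control)"""


def check_release(simplified_json: str, full_doc_text: str, release_version: str,
                  manufacturer_domain: str, today: str) -> list[str]:
    """Return the reasons this release must not ship; an empty list means the gate passes."""
    doc = json.loads(simplified_json)
    problems = []

    # The version being shipped must be the version the simplified DoC was signed for.
    declared = doc["product"]["version"]
    if declared != release_version:
        problems.append(f"version mismatch: DoC declares {declared}, release is {release_version}")

    # The full DoC must sit at a stable HTTPS URL on the manufacturer's own domain,
    # not on a file-sharing host and not behind a signed link that expires.
    url = urlparse(doc["full_doc_url"])
    host = url.hostname or ""
    if url.scheme != "https":
        problems.append("full_doc_url is not HTTPS")
    if host != manufacturer_domain and not host.endswith("." + manufacturer_domain):
        problems.append(f"full_doc_url host {host!r} is not under {manufacturer_domain}")
    if url.query:
        problems.append("full_doc_url carries a query string (signed share links expire)")

    # A signature date in the future is a data-entry error that will not survive an audit.
    if date.fromisoformat(doc["signed_date"]) > date.fromisoformat(today):
        problems.append("signed_date lies in the future")

    # The hosted full DoC must describe this product and this version; otherwise the
    # simplified DoC points at stale evidence and is no longer valid.
    for needle in (doc["product"]["name"], release_version):
        if needle not in full_doc_text:
            problems.append(f"full EU DoC does not mention {needle!r}")
    return problems
```

Run it from the release pipeline with the freshly fetched full DoC text so a version bump that forgets step 6 fails the build instead of shipping with an invalid simplified DoC.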
The sota.io Angle: EU-Hosted Compliance Documentation
One practical concern for CRA compliance is where to host the full EU DoC. Article 26 requires the URL to be publicly accessible. If you host your compliance documentation on a US-based cloud provider, the full DoC is technically reachable — but it could be subpoenaed under the US CLOUD Act without your knowledge.
For products targeting sensitive markets (healthcare software, fintech, industrial control systems), hosting your compliance documentation on EU-sovereign infrastructure eliminates this exposure. sota.io provides EU-native hosting with no US-entity involvement in the data chain — your CE marking documentation stays under EU jurisdiction.
What Comes Next in the CRA Series
- CRA Art.27: When the simplified EU DoC is not enough — products subject to Union harmonisation legislation requiring the full procedure
- CRA Art.28: Notified bodies — how they are designated, what they audit, how to select one, and what happens when they lose accreditation
- CRA Art.29: Notification procedures for conformity assessment bodies (Member State obligations)
- CRA Art.14: The 24-hour vulnerability reporting deadline — the most operationally critical article for software manufacturers in 2026
Summary
CRA Article 26 provides a proportionate compliance path for the majority of software manufacturers. The simplified EU Declaration of Conformity reduces documentation overhead while maintaining accountability — the full DoC exists online, the simplified DoC references it. For indie developers and small SaaS teams, this is the practical path:
- Self-assess under Annex VIII
- Create and host the full EU DoC
- Generate the simplified DoC referencing the URL
- Affix CE marking
- Keep both documents current
The March 2026 Commission guidance reinforces that SMEs are not expected to replicate enterprise compliance programs — but they are expected to have a documented, evidence-backed DoC ready for market surveillance inspection.
Part of the sota.io EU Cyber Resilience Act Developer Guide Series. Deploy your CRA-compliant product on EU-native infrastructure at sota.io.