Draw up and maintain technical documentation (Annex VII)

Article 13(3) of Regulation (EU) 2024/2847 requires that, before placing a product with digital elements on the market, manufacturers shall draw up the technical documentation referred to in Annex VII.

Article 13(13) requires that manufacturers keep the technical documentation and EU Declaration of Conformity at the disposal of the market surveillance authorities for ten years from the date the product is placed on the market, or for the expected lifetime of the product, whichever is longer.

Annex VII specifies the technical documentation must include:

1. General description of the product — name, version, intended use
2. Design and development documents — architecture, data flows, security-relevant design decisions
3. Cybersecurity risk assessment (see OBL-ART13-02)
4. Vulnerability handling policy — description of the process
5. List of cybersecurity standards applied — or description of solutions adopted to meet essential requirements where no standards exist
6. EU Declaration of Conformity (or a draft thereof)
7. SBOM — software bill of materials for the product
8. Testing and verification records — evidence that the Annex I requirements are met

1. Completeness — all Annex VII elements must be present
2. Up to date — documentation must be updated when the product is modified
3. 10-year retention — from first placement on the market or product expected lifetime, whichever is longer
4. Available to authorities — must be produced on request from market surveillance

• Compiled Annex VII technical file
• Change-management records showing when documentation was updated
• Version history of all included documents
• SBOM in CycloneDX or SPDX format