In January 2025, a German market surveillance authority examined twelve IoT manufacturers under existing CE marking requirements. Four couldn't produce documentation within the required timeframe. Three produced documentation that failed to demonstrate conformity. Two had documentation so disorganized examiners couldn't determine what had been tested. Only three manufacturers—twenty-five percent—provided documentation that satisfied examination. And this was before CRA requirements took effect.

Market surveillance authorities won't inspect your codebase. They won't interview your developers. They won't observe your security practices. They will examine documentation—and documentation alone.

In This Episode:

• What Market Surveillance Actually Examines
  • Article 31: Authority to require documentation demonstrating conformity
  • Article 54: Ten-year minimum retention requirement
  • Why engineering documentation doesn't satisfy regulatory requirements
• The Four CRA Documentation Annexes Decoded
  • Annex II: User information requirements (manufacturer ID, security risks, update sources, vulnerability reporting contact)
  • Annex V: EU Declaration of Conformity (the legal attestation creating personal liability)
  • Annex VII: Technical documentation (risk assessment, design specification, test results, production process, vulnerability handling)
  • Annex VIII: Conformity assessment procedures (documented internal assessment for Default category)
• The Five Documentation Gaps That Fail Examination
  • Risk assessment without design traceability
  • Evidence chains without version control
  • Production process without conformity maintenance
  • Vulnerability handling without product-specific records
  • Support periods without formal definition or notification mechanism
• Documentation as a System, Not a Collection
  • Document identifiers and explicit cross-references
  • Traceability matrices linking requirements → risks → design → tests → evidence
  • Integration with engineering workflows for automatic evidence generation
  • Distinct documentation ownership separate from engineering ownership
  • Retention infrastructure designed for ten-year horizons
• The Six Required Documentation Types
  • Product Risk Assessment (with treatment decisions referencing design)
  • Design Specification (with requirement traceability matrices)
  • Test Plan and Results (with requirement coverage matrix)
  • Production Process Description (with continuous conformity evidence)
  • Vulnerability Handling Record (with timeline documentation)
  • EU Declaration of Conformity (with authorized signatory)

Your Fourteen-Day Action Plan:

Days 1-3: Documentation inventory for priority product Days 4-6: Gap analysis against CRA requirements using six document types Days 7-9: Traceability assessment—trace one requirement through full evidence chain Days 10-12: Workflow integration analysis—identify automation opportunities Days 13-14: Documentation roadmap draft with prioritized improvements

Deliverables:

1. Documentation inventory
2. Gap analysis against CRA requirements
3. Traceability assessment identifying where evidence chains break
4. Prioritized documentation roadmap

Ready to assess your documentation gaps?

The First Witness Stress Test includes comprehensive documentation assessment—revealing where your evidence chains break, where traceability fails, and what examination would expose. The organizations that discover gaps internally can remediate. The organizations that discover gaps during examination cannot.

MAKE AN APPOINTMENT WITH ME TO PREPARE YOUR DOCUMENTATION APPROACH

https://calendly.com/verbalalchemist/30min

CRA documentation requirements, CRA technical documentation, Annex VII documentation, EU Declaration of Conformity, market surveillance examination, compliance evidence, regulatory documentation, CRA audit preparation, ten-year retention, risk assessment traceability, conformity assessment documentation, CRA Annex II user information