ANNEX VII

CONTENTS OF THE TECHNICAL DOCUMENTATION

The technical documentation referred to in Article 31 shall contain at least the following information, as applicable to the product with digital elements concerned:

1. a general description of the product with digital elements, including:

   a) its intended purpose;

   b) versions of software that affect compliance with the essential cybersecurity requirements;

   c) if the product with digital elements is a hardware product, photographs or illustrations showing its external features, markings, and internal layout;

   d) user information and instructions as described in Annex II;

2. a description of the design, development, and production of the product with digital elements and the procedures for responding to vulnerabilities, including:

   a) necessary information about the design and development of the product with digital elements, including, where applicable, drawings and diagrams and a description of the system architecture explaining how software components build on or complement each other and are integrated into the overall processing;

   b) necessary information and specifications of the processes established by the manufacturer regarding the response to vulnerabilities, including the software bill of materials, the coordinated vulnerability disclosure policy, proof of providing a contact address for reporting vulnerabilities, and a description of the technical solutions chosen for the secure distribution of updates;

   c) necessary information and specifications of the production and monitoring processes of the product with digital elements and the validation of those processes;

3. an assessment of the cybersecurity risks against which the product with digital elements is designed, developed, manufactured, supplied, and maintained pursuant to Article 13, including how the essential cybersecurity requirements of Part I of Annex I apply;

4. relevant information taken into account to determine the support period for the product with digital elements pursuant to Article 13(8);

5. a list of the harmonized standards applied in full or in part, the references of which have been published in the Official Journal of the European Union, common specifications referred to in Article 27 of this Regulation, or European cybersecurity certification schemes established pursuant to Regulation (EU) 2019/881 on the basis of Article 27(8) of this Regulation and, where those harmonized standards, common specifications or European cybersecurity certification schemes have not been applied, a description of the solutions chosen to meet the essential cybersecurity requirements set out in Parts I and II of Annex I, including a list of other relevant technical specifications that have been applied. In the case of partially applied harmonized standards, common specifications, or European cybersecurity certification schemes, the technical documentation shall specify which parts have been applied;

6. reports of the tests carried out to verify the conformity of the product with digital elements and of the procedures for responding to vulnerabilities with the applicable essential cybersecurity requirements of Parts I and II of Annex I;

7. a copy of the EU declaration of conformity;

8. where applicable, the software bill of materials, following a reasoned request from a market surveillance authority, provided that this is necessary to enable that authority to verify compliance with the essential cybersecurity requirements set out in Annex I.