CRA Guard

Published 30 March 2026

EU Declaration of Conformity for WordPress plugins: what to include

Before you can legally sell a WordPress plugin to EU customers after December 2027, you need to draw up an EU Declaration of Conformity. It is a formal document where you, the manufacturer, state that your product meets the CRA’s cybersecurity requirements. Here is what goes in it, field by field.

What is a Declaration of Conformity

The EU Declaration of Conformity (DoC) is a one-page document where the manufacturer formally declares that a product meets the requirements of an EU regulation. It is not new to the CRA. If you have ever bought an electronic device in Europe and seen the CE mark on the box, the manufacturer filed a Declaration of Conformity for that product.

What is new is that software now needs one. Under the CRA, WordPress plugins and themes sold to EU customers are “products with digital elements.” The same documentation framework that applies to hardware devices now applies to your code.

The DoC is your statement of responsibility. You are saying: “I, the manufacturer, have assessed this product against the CRA requirements and confirm it meets them.” It is not a certification from a third party. For most WordPress plugins, it is a self-declaration.

When you need one

The full CRA requirements, including the Declaration of Conformity, apply from 11 December 2027. That is the date by which all products with digital elements on the EU market must meet the essential cybersecurity requirements and have the required documentation in place.

However, the reporting obligations under Article 14 apply earlier, from September 2026. So while you do not legally need a DoC until December 2027, starting the documentation now means you are not scrambling later.

You need a DoC if your plugin is in scope of the CRA. If you sell commercially to EU customers, you almost certainly need one.

What Annex V requires

Annex V of the CRA specifies what the EU Declaration of Conformity must contain. Here is the list:

  1. Name and type of the product with digital elements, plus any additional information enabling its identification
  2. Name and address of the manufacturer, and where applicable, their authorised representative
  3. A statement that the Declaration of Conformity is issued under the sole responsibility of the manufacturer
  4. The object of the declaration (identification of the product, including version, batch, or serial number)
  5. A statement that the product fulfils the essential requirements set out in Annex I of the CRA
  6. References to the relevant harmonised standards or other technical specifications used
  7. Where applicable, the name and number of the notified body that performed the conformity assessment, and a reference to the certificate issued
  8. Additional information, including the date, signature, and signatory details

That is eight fields. For a WordPress plugin where you are doing a self-assessment (no third-party audit), fields 6 and 7 are simple: you reference the CRA itself as your standard, and you note that no notified body was involved because your product category allows self-assessment.

Field-by-field guide for WordPress plugins

Let us translate each Annex V requirement into what it actually looks like for a WordPress plugin developer.

1. Product identification

Your plugin name, slug, and description. Example: “MyPlugin, a WordPress plugin for managing customer invoices. WordPress.org slug: myplugin.” Be specific enough that the product is unambiguously identified.

2. Manufacturer details

Your name (or company name) and address. If you are a solo developer, this is your legal name and contact address. If you are outside the EU and do not have an authorised representative, you still need to provide your details. The CRA requires manufacturers outside the EU to designate an authorised representative if they want to continue placing products on the EU market.

3. Sole responsibility statement

A boilerplate sentence: “This declaration of conformity is issued under the sole responsibility of the manufacturer.” This is standard across all EU declarations of conformity.

4. Product version

The specific version of the plugin covered by this declaration. Example: “MyPlugin version 2.5.1.” If you release a major update that changes the security posture, you need to update the DoC. Minor patches and bug fixes typically do not require a new declaration.

5. Conformity statement

State that your product meets the essential cybersecurity requirements in Annex I. These cover:

  • Security by design and by default (Part I of Annex I)
  • Vulnerability handling requirements (Part II of Annex I)
  • Provision of security updates for the support period
  • Technical documentation per Annex V

You do not need to list every sub-requirement. A reference to Annex I Parts I and II is sufficient.

6. Standards used

Reference the CRA itself: “Regulation (EU) 2024/2847 of the European Parliament and of the Council.” As harmonised standards are published by European Standardisation Organisations (CEN, CENELEC, ETSI), you may reference those as well. As of early 2026, CRA-specific harmonised standards are still being developed.

7. Notified body

For most WordPress plugins: “Not applicable. The product falls under the default product category, and the conformity assessment was performed via the internal control procedure (Module A) in accordance with Annex VI of Regulation (EU) 2024/2847.”

Third-party assessment is only required for products listed in Annex III of the CRA as “important” or “critical.” Standard WordPress plugins are very unlikely to fall into those categories. Annex III covers things like operating systems, firewalls, microprocessors, and hardware security modules.

8. Date and signature

Sign and date the declaration. Include your name, role (e.g. “Lead Developer” or “Managing Director”), and the date the declaration was drawn up.

Conformity assessment: self-assessment vs third-party

The CRA defines three conformity assessment routes:

  • Module A (internal control): You assess your own product against the requirements. No external auditor. This is what most WordPress plugins will use.
  • Module B + C (EU-type examination): A notified body examines your product and issues a certificate. Required for “important” products in Class I of Annex III.
  • Full quality assurance (Module H): A notified body audits your entire development process. Required for “critical” products in Annex III.

Unless your WordPress plugin is an operating system, a firewall, a VPN, a password manager, or a similar security-critical product listed in Annex III, you use Module A. Self-assessment. You write the declaration yourself, keep the technical documentation on file, and affix the CE marking.

CE marking for software

Yes, software gets a CE mark under the CRA. If you have ever wondered what a CE mark on a WordPress plugin looks like, you are not alone. There is no physical box to stamp. The CRA says the CE marking must be affixed “visibly, legibly, and indelibly” to the product. For software, this means:

  • Include it in your product documentation
  • Display it in the plugin’s about page or settings screen
  • Include it on your product web page

If it is technically impossible to affix it directly to the product (which is arguable for a WordPress plugin distributed as a ZIP file), you can include it on the packaging or accompanying documents. Your readme.txt, your WordPress.org listing page, and your product website all qualify.

The CE marking requirement applies from December 2027 alongside the full compliance requirements.

Common mistakes to avoid

  • Writing the DoC once and forgetting about it. Major version updates that change your plugin’s security architecture need an updated declaration. Keep it as a living document.
  • Declaring conformity before doing the assessment. The DoC is the output of a conformity assessment process, not a substitute for it. Work through the five core obligations first, then declare.
  • Missing the support period commitment. The CRA requires you to specify how long you will provide security updates. The minimum is five years or the expected product lifetime, whichever is shorter. State this explicitly in your documentation.
  • Ignoring the SBOM requirement. Technical documentation under the CRA includes an SBOM listing your dependencies. The DoC says you meet the requirements; the SBOM is part of the evidence behind that statement.
  • Not keeping records. You must retain the DoC and technical documentation for ten years after placing the product on the market. Back it up.
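The field list above and these mistakes lend themselves to an automated sanity check before you sign. The script below is an added example written for this article, not CRA Guard’s document generator or any official tool: it reads the version and name from a WordPress plugin file header, confirms that a draft DoC record has all eight Annex V items filled in, that the declared version matches the shipped one, that the support period is at least five years (or the expected lifetime, if shorter), and that a Module A self-assessment names no notified body. The record layout, the field names (`product_name`, `support_until` and so on) and every sample value are constructed for the example.

```python
"""Consistency checks between a draft EU Declaration of Conformity and the
WordPress plugin it covers. Added example; the DoC record layout, the field
names and all sample values below are constructed, not taken from any tool."""
from datetime import date

# The eight Annex V items, under the record keys this example assumes.
ANNEX_V_FIELDS = (
    "product_name",          # 1. name and type of the product
    "manufacturer",          # 2. name and address of the manufacturer
    "sole_responsibility",   # 3. sole-responsibility statement
    "product_version",       # 4. object of the declaration (version)
    "conformity_statement",  # 5. fulfils Annex I essential requirements
    "standards",             # 6. harmonised standards / technical specifications
    "notified_body",         # 7. notified body, or "Not applicable"
    "signature",             # 8. date, signature and signatory details
)


def parse_plugin_header(php_source: str) -> dict:
    """Read the 'Key: Value' lines of a WordPress plugin file header comment."""
    header = {}
    in_comment = False
    for line in php_source.splitlines():
        stripped = line.strip()
        if stripped.startswith("/*"):
            in_comment = True
            continue
        if stripped.startswith("*/"):
            break
        if in_comment and ":" in stripped:
            key, _, value = stripped.lstrip("* ").partition(":")
            header[key.strip()] = value.strip()
    return header


def check_declaration(doc: dict, plugin_header: dict) -> list:
    """Return a list of problems; an empty list means the draft is consistent."""
    problems = []
    for field in ANNEX_V_FIELDS:
        if not doc.get(field):
            problems.append(f"Annex V field missing or empty: {field}")

    # Field 4 must describe the version actually shipped.
    declared, shipped = doc.get("product_version"), plugin_header.get("Version")
    if declared and shipped and declared != shipped:
        problems.append(f"DoC covers version {declared} but plugin header says {shipped}")

    # Field 1 should unambiguously name the plugin the header identifies.
    name = plugin_header.get("Plugin Name")
    if name and doc.get("product_name") and name not in doc["product_name"]:
        problems.append("product_name does not mention the header's Plugin Name")

    # Support period: at least five years, or the expected lifetime if shorter.
    # (date.replace is fine for the sample dates; a 29 February would need care.)
    placed = doc.get("placed_on_market")
    if placed:
        required_years = min(5, doc.get("expected_lifetime_years", 5))
        required_until = placed.replace(year=placed.year + required_years)
        if doc.get("support_until", date.min) < required_until:
            problems.append(f"support_until must be at least {required_until.isoformat()}")

    # Module A is self-assessment, so field 7 should read "Not applicable".
    if doc.get("assessment_module") == "A" and doc.get("notified_body") != "Not applicable":
        problems.append("Module A self-assessment should state 'Not applicable' for the notified body")
    return problems


def retention_deadline(placed_on_market: date) -> date:
    """Records must be kept for ten years after the product is placed on the market."""
    return placed_on_market.replace(year=placed_on_market.year + 10)


# Constructed sample input: a minimal plugin file header and a draft DoC record.
SAMPLE_PLUGIN_FILE = """<?php
/*
 * Plugin Name: MyPlugin
 * Version: 2.5.1
 * Author: Example Developer
 */
"""

SAMPLE_DOC = {
    "product_name": "MyPlugin, a WordPress plugin for managing customer invoices (slug: myplugin)",
    "manufacturer": "Example Developer, 1 Sample Street, Sample City",
    "sole_responsibility": "This declaration of conformity is issued under the sole responsibility of the manufacturer.",
    "product_version": "2.5.1",
    "conformity_statement": "The product fulfils the essential requirements of Annex I, Parts I and II, of Regulation (EU) 2024/2847.",
    "standards": "Regulation (EU) 2024/2847",
    "notified_body": "Not applicable",
    "assessment_module": "A",
    "signature": "Example Developer, Lead Developer, 2027-12-01",
    "placed_on_market": date(2027, 12, 11),
    "expected_lifetime_years": 8,
    "support_until": date(2032, 12, 11),
}

if __name__ == "__main__":
    header = parse_plugin_header(SAMPLE_PLUGIN_FILE)
    for problem in check_declaration(SAMPLE_DOC, header) or ["Draft DoC is consistent"]:
        print(problem)
    print("Keep records until:", retention_deadline(SAMPLE_DOC["placed_on_market"]))
```

Run it against your real plugin file and DoC record each time you cut a release; a non-empty problem list is the cue to update the declaration rather than ship with a stale one.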

Generate your Declaration of Conformity

CRA Guard includes an EU Declaration of Conformity template in the free document generator. Fill in your company details, product information, and signatory, and it produces a formatted document ready for your records. The pro tier adds PDF export for professional client delivery.

Disclaimer: This article is for informational purposes and does not constitute legal advice. The Declaration of Conformity requirements described here are based on Regulation (EU) 2024/2847 Annex V. Consult qualified legal counsel for advice specific to your situation.