{"type":"rich","version":"1.0","provider_name":"Transistor","provider_url":"https://transistor.fm","author_name":"The AI Governance Brief","title":"CRA COUNTDOWN: Episode 4 -Documentation That Actually Survives an Audit","html":"<iframe width=\"100%\" height=\"180\" frameborder=\"no\" scrolling=\"no\" seamless src=\"https://share.transistor.fm/e/3168a922\"></iframe>","width":"100%","height":180,"duration":1952,"description":"In January 2025, a German market surveillance authority examined twelve IoT manufacturers under existing CE marking requirements. Four couldn't produce documentation within the required timeframe. Three produced documentation that failed to demonstrate conformity. Two had documentation so disorganized examiners couldn't determine what had been tested. Only three manufacturers—twenty-five percent—provided documentation that satisfied examination. And this was before CRA requirements took effect. Market surveillance authorities won't inspect your codebase. They won't interview your developers. They won't observe your security practices. They will examine documentation—and documentation alone. In This Episode: What Market Surveillance Actually Examines: Article 31: Authority to require documentation demonstrating conformity; Article 54: Ten-year minimum retention requirement; Why engineering documentation doesn't satisfy regulatory requirements. The Four CRA Documentation Annexes Decoded: Annex II: User information requirements (manufacturer ID, security risks, update sources, vulnerability reporting contact); Annex V: EU Declaration of Conformity (the legal attestation creating personal liability); Annex VII: Technical documentation (risk assessment, design specification, test results, production process, vulnerability handling); Annex VIII: Conformity assessment procedures (documented internal assessment for Default category). The Five Documentation Gaps That Fail Examination: Risk assessment without design traceability; Evidence chains without version control; Production process without conformity maintenance; Vulnerability handling without product-specific records; Support periods without formal definition or notification mechanism. Documentation as a System, Not a Collection: Document identifiers and explicit cross-references; Traceability matrices linking requirements → risks → design → tests → evidence; Integration with engineering workflows for automatic evidence generation; Distinct documentation...","thumbnail_url":"https://img.transistorcdn.com/rDqBMJXwlhb2bvZjH0V1qAuqxHAFqIADttstgmIyldM/rs:fill:0:0:1/w:400/h:400/q:60/mb:500000/aHR0cHM6Ly9pbWct/dXBsb2FkLXByb2R1/Y3Rpb24udHJhbnNp/c3Rvci5mbS8wNzgz/MjhlNjg0NjRjYThi/MGI3YWEzMzkyNzVm/ZTdiYy5wbmc.webp","thumbnail_width":300,"thumbnail_height":300}