The Cyber Resilience Act (Annex II) prescribes the minimum information and instructions that must accompany a product with digital elements when it is made available to users. User documentation is the primary channel through which the manufacturer empowers users to operate the product securely. If users do not know how to configure the product safely, when its support ends, or how to apply security updates, even a well engineered product can be rendered insecure through misuse or neglect.
Draft user documentation that identifies the product by name, type designation, and version or batch number as required by Annex II. Provide step by step secure setup guidance that walks the user through initial configuration to achieve the secure by default state. Clearly state the exact end of support date, at minimum specifying the month and year, so users can plan for product lifecycle transitions well in advance.
Include instructions for installing security updates, along with information about known residual risks and their potential impact on the user. Provide the manufacturer's contact details for reporting vulnerabilities, ensuring alignment with the coordinated vulnerability disclosure policy established under the incident response (IR) control. Write all documentation in a language that is clear and accessible to the intended audience, avoiding unnecessary technical jargon. Ensure user documentation is kept up to date as the product evolves and is readily available to users at all times, not only at the point of purchase.