EU CRA 2026-04-29 16 min read

EU CRA Policy & Procedure Register — 48 Documents Across 7 Domains

Master register of the 48 policies and procedures required by the EU Cyber Resilience Act, organised across 7 domains, with owner, priority, and the controlling CRA reference for each.

Threatstealth Compliance Research

Most CRA non-conformities discovered during pre-audit are not engineering failures — they are missing or stale documents. This register lists the 48 policies and procedures that a manufacturer of a product with digital elements is reasonably expected to maintain, organised across the seven domains that the CRA's essential requirements (Annex I), conformity-assessment procedures (Annex VIII), and reporting obligations (Article 14) collectively demand.

Use the priority column to sequence work: P1 documents must exist before placing the product on the market; P2 documents must exist within the support period; P3 documents are good service practice and reduce audit friction.

Domain A — Governance (P-01 → P-08)

ID	Document	Owner	Priority	CRA reference
P-01	CRA Programme Charter & Scope Statement	CISO / Head of Product Security	P1	Art. 13(1)–(2)
P-02	Roles & Responsibilities (RACI) for CRA Compliance	CISO	P1	Art. 13 (general)
P-03	Cybersecurity Risk Management Policy	Head of Risk	P1	Annex I §1(1)
P-04	Acceptable Use & Code of Conduct	HR / CISO	P2	Annex I Part II §(3)
P-05	CRA Training & Awareness Procedure	CISO / People Ops	P2	Annex I §1(1)
P-06	Internal Audit & Management Review Procedure	Internal Audit	P2	Art. 13(11)
P-07	Records Retention & Evidence Lifecycle Policy	DPO / CISO	P1	Art. 13(11)
P-08	Document Control & Versioning Procedure	Quality Manager	P2	Annex VII §(2)

Domain B — Secure Development (P-09 → P-15)

ID	Document	Owner	Priority	CRA reference
P-09	Secure Development Lifecycle (SDLC) Policy	VP Engineering	P1	Annex I §1(1)
P-10	Threat Modelling Procedure	Security Architect	P1	Annex I §1(1)
P-11	Secure Coding Standards (per language / runtime)	Engineering Lead	P1	Annex I §1(2)(a–l)
P-12	Code Review & Pull-Request Security Gate	Engineering Lead	P1	Annex I Part II §(3)
P-13	Application Security Testing Procedure (SAST/DAST/IAST)	AppSec Lead	P1	Annex I Part II §(3)
P-14	Cryptography & Key Management Standard	Security Architect	P1	Annex I §1(2)(e)(f)
P-15	Secure-by-Default Configuration Baseline	Product Manager	P1	Annex I §1(2)(b)

Domain C — Vulnerability Management (P-16 → P-22)

ID	Document	Owner	Priority	CRA reference
P-16	Vulnerability Management Policy	CISO	P1	Annex I Part II §(2)
P-17	Coordinated Vulnerability Disclosure (CVD) Policy	CISO	P1	Annex I Part II §(5)
P-18	Security Advisory Publication Procedure	PSIRT Lead	P1	Annex I Part II §(8)
P-19	Penetration Testing Procedure	AppSec Lead	P2	Annex I Part II §(3)
P-20	Bug Bounty / Researcher Engagement Procedure	PSIRT Lead	P3	Annex I Part II §(5)
P-21	SBOM Generation & Maintenance Procedure	Engineering Lead	P1	Annex I Part II §(1)
P-22	Component & Library Vulnerability Monitoring Procedure	AppSec Lead	P1	Annex I Part II §(2)

Domain D — Incident Response & Reporting (P-23 → P-28)

ID	Document	Owner	Priority	CRA reference
P-23	Incident Response Plan (IRP)	CISO / PSIRT Lead	P1	Art. 14(3)
P-24	ENISA / CSIRT Notification Procedure (24h / 72h / 14d)	PSIRT Lead	P1	Art. 14(1)(3)
P-25	User Notification Procedure (Severe Incidents)	PSIRT Lead / Comms	P1	Art. 14(8)
P-26	Incident Classification & Severity Matrix	CISO	P1	Art. 14(3)
P-27	Forensic Evidence Handling Procedure	PSIRT Lead	P2	Art. 14 (general)
P-28	Post-Incident Review & Lessons Learned Procedure	CISO	P2	Art. 14 (general)

Domain E — Supply Chain Security (P-29 → P-34)

ID	Document	Owner	Priority	CRA reference
P-29	Supplier & Third-Party Security Policy	Procurement / CISO	P1	Annex I §1(1), Recital 32
P-30	Open-Source Software Use & Stewardship Policy	Engineering Lead	P1	Art. 24, Recital 18
P-31	Build Pipeline Integrity & Artefact Signing Procedure	DevOps Lead	P1	Annex I §1(2)(f)
P-32	Update Distribution & Authenticity Verification Procedure	DevOps / PSIRT	P1	Annex I Part II §(7)
P-33	Provenance & SLSA Posture Procedure	DevOps Lead	P3	Annex I §1(1)
P-34	Sub-Component Vulnerability Notification Procedure	Procurement / PSIRT	P2	Annex I Part II §(2)

Domain F — Documentation & User Information (P-35 → P-41)

ID	Document	Owner	Priority	CRA reference
P-35	Technical Documentation Master (Annex VII Index)	Quality Manager	P1	Annex VII
P-36	Cybersecurity Risk Assessment Report	Security Architect	P1	Annex VII §(3), Art. 13(2)
P-37	Architecture & Data-Flow Diagrams	Security Architect	P1	Annex VII §(2)
P-38	User Information & Instructions (Annex II)	Product Manager / Tech Writer	P1	Annex II
P-39	Support Period & End-of-Support Notification Procedure	Product Manager	P1	Art. 13(8)
P-40	Decommissioning & Data-Wipe User Guidance	Product Manager	P2	Annex I §1(2)(m)
P-41	Logging & Monitoring User-Facing Documentation	Product Manager	P2	Annex I §1(2)(l)

Domain G — Conformity & Market-Surveillance (P-42 → P-48)

ID	Document	Owner	Priority	CRA reference
P-42	Conformity Assessment Procedure & Module Selection	Quality Manager	P1	Art. 32, Annex VIII
P-43	EU Declaration of Conformity Template & Register	Quality Manager	P1	Art. 28, Annex V
P-44	CE Marking Procedure	Quality Manager	P1	Art. 30
P-45	Substantial Modification & Re-Assessment Procedure	Product Manager / Quality	P1	Art. 13(3)
P-46	Notified Body Engagement & Liaison Procedure	Quality Manager	P1	Art. 32(2)–(3)
P-47	Non-Conformity Handling, Recall & Authority Notification	CISO / Quality	P1	Art. 13(5)(7)
P-48	Importer & Distributor Verification Procedure	Procurement / Quality	P2	Art. 19, 20

Total: 48 documents across 7 domains. Use this register as the master index for the technical documentation pack required under Annex VII; every entry should resolve to a versioned artefact in the evidence repository.

← All articles