EU CRA
2026-04-29
EU CRA Policy & Procedure Register — 48 Documents Across 7 Domains
The complete EU CRA policy and procedure register: 48 documents (P-01 to P-48) organised into Governance, Secure Development, Vulnerability Management, Incident Response, Supply Chain, Documentation, and Conformity — each with an owner, a priority, and a CRA article reference.
By Threatstealth Compliance Research
Most CRA non-conformities discovered during pre-audit are not engineering failures — they are missing or stale documents. This register lists the 48 policies and procedures that a manufacturer of a product with digital elements is reasonably expected to maintain, organised across the seven domains that the CRA's essential requirements (Annex I), conformity-assessment procedures (Annex VIII), and reporting obligations (Article 14) collectively demand.
Use the priority column to sequence work: P1 documents must exist before placing the product on the market; P2 documents must exist within the support period; P3 documents are good service practice and reduce audit friction.
Domain A — Governance (P-01 → P-08)
| ID | Document | Owner | Priority | CRA reference |
|---|---|---|---|---|
| P-01 | CRA Programme Charter & Scope Statement | CISO / Head of Product Security | P1 | Art. 13(1)–(2) |
| P-02 | Roles & Responsibilities (RACI) for CRA Compliance | CISO | P1 | Art. 13 (general) |
| P-03 | Cybersecurity Risk Management Policy | Head of Risk | P1 | Annex I §1(1) |
| P-04 | Acceptable Use & Code of Conduct | HR / CISO | P2 | Annex I Part II §(3) |
| P-05 | CRA Training & Awareness Procedure | CISO / People Ops | P2 | Annex I §1(1) |
| P-06 | Internal Audit & Management Review Procedure | Internal Audit | P2 | Art. 13(11) |
| P-07 | Records Retention & Evidence Lifecycle Policy | DPO / CISO | P1 | Art. 13(11) |
| P-08 | Document Control & Versioning Procedure | Quality Manager | P2 | Annex VII §(2) |
Domain B — Secure Development (P-09 → P-15)
| ID | Document | Owner | Priority | CRA reference |
|---|---|---|---|---|
| P-09 | Secure Development Lifecycle (SDLC) Policy | VP Engineering | P1 | Annex I §1(1) |
| P-10 | Threat Modelling Procedure | Security Architect | P1 | Annex I §1(1) |
| P-11 | Secure Coding Standards (per language / runtime) | Engineering Lead | P1 | Annex I §1(2)(a–l) |
| P-12 | Code Review & Pull-Request Security Gate | Engineering Lead | P1 | Annex I Part II §(3) |
| P-13 | Application Security Testing Procedure (SAST/DAST/IAST) | AppSec Lead | P1 | Annex I Part II §(3) |
| P-14 | Cryptography & Key Management Standard | Security Architect | P1 | Annex I §1(2)(e)(f) |
| P-15 | Secure-by-Default Configuration Baseline | Product Manager | P1 | Annex I §1(2)(b) |
Domain C — Vulnerability Management (P-16 → P-22)
| ID | Document | Owner | Priority | CRA reference |
|---|---|---|---|---|
| P-16 | Vulnerability Management Policy | CISO | P1 | Annex I Part II §(2) |
| P-17 | Coordinated Vulnerability Disclosure (CVD) Policy | CISO | P1 | Annex I Part II §(5) |
| P-18 | Security Advisory Publication Procedure | PSIRT Lead | P1 | Annex I Part II §(8) |
| P-19 | Penetration Testing Procedure | AppSec Lead | P2 | Annex I Part II §(3) |
| P-20 | Bug Bounty / Researcher Engagement Procedure | PSIRT Lead | P3 | Annex I Part II §(5) |
| P-21 | SBOM Generation & Maintenance Procedure | Engineering Lead | P1 | Annex I Part II §(1) |
| P-22 | Component & Library Vulnerability Monitoring Procedure | AppSec Lead | P1 | Annex I Part II §(2) |
Domain D — Incident Response & Reporting (P-23 → P-28)
| ID | Document | Owner | Priority | CRA reference |
|---|---|---|---|---|
| P-23 | Incident Response Plan (IRP) | CISO / PSIRT Lead | P1 | Art. 14(3) |
| P-24 | ENISA / CSIRT Notification Procedure (24h / 72h / 14d) | PSIRT Lead | P1 | Art. 14(1)(3) |
| P-25 | User Notification Procedure (Severe Incidents) | PSIRT Lead / Comms | P1 | Art. 14(8) |
| P-26 | Incident Classification & Severity Matrix | CISO | P1 | Art. 14(3) |
| P-27 | Forensic Evidence Handling Procedure | PSIRT Lead | P2 | Art. 14 (general) |
| P-28 | Post-Incident Review & Lessons Learned Procedure | CISO | P2 | Art. 14 (general) |
Domain E — Supply Chain Security (P-29 → P-34)
| ID | Document | Owner | Priority | CRA reference |
|---|---|---|---|---|
| P-29 | Supplier & Third-Party Security Policy | Procurement / CISO | P1 | Annex I §1(1), Recital 32 |
| P-30 | Open-Source Software Use & Stewardship Policy | Engineering Lead | P1 | Art. 24, Recital 18 |
| P-31 | Build Pipeline Integrity & Artefact Signing Procedure | DevOps Lead | P1 | Annex I §1(2)(f) |
| P-32 | Update Distribution & Authenticity Verification Procedure | DevOps / PSIRT | P1 | Annex I Part II §(7) |
| P-33 | Provenance & SLSA Posture Procedure | DevOps Lead | P3 | Annex I §1(1) |
| P-34 | Sub-Component Vulnerability Notification Procedure | Procurement / PSIRT | P2 | Annex I Part II §(2) |
Domain F — Documentation & User Information (P-35 → P-41)
| ID | Document | Owner | Priority | CRA reference |
|---|---|---|---|---|
| P-35 | Technical Documentation Master (Annex VII Index) | Quality Manager | P1 | Annex VII |
| P-36 | Cybersecurity Risk Assessment Report | Security Architect | P1 | Annex VII §(3), Art. 13(2) |
| P-37 | Architecture & Data-Flow Diagrams | Security Architect | P1 | Annex VII §(2) |
| P-38 | User Information & Instructions (Annex II) | Product Manager / Tech Writer | P1 | Annex II |
| P-39 | Support Period & End-of-Support Notification Procedure | Product Manager | P1 | Art. 13(8) |
| P-40 | Decommissioning & Data-Wipe User Guidance | Product Manager | P2 | Annex I §1(2)(m) |
| P-41 | Logging & Monitoring User-Facing Documentation | Product Manager | P2 | Annex I §1(2)(l) |
Domain G — Conformity & Market-Surveillance (P-42 → P-48)
| ID | Document | Owner | Priority | CRA reference |
|---|---|---|---|---|
| P-42 | Conformity Assessment Procedure & Module Selection | Quality Manager | P1 | Art. 32, Annex VIII |
| P-43 | EU Declaration of Conformity Template & Register | Quality Manager | P1 | Art. 28, Annex V |
| P-44 | CE Marking Procedure | Quality Manager | P1 | Art. 30 |
| P-45 | Substantial Modification & Re-Assessment Procedure | Product Manager / Quality | P1 | Art. 13(3) |
| P-46 | Notified Body Engagement & Liaison Procedure | Quality Manager | P1 | Art. 32(2)–(3) |
| P-47 | Non-Conformity Handling, Recall & Authority Notification | CISO / Quality | P1 | Art. 13(5)(7) |
| P-48 | Importer & Distributor Verification Procedure | Procurement / Quality | P2 | Art. 19, 20 |
Total: 48 documents across 7 domains. Use this register as the master index for the technical documentation pack required under Annex VII; every entry should resolve to a versioned artefact in the evidence repository.