# Technical Documentation Outline for CRA Compliance

- **Product:** [Product Name]
- **Version:** [Version]
- **Date:** [Date]
- **Prepared by:** [Author/Team]

*Required under the EU Cyber Resilience Act (Regulation (EU) 2024/2847), Article 31.*

---

## 1. Product Description

### 1.1 General Description
- Product name and model designation
- Intended purpose and use cases
- Target market and user profiles
- Operating environment (temperature range, connectivity requirements, etc.)

### 1.2 Product Architecture
- Hardware block diagram
- Software/firmware architecture diagram
- Communication interfaces and protocols
- Data flows (internal and external)

### 1.3 Product Classification
- CRA product category: [ ] Default / [ ] Important Class I / [ ] Important Class II / [ ] Critical
- Justification for classification
- Applicable conformity assessment procedure (Article 32)

---

## 2. Risk Assessment

### 2.1 Threat Model
- Methodology used (e.g., STRIDE, LINDDUN, EMB3D)
- Asset identification
- Threat actors considered
- Attack surface analysis

### 2.2 Identified Risks
| Risk ID | Threat | Asset | Likelihood | Impact | Risk Level | Mitigation |
|---------|--------|-------|------------|--------|------------|------------|
| R-001   |        |       |            |        |            |            |
| R-002   |        |       |            |        |            |            |

### 2.3 Residual Risks
- Risks accepted after mitigation
- Justification for acceptance

---

## 3. Security Architecture

### 3.1 Authentication & Access Control
- Authentication mechanisms
- Authorization model
- Credential management
- Default credentials policy (the product must ship with no default credentials)

### 3.2 Data Protection
- Encryption at rest (algorithms, key lengths)
- Encryption in transit (TLS version, cipher suites)
- Key management procedures
- Personal data handling (if applicable)

### 3.3 Secure Boot & Firmware Integrity
- Boot chain description
- Code signing mechanism
- Firmware verification process
- Anti-rollback protection

### 3.4 Secure Update Mechanism
- Update delivery method (OTA, USB, etc.)
- Update authentication and integrity verification
- Rollback capability
- Update notification to users

### 3.5 Network Security
- Network interfaces and protocols
- Firewall rules or access controls
- Exposed ports and services (minimized per Annex I)

### 3.6 Logging & Monitoring
- Security events logged
- Log storage and protection
- Monitoring capabilities

---

## 4. Software Bill of Materials (SBOM)

### 4.1 SBOM Format
- Format: [ ] CycloneDX / [ ] SPDX
- Version: [e.g., CycloneDX 1.5]
- Generation method: [ ] Automated (build-time) / [ ] Manual

### 4.2 SBOM Location
- SBOM file: [path or URL]
- Machine-readable: [ ] Yes / [ ] No

### 4.3 Component Summary
| Component | Version | License | Source |
|-----------|---------|---------|--------|
|           |         |         |        |

*Full SBOM attached as Appendix A.*

---

## 5. Vulnerability Management

### 5.1 Vulnerability Handling Process
- Monitoring sources (NVD, vendor advisories, GitHub Security Advisories (GHSA))
- Triage and assessment procedure
- Remediation SLAs by severity:
  - Critical: [timeline]
  - High: [timeline]
  - Medium: [timeline]
  - Low: [timeline]

### 5.2 Coordinated Vulnerability Disclosure
- CVD policy location: [URL]
- Security contact: [email]
- security.txt location: [URL]

### 5.3 ENISA Reporting
- Process for 24-hour early warning
- Process for 72-hour vulnerability notification
- Process for 14-day final report
- Designated reporter: [Name/Role]

### 5.4 Support Period
- Security update support period: [X years; at least 5 years, or the product's expected lifetime if that is shorter]
- End-of-support date: [Date]
- End-of-support notification plan

---

## 6. Conformity Assessment

### 6.1 Assessment Procedure
- Procedure used: [ ] Self-assessment (Module A) / [ ] EU-type examination (Module B+C) / [ ] Based on full QA (Module H)
- Applicable standards:
  - [ ] EN 18031 (Radio Equipment Directive)
  - [ ] IEC 62443 (Industrial Security)
  - [ ] ETSI EN 303 645 (Consumer IoT)
  - [ ] ISO/IEC 27001
  - [ ] Other: [specify]

### 6.2 Testing Results
- Security testing performed (penetration testing, fuzzing, code review)
- Test reports referenced
- Third-party assessments (if applicable)

### 6.3 EU Declaration of Conformity
- Declaration reference number
- Date of issue
- Authorized representative details

---

## 7. User Information

### 7.1 Security Instructions for Users
- Installation and configuration guidance
- Secure usage guidelines
- How to apply security updates
- How to report vulnerabilities
- How to securely decommission the product

---

## Appendices

- **Appendix A:** Full SBOM (CycloneDX/SPDX)
- **Appendix B:** Threat model report
- **Appendix C:** Security test reports
- **Appendix D:** EU Declaration of Conformity

---

*This template is provided by Stack Canary (stack-canary.com) as a starting point. Adapt it to your organization's specific products, processes, and legal requirements. This does not constitute legal advice.*
